On 19 November 2025 the Commission tabled the Digital Omnibus Regulation Proposal, as part of its digital package simplification programme, announced in the 2025 Commission work programme, and further specified in the Communication on implementation and simplification.

To prepare the proposal, the Commission gathered feedback with a a call for evidence from 16 September to 14 October 2025. The Commission was gathering views on measures on data acquis, rules on cookies and other tracking technologies, cybersecurity incident reporting, smooth application of the AI Act rules, and electronic identification and trust services under European Digital Identity Framework. 

The final proposal on Digital Omnibus Regulation:

• Consolidates single market rules on data in one legal act – the Data Act:
  • Merges the provisions of the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation, into a single, restructured, Data Act
  • Introduces targeted exemptions to some of the Data Act's cloud-switching rules for small businesses
  • Includes model contractual terms for data access and use, and standard contractual clauses for cloud computing contracts to help companies complying with the Data Act;
• Repeals the ‘P2B Regulation' (platform-to-business regulation), the provisions of which were partially made redundant by the Digital Services Act
• Introduces amendments to the General Data Protection Regulation (GDPR):
  • Redefining "personal data" to allow AI companies greater flexibility in using such data. Pseudonymised data would not be considered personal data for an entity that does not have the means to re-identify the natural person to whom the information relates.
  • Companies would be able to rely on the GDPR’s “legitimate interest” legal basis to use personal data for training or operating AI systems and models, subject to certain conditions.
• Modernizes the cookie policy to address the consent fatigue:
  • Cookie consent rules are moved from the ePrivacy Directive to the GDPR, which includes expanding the list of data processing activities exempt from consent.
  • Users would be enabled to employ one-click consent valid for six months or browser/system-level saved preferences. Nevertheless, maintaining consent as the primary criterion for accessing data on a user’s device, remains in force.
  • The proposal also streamlines data protection impact assessments and breach reporting requirements.
• Introduces a single reporting point for cybersecurity and data incidents.

The file was assigned to the committees on Industry, Research and Energy, and Civil Liberties, Justice and Home Affairs as jointly responsible.

In the Council, the Commission presented the proposal to the Antici Group on Simplification on 21 November 2025.

The European Economic and Social Committee adopted an opinion on the proposal on 18 March 2026.

References:

• EP Legislative Observatory, Simplification of the digital legislative framework (Digital Omnibus), 2025/0360(COD)
• European commission, Digital Omnibus Regulation Proposal, COM(2025) 837 final, 19 November 2025
• European Commission, Staff Working Document accompanying the Proposal, SWD(2025)0836, 19 November 2025
• Commission work programme 2025: Moving forward together: A Bolder, Simpler, Faster Union, Annexes 1 to 5, COM(2025) 45, 11.2.2025
• A simpler and faster Europe: Communication on implementation and simplification, 11.2.2025
• Digital package – digital omnibus, Call for evidence, 16 September 2025
• European Economic and Social Committee, EESC opinion: Digital Omnibus, 18 March 2026

Further reading:

• European Parliament, EPRS, Simplifying cybersecurity reporting: The Digital Omnibus Single-Entry Point mechanism, Briefing, March 2026

Author: Polona Car, Members' Research Service, legislative-train@europarl.europa.eu