EU Digital Omnibus package: an overview
On November 19th, 2025, the European Commission presented the Digital Omnibus package[1], a legislative initiative aimed at streamlining the rapidly expanding EU digital regulatory framework. The package responds to growing concerns among businesses and regulators regarding the increasing complexity, fragmentation and operational burden resulting from the cumulative application of multiple digital instruments. Rather than introducing an additional regulatory layer, the Digital Omnibus package seeks to recalibrate and simplify existing frameworks, in particular the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act). The Digital Omnibus package is still subject to the EU's approval processes and is expected to be finalised in the course of 2026. This L&S Insight addresses the main amendments proposed to the GDPR and the AI Act.
[1] In parallel to the Digital Omnibus initiatives in the field of data protection and artificial intelligence, the European Parliament has also adopted an "Omnibus I" package in the area of sustainability and ESG regulation, introducing significant adjustments to the scope and application thresholds of the Corporate Sustainability Reporting Directive (CSRD, Directive (EU) 2022/2464) and the Corporate Sustainability Due Diligence Directive (CSDDD, Directive (EU) 2024/1760).
Published: 5 February 2026
Authors: Philipp Fischer (Partner), Arthur Idiart (Trainee Lawyer)
Expertise: Banking and Finance; Data Protection and Privacy
1. Key proposed amendments
1.1. GDPR
Under the Digital Omnibus on data and data protection ("Digital Omnibus I"), the proposed amendments to the GDPR aim to fine-tune certain provisions that have generated significant operational complexity since the GDPR entered into force. Rather than altering the core principles of the GDPR, these amendments seek to clarify, simplify and recalibrate specific obligations. The main proposed changes can be summarized as follows:
| Main topic | Changes introduced |
| --- | --- |
| Definition of "personal data" | Clarification that data constitutes personal data only where identification of an individual is realistically possible in light of the context and available means (relative approach). |
| Pseudonymisation | Introduction of EU-level criteria to assess re-identification risks and clarify when pseudonymised data may be considered as non-personal and thus outside the scope of the GDPR. |
| Data subject access requests (DSAR) | Clarification that DSARs must pursue data-protection purposes and may be refused where there are "reasonable grounds" to believe that a request is abusive or excessive. |
| Data protection impact assessments (DPIA) | Introduction of harmonised EU-wide lists of the kinds of processing operations subject to and not subject to a DPIA as well as a common methodology. |
| AI training data | Recognition of "legitimate interest" as a lawful basis for personal data processing in AI development and operation, alongside a derogation from the prohibition on processing sensitive personal data in incidental cases. |
| Personal data breach notifications | Higher, single "high risk" threshold triggering the notification obligation, extension of the notification deadline from 72 hours to 96 hours and introduction of a single reporting entry point across reporting requirements under various EU regulations. |
| Cookies and online tracking | Reduction of consent requirements for certain low-risk uses and standardisation of consent mechanisms. |
1.2. AI Act
Under the Digital Omnibus on artificial intelligence ("Digital Omnibus II"), the proposed amendments to the AI Act focus on simplifying and recalibrating certain obligations. The objective is not to revisit the AI Act's core risk-based architecture, but rather to improve its operational feasibility, particularly with respect to high-risk AI systems, governance arrangements and compliance support mechanisms.
| Main topic | Changes introduced |
| --- | --- |
| Staggered application of requirements for high-risk AI systems | Staggered application of requirements for high-risk AI systems only upon availability of respective harmonised standards and guidance, with differentiated transition periods depending on the category of the relevant high-risk AI system. |
| Transparency obligations postponed | Application of obligations to mark AI-generated or manipulated content is being postponed by 6 months to early 2027. |
| Proportionality of obligations | Extension of selected exemptions and simplifications for small and medium-sized enterprises (SMEs) to small mid-cap companies (SMCs). |
| AI literacy | Replacement of the binding obligation on providers and deployers to ensure AI literacy with a non-binding framework whereby the Commission and Member States encourage adequate AI literacy. |
| Governance and supervision | Further centralisation of oversight for general-purpose AI models at EU level through an enhanced role of the AI Office. |
| Compliance support | Expanded use of regulatory sandboxes and additional mechanisms to support implementation and testing. |
2. In-depth explanation of the main changes under the GDPR
2.1. Definition of "personal data" and pseudonymisation
A central element of the proposed amendments under the Digital Omnibus I concerns the definition of personal data and, more specifically, the criterion of identifiability. The proposal clarifies that data should be regarded as personal data – and thus trigger the application of the GDPR – only where an individual can be identified by means reasonably likely to be used in the specific context (referred to as the relative approach).
Closely linked to this clarification, the Digital Omnibus I also revisits the legal treatment of pseudonymised data. In particular, it envisages the introduction of EU-level criteria to assess re-identification risks and to determine whether data resulting from pseudonymisation may, for certain recipients, be considered non-personal data.
This approach aligns with recent case law of the Court of Justice of the European Union endorsing a relative approach to the notion of personal data, under which the qualification depends on the recipient’s realistic ability to re-identify individuals (see, in particular, C-413/23, European Data Protection Supervisor v. Single Resolution Board – Banco Popular, and our L&S Insight from September 2025, Recent developments in Swiss and EU data protection rules). In practice, these clarifications may lead to a more nuanced application of the GDPR, as certain datasets currently treated as personal data may fall outside its scope where identification is not reasonably likely in the specific circumstances.
2.2. Data subject access requests (DSAR)
With respect to DSARs under Article 15 GDPR, the Digital Omnibus I clarifies the conditions under which such requests may be considered manifestly excessive. In particular, it expressly recognises that an access request may be regarded as excessive where the data subject exercises the right of access for purposes other than the protection of personal data.
From a Swiss law perspective, a comparable approach already applies, as Swiss Supreme Court case law recognises that data controllers may refuse DSARs where they pursue purposes unrelated to data protection or are manifestly abusive.
2.3. Data protection impact assessments (DPIA)
The Digital Omnibus I introduces significant changes to the framework governing DPIAs. Under the current GDPR regime, controllers are required to conduct a DPIA where processing is likely to result in a high risk to the rights and freedoms of natural persons. This assessment obligation is currently supplemented by lists maintained by national supervisory authorities identifying processing activities that require, or do not require, such assessments.
The proposal replaces this fragmented approach with a harmonised EU-level system. It provides for the adoption of a common list of processing operations requiring a DPIA, as well as a mandatory list of processing operations for which a DPIA is not required (EU-wide white list). These lists would be prepared by the European Data Protection Board (EDPB) and adopted by the Commission through implementing acts.
2.4. Processing of personal data for AI development and operation
The Digital Omnibus I clarifies that the processing of personal data for the development and operation of AI systems may rely on legitimate interest as a lawful basis within the meaning of Article 6(1)(f) GDPR, subject to appropriate safeguards and without prejudice to specific situations in which consent is required under EU or national law.
The proposal also addresses the practical reality that AI development and operation typically involve large datasets, which may contain special categories of personal data (sensitive personal data). To that end, it introduces a derogation from the general prohibition applicable where the controller does not intend to process such data but encounters them incidentally. Controllers must nevertheless implement appropriate technical and organisational measures to avoid processing sensitive personal data. Where sensitive data are identified, controllers must remove them or, where removal would require disproportionate effort, ensure that they are effectively protected against use for output generation, disclosure or other forms of availability to third parties.
2.5. Notification of personal data breaches
The Digital Omnibus I revises the personal data breach notification regime by raising the notification threshold from "risk" to "high risk". This change significantly narrows the number of situations in which a breach must be reported to the competent supervisory authority.
In addition, the proposal seeks to further harmonise breach reporting at EU level through the introduction of a common notification template and an extension of the notification deadline from 72 hours to 96 hours. It also introduces a single entry point for incident reporting under various EU regulations (including NIS2). The single reporting platform is intended to be operated by ENISA.
2.6. Cookies and online tracking
The Digital Omnibus I proposes targeted simplification measures aimed at addressing persistent issues of consent fatigue and the limited effectiveness of cookie banners. The current proposal revises the rules governing access to information stored on users' devices. While consent remains the general rule, the scope of consent requirements is narrowed by clarifying that certain low-risk uses of cookies and similar technologies are lawful without consent.
At the same time, the proposal strengthens user control by introducing clearer and more standardised consent mechanisms. Where consent is required, users must be able to give or refuse consent through a single-click option, and controllers are required to respect such choices for a defined period.
3. In-depth explanation of the main changes under the AI Act
3.1. Staggered application of requirements for high-risk AI systems
A first set of amendments concerns the application timelines of selected provisions of the AI Act. In response to delays in the adoption of harmonised standards and the designation of national competent authorities, the proposal introduces a conditional mechanism whereby the application of certain obligations – particularly those relating to high-risk AI systems – is linked to the availability of key compliance tools, such as harmonised standards, common specifications and guidance issued by the European Commission.
The revised timing framework is summarised in the table below.
| Category | Trigger for application | Transition period | Latest backstop date |
| --- | --- | --- | --- |
| High-risk AI systems (Annex III – stand-alone) | Commission decision confirming the availability of harmonised standards, common specifications or guidance. | 6 months from the Commission decision. | 2 December 2027 |
| High-risk AI systems (Article 6(1) & Annex I – embedded in regulated products) | Commission decision confirming the availability of harmonised standards, common specifications or guidance. | 12 months from the Commission decision. | 2 August 2028 |
| Transparency obligation for AI-generated content (Article 50(2)) | AI systems placed on the market before 2 August 2026. | 6-month grace period. | 2 February 2027 |
3.2. Proportionality and simplification of obligations
The Digital Omnibus II further seeks to ensure that compliance obligations under the AI Act remain proportionate to their underlying objectives. To that end, certain mitigating measures currently available to SMEs are proposed to be extended to SMCs[1].
The proposal also revisits selected obligations that have raised significant compliance concerns. In particular, the current obligation for companies to ensure a sufficient level of AI literacy is replaced by a softer framework, under which the Commission and Member States are tasked with encouraging providers and deployers to promote adequate AI literacy.
3.3. Governance and supervisory framework
The Digital Omnibus II simplifies the governance framework of the AI Act by further centralising the supervision of certain categories of AI systems at EU level. In particular, the role of the AI Office is reinforced with respect to the oversight of general-purpose AI models and AI systems built on such models.
3.4. Compliance support and operational refinements
Finally, the Digital Omnibus II expands the set of measures designed to support stakeholders in complying with the AI Act. This includes extending, under controlled conditions, the possibility to use sensitive personal data for bias detection and correction beyond high-risk AI systems. The proposal also reinforces the role of AI regulatory sandboxes and enables the establishment of EU-level sandboxes for AI systems, to be operated under the supervision of the AI Office.
[1] These mitigating measures include simplified technical documentation requirements, proportionate quality management systems adapted to the size and resources of the entity, more favourable treatment in the calculation of administrative fines and specific consideration of the needs of SMEs (undertakings with fewer than 250 employees and either an annual turnover not exceeding EUR 50 million or a balance sheet total not exceeding EUR 43 million) and SMCs (undertakings that are not SMEs with fewer than 750 employees and either an annual turnover not exceeding EUR 150 million or a balance sheet total not exceeding EUR 129 million) in the development of voluntary codes of conduct and guidance.
4. Outlook
The Digital Omnibus initiative reflects a clear shift in the EU’s approach to digital regulation. Rather than further expanding the regulatory framework, the European Commission seeks to recalibrate and streamline existing instruments in response to practical implementation challenges identified in both data protection and artificial intelligence.
For Swiss companies, these developments are particularly relevant. Many Swiss entities are directly subject to the GDPR as a result of their activities in the EU. In addition, EU regulatory developments continue to be closely monitored by the Swiss data protection authority and, in certain situations, taken into account in its supervisory practice.
At this stage, the Digital Omnibus package remains at the proposal phase and will be subject to further discussion and potential amendments during the legislative process, with possible entry into force around mid-2027.
From a practical perspective, several of the proposed adjustments may ease certain compliance burdens, notably by clarifying key concepts, narrowing selected obligations and introducing more harmonised procedures. At the same time, the revisions also introduce new points of attention. In the area of data protection, changes affecting access rights, breach notification thresholds and the treatment of pseudonymised data will require a careful reassessment of existing compliance frameworks. In the field of artificial intelligence, the recalibration of timelines, governance structures and obligations applicable to high-risk AI systems calls for close monitoring, particularly for organisations developing or deploying AI solutions with EU relevance.
Please do not hesitate to contact us in case of any questions.
Legal Note: The information contained in this Smart Insight newsletter is of general nature and does not constitute legal advice.