On November 19, 2025, the EU Commission (Commission) published a set of legislative proposals to introduce more flexibility into a number of EU digital regulations, including:

• the Digital Omnibus, which amends a number of provisions of the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as the Data Act; and
• the AI Omnibus, which focuses on the AI Act (jointly, the Omnibus Proposals).

The Omnibus Proposals aim to simplify the legal framework for data processing and AI to encourage innovation, and, if enacted, would make several important changes to them.

Key changes include:

• a stronger basis for organizations to process personal data and sensitive personal data for AI training;
• a simplified regime for notifying cybersecurity incidents;
• an extension for the date of applicability of the rules on high-risk AI systems (until December 2027, at the latest); and
• certain potentially important changes to the GDPR, such as redefining the concepts of personal data and sensitive data.

This client alert summarizes some of the key changes set out in the Omnibus Proposals.

Importantly, at this stage, the Omnibus Proposals are only legislative proposals. They would need to be formally adopted by the European Parliament and the European Council (in effect, the EU Member States) for the changes to become legally binding. The EU’s legislative process is typically quite lengthy, and it often takes many months or even years until the EU institutions agree on a final text. Furthermore, the EU institutions may revise the wording proposed by the Commission. It is therefore still too early to determine the precise impact of the Omnibus Proposals for companies, and it will take some time for clarity on the final text to emerge.

The EU’s lengthy legislative process raises a particular challenge for the AI Omnibus, which aims to delay the start date for the rules on high-risk AI systems. Since the start date is currently set as August 2, 2026, lawmakers have no time to waste to agree on an extension of this timing. Otherwise, a scenario looms in which companies face months of uncertainty as to whether the rules will become applicable in August 2026, or not.

Amendments to the GDPR and the ePrivacy Directive

The Digital Omnibus makes several important changes to the GDPR and other regulations. Some of the key changes are:

• The Digital Omnibus intends to facilitate the processing of personal data (and sensitive personal data) for AI model training. The Digital Omnibus suggests including a new article in the GDPR confirming that the legitimate interest legal ground is a valid legal ground for the processing of personal data in the context of the development and operation and AI, provided that certain conditions are met (e.g., conduct (and document) a “balancing test”, ensure data minimization, protect against disclosure of residual data and allow individuals to opt-out).
  
  In addition, the Digital Omnibus aims to provide a legal basis for the processing of sensitive data (e.g., an individual’s ethnicity, health, or sexual orientation) for AI model training, provided attempts are made to identify and remove such sensitive data from the training dataset and, where this would be disproportionate, methods are used to prevent disclosure of the special category data in the output. This is somewhat inconsistent, and hopefully, will be clarified during the legislative process.
• Higher and streamlined breach-notification threshold. The Digital Omnibus raises the notification threshold for breaches that pose a “high risk” to individuals, reducing the number of reportable incidents. The deadline for notifying authorities would be extended from 72 to 96 hours, and the Commission would introduce a single EU-wide template and a single-entry reporting point for submitting breach notifications (valid under GDPR and cybersecurity regulations such as NIS2 and DORA).
• The Digital Omnibus broadens the cases in which information would count as “anonymous” and therefore fall out of scope of the GDPR. The Digital Omnibus proposes amending the GDPR’s definition of personal data to clarify that information will not be considered personal data for a given entity, if that entity has no reasonable way to identify the individual concerned. The Digital Omnibus further proposes empowering the EU Commission to specify the criteria in which pseudonymized personal data would cease to qualify as personal data under GDPR. This proposed change is intended to codify the recent Court of Justice of the European Union decision in EDPS vs SRB, and could have far-reaching implications for organizations processing pseudonymized (e.g., key-coded) data.
• Consolidation of cookie and tracking rules under the GDPR. The Digital Omnibus consolidates cookie and tracking rules under the GDPR. Consent remains required to access or store information on users’ devices, but the proposal expands consent exemptions (including by allowing aggregated audience measurement). In addition, the proposal suggests an EU-wide machine-readable preference signal to be implemented by browsers, operating systems and app stores, offering a unified way for users to express cookie choices.

Amendments to the Data Act

The Digital Omnibus does not propose significant changes to the Data Act, but just some focused revisions. One of the main changes consists in the reduced scope for switching and interoperability obligations. For contracts concluded before September 12, 2025, the Digital Omnibus would limit the Data Act’s switching and interoperability rules by exempting customized (non-IaaS) data processing services and providers that qualify as small and medium-sized enterprises (SMEs) or small mid-cap enterprise (SMC) providers. These exemptions would remove the need to reopen or renegotiate existing agreements, while the obligation to phase out switching fees would still apply.

Amendments to the AI Act

The main changes to the AI Act brought by the AI Omnibus concern the delay in application of the rules on high-risk AI systems, from August 2026 to December 2027, at the latest. Additionally, it introduces some procedural refinements to the AI Act while keeping the core regime intact, including:

• The AI Omnibus defers the applicability of the high-risk AI rules. The applicability of the Annex III high-risk requirements would move from August 2, 2026, to December 2, 2027, at the latest, with the Commission empowered to set an earlier date if the relevant compliance standards (issued by EU standardization bodies) become available. Under the proposal, the regime would apply six months after the Commission decides the relevant standards are available, but no later than December 2, 2027.
• The AI Omnibus creates a grace period for the provenance obligations applying to generative AI. Generative AI systems placed on the market before August 2, 2026, would only need to comply with provenance requirements by February 2, 2027, rather than immediately on the original start date.
• Certain obligations would be simplified for SMEs and SMCs. The AI Omnibus introduces lighter technical documentation and quality management system requirements for these providers when demonstrating compliance with high-risk AI rules.
• The AI Office’s supervisory role would expand. Its mandate would extend beyond general-purpose AI (GPAI) models to also oversee AI systems embedded in very large online platforms and very large online search engines under the Digital Services Act. This change could have significant implications for these companies.
• The registration requirement for providers relying on a derogation to the high-risk requirement would be removed. Certain AI systems used for narrow procedural or preparatory tasks (and not relying on profiling) may be exempt from the high-risk requirements. Providers must currently register those systems in an EU database before relying on the derogation. The AI Omnibus would remove this filing obligation and replace it with an internal documentation duty; providers would record their assessment and make it available to regulators upon request.

Next Steps

Now that the Commission has published its Omnibus Proposals, it will go through the ordinary legislative procedure, which requires the draft to be reviewed (and approved) by the European Parliament and the Council of the European Union. There is no doubt that this process will take time. As a point of comparison, it took four years for the GDPR to become law.

We recommend closely monitoring the Omnibus Proposals as they progress through the EU legislative process. If adopted in their current version, the Omnibus Proposals would significantly change the EU’s digital legal framework, providing more flexibility for companies carrying out data-driven activities in the EU. However, it may take months before EU lawmakers approve a final version of these proposals, and the final text will most likely deviate from the current version.

Wilson Sonsini routinely advises clients on EU data regulatory issues. For further inquiries about the GDPR, the EU’s Data Act, the EU Act, and other EU data regulations, please contact Cédric Burton, Laura De Boel, Yann Padova, Nikolaos Theodorakis, or any attorney from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice.

Carol Evrard, Roberto Yunquera Sehwani, Yaron Moszynski, and Hugh Ó Laoide Kelly contributed to the preparation of this alert.