Clifford Chance

Talking Tech

EDPB and EDPS opine on bold changes to European digital regulation as proposed in Digital Omnibus

Data Privacy Cyber Security 24 February 2026

The European Commission's package of simplification proposals seeks to recalibrate core EU digital laws. These proposals are split across the "AI Omnibus", which focuses on the EU AI Act, and the "Digital Omnibus" which proposes changes to a number of laws relating to data, cyber and digital platforms, including the GDPR, the ePrivacy Directive and the Data Act.

In their Joint Opinion 2/2026 (Opinion) on the Digital Omnibus, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) broadly support the harmonisation and compliance burden reduction aims of the proposals, but raise significant concerns that they risk narrowing the scope of data protection and create legal uncertainty. At a high level, the Opinion is:

  • opposed to proposals amending the scope of the GDPR;
  • in favour of reforms to breach notification requirements – and in fact suggests similar changes could be made to notification requirements under other EU laws to promote harmonised incident reporting;
  • otherwise characterised by qualified support for the proposals: endorsing simplification in principle while calling for clearer drafting, tighter limits, and stronger institutional independence.

This article highlights ten key areas where the regulators’ views may be particularly influential as legislative negotiations progress.

1. Definition of personal data: EDPB-EDPS opposed

Digital Omnibus proposal:

  • Codifying a subjective approach to the definition of personal data under the GDPR, focusing on whether a given entity can reasonably identify an individual.
  • Empowering the European Commission to adopt implementing acts specifying the technical means and criteria to determine when pseudonymised data can be considered to no longer be personal data for a given entity.

EDPB-EDPS position:

  • Opposed. They consider the proposal narrows the GDPR's scope, potentially creating legal uncertainty and enabling circumvention of data protection rules. They argue the proposal selectively codifies case law, departs from CJEU jurisprudence and overlooks the concept of 'singling out'.
  • They also object to granting the European Commission powers over implementing acts on pseudonymisation, arguing this should remain under independent supervisory oversight.

So what? If the proposals are passed as they stand despite the EDPB-EDPS objections, the GDPR's scope of applicability would arguably narrow. A more targeted scope could have material benefits depending on how the measures are implemented.

2. Personal data breaches and incident reporting: EDPB-EDPS supportive

Digital Omnibus proposal:

  • Raising the threshold so only personal data breaches likely to result in a "high risk" to individuals would need to be notified to data protection supervisory authorities.
  • Extending the notification deadline from 72 to 96 hours.
  • Empowering the EDPB to develop a common EU template for GDPR breach notifications, for adoption by the European Commission.
  • Establishing a single-entry point for incident reporting across multiple EU digital laws.

EDPB-EDPS position:

In favour. However, they propose:

  • similar modifications to breach notification timing requirements in other laws (such as DORA) for greater harmonisation;
  • exclusive EDPB competence to develop breach notification templates, without European Commission modification.

So what? The proposals could introduce more harmonised reporting of data breach and cyber incidents across the EU, including raising the regulatory reporting threshold and extending deadlines for personal data breaches under the GDPR.

3. Data processing in the context of AI: Qualified support from the EDPB-EDPS; additional safeguards required

Digital Omnibus proposal:

  • Confirming legitimate interests as a possible legal basis for AI development and operation, subject to a balancing test, while allowing Member States to require consent.
  • Permitting the 'residual' processing of special category data in the context of the development and operation of AI, subject to safeguards.

EDPB-EDPS position:

  • They support reliance on legitimate interests but propose additional safeguards, including defining 'enhanced transparency'. They also propose amending the existing Article 21 (Right to object) rather than creating a new provision on the right to object.
  • They recommend tightening provisions on residual processing of special category data, clarifying scope, lifecycle safeguards and the interplay with the proposed provision in the AI Omnibus on processing special category data for bias detection and correction.

So what? Businesses may have a clearer legal framework for developing, deploying and using AI if legislators can thread the needle between simplification, clarity and appropriate safeguards.

4. Cookies and similar technologies: Qualified support from the EDPB-EDPS; adjustments suggested

Digital Omnibus proposal:

  • Limiting repeated consent requests within defined timeframes.
  • Two regimes for the protection of information stored on devices – the GDPR applying where the information is personal data and the ePrivacy Directive for non-personal data.
  • New provisions under which the subsequent processing of personal data lawfully obtained from terminal equipment is not captured by consent requirements.
  • Conditional consent exemption for certain first-party, aggregated analytics and audience measurement cookies and confirming consent exemptions for security-related cookies and cookies for delivery of user-requested services.
  • Requiring controllers to ensure recognition of automated and machine-readable cookie preference signals.

EDPB-EDPS position:

Supportive in principle but call for:

  • alignment on the scope between consent and non-consent provisions, particularly with respect to whether 'subsequent processing' is covered;
  • clear limits and definitions for analytics and audience measurement exemptions; clarification that the aggregated analytics and audience measurement data includes data collected by a provider of an online service and data collected by a processor acting on their behalf;
  • an additional 'contextual advertising' use case not requiring consent;
  • regarding automated cookie preference signals, clarifying that 'controller' refers both to the controller of a website and the third-party cookie provider, including consumer mobile and desktop operating systems in scope and removing special treatment for media services providers.

So what? These changes would represent a substantial departure from existing practice and are likely to draw close scrutiny from policymakers, reflecting unresolved tensions between user control, regulatory coherence, technical practicality, and wider economic and business implications.

5. Scientific research and compatible processing: Qualified support from the EDPB-EDPS; clarifications suggested

Digital Omnibus proposal:

  • Introducing a new definition of "scientific research", including to codify research in support of a commercial interest.
  • Clarifying compatible processing – for example, for further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
  • Introducing a new limited derogation from transparency obligations.

EDPB-EDPS position:

  • Supportive but recommend further clarifications and amendments, including delineation of what constitutes scientific research, with specific recommendations for changes to the proposed definition.

So what? The proposals may facilitate increased and more effective use of data in contexts such as scientific or historical research.

6. Biometric data for identity verification: Qualified support from the EDPB-EDPS; additional safeguards suggested

Digital Omnibus proposal:

  • Introducing a derogation allowing processing of biometric data where verification uses data under the user's sole control (for example, on-device facial recognition).

EDPB-EDPS position:

  • Supportive but recommend using less intrusive alternatives where available and effective, or when the negative impact on data subjects’ fundamental rights and freedoms outweighs the benefits, and recommend removing the reference to the processing being "unlikely to create significant risks", noting that a DPIA will still be required.

So what? It may become easier to deploy biometric authentication mechanisms.

7. DPIAs: EDPB-EDPS supportive

Digital Omnibus proposal:

  • Requiring the EDPB to develop EU-wide lists of processing activities requiring, or not requiring, a DPIA, replacing the current disparate national lists.
  • Requiring the EDPB to develop a common EU DPIA methodology and template.

EDPB-EDPS position:

  • Supportive but consider that the EDPB should have exclusive responsibility for these lists, without the ability for the European Commission to modify them.

So what? Businesses would need to update their DPIA template and process to align with EU-wide triggers and content requirements.

8. Abuse of the DSAR process: Qualified support from the EDPB-EDPS; adjustments suggested

Digital Omnibus proposal:

  • Permitting a controller to reject a DSAR where the right of access is abused by an individual, including where a DSAR is submitted for purposes other than protecting their data or where they excessively use the right of access with the intent of causing damage or harm to the controller.

EDPB-EDPS position:

  • The limitation based on 'abuse of rights' should be linked to the existence of an abusive intention. They do not support linking an 'abuse of rights' to the exercise of the right of access for purposes other than data protection. They recommend maintaining current thresholds and burdens of proof for the assessment of 'excessive' and 'manifestly unfounded' requests.

So what? For some businesses, the proposal would see a reduction in the volume of DSARs or allow a greater proportion of DSARs to be challenged.

9. Transparency exemption: Qualified support from the EDPB-EDPS; clarifications suggested

Digital Omnibus proposal:

  • Exempting controllers from presenting privacy information in certain circumstances, provided that the controller can reasonably assume that the individual already has the necessary information and the organisation does not carry out certain types of transfer or processing.

EDPB-EDPS position:

  • They call for clarification of the scope of this new exemption removing the notion of 'reasonable grounds to assume' and including in the provision that the controller would still be required to provide all information listed in Article 13 upon request (and that the data subject should be informed of this).

So what? The proposals are intended to impact clubs, associations and small / community businesses, who may benefit from privacy notice exemptions.

10. Contractual necessity and automated individual decision-making: Qualified support from the EDPB-EDPS

Digital Omnibus proposal:

  • Clarifying that the availability of non-automated alternatives does not prevent reliance on 'contractual necessity' for significant ADM under Article 22 GDPR.

EDPB-EDPS position: 

  • Qualified support. They emphasise that the general prohibition on significant ADM should remain, caution against overbroad reliance on contracts, and call for clearer guidance on assessing “necessity”.

So what? The GDPR rules for automating certain processes may become clearer, for example in relation to filtering job applications.

Other proposed changes

In addition to proposing changes to the GDPR and ePrivacy Directive, the Digital Omnibus also proposes various changes relating to the data acquis, covering matters such as making data available to public-sector bodies in a public emergency, data intermediation services, and cooperation between competent authorities. The Opinion also addresses these other changes from the Digital Omnibus.

See also

The Digital Omnibus proposal was accompanied by a parallel digital omnibus proposal on artificial intelligence (AI Omnibus), which proposed numerous amendments on the content and application of the EU AI Act. The EDPB and EDPS adopted their Joint Opinion 1/2026 in response to the AI Omnibus on 20 January 2026.

Also on 20 January 2026, the European Commission proposed a new cybersecurity package intended to strengthen the EU's cybersecurity resilience and capabilities. The package responds to the increasing threat of cyber and hybrid attacks on essential services and democratic institutions. It has two parts: the first proposes to amend and restate the EU's Cybersecurity Act with a new version and the second to amend the NIS2 Directive.

If your business is also subject to UK data protection and e-privacy law, you should already have prepared for changes to the UK GDPR and The Privacy and Electronic Communications (EC Directive) Regulations 2003 introduced by the Data (Use and Access) Act 2025 (DUA Act). Key changes to the UK data protection regime introduced by the DUA Act – some of which touch on similar issues to the Digital Omnibus proposal – came into effect on 5 February 2026. Controllers must have an operational privacy-complaint mechanism by 19 June 2026 (businesses that use the EU GDPR as their high-water mark for data protection obligations should take special note, as these provisions now exist in the UK GDPR but do not exist in the EU GDPR).

What happens next?

The Digital Omnibus (and the AI Omnibus) proposals are only the first step in a legislative process. Further engagement with businesses and civil society is expected in the coming months as the Member States and lawmakers consider their positions.

The proposals will require approval from the European Parliament and the Council of the European Union before they can become law. Businesses may nonetheless wish to assess the impact of the proposals on their activities – including where you currently use EU regulation as a high-water mark as part of a cross-border data protection compliance programme – and consider engaging with the legislative process where appropriate given this significant opportunity to help shape the EU digital rulebook on a large scale.

Opportunities for engagement include:

  • the current consultations on both proposals within the Digital Omnibus (currently open until 13 March 2026 for the AI Omnibus, and until 15 March 2026 for the broader Digital Omnibus); and
  • the public consultation and call for evidence to further evaluate existing EU digital legislation in the context of the Digital Fitness Check. This is the second stage of the Commission's plan to simplify and streamline the EU's digital rules. The consultation is currently open until 11 March 2026 and relates to, among other things, an assessment of how different laws work together, identifying overlaps and inconsistencies in legal definitions, requirements, scope and supervision.