← Back to Insights PL
Regulations 24 November 2025 · 5 min

Digital Omnibus — What the EU's Simplification Package Means for Tech

What Is the Digital Omnibus?

On November 19, 2025, the European Commission published the Digital Omnibus package — a legislative proposal aiming to simplify and harmonize the EU's digital regulatory landscape. The package proposes amendments to several major regulations simultaneously: the AI Act, GDPR, NIS2 (cybersecurity), DORA (financial sector digital resilience), and the Data Act.

AI Act Changes

  • Self-declaration for non-high-risk — providers may self-declare that their AI system is not high-risk, potentially reducing compliance burden
  • Centralized VLOP oversight — AI embedded in Very Large Online Platforms would be supervised by the AI Office, creating a "one-stop-shop"
  • Extended timelines — the proposal links application of high-risk rules to the availability of harmonized standards
  • Sandbox expansion — regulatory sandboxes would be broadened and available from 2028

GDPR Adjustments

  • AI training data processing — clarification of legitimate interest basis for AI training on personal data
  • Credit scoring — specific provisions for automated creditworthiness assessments
  • Breach notification alignment — harmonizing breach reporting with NIS2 and DORA timelines

Cybersecurity (NIS2 + DORA)

  • Single incident reporting point — instead of reporting to multiple authorities, a single channel
  • Aligned notification timelines — reducing the compliance complexity of overlapping deadlines

Timeline and Implications

The Digital Omnibus is now in the ordinary legislative procedure — European Parliament and Council will negotiate. Key considerations:

  • The AI-related changes may need to be adopted before August 2026 for the postponed high-risk implementation dates to take effect
  • Full negotiations may take 9-12 months, meaning some provisions could still be uncertain when AI Act enforcement begins
  • The GDPR changes are potentially more controversial and may be negotiated separately

What to Do Now

  1. Don't pause AI Act preparation — proceed as if August 2026 deadlines stand; the Omnibus may not be adopted in time
  2. Monitor the legislative process — especially the AI Act simplification track
  3. Review incident reporting procedures — if subject to NIS2 and DORA, expect changes to reporting channels
  4. Assess GDPR AI training practices — the Omnibus signals a more permissive approach, but current rules still apply

Want to understand how the Digital Omnibus affects your business? Book a consultation.

Related articles

Author: Przemysław Kołakowski · Legal Counsel · Harbor Legal