On 19 November 2025, the European Commission published a proposal for amendments to rules designed to simplify the digital domain.[1] The regulations containing the amendments are also referred to as the 'Digital Omnibus'. Broadly speaking, the proposal suggests relaxations and amendments to a wide range of EU regulations, including the GDPR, AI Act and Data Regulation. In addition, it is proposed that a number of smaller, more specific laws be repealed and merged into two existing Regulations. This will include the rules of, among others, the Data Governance Regulation, the Open Data Directive and the Regulation on the Free Movement of Non-Personal Data in the General Data Protection Regulation and the Data Regulation.[2]
The simplifications in the Digital Omnibus are in line with the European Commission's objective of simplifying, clarifying and improving the set of rights and obligations arising from Union law, thereby supporting the EU's competitiveness.[3] As the Digital Omnibus aims to implement a large number of changes, the following section will focus on the changes that are most relevant to the private sector.
Status of the Digital Omnibus
Before discussing the content of the Digital Omnibus, it should be noted that these regulations are still in the early stages of the European legislative process. The document published on 19 November 2025 is only a proposal for regulations submitted by the European Commission to the European Parliament and the Council. The latter parties still have to discuss, possibly amend and approve the proposal. In addition, opinions must be sought from the European Economic and Social Committee and the Committee of the Regions. Only after the entire legislative process has been completed and approval has been obtained from the European Parliament and the Council, the Omnibus Regulation will enter into force.
General Data Protection Regulation
Firstly, the Digital
Omnibus proposes amendments to the General Data Protection Regulation (GDPR).
Below, we discuss the most important of these.
The first proposal
concerns the specification that the legal basis of 'legitimate interest' within
the meaning of Article 6(1)(f) of the GDPR can serve as a basis for training
and testing AI. This means that the consent of the data subjects is not (or no
longer) required in all cases. It is important to note that companies must
continue to carry out the legitimate interest test in order to be allowed to
process and use personal data for AI training.[4] In order to invoke
the basis of legitimate interest, three cumulative conditions must be met: 1) there
must be a legitimate interest on the part of the controller or a third party,
2) there must be a necessity to process personal data in order to represent
that legitimate interest, and 3) the interests or fundamental rights and
freedoms of the data subject must not override the legitimate interest of the
controller or a third party (without prejudice to the other obligations under
the GDPR). The change envisaged
in the Digital Omnibus is far-reaching; legitimising the use of personal data
in AI training is not based on established case law and is also at odds with
existing guidelines regarding the GDPR grounds for justification. These grounds
for justification essentially mean that consent is usually required for the
training and implementation of AI algorithms. Amendment of the
definition of personal data The definition of
personal data has also been updated in the proposal. It adds that personal data
does not exist if a processing entity does not have the reasonable means to
trace a (pseudonymised) piece of data back to a natural person.[5] This change is in
line with recent rulings by the Court of Justice.[6] Relaxation of the
duty to provide information Under the proposal,
controllers will also no longer be required to inform data subjects by means of
a privacy statement where there is a low risk associated with the use of
personal data and there are reasonable grounds to believe that the data subject
already knows who the controller is and why their personal data is being
processed.
Artificial Intelligence Regulation (AI Act)
A number of amendments have also been proposed regarding the Artificial Intelligence Regulation (AI Act), which Act recently entered into force (in part).
Special categories of personal data AI
The Digital Omnibus includes a provision relating to the AI Act. Based on this provision, providers and user controllers of AI systems may process special categories of personal data in order to detect and correct bias in AI systems under certain conditions.[7] In parallel with this, and as mentioned earlier, the rules regarding special categories of personal data under the GDPR will be relaxed when these are processed for AI development. A new article has been proposed, which will provide a new basis for the processing of special categories of personal data in relation to the development of AI systems and AI models.
AI literacy
The Digital Omnibus proposes changing the 'AI literacy' obligation to an obligation for the European Commission and Member States to encourage companies to promote AI literacy, rather than placing this obligation solely on companies.[8]
Under the AI Act, only companies have an AI literacy obligation. Both providers and users of AI systems are therefore obliged to take measures to ensure an adequate level of AI literacy among their staff. The AI Act does not list specific measures that must be taken to comply with the AI literacy obligation. However, various guidelines on the AI literacy obligation have been drawn up by the Dutch Data Protection Authority (AP) and the European Artificial Intelligence Office (AI Office), and the European Commission has also published a list of FAQs. For now, it is currently up to organisations using AI to adequately fulfil this legal obligation in a manner that is appropriate to, among other things, the risk profile of the AI use in question, and not to the Member States and the European Commission.
High-risk AI systems
A new timeline has been proposed in the Digital Omnibus regarding the entry into force of the rules for high-risk AI systems under the AI Act. In the proposal, the date of entry into force has become dependent on the European Commission confirming that there are sufficient and adequate instruments in place to support compliance with the rules. This will cause a delay, especially now that the guidelines clarifying the classification and obligations for high-risk AI systems have not yet been drawn up. Originally, the rules for high-risk AI systems were to enter into force on 2 August 2026. However, the proposal from the Digital Omnibus would mean that various parts would not be able to enter into force until 2 December 2027.A final deadline has been set, however: 2 August 2028.[9]
Disclaimer
Please note that this is only a general blog about the Digital Omnibus. For further study, please consult the other information documents about the AI Act from Kienhuis Legal.
If you have any specific questions, please feel free to contact: Roeland de Bruin.
[1]Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus).
[2] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) p.5-6.
[3] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) p.1.
[4] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) p. 34.
[5] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) p.19.
[6] Court of Justice of the European Union 4 September 2025, C-413/23 P, ECLI:EU:C:2025:645.
[7] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI) p.7.
[8] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI) p. 2 & p. 7.
[9] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI) p. 18.
Heeft u vragen?
Neem contact met ons op
Neem contact met ons op