What to know about the European Commission’s Digital Omnibus Package

Summary

Compliance teams know the problem well: managing GDPR obligations, NIS2 incident reporting, ePrivacy cookie rules, and AI Act requirements means juggling separate processes, deadlines, and authorities. 

A single data breach can trigger three different notification procedures. A marketing campaign requires navigating consent rules spread across multiple regulations.

The European Commission’s Digital Omnibus Package, published November 19, 2025, aims to fix this. The proposal consolidates overlapping requirements, streamlines incident reporting into a single portal, and recalibrates consent mechanisms to reduce friction. It’s the most significant regulatory simplification since the GDPR took effect in 2018.

For organizations managing EU compliance, the question isn’t whether to prepare but how to prepare now, so that the transition is smooth when the provisions become law, which is expected in 2026.

  • The Digital Omnibus amends the GDPR, Data Act, AI Act, NIS2, ePrivacy, and DORA to eliminate compliance overlap.
  • It introduces consent changes such as single-click accept/reject, six-month moratoriums after refusal, and browser-level preference signals.
  • This EU digital regulations update proposes one portal for incident reporting and replaces separate notifications under GDPR, NIS2, DORA, and other frameworks.
  • Enforcement is expected by mid-to-late 2026 to align with AI Act high-risk obligations.
  • AI development gets clarity with the Digital Omnibus Act, as legitimate interest now explicitly covers model training with personal data.

What is the Digital Omnibus Act?

The Digital Omnibus Act is a legislative package that simplifies EU digital regulations by amending multiple existing laws at once. Instead of creating new rules, it aims to fix overlaps and contradictions across the General Data Protection Regulation (GDPR), Data Act, AI Act, ePrivacy Directive, NIS2, and Digital Operational Resilience Act (DORA).

The goal is straightforward: reduce compliance costs while maintaining privacy protections. The Commission estimates these changes could save businesses up to EUR 5 billion by 2029 by eliminating duplicate reporting and streamlining consent processes.

The package actually consists of two proposals:

  • One covering data, privacy, and cybersecurity 
  • One focusing specifically on AI compliance

Together, they represent the first systematic effort to untangle what has become an increasingly complex regulatory web.

Businesses told the Commission throughout 2024 and 2025 that overlapping rules, inconsistent national implementations, and fragmented reporting requirements were slowing them down. The Digital Omnibus responds by consolidating processes and creating interoperable compliance infrastructure.

Digital Omnibus Act vs GDPR, DSA, and DMA

To clarify, the Digital Omnibus doesn’t replace the GDPR, the Digital Services Act (DSA), or the Digital Markets Act (DMA). It modifies the GDPR to reduce overlap with other regulations and creates unified enforcement mechanisms.

For instance, cookie consent currently lives under the ePrivacy Directive, but the Digital Omnibus moves it to Art. 88a GDPR. This consolidates personal data processing rules in one framework, which determines which authorities have jurisdiction and what enforcement mechanisms apply.

The same logic applies to incident reporting. Right now, a data breach might trigger a GDPR notification, NIS2 reporting, and DORA requirements simultaneously. The Digital Omnibus creates one portal where organizations submit once, and the system routes notifications to the right authorities.

Ultimately, the Digital Omnibus doesn’t replace existing regulations. It modifies them to work better together. Here’s how it relates to GDPR, DSA, and DMA.

| Regulation | What it does | How the Digital Omnibus affects it |
|---|---|---|
| GDPR | Sets rules for processing personal data and protecting privacy | Directly amended: Changes breach reporting thresholds, extends notification deadlines, moves cookie consent from ePrivacy to GDPR, and adds AI training clarifications |
| DSA | Requires online platforms to moderate content and be transparent about algorithms | Not amended: Remains separate, but AI Office will oversee AI systems used by platforms covered under DSA |
| DMA | Stops big tech companies from abusing their market power | Not amended: Compliance with DMA drove Google and Microsoft to create consent mode requirements |

What’s included in the Digital Omnibus?

The EU’s digital omnibus regulation is less about creating new rules and more about adjusting how existing ones work together. It fine-tunes data protection, consent, cybersecurity, and AI governance by narrowing definitions, aligning timelines, and reducing duplication across frameworks.

Here are the key amendments it introduces.

Digital Omnibus GDPR changes

For starters, GDPR obligations will become more targeted. Breach reporting thresholds rise to match the “high risk” standard, and organizations get up to 96 hours to notify authorities instead of 72. 

The definition of personal data also tightens, excluding data held by entities that do not have the means reasonably likely to identify individuals.

At the same time, controllers gain limited flexibility to refuse data subject requests that amount to an abuse of rights, although regulators will still need to clarify where that line sits.

Consent rules will also be adjusted with usability in mind. Accepting and rejecting consent must require the same level of visibility and effort, effectively ending multi-step rejection journeys. 

Once a user declines consent, organizations cannot ask again for the same purpose for six months unless the processing changes in a meaningful way. 

However, some low-risk activities, such as first-party analytics used only for internal purposes, may fall outside consent requirements altogether, while third-party analytics and advertising remain fully covered.

Machine-readable preference signals

Rather than relying on banners, the regulation will lean more heavily on machine-readable privacy signals. Individuals will be able to express their preferences through browsers, operating systems, or app stores, and websites will be expected to respect those choices automatically.

However, media service providers are treated differently, and may still present their own consent interfaces even where browser-level signals indicate refusal.

Cyber incident reporting

In parallel, cyber incident reporting is streamlined. A single reporting portal will replace the current patchwork of notification obligations. Organizations will submit one standardized report, which is then routed to the appropriate authorities under the GDPR, NIS2, DORA, eIDAS, and CER. 

The system is expected to be operational within 18 months of the regulation entering into force.

AI Act changes

The omnibus package also makes targeted adjustments to the AI Act. Processing personal data for AI model development and operation is explicitly recognized as a legitimate interest under the GDPR. There will also be a clear legal basis for processing special category data to detect and correct bias, and high-risk AI obligations are delayed until technical standards and support tools are in place.

Responsibility for AI literacy shifts away from individual organizations toward the Commission and EU Member States, while existing compliance relief for SMBs is extended to small mid-cap companies.

Data Act consolidation

Finally, several data-sharing frameworks are folded into a single structure. The Data Governance Act, Open Data Directive, and Free Flow of Non-Personal Data Regulation are consolidated into the Data Act. This reduces overlap and tracking burden while strengthening protections around trade secrets and transfers to third countries.

What is the timeline for the adoption of the EU’s digital omnibus regulation?

The Digital Omnibus entered the ordinary legislative procedure in November 2025. The European Parliament and Council must review, debate, and negotiate the proposals before adoption.

No official timeline exists yet, but the urgency is clear. While some AI Act rules were supposed to start in August 2026, the Omnibus actually plans to push that date back to late 2027. This gives businesses more time to prepare and ensures they aren’t guessing the rules and how to apply them before the official technical standards are even finished.

Here’s the likely sequence:

Commission proposal (completed November 19, 2025)

The Commission published draft text and impact assessments.

Parliament and Council review (Q1-Q2 2026, estimated)

Both institutions examine proposals and develop position papers outlining desired amendments.

Trilogue negotiations (Q2-Q3 2026, estimated)

Representatives from the EU Commission, Parliament, and Council negotiate compromises on contested provisions.

Final adoption (Q3-Q4 2026, estimated)

To ensure the proposed AI Act delays take effect before the original deadline of August 2, 2026, the Parliament and Council are expected to fast-track negotiations.

Entry into force (variable)

Different provisions will have different effective dates. Cookie consent changes would take effect six months after entry. Machine-readable signal obligations would begin 24 months after the relevant standards are adopted.

The single-entry notification point needs 18 months after entry into force to become operational since it must integrate with European Business Wallets for entity identification.

Organizations shouldn’t wait for final adoption to prepare. The core direction is clear, even if specific details change during negotiations.

Why the Digital Omnibus Act matters for businesses

The Digital Omnibus isn’t just about simplifying regulations. It changes how organizations operate, how marketing teams measure performance, and how product teams build with AI. These changes create both immediate challenges and strategic opportunities.

Here’s what companies need to know.

Compliance costs drop significantly

The Commission projects up to EUR 5 billion in savings by 2029. These savings come from eliminating duplicate reporting, reducing unnecessary consent requests, and consolidating fragmented data-sharing regimes.

Organizations currently manage separate breach notifications under the GDPR, incident reports under NIS2, and operational resilience notifications under DORA. The single-entry point consolidates all of this. File once, and the system handles the rest.

Single-click consent rejection mechanisms and six-month moratoriums may reduce consent rates if opting out becomes easier. However, browser-level preference signals could increase consent stability. Once individuals set preferences, those choices persist across sites.

Marketing teams should model both scenarios. Lower consent rates that remain stable make attribution more reliable than higher but volatile rates. If banner interactions decrease through browser signals, user experience improves while compliance burden drops.

The proposal clarifies that processing personal data for AI model development falls under legitimate interest in Art. 6 GDPR. This removes ambiguity around using personal data for model training.

The explicit legal basis for processing special category personal data for bias detection provides operational clarity, too. Organizations can incorporate fairness testing without navigating complex consent requirements for each data subject.

Multi-jurisdiction compliance simplifies

National implementations of various directives currently create inconsistent requirements. The Digital Omnibus emphasizes harmonized templates, unified reporting, and consolidated frameworks. This reduces complexity for organizations operating across EU Member States.

The digital omnibus consent requirements reshape how businesses collect and honor user choices. But organizations don’t need to wait for final adoption to see where this is headed — Google, Microsoft, and Amazon are already enforcing the future the Digital Omnibus describes.

The proposals introduce three core changes:

Single-click accept and reject

Consent banners must present “Accept All” and “Reject All” with equal visual prominence and complexity. No more multi-screen rejection flows.

Six-month moratoriums

Organizations cannot re-request consent for the same purpose for six months once it has been declined. CMPs will need to track refusal timestamps automatically.

Browser-level preference signals

Individuals can set privacy preferences in their browser or operating system, and websites must honor these without showing banners (though media providers may be exempt).

The proposals also clarify that first-party analytics for internal use only may not require consent, while third-party analytics and advertising still do.
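
The three consent changes and the first-party analytics carve-out described above can be combined into one decision per purpose. The following is an added example, not code from the original page or from any CMP vendor; every name is hypothetical, and it assumes calendar-month counting, a version number that marks a meaningful change in processing, and a stand-in value for the browser signal.

```javascript
// Added example: per-purpose prompt decision for a consent manager.
// All names are hypothetical. The browser-level signal is modeled as a plain
// input value because its technical standard is not finalized.
const MORATORIUM_MONTHS = 6;

// Assumption: "six months" means calendar months, clamped to month end.
function addMonths(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// purpose: { id, version, firstPartyInternalAnalytics }
// record:  last stored choice for this purpose, or null:
//          { status: 'granted' | 'refused', at: Date, purposeVersion }
// ctx:     { now: Date, browserSignal: 'accept' | 'refuse' | null,
//            mediaServiceProvider: boolean }
function decideConsentAction(purpose, record, ctx) {
  // Assumption: this purpose was classified as internal first-party analytics
  // after legal review; the proposal says such use "may" fall outside consent.
  if (purpose.firstPartyInternalAnalytics) {
    return { action: 'process', reason: 'no-consent-required' };
  }
  // A stored choice only counts while the processing is unchanged. A version
  // bump models a meaningful change and lifts the moratorium.
  const current = record && record.purposeVersion === purpose.version ? record : null;
  if (current && current.status === 'granted') {
    return { action: 'process', reason: 'stored-consent' };
  }
  if (current && current.status === 'refused') {
    const nextPromptAt = addMonths(current.at, MORATORIUM_MONTHS);
    if (ctx.now < nextPromptAt) {
      return { action: 'block', reason: 'moratorium', nextPromptAt };
    }
  }
  // Assumption: a site-specific stored choice outranks the general browser
  // signal; the signal decides only when no valid stored choice applies.
  if (ctx.browserSignal === 'refuse' && !ctx.mediaServiceProvider) {
    return { action: 'block', reason: 'browser-signal' };
  }
  if (ctx.browserSignal === 'accept') {
    return { action: 'process', reason: 'browser-signal' };
  }
  return { action: 'prompt', reason: 'no-valid-choice' };
}

// Constructed sample data.
const ads = { id: 'advertising', version: 1, firstPartyInternalAnalytics: false };
const refusal = { status: 'refused', at: new Date('2026-01-15T10:00:00Z'), purposeVersion: 1 };
const noSignal = { now: new Date('2026-05-01T00:00:00Z'), browserSignal: null, mediaServiceProvider: false };
console.log(decideConsentAction(ads, refusal, noSignal));
```

Storing the purpose version alongside each refusal is what lets an audit show why a banner was or was not displayed on a given date.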

These aren’t theoretical future requirements. Major ad platforms have already implemented similar mechanisms, showing exactly how this works in practice.

Google Consent Mode became mandatory on March 6, 2024, for Google Ads and Google Analytics users in the EEA, UK, and Switzerland. It changes how Google tags behave based on user consent. When consent is declined, Google relies on modeling and anonymized measurement instead of personalized tracking.

Microsoft UET Consent Mode followed for Universal Event Tracking users with visitors in the EEA, UK, or Switzerland. However, Microsoft takes a stricter approach than Google. There is no conversion modeling. Tracking either happens with consent or not at all.

Lastly, Amazon’s consent signal requirements reflect the same shift. Organizations using Amazon advertising or analytics tools need to ensure consent signals reach Amazon’s tracking systems to preserve campaign performance in European markets.

Together, these platform changes align with the direction of the Digital Omnibus proposals. Consent management is no longer optional infrastructure for digital marketing in Europe. Treating it as a basic compliance task, rather than a core capability, increasingly puts organizations at a disadvantage.

What can companies do now to prepare

Waiting for final adoption means scrambling later. The proposals signal a clear regulatory direction, even if specific details change during negotiations. Organizations that start now will adapt smoothly when provisions become law.

Review existing consent banners and flows against proposed requirements. Check whether “Accept All” and “Reject All” buttons have equal visual prominence and interaction complexity. Can individuals refuse all non-essential purposes with a single click from the first banner layer? Are consent requests presented repeatedly after refusal?

Document which purposes currently rely on consent versus legitimate interest or other legal bases. Organizations that already follow consent best practices will have less work when requirements become mandatory.

Map data processing purposes

Create a detailed inventory of processing purposes across marketing, analytics, and operations. For each purpose, document what personal data is processed, which legal basis applies, which third-party processors are involved, and where consent signals need to propagate.

This mapping exercise often reveals purposes that should rely on consent but currently don’t, or processing that could shift to legitimate interest with proper documentation.

Evaluate CMP capabilities

Assess whether your consent management platform (CMP) infrastructure can accommodate Digital Omnibus requirements. This entails:

  • Single-click accept/reject mechanisms
  • Six-month moratorium tracking after refusal
  • Machine-readable signal recognition (when standards are published)
  • Purpose-based consent granularity
  • Consent signal propagation to all downstream systems
  • Audit trails and consent lineage documentation

If current capabilities fall short, investigate CMP upgrades or alternatives that provide the flexibility needed to adapt as requirements evolve.

Verify that consent choices actually propagate to every system that processes personal data. Common failure points include analytics platforms that load before consent is captured, marketing automation systems that don’t receive updated consent status, and third-party tags that fire regardless of consent state.

Use browser developer tools, tag monitoring solutions, and consent signal validators to identify and remediate these gaps.

Prepare for machine-readable signals

While technical standards for browser-level preference signals aren’t finalized, organizations can prepare by monitoring standard development through W3C and other standards bodies, engaging with browser vendors to understand implementation timelines, and building CMP architectures that can accept consent input from multiple sources.

Plan how to reconcile browser-level preferences with granular purpose-based consent. Consider how media service provider exemptions might apply to specific business lines.

Review incident reporting processes

Assess current breach notification and incident reporting procedures against the single-entry point model. Which incidents currently require reports under the GDPR, NIS2, DORA, or other frameworks? What information overlap exists across different reporting requirements?

Early preparation for consolidated reporting reduces scrambling when the system goes live.

For organizations developing or deploying AI systems, conduct legitimate interest assessments for AI model training using personal data, bias detection using special category personal data, and AI system performance testing.

Document these assessments now, before the Digital Omnibus clarifies that legitimate interest can apply. If legitimate interest doesn’t withstand scrutiny, organizations will need consent infrastructure for AI development activities.

Build cross-functional alignment

Digital Omnibus compliance spans legal, privacy, marketing, product, and technology functions. Establish working groups that monitor legislative developments, assess business impact, coordinate implementation planning, identify budget requirements, and align on risk tolerance.

Organizations where compliance, marketing, and technology teams work in silos struggle to implement complex regulatory changes effectively.

How Usercentrics can help you prepare for the Digital Omnibus Act

The Digital Omnibus proposals confirm what privacy-focused organizations already understand: Consent management has evolved into critical business infrastructure. Organizations need systems built for regulatory change, not point solutions that address yesterday’s requirements.

Usercentrics provides consent management infrastructure designed for the regulatory environment that the Digital Omnibus describes.

Usercentrics is designed for evolving EU regulation

The platform architecture anticipates regulatory changes rather than reacting to them. When the Digital Omnibus introduces machine-readable preference signals, organizations won’t rebuild their consent infrastructure. When six-month moratoriums become mandatory, the logic to enforce them will already exist.

We deliver flexible consent logic

Purpose-based granularity is built in. Users can consent to analytics while declining advertising. They can accept functional cookies while refusing personalization. This flexibility becomes critical as the Digital Omnibus clarifies low-risk exemptions while maintaining strict requirements for marketing and profiling.

UX-safe consent design

Equal prominence for accept and reject options isn’t an afterthought. Single-click refusal isn’t a feature. These are baseline design principles. Dark patterns and manipulative interfaces have drawn regulatory scrutiny. Organizations need consent experiences that individuals can understand and trust.

Easy updates as regulations evolve

The platform can be configured rather than custom-coded for each regulatory change. When the Digital Omnibus becomes law, organizations update configurations, adjust purpose classifications, and verify signal propagation. No redevelopment required.

The reality is that the Digital Omnibus won’t be the last change to Europe’s digital regulatory framework. Organizations need consent management infrastructure that handles ongoing complexity without constant reinvention.

William Newmark