Data privacy regulations are living documents that change as new technologies emerge and consumer expectations evolve. The EU’s General Data Protection Regulation (GDPR) is no exception.
In 2025, the European Commission introduced the Digital Omnibus Regulation proposal, which would impact certain GDPR obligations and how organizations operationalize privacy.
This article covers what changes the proposed Digital Omnibus package introduces, how it impacts your approach to data privacy compliance, and what you can do to future-proof your business.
At a Glance
- The Digital Omnibus proposal suggests a GDPR regime that’s easier to apply consistently, with clearer boundaries around what is and is not in scope.
- It signals a push to simplify consent experiences while still holding businesses to higher standards of user choice and control.
- It aims to reduce operational burden where processes are being exploited, without changing the core rights people have over their data.
- It suggests more consistency across the EU to make compliance easier to manage for teams operating in multiple countries.
- To future-proof compliance, organizations must build flexible privacy processes, track regulatory shifts, and embed transparency into everyday workflows.
How the Proposed Digital Omnibus Package Impacts the GDPR
The 2025 Digital Omnibus package has not yet been finalized as of April 2026. While proposed changes may not become official for months, it’s worth taking a closer look at what could be impacted.
Here are seven areas where businesses may need to modify their data privacy compliance approach if the proposed updates move forward.
1. Personal Data
One of the most significant updates proposed in the Digital Omnibus package relates to the topic of personal data. To begin, the proposal clarifies that information isn’t considered personal data for a given entity if that entity doesn’t have the “means reasonably likely to be used” to identify the individual.
In other words, whether information counts as personal data could depend on who is processing it. If it is not personal data for that entity, the GDPR would generally not apply to that processing.
The Digital Omnibus also clarifies that pseudonymized and anonymized datasets can be shared with third parties as long as the receiving party does not have the ability to re-identify any individuals.
An e-commerce platform shares a pseudonymized dataset of customer purchase patterns with an analytics vendor, but the vendor has no access to any data that could reasonably be used to identify specific people. For the vendor, the dataset isn’t subject to GDPR requirements.
2. Consent Fatigue
The proposal aims to reduce the total number of cookie banners and pop-ups users encounter by establishing a list of low-risk purposes that would no longer require user consent. Purposes would include audience measurement and website statistics, maintaining or restoring the security of a provided service, and transmitting electronic communications.
The Digital Omnibus estimates that consent will no longer be required for 60 percent of cookies. However, the package’s GDPR cookie reforms aren’t all aimed at loosening requirements.
For instance, the proposal would also require businesses to include a “single-click” button in cookie banners to either accept or refuse all cookies. This would help to ensure that rejecting the use of tracking technologies is just as easy as accepting it.
The package would also protect data subjects from repetitive requests by requiring websites to respect a user’s choice for at least six months. If a user refuses cookies, the controller is prohibited from asking again during that period.
Finally, the Digital Omnibus would require data controllers, except for media services, to respect browser signals, such as Global Privacy Control and other universal opt-out mechanisms, which enable users to set their privacy preferences centrally within their web browser or mobile application. The goal here would be to further reduce consent fatigue.
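The decision logic these three obligations imply (exempt purposes run without consent, a browser opt-out signal counts as a refusal, and a recorded choice suppresses the banner for six months) is easier to get right when written down. The following is an added example in JavaScript and is not code from the original article or from Usercentrics' product. Assumed for the example: the purpose identifiers, modelling "at least six months" as 182 days, the `isMediaService` flag used to express the media-service exception, and the shape of the stored choice record. The signal itself is read the way the Global Privacy Control specification defines it, from `navigator.globalPrivacyControl` in the browser or the `Sec-GPC: 1` request header on the server.

```javascript
// Added example (not Usercentrics code): gating a cookie banner on a browser
// opt-out signal and on a previously stored choice, as the proposal describes.
// Names and durations marked "assumption" are choices made for this example.

// Assumption: "at least six months" modelled as 182 days.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;

// Purposes the article lists as exempt from consent under the proposal.
// Assumption: the identifiers are example names, not a standard taxonomy.
const CONSENT_EXEMPT_PURPOSES = new Set([
  "audience_measurement",
  "service_security",
  "communication_transmission",
]);

// Read the Global Privacy Control signal. Browsers expose it as
// navigator.globalPrivacyControl; the same signal reaches servers as the
// "Sec-GPC: 1" request header. Both are passed in so the function runs
// outside a browser.
function readGpcSignal({ navigatorLike = null, headers = {} } = {}) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  const header = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return header === "1";
}

// Record written by the one-click "accept all" / "refuse all" buttons.
// The timestamp is what makes the six-month suppression checkable later.
function recordChoice(acceptedAll, now = Date.now()) {
  return { acceptedAll: Boolean(acceptedAll), decidedAt: now };
}

// A choice is honoured only if it is well-formed, not future-dated and
// younger than the suppression window.
function isChoiceStillValid(choice, now) {
  return (
    choice !== null &&
    typeof choice === "object" &&
    Number.isFinite(choice.decidedAt) &&
    now - choice.decidedAt >= 0 &&
    now - choice.decidedAt < SIX_MONTHS_MS
  );
}

// Decide whether to show the banner and which purposes may run right now.
// isMediaService (assumption) models the proposal's exemption of media
// services from the browser-signal obligation.
function decideConsentPrompt({
  requestedPurposes,
  gpcSignal = false,
  storedChoice = null,
  isMediaService = false,
  now = Date.now(),
}) {
  const exempt = requestedPurposes.filter((p) => CONSENT_EXEMPT_PURPOSES.has(p));
  const needsConsent = requestedPurposes.filter((p) => !CONSENT_EXEMPT_PURPOSES.has(p));

  // Nothing on the page needs consent: no banner at all.
  if (needsConsent.length === 0) {
    return { showBanner: false, allowedPurposes: exempt, reason: "all_purposes_exempt" };
  }

  // A universal opt-out signal is a refusal and must not be overridden by a
  // banner (media services excepted, as the proposal is described above).
  if (gpcSignal && !isMediaService) {
    return { showBanner: false, allowedPurposes: exempt, reason: "browser_signal_refusal" };
  }

  // A choice younger than six months is honoured without asking again; a
  // refusal in particular must not trigger a new prompt.
  if (isChoiceStillValid(storedChoice, now)) {
    return {
      showBanner: false,
      allowedPurposes: storedChoice.acceptedAll ? [...exempt, ...needsConsent] : exempt,
      reason: storedChoice.acceptedAll ? "stored_acceptance" : "stored_refusal",
    };
  }

  // No valid signal or choice: ask, running only the exempt purposes meanwhile.
  return { showBanner: true, allowedPurposes: exempt, reason: "choice_required" };
}

// Constructed usage: a request carrying Sec-GPC: 1 for a page that wants
// audience measurement plus ad personalisation.
const demoPurposes = ["audience_measurement", "ad_personalization"];
const demoDecision = decideConsentPrompt({
  requestedPurposes: demoPurposes,
  gpcSignal: readGpcSignal({ headers: { "sec-gpc": "1" } }),
});
console.log(demoDecision.reason, demoDecision.allowedPurposes);
```

Two points worth noting from the code: the refusal path carries as much obligation as the acceptance path, since "do not ask again" is the rule the six-month window enforces, and a choice record without a trustworthy timestamp cannot satisfy it; and the browser signal is evaluated before any stored choice, so a banner accepted months ago does not silently outlive a user later turning on Global Privacy Control.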
3. DSARs
The package recognizes that data subject access requests (DSARs) can sometimes be used in an “abusive manner” for purposes other than exercising data subject rights. In cases where a request is clearly abusive, a data controller may either refuse to comply with the request or charge a reasonable fee for fulfilling the request.
The proposal would lower the burden of proof for controllers to demonstrate that a DSAR was excessive or abusive. The intention is to help organizations allocate resources more effectively toward addressing genuine and justified access requests.
These provisions would not remove or weaken data subject rights; they’re simply designed to prevent bad-faith actors from exploiting the system.
A former employee submits dozens of repetitive DSARs within a few weeks, each demanding the same records in slightly different formats. Their clear aim is to disrupt the company rather than access new information. Under the proposal, the company could refuse the excessive requests or charge a fee, provided it can show that they’re abusive.
4. DPIAs
The main change that the Digital Omnibus proposes for data protection impact assessments (DPIAs) is replacing national lists with EU-wide lists.
Currently, national lists help determine when a DPIA is required. Replacing them with a common EU-wide list would help create consensus around what qualifies as a “high-risk” processing activity.
The package also proposes publishing an EU-wide list of processing operations that don’t require a DPIA to further clarify GDPR compliance obligations.
A health tech company that handles special category data for users across various GDPR countries can rely on one EU-wide list to see if the activity is classified as high risk. If it appears on a “no DPIA needed” list, it can proceed without duplicating assessments across multiple national rules.
5. Breach Notifications
The Digital Omnibus also introduces updates to GDPR notification requirements for personal data breaches. Specifically, it aims to raise the threshold for notifying a supervisory authority. The proposal would create a uniform “high-risk” threshold for notifying both supervisory authorities and impacted data subjects.
In other words, controllers would only be required to notify the relevant supervisory authority of a data breach in the event that it’s likely to result in a high risk to the rights and freedoms of individuals.
Additionally, the package introduces a single entry point for reporting cybersecurity incidents and data breaches, managed by the European Union Agency for Cybersecurity (ENISA). Organizations would be able to submit a single report to meet compliance obligations with various laws, including the GDPR, the NIS2 Directive, and the Digital Operational Resilience Act (DORA).
A university discovers that hashed student data was exposed, but there’s no evidence of misuse and the data isn’t likely to create a high risk to individuals. That means the university wouldn’t need to notify the authority under the proposed threshold. That assessment holds only if the hashing genuinely prevents recovery: unsalted hashes of guessable values such as email addresses or student ID numbers can be reversed by brute force, which would change the risk analysis. If the same institution suffers a security incident that does create a high risk, it could file one report through ENISA’s single entry point to fulfill its breach reporting obligations across the GDPR, NIS2, and DORA.
6. SMB Exemptions
Because small and medium-sized businesses (SMBs) are central to Europe’s digital economy, the Digital Omnibus would introduce several exemptions to reduce the administrative and financial burdens placed on smaller businesses.
Smaller businesses in low-risk industries, like tradespeople, hairdressers, or bakers, wouldn’t have to provide repetitive privacy notices if there are “reasonable grounds” to assume the data subject already has the information.
The breach notification thresholds and abusive DSAR provisions mentioned above would also alleviate some of the compliance pressures faced by small businesses with limited resources.
A local nail salon with an online booking system doesn’t have to periodically send privacy notices to returning clients if it has reasonable grounds to believe the client already received the information and nothing has changed.
7. AI
The Digital Omnibus proposes specific amendments to the GDPR to specify how personal data can be used to train and operate AI systems.
The proposal clarifies that AI providers may rely on the legitimate interest legal basis for AI development and operation, as long as they apply enhanced safeguards. However, data subjects must be granted an unconditional right to object to this processing.
The package also introduces special exceptions for the handling of certain sensitive personal data. AI providers and businesses that use this technology would be permitted to process sensitive personal data specifically to support bias detection and correction in LLMs, subject to strong safeguards.
An HR software company trains an AI recruiting assistant on past job applications under legitimate interest, but any applicant can object at any time. The company can temporarily analyze sensitive data like gender or disability status, but only for bias detection and correction, and with strict limits and safeguards in place.
An Overview of Current GDPR Requirements vs Proposed Changes
| Theme | What the GDPR requires now | Proposed Digital Omnibus update |
|---|---|---|
| Personal data | Information counts as personal data if someone can be identified directly or indirectly. Pseudonymized data can still be considered personal data if a party could realistically re-identify people using other information. | Clarifies that data isn’t categorized as personal data for a specific organization if that organization doesn’t have “reasonable” means to identify the person. Pseudonymized/anonymized datasets could be shared if the recipient can’t re-identify people. |
| Consent fatigue (cookies and tracking) | Consent is usually needed for non-essential cookies and similar tracking. Cookie banner design varies, and many sites frequently request consent. Browser privacy signals aren’t consistently honored. | Creates a list of low-risk uses that would not need consent and estimates that this will cover 60% of cookies. Requires one-click “Accept all” and “Refuse all” options. Requires organizations to honor a user’s refusal for at least six months and, except for media services, to respect browser privacy signals such as Global Privacy Control. |
| DSARs | You can refuse or charge a reasonable fee for requests that are clearly unfounded or excessive, but it can be difficult to prove and defend that decision. | Would make it easier for businesses to demonstrate that a request is excessive or abusive, so they could refuse it or charge a reasonable fee in clear bad-faith situations, while keeping normal access rights intact. |
| DPIAs | DPIA triggers are shaped by country-specific lists of what counts as high-risk data processing. If you operate across the EU, you often have to check multiple lists. | Replaces national lists with one EU-wide list for what counts as high-risk processing. Also adds an EU-wide list of processing operations that do not require a DPIA, so it’s clearer when you do and do not need one. |
| Breach notifications | If there is a breach, you generally notify the regulator unless the breach is unlikely to create risk for individuals. You notify affected people only when the breach is likely to create a high risk. | Uses one “high-risk” standard for both regulator and affected-individual notifications. Adds a single reporting entry point managed by ENISA so one report can cover GDPR, NIS2, and DORA reporting requirements. |
| SMB exemptions | The GDPR applies to most businesses in similar ways, even when a small business has limited time and budget. | Adds SMB-friendly carve-outs in low-risk cases, like not having to repeat privacy notices when you have reasonable grounds to assume the person already has the information and nothing has changed. SMBs also benefit from the DSAR and breach-threshold updates. |
| AI and model development | The GDPR applies to AI training and use like any other processing: you need a legal basis and sensitive data is tightly restricted, but the rules aren’t very AI-specific. | States that AI providers can use legitimate interest for AI development and operation if they add stronger safeguards, but people get an unconditional right to object. Allows limited use of sensitive data for LLM bias testing and correction, subject to appropriate security measures. |
How to Future-Proof Your Approach to GDPR Compliance
It is still unclear when or if the Digital Omnibus will take effect, and in what final form. Regardless, businesses need to stay on top of updates to GDPR requirements, both from this proposed package and beyond.
Sometimes, GDPR changes are more nuanced than legislative proposals. “Smart teams track enforcement trends and ongoing regulatory guidance, not just new laws,” says Usercentrics CMO Adelina Peltea.
“GDPR expectations evolve through regulator decisions and real-world cases,” she explains. Staying close to trusted privacy partners and keeping legal, product, and marketing teams aligned helps businesses spot shifts early and adapt faster.
While it’s impossible to completely future-proof your GDPR strategy, you can still create a resilient approach to data privacy compliance.
“Build privacy into your products and marketing from the start, invest in flexible consent infrastructure, and treat transparency as a core user experience principle,” recommends Peltea. “When privacy supports trust, compliance becomes far more resilient.”
Stay on Top of Evolving GDPR Requirements With Usercentrics
The Digital Omnibus proposal may reshape how personal data is defined, reduce cookie banner noise while tightening banner design standards, and more.
Even if the package changes before it becomes law, the direction is clear: regulators want privacy to be easier to apply consistently and harder to exploit.
Businesses need to keep consent and privacy workflows flexible so they’re able to adapt as guidance shifts and new requirements emerge. Usercentrics helps make that ongoing work manageable.
A consent management platform (CMP) like Usercentrics is designed for evolving GDPR compliance requirements. That means you can keep your consent banner aligned with current guidelines, document and enforce consent choices, and stay up to date with automatic updates as standards change.
Instead of scrambling every time new guidance emerges, you get a trusted partner and a system that stays current so your team can focus less on compliance maintenance and more on building lasting relationships with customers.
