On 19 November 2025, the European Commission published the Digital Omnibus package of proposals to change aspects of digital data governance across Europe.
The proposals aim to improve competition and growth across Europe by lessening the administrative and compliance burden on businesses, streamlining the legal and regulatory landscape and supporting innovation.
Key proposals in the Digital Omnibus
The main areas of proposed change are:
- Consolidation of the EU’s data laws into the Data Act and the GDPR, which will aim to simplify regulatory compliance for businesses.
- Definition of personal data could be changed so that data is only considered to be personal data if the relevant controller can identify an individual from the data.
- Lawful bases for processing expand to include use of personal data to develop an AI system
- Data Subject Access Requests (DSARs) – if a DSAR is considered to be excessive, repetitive or for purposes other than protection of the data subject’s personal data, the controller may charge a reasonable fee or refuse to act.
- Data breach – if a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify their supervisory authority within 96 hours using the new single channel for reporting breaches.
- Cookies governance to become less onerous through a one-click central setting option for preferences which will alleviate cookie banner fatigue.
Preparing for the Digital Omnibus Changes
The proposals are yet to be finalised, but businesses can start planning now to be ready for a smooth transition when the changes are finalised.
- Current GDPR and e-privacy policies should be reviewed, ensuring they are robust and compliant with legislation as it stands.
- When dealing with data breach or cyber incidents, preparation is key, so we recommend having a comprehensive breach response plan in place.
- Businesses also need to have a comprehensive understanding of how to respond to DSARs with staff trained accordingly.
Timeline of next steps for proposed changes
As of May 2026, the European Parliament, Council and Commission are continuing to debate the data privacy aspects of the Digital Omnibus and no changes to regulations or laws have been finalised. However, depending on how negotiations proceed, some of these changes may still happen before the end of the year.
How 3CS can help
We recommend reviewing your data processing documents, governance and practices to determine whether anything needs to be amended or updated because of these changes. We have experience assisting clients understand their data privacy obligations and taking steps to ensure compliance under regulations including GDPR and UK GDPR, so we can help you with this assessment.
We regularly provide training and workshops for staff as well as conducting privacy compliance audits and drafting documents including privacy policies and notices, records of processing activity, contracts for transfer of personal data overseas and cookies policies. We also advise on data breach management and responses to data subject access requests.
For advice and guidance, please get in touch.




