News
24.11.2025

Digital Omnibus: what will change in the GDPR, AI Act, NIS2, and DORA - and why it is important to start anticipating changes

On November 19, 2025, the European Commission presented the “Digital Omnibus” proposal, a legislative package that aims to simplify and harmonize the European Union's digital regulatory framework. The stated goal is to reduce administrative burdens without compromising the current level of protection.

The proposal introduces changes to key pieces of legislation such as the GDPR, the AI Act, NIS2, and DORA, with a direct impact on how organizations process data, manage technological risks, and report incidents.

Key changes highlighted

GDPR – redefinition of “personal data” and articulation with AI

  • The proposal clarifies that data is only considered personal when the controller can identify the data subject using reasonable and proportionate means, even if, in abstract terms, third parties could do so. This interpretation tends to narrow the scope of the GDPR, but opens up debate on the risks of re-identification by other actors.
  • A more explicit alignment between the GDPR and the AI Act is also envisaged, particularly in the use of personal data - and, in certain cases, pseudonymized data - for training AI models, subject to enhanced safeguards.

AI Act – deadlines, SMEs, and sensitive data for mitigating bias

  • The deadlines for full implementation of the high-risk regime are significantly postponed (in some cases until 2027), allowing for a more phased transition.
  • More proportionate obligations are introduced for SMEs and small mid-cap companies, with simplified documentation and adjustments to certain compliance requirements.
  • The promotion of AI literacy becomes a clearer responsibility of the European Commission and Member States.
  • A specific framework is created that allows, under strict conditions, the processing of special categories of personal data to detect and mitigate biases in AI systems, recognizing that without such data, verification of non-discrimination is often unfeasible.

NIS2 – European single entry point for incident reporting

  • The European Union Agency for Cybersecurity (ENISA) will take on a central role in managing a single entry point for cybersecurity incident notifications, following the principle of “report once, share many.” The entity reports once; the information is distributed to the competent authorities.
  • This mechanism aims to harmonize reporting obligations currently scattered across various pieces of legislation (NIS2, DORA, GDPR, eIDAS, and potentially CER), reducing duplication and eliminating incompatible deadlines and forms.

DORA – integration into the new ICT incident reporting hub

  • Entities covered by DORA will now report serious ICT incidents through the same single point of entry, aligning the financial regime with the centralized model envisaged for NIS2.
  • A significant reduction in redundancies, greater consistency in reported data, and better coordination between sectoral and cybersecurity authorities are expected.

What this means in practice for companies
Although still at the proposal stage - and subject to negotiation with the European Parliament and the Council - it is prudent for organizations with significant exposure to these regimes to start thinking now about how best to anticipate likely changes in these sectors.

In particular, the following are recommended:

1. Review of data maps and legal bases
In light of the new interpretation of “personal data” and the potential use of data, including sensitive data, for AI training.

2. Update of AI compliance programs
Including governance, team training, technical documentation, risk assessment processes, and adaptation to the new deadlines of the AI Act.

3. Reorganization of incident reporting processes
Anticipating the migration to a single entry point model, with alignment between cybersecurity, operational risk, legal, and compliance teams.

4. Integrated ICT risk management
Evolving towards a common NIS2/DORA framework, avoiding duplication and ensuring a single view of critical risks.

5. Clarification of internal responsibilities
Establishing who decides, who reports, and who validates, with teams and circuits prepared for the new communication flows.

6. Creation of templates and procedures
In order to facilitate the completion of harmonized forms when the single entry point is operational.

An opportunity - and a warning

The Digital Omnibus proposal represents both:

  • an opportunity to streamline compliance efforts by harmonizing reporting flows and clarifying key concepts; and
  • a point of attention regarding the possible reduction of safeguards in sensitive areas such as personal data and AI.

How we can help
Our team continuously monitors European regulatory developments and is prepared to support companies in the practical implementation of the GDPR, AI Act, NIS2, DORA, and now the Digital Omnibus proposal.

For more information about our compliance expertise, visit our website and contact our team.
