Accessibility Statement

StepTechToe | November 25, 2025

The European Commission Published Its Proposed Reform of the EU Data Protection, Privacy, Data, Cyber Incident Reporting and AI Framework

Author

Anne-Gabrielle Haie

Overview

On November 19, 2025, the European Commission published the Digital Omnibus, composed of two proposals for a regulation aimed at simplifying the EU legal framework applicable to data protection, privacy, data, incident reporting, and AI. Specifically, the Digital Omnibus is composed of a proposal for a regulation amending the AI Act, and a proposal for regulation amending EU digital laws, including the General Data Protection Regulation (GDPR).

Key Takeaways:

  • The proposed targeted amendments to the AI Act would not substantially alter the overall obligations set out in this Regulation but would introduce additional flexibility for certain specific requirements. The most significant change, however, is the proposed postponement of the application of the high-risk AI obligations, which were originally scheduled to apply starting from August 2, 2026.
  • The proposed targeted amendments to the GDPR would mark a significant shift in the EU approach to data protection, notably by explicitly stating that the notion of “personal data” is relative and depends on each recipient’s available means to identify a data subject. The amendments would also introduce greater flexibility regarding the processing of personal data in the context of AI development and operation, loosen certain transparency requirements, and significantly alter the EU’s approach to automated decision-making. It would also raise the threshold for the obligation to report personal data breaches to competent authorities and extend the deadline for doing so.
  • Further, the proposal for a regulation amending EU digital laws would remove the requirements related  to the processing of personal data in terminal equipment from the ePrivacy Directive and integrates them directly into the GDPR. It would further introduce new exceptions to the obligation to collect consent and impose additional obligations on how such consent should be collected.
  • A single-entry point for incident reporting would be created, removing the burden to notify multiple regulators.
  • The European Commission proposed to significantly reform the EU Data Legislative acquis. Specifically, it is proposed to create one single consolidated Data Regulation, by integrating the consolidated and streamlined rules of the Free Flow of Data Regulation, the Data Governance Act, and the Open Data Directive into the Data Act. This would further entail targeted amendments to the existing Data Act obligations, lighter obligations for data intermediation service providers and data altruism organizations, and the reform of the regime applicable to the re-use of public sector data and documents.

1. Proposal for a regulation amending the EU AI Act

Acknowledging some implementation challenges, the European Commission proposed targeted amendments to the EU AI Act. Please note that apart from these proposed targeted amendments, other obligations under the EU AI Act would remain unchanged and applicable, irrespective of whether the proposal for regulation amending the AI Act is adopted or not. The targeted amendments would include:

  • Postponement of the entry into application of the obligations related to high-risk AI systems: Given that key implementation elements (i.e., standards, common specifications, guidance and establishment of national competent authorities) will not be ready in time, it is proposed to delay the application of high-risk AI obligations. Their entry into application would be tied to the European Commission confirming that necessary compliance measures are available, after which the rules would apply 6 months later for high-risk AI systems listed in Annex III systems and 12 months later for high-risk AI systems covered by legislation listed in Annex I. However, this flexibility would only be extended until December 2, 2027 as regards high-risk AI systems listed in Annex III and until August 2, 2028 as regards high-risk AI systems covered by legislation listed in Annex I, by which dates those rules would enter into application in any case.
  • Postponement of the entry into application of the specific transparency obligation for providers of generative AI systems placed on the market prior to August 2, 2026: it is proposed to delay the obligation to comply with Article 50(2) to February 2, 2027.
  • Revision of the AI literacy obligation: It is proposed to replace this obligation with a more flexible approach, requiring EU Member States and the European Commission to encourage, rather than mandate providers and deployers to ensure adequate AI literacy among staff and others involved in AI use.
  • Introduction of a legal basis for the processing of special categories of personal data for the purpose of ensuring bias detection and correction: it is proposed to introduce a legal basis aligned with Article 9(2)(g) GDPR for processing special categories of personal data for the purpose of bias detection and correction applicable to all AI systems, not only high-risk AI systems. This processing would however be allowed under specific conditions and safeguards.
  • Revision of the post-market monitoring obligation for providers of high-risk AI systems: it is proposed to introduce more flexibility by removing the prescription of a harmonized post-market monitoring plan. More specifically, instead of issuing an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in this plan, the European Commission would only issue guidance on the post-market monitoring plan.
  • Extension of regulatory simplifications granted to Small and Medium-sized Enterprises (SMEs) to Small Mid-Caps (SMCs): SMCs are enterprises that employ fewer than 750 people and have an annual turnover not exceeding EUR 150 million or an annual balance sheet total not exceeding EUR 129 million. These regulatory simplifications would include simplified technical documentation requirements and special consideration in the application of penalties.
  • Removal of the registration obligation in the high-risk AI database for providers of AI systems that are used in high-risk areas but for which the provider has concluded that they are not high-risk as they are only used for narrow or procedural tasks.
  • Expansion of AI regulatory sandboxes and real-world testing: This would include the creation of an EU-level AI regulatory sandbox. Further, it is proposed to extend the scope of real-world testing outside AI regulatory sandboxes, currently applicable to high-risk AI systems listed in Annex III, to providers and prospective providers of high-risk AI systems covered by legislation listed in Annex I.
  • Centralization of enforcement by the AI Office for a large number of AI systems that are built on general-purpose AI models or embedded in very large online platforms and search engines within the meaning of the Digital Services Act.

2. Proposal for a regulation amending EU Digital Laws

2.1 Proposed amendments to the GDPR and ePrivacy Directive

The European Commission proposed targeted amendments to the GDPR and the ePrivacy Directive. Please note that apart from these proposed targeted amendments, other obligations under the GDPR and ePrivacy Directive would remain unchanged and applicable, irrespective of whether this proposal for a regulation amending EU digital laws is adopted or not. The targeted amendments would include:

  • Amendment of the definition of “personal data”: It is proposed to clarify when an individual is identifiable and, consequently, when information should be regarded as personal data. Specifically, it is proposed to clarify that the notion of personal data is a relative concept, dependent on whether a given recipient has means reasonably likely to be used for identifying the individual to whom the information pertains. Under the proposed definition, information would not be considered personal data for a recipient who could not identify the individual, even if other recipients have the means to do so. However, information would be considered personal data for recipients who have the means reasonably likely to identify the individual.
  • Introduction of two additional exemptions to the prohibition of processing of special categories of personal data: It is proposed to add two additional exemptions to the prohibition on processing special categories of personal data. The first would allow the processing of biometric data when necessary to confirm the identity of the data subject, provided that the data and the means of verification remain under the sole control of that data subject. The second would permit the residual processing of special categories of personal data for the development and operation of an AI system or AI model, subject to certain conditions, including the implementation of appropriate organizational and technical measures to avoid collecting such data and to remove it once identified.
  • Introduction of a new provision on the use of legitimate interests as a legal basis for processing in the development and operation of AI: It is proposed to allow controllers to process personal data for the development and operation of AI systems or AI models on the basis of legitimate interests, unless other EU or national laws require consent or the data subject’s rights override those interests. Such processing would nonetheless need to be subject to appropriate organizational and technical safeguards, including data minimization during data sourcing, training, and testing; protection against the disclosure of residual data within the AI system or model; enhanced transparency; and an unconditional right for data subjects to object to the processing.
  • Introduction of a right for controllers to charge a reasonable fee or to refuse to act on data access requests considered abusive.
  • Introduction of some flexibility related to controller’s transparency obligation: Subject to certain conditions, it is proposed to exempt controllers from their obligations under Article 13 (1) - (3) to provide extensive information to data subjects regarding their data processing activities, where the personal data are collected in the context of a clear and well-defined relationship between the data subjects and the controller, and where the controller’s activity is not data‑intensive. Subject to certain conditions, it is also proposed to apply the same exemption for processing activities conducted for scientific research purposes.
  • Substantial modification of GDPR provision related to automated decision-making: it is proposed to remove the right of data subjects not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Instead, the conditions under such processing may be conducted would be further clarified.
  • Alignment of the obligation to notify personal data breach to competent authorities with the notification obligation to affected data subjects and extended deadline for such notification: Instead of having to notify to competent authorities all personal data breaches that are likely to present a risk to the rights and freedoms of individuals, it is proposed to limit such notification obligation to personal data breaches likely to result in a high risk to the rights and freedoms of individuals. Further, controller would have to comply with this obligation within 96 hours upon becoming aware of the personal data instead of the 72-hour deadline currently applicable. Moreover, the proposal for a regulation clarifies that once established, such notification would be done through the single-entry point and according to a template to be prepared by the European Data Protection Board (EDPB). 
  • Harmonization of Data Protection Impact Assessment (DPIA) criteria at EU level: It is proposed to shift the determination of instances where a DPIA is required from the EU Member States to the EDPB. The EDPB would be required to publish both a list of cases in which a DPIA is mandatory and a list of cases in which it is not, as well as a common template and common methodology for conducting DPIA.
  • Introduction of a new provision related to pseudonymization: This provision would grant the European Commission with the power to adopt implementing acts specifying the means and criteria to be used to assess whether pseudonymized data still constitutes personal data.
  • Introduction of a new provision related to the processing of personal data in terminal equipment: To simplify the interplay between the GDPR and the ePrivacy Directive, it is proposed to integrate the requirements related to such processing directly into the GDPR and remove them from the ePrivacy Directive. The proposed new provision reiterates the need to obtain consent for this type of processing and maintains the existing exceptions to consent, namely, when access to or storage of data is necessary to transmit communications or to provide a service requested by the user. It would also introduce two new exceptions: when the processing is carried out to produce aggregated audience measurements for the service provider’s own use, or to maintain or restore the security of the requested service or device. Further, when consent is used, individuals would need to be able to refuse easily (e.g., with a single click). If consent is granted, the controller could not make repeated requests for the same purpose while the consent remains valid. If consent is refused, the controller could not request it again for the same purpose for at least six months. These rules would also apply to any subsequent processing based on consent.
  • Introduction of a new provision related to automated and machine-readable indications of data subject’s choices with respect to processing of personal data in the terminal equipment of individuals: This new proposed provision would introduce an obligation for controllers to ensure that their online interfaces allow data subjects to give or decline consent through automated and machine-readable means, such as browser settings, and to respect those choices. Media service providers would be exempt from this obligation when providing a media service. The provision would also give the European Commission a mandate to request the relevant standardization bodies to develop standards for encoding automated and machine-readable indications of data subjects’ choices, and for communicating those choices from browsers to websites and from mobile applications to web services.
  • Removal of the security of processing obligation and related notification requirement under the ePrivacy Directive: It is proposed to repeal article 4 of the ePrivacy Directive.

2.2 Creation of single-entry point for incident reporting

The proposal for a regulation would introduce a single-entry for incident reporting through which entities could simultaneously fulfill their incident reporting obligations under the GDPR, the NIS2 Directive, DORA, eIDAS Regulation, and CER Directive. Such single-entry point would be developed by ENISA, the EU cybersecurity agency. Please note that except for the channel to be used to report incidents, other provisions under these laws would remain unchanged and applicable, irrespective of whether the proposal for a regulation amending EU Digital Laws is adopted or not.

2.3 Reform of the Data Legislative Acquis

The European Commission proposed to create one single consolidated data regulation, by integrating the consolidated and streamlined rules of the Free Flow of Data Regulation, the Data Governance Act, and the Open Data Directive into the Data Act. Please note that apart from these proposed targeted amendments, other obligations under the Data Act would remain unchanged and applicable, irrespective of whether this proposal for a regulation amending EU digital laws is adopted or not. The targeted amendments would include:

  • Targeted amendments to the Data Act obligations: This includes:
    • The introduction of a new rule allowing data holders to refuse disclosure of trade secrets to a user or third parties designated by the user when there is a high risk of unlawful acquisition, use, or disclosure to third countries, or entities under their control, that are subject to jurisdictions with weaker protections than those available in the EU;
    • The obligation to share data with EU or Member States’ public sector bodies would be narrower and limited to “public emergencies” instead of applying to “exceptional needs”;
    • It would introduce additional flexibility for providers of data processing services. This would include exempting custom-made data processing services (i.e., services that are not off-the-shelf and cannot function without prior adaptation to the user’s needs and ecosystem) and small and medium-sized enterprise or a small mid-cap from most obligations under Chapter VI of the Data Act, with the exception of the obligation to reduce and ultimately eliminate switching and egress charges, when such services provided under contracts concluded before or on September 12, 2025.  Such providers would further not be required to renegotiate such contracts.
    • It would remove the provision related to the obligations applicable to providers of smart contracts.
  • Integration of Data Governance Act obligations into the Data Act and modifications of such obligations:
    • The notification regime for data intermediation services would become voluntary and the obligation to keep data intermediation services legally separate from any other service will be replaced by an obligation to keep services functionally separate paired with an additional set of conditions.
    • The obligations applicable to data altruism organizations would be reduced.
  • Integration of the ban on data localization requirements for non-personal currently under the Free Flow of Non-personal Data Regulation into the Data Act, with streamlined notification rules.
  • Reform of the regime applicable to the re-use of public sector data and documents: 
    • The provisions on re-use of public sector data and documents from the Data Governance Act and Open Data Directive would be merged into the Data Act.
    • Harmonized rules for both open data and certain categories of protected data would be introduced, including clearer definitions distinguishing digital data from non-digital documents, applicable principles, and detailed rules for re-use of open data and protected data.

Next steps

  • The proposals for regulation will need to be reviewed and adopted by the Council and the European Parliament.
  • Intense lobbying is expected, which may jeopardize the European Commission’s intention to have these two proposals adopted in the coming months.
  • In light of the numerous concerns already raised by various stakeholders, including the European Data Protection Board, it is highly likely that the European Commission’s proposals will be significantly amended during the legislative adoption process.

What does it mean for businesses?

  • There is an opportunity to engage with the EU co-legislators as they review and further develop the Digital Omnibus.
  • Organizations should not pause their AI Act compliance efforts, as there is currently no certainty that the European Commission’s proposals will be endorsed by the co-legislators. In particular, there is no assurance that the proposal to postpone the entry into application of high-risk AI obligations will be approved by the Council and the European Parliament, nor that it will be adopted before the August 2, 2026 deadline.
  • Organizations should refrain from changing their data protection, privacy, and data practices until the Digital Omnibus is formally adopted.

If you have any questions or need assistance related to the Digital Omnibus, please contact Anne-Gabrielle Haie.

Professionals

Anne-Gabrielle Haie
Anne-Gabrielle Haie advises clients on a wide range of digital-related matters, with a strong focus on data protection, privacy and cybersecurity. In addition, she has developed considerable expertise...

Partner

AI, Data & Digital, Privacy & Cybersecurity, Internet, Telecom & Media, Blockchain & Cryptocurrency

Practices

Artificial Intelligence

AI, Data & Digital

Click below to subscribe to StepTechToe
Press Releases The Hill Names Leslie Belcher, Elizabeth Burks, and Rowan Bost to Top Lobbyists 2025 December 12, 2025 Press Releases Chambers Asia-Pacific 2026 Recognizes Steptoe's Top International Trade Practice December 11, 2025 Seminars & Events Year End Tax Conference and Celebration December 9, 2025
Press Releases Steptoe Earns Four Practice and Three Individual Rankings in Chambers FinTech 2026 December 5, 2025 Press Releases Steptoe Names New Partner Class and Counsel Promotions for 2026 December 2, 2025 Press Releases Law360 Names Pantelis Michalopoulos an MVP in Telecommunications for the Second Consecutive Year December 1, 2025 Press Releases Federal Circuit Overturns Jury Verdict in Favor of Sandoz in Latisse® Patent Dispute November 24, 2025 Press Releases Securities Docket Names Sandra Hanna to the 2025 'Enforcement Elite' November 13, 2025 Press Releases Steptoe Secures $170 Million Jury Verdict for Express Mobile in Landmark Web-Design Patent Case Against GoDaddy November 7, 2025 Press Releases Steptoe Files Amicus Brief Defending Music Industry’s Copyright Protections November 3, 2025 Press Releases Steptoe Launches Dedicated Data Center Energy Regulation Tracker Amid AI-Driven Infrastructure Boom October 30, 2025 Press Releases Steptoe Receives Individual and Practice Rankings in Legal 500 US Elite October 29, 2025

View More