Skip to main content

EU Digital Omnibus Regulation

The EU Digital Omnibus Regulation (COM(2025) 837) represents the most significant simplification of European data law since the GDPR came into force in 2018. Published on November 19, 2025, this comprehensive reform consolidates five separate data regulations into two, eliminates cookie banners for 60% of websites, and promises to save businesses €1 billion annually.

What is the Digital Omnibus?

The Digital Omnibus is part of the European Commission's broader simplification agenda to reduce regulatory complexity while maintaining strong protections for citizens and businesses.

Official designation: COM(2025) 837 final

Published: November 19, 2025

Goal: Simplify the EU data regulatory framework by:

  • Reducing the number of overlapping regulations
  • Eliminating contradictions and ambiguities
  • Lowering compliance costs
  • Maintaining high standards for data protection and privacy

The Great Consolidation: 5 Laws → 2 Laws

Laws Being Amended (Not Repealed)

General Data Protection Regulation (GDPR)

Status: Amended with targeted improvements

The GDPR remains the cornerstone of EU data protection but receives important updates:

  • Personal data definition clarified
  • Cookie consent rules integrated (new Articles 88a, 88b)
  • AI processing provisions (new Article 88c)
  • Breach notification threshold raised
  • Research exemptions expanded
  • Information requirements simplified

See: GDPR Amendments in Detail

Data Act

Status: Becomes consolidated framework for data sharing and access

The Data Act absorbs provisions from:

  • Data Governance Act
  • Open Data Directive
  • Free Flow of Data Regulation (partially)

Result: Single comprehensive regulation for data access, sharing, and portability across sectors.

Laws Being Repealed or Merged

1. Platform-to-Business Regulation (EU 2019/1150)

Status: Fully repealed

Reason: Superseded by the Digital Services Act (DSA) and Digital Markets Act (DMA), which provide more comprehensive and effective rules for platform governance.

What this means: No separate P2B compliance regime; platform obligations now governed by DSA/DMA.

2. Free Flow of Data Regulation (EU 2018/1807)

Status: Mostly repealed; core provisions merged into Data Act

Provisions retained:

  • Freedom of data flows within the EU
  • Restrictions on data localization requirements
  • Portability of non-personal data

Why consolidate: Avoids fragmentation between personal data (GDPR) and non-personal data (Free Flow) rules.

3. Data Governance Act (EU 2022/868)

Status: Merged into Data Act

Key provisions integrated:

  • Data intermediation services
  • Data altruism organizations
  • Public sector data re-use
  • Governance structures for data sharing

Benefit: Single coherent framework for data governance instead of overlapping regulations.

4. Open Data Directive (EU 2019/1024)

Status: Merged into Data Act

What's integrated:

  • Public sector information re-use
  • High-value datasets
  • Transparency requirements
  • Charging principles

Result: Public and private data sharing governed by unified rules.

The Final Landscape

Before Omnibus (2024):

  • GDPR
  • Data Act
  • Data Governance Act
  • Open Data Directive
  • Free Flow of Data Regulation
  • P2B Regulation

Total: 6 major data regulations

After Omnibus (2026+):

  • GDPR (amended)
  • Data Act (consolidated)

Total: 2 major data regulations

Plus: DSA and DMA continue to govern digital platforms

Key Changes Overview

The biggest change: Article 5(3) ePrivacy Directive repealed for personal data; cookies brought under GDPR framework.

New regime (Articles 88a, 88b GDPR):

  • Audience measurement for own use: NO CONSENT NEEDED
  • Third-party tracking: CONSENT REQUIRED
  • Single-click refuse button mandatory
  • No re-asking for 6 months after refusal
  • Browser signals for machine-readable consent (24-48 month timeline)

Impact:

  • 60% of cookies no longer need consent
  • 50% of private websites can eliminate banners
  • 80% of public sector websites can eliminate banners
  • €820M/year business savings
  • €500M/year user productivity gains

Learn more: Cookie Consent Reform

2. GDPR Clarifications

Personal data definition:

  • "Reasonably likely to be used" standard codified
  • Entity-specific determination
  • Pseudonymization clarity

AI processing:

  • New Article 88c: Legitimate interest for AI development
  • Safeguards for special category data
  • Unconditional right to object

Breach notifications:

  • Threshold raised from "risk" to "high risk"
  • Single entry point via ENISA
  • EDPB to create common template

Research exemptions:

  • Expanded definition (includes tech development)
  • Further processing compatibility
  • Legitimate interest basis

Learn more: GDPR Amendments

3. Single Incident Reporting Point

Current problem: Businesses must report security incidents to multiple authorities under different regulations.

Omnibus solution: ENISA (European Union Agency for Cybersecurity) operates a single entry point for incident reporting.

Benefits:

  • One report satisfies multiple obligations
  • Consistent format and process
  • Better coordination across authorities
  • Reduced administrative burden

4. SME/SMC Extended Exemptions

SMEs (Small and Medium Enterprises) and SMCs (Small and Medium-Sized Companies) receive:

  • Extended exemptions from certain Data Act obligations
  • Reduced fees for certifications
  • Simplified compliance pathways
  • Proportionate requirements based on size

Estimated savings: €5-19M annually across the SME sector.

Economic Impact

Cost Savings for Businesses

CategoryAnnual Savings
Cookie banner elimination€820 million
Data intermediation simplification€6 million
SMC fee exemptions€5-19 million
Custom cloud contracts (one-off)€1.015 billion
B2G scope narrowing€19.7 million/year
Total business savings by 2029≥€5 billion

Cost Savings for Public Sector

CategoryAnnual Savings
Cookie banner elimination€320 million
Data governance consolidationSignificant (TBD)
Simplified complianceSignificant (TBD)
Total public authority savings by 2029€1 billion

User Benefits

Time savings: 334 million hours/year currently wasted on cookie banners will be reclaimed.

Productivity value: €500 million/year in user time savings (200 million users × reduced banner interactions).

Better experience: Fewer interruptions, clearer choices, more respectful web browsing.

Timeline

Legislative Process

November 19, 2025: Commission proposal published (COM(2025) 837)

2026: European Parliament and Council negotiation (ordinary legislative procedure)

Expected adoption: Late 2026 or early 2027

Entry into force: 20 days after publication in Official Journal

Implementation Deadlines

Article 88a (cookies): 6 months after entry into force

Article 88b (browser signals):

  • Websites: 24 months after entry into force
  • Browser vendors: 48 months after entry into force

Estimated operational dates:

  • Cookie exemptions: Mid-2027
  • Website browser signal support: 2028-2029
  • Full browser controls: 2029-2030

Who is Affected?

Website Operators

All EU websites:

  • New cookie consent rules apply
  • Opportunity to eliminate banners for audience measurement
  • Browser signal support required (24 months)

Action required:

  • Audit analytics and tracking tools
  • Identify exempt vs. consent-required processing
  • Update privacy policies
  • Prepare for browser signals

Analytics and Ad Tech Providers

First-party analytics:

  • Clear legal basis without consent
  • Competitive advantage

Third-party tracking:

  • Consent still required
  • Browser signals will impact consent rates
  • Need to adapt business models

Learn more: Impact on Web Analytics

AI Developers

New legal basis:

  • Article 88c provides legitimate interest for AI development
  • Must implement safeguards
  • Respect right to object
  • Avoid special category data

Data Controllers and Processors (General)

Simplified framework:

  • Fewer regulations to navigate
  • Clearer rules
  • Reduced overlaps

New obligations:

  • Browser signal support
  • Updated GDPR compliance
  • Adapted data governance practices

Documentation in This Section

Core Documents

Implementation & Compliance

Industry Impact

Key Differences from Current Law

AspectCurrent LawDigital Omnibus
Number of data regulations5-6 separate laws2 consolidated laws
Cookie consentArticle 5(3) ePrivacy (separate from GDPR)Article 88a GDPR (unified)
Audience measurementConsent required (limited exemptions)No consent if aggregated, own use
Browser signalsNot addressedMust be supported (Art 88b)
Breach notification"Risk" threshold"High risk" threshold
Personal data definitionCJEU case lawCodified "reasonably likely" standard
AI processingUnclear legal basisArticle 88c legitimate interest
Incident reportingMultiple entry pointsSingle ENISA entry point
Research exemptionsLimited definitionExpanded (tech development)

Frequently Asked Questions

Does the Omnibus repeal the GDPR?

No. The GDPR is amended, not repealed. It remains the foundational data protection regulation but receives targeted improvements.

Partial elimination starting mid-2027 (6 months after entry into force, estimated).

60% of cookies will no longer need consent (first-party, aggregated, own use).

40% of cookies (third-party tracking, advertising) will still require consent.

What happens to the ePrivacy Directive?

Article 5(3) is repealed for personal data processing. Cookie consent moves to GDPR (Articles 88a, 88b).

Rest of ePrivacy Directive remains in force for:

  • Non-personal data cookies
  • Electronic communications confidentiality
  • Marketing communications rules

Long-term: ePrivacy Regulation (currently stalled) may eventually replace the entire ePrivacy Directive.

It depends on what you're doing:

No banner needed if:

  • ✅ First-party analytics only
  • ✅ Aggregated measurement
  • ✅ For your own use only
  • ✅ Functional cookies for requested services

Banner still needed if:

  • ❌ Third-party tracking
  • ❌ Advertising pixels
  • ❌ Cross-site profiling
  • ❌ Selling or sharing data

See: Cookie Consent Reform for detailed guidance.

How does this affect my GDPR compliance?

Mostly simplifies:

  • Personal data definition clearer
  • Breach notification threshold higher (fewer reports needed)
  • Information requirements more flexible (Article 13 exemption)
  • Research exemptions broader

New requirements:

  • Cookie consent under GDPR framework (Articles 88a, 88b)
  • Browser signal support (24 months)
  • AI processing safeguards (Article 88c)

Overall: Compliance becomes clearer and less burdensome for most organizations.

What should I do to prepare?

Immediate steps:

  1. Audit analytics and tracking

    • What tools do you use?
    • Which need consent vs. are exempt?

  2. Review data processing inventory

    • Update for Article 88a framework
    • Identify browser signal impact

  3. Update privacy policies

    • Reference new legal bases
    • Explain exempt processing

  4. Plan infrastructure changes

    • Browser signal support
    • Consent management updates

  5. Consider switching to consentless analytics

    • Sealmetrics, Plausible, Fathom, etc.
    • Eliminate banner costs
    • Gain complete data

Timeline: Finalize plans by late 2026, implement by mid-2027.

Additional Resources

Official EU Documents

  • GDPR (EU 2016/679) - Data protection foundation
  • Data Act (EU 2023/2854) - Data sharing and access
  • Digital Services Act (EU 2022/2065) - Platform governance
  • Digital Markets Act (EU 2022/1925) - Gatekeeper regulation
  • ePrivacy Directive (2002/58/EC, as amended) - Electronic communications privacy

Industry Guidance

  • EDPB guidelines on Articles 88a and 88b (expected 2026)
  • National DPA guidance on cookie exemptions
  • European standardisation bodies: Browser signal standards

Conclusion

The EU Digital Omnibus represents a pragmatic evolution of European data law. By consolidating five regulations into two, eliminating cookie banners for benign processing, and clarifying ambiguities in the GDPR, the Omnibus promises to reduce compliance costs by €1 billion annually while maintaining the EU's world-leading privacy standards.

For website operators, the message is clear: privacy-respecting, first-party analytics will become the norm, while invasive tracking faces increasing barriers. Organizations that embrace consentless analytics and first-party data strategies will gain competitive advantages in compliance simplicity, data quality, and user experience.

The transition period (2026-2030) provides ample time to adapt. Those who prepare early will reap the greatest benefits.

Stay Updated: This documentation will be updated as the Omnibus proceeds through the legislative process and implementing acts are adopted.

Questions? Explore the detailed analyses linked above or consult with privacy counsel on your specific situation.