Presented on November 19, 2025 by the European Commission, the Digital Omnibus intends to rationalize the European digital “rulebook” through targeted modifications (GDPR, ePrivacy, AI Act, Data Act, etc.)
For organizations, the promise of simplification will not result in “less compliance”, but in more contextualized and, above all, more demonstrable compliance.
A political promise: less fragmentation, fewer costs
The Commission explicitly places the initiative within a logic of competitiveness: shifting time and budget from administration to innovation, by reducing the friction generated by the superposition of texts, definitions and procedures. The Digital Omnibus is presented as a set of “technical” amendments intended to provide rapid relief to businesses and administrations, without renouncing protection objectives. The project can be summarized in three main axes:
- 1) Better articulate data regimes
Objective: reduce redundancies that cause practices to diverge (governance, formats, sharing methods).
Opportunity: industrialize the reuse and sharing of data with more readable rules.
Counterpart: more explicit arbitrations (confidentiality, business secrets, secure environments) and therefore increased traceability.
- 2) Clarify GDPR and ePrivacy
Objective: limit contradictory interpretations on highly operational points (data qualification, interfaces and consent signals, evaluation and documentation obligations).
Opportunity: bring the rule closer to product and data realities.
Counterpart: the burden shifts towards the ability to prove that the assumptions made were reasonable.
- 3) “Report once” for certain incidents
Objective: reduce declarative fragmentation (multiplication of channels, redundancies, inconsistencies).
Opportunity: more coherent coordination of declarations and deadlines.
Counterpart: more robust incident files (qualification, chronology, impacts, measurements).
The value will not come from legal reading, but from the tools of proof
To really benefit from these simplification options, three operational projects are necessary. First, map the areas of “over-compliance” born from fragmentation (multiplication of registers, duplication of impact analyses, qualification divergences) in order to define a single reference framework for decisions.
Then, move from compliance “by obligations” to compliance “by evidence”: for each processing, sharing or incident, create a file demonstrating the assumptions made, the controls applied and the decisions made.
Finally, integrate the jurisprudential dynamics: the judgment of September 4, 2025 (EDPS v SRB) recalls that the classification of personal data may depend on the reasonable capacity of the recipient to identify using this data.
Simplifying is not deregulating: a debate to take on, a discipline to install
The public debate already shows a tension between simplification and level of protection, particularly on AI and certain GDPR/ePrivacy developments. The best strategy for organizations is neither wait-and-see nor over-interpretation: it is to anticipate “audit-ready” compliance, where each technical choice and each qualification is supported by objective, shareable and verifiable elements. This is where the promise of the Digital Omnibus can become a real opportunity: less fragmentation, more coherence, provided we invest in proof.
