
European Commission Introduces Amendments to Digital Regulations

20 November 2025

On 19 November 2025, the European Commission (the “Commission”) published two draft regulations:

  • The Digital Omnibus Regulation Proposal (the “Data Proposal”), which introduces horizontal amendments to the General Data Protection Regulation (“GDPR”), the ePrivacy Directive, the Data Act and other core digital instruments; and
  • The Digital Omnibus on AI Regulation Proposal (the “AI Proposal”), which focuses on targeted adjustments to the EU Artificial Intelligence Act (the “AI Act”).

Taken together, the proposals aim to simplify and better align the EU’s existing digital rulebook, reduce compliance burdens and support innovation, while maintaining the EU’s high standards for fundamental rights, data protection, safety and fairness.

Below is an overview of the key changes included in the proposals.

Targeted GDPR and ePrivacy Directive adjustments

The Data Proposal introduces a series of clarifications and burden reduction measures related to personal data, including:

  • Pseudonymised data clarification: the draft amends the GDPR definition of “personal data” to clarify that data qualifies as “personal data” in the hands of a given organization only where that organization can reasonably identify the individual, directly or indirectly, using all the means reasonably likely to be used. The fact that some other organization could identify the individual does not, by itself, make the data “personal data” for the organization that holds it. In practice, the test turns on the holder’s own re-identification capability, so the same pseudonymised dataset may be personal data for the controller that holds the key and not for a recipient that does not.

  • Data protection impact assessments (DPIAs): the European Data Protection Board (“EDPB”) would establish a single harmonized list of processing operations for which a DPIA is required, valid across the EU and replacing the national lists. The EDPB would also publish a list of processing operations for which no DPIA is required and develop a common EU-wide template and methodology for conducting DPIAs.

  • Alignment of breach notification thresholds and timing: the notification regime is narrowed and aligned across instruments. The threshold is raised so that notification to the supervisory authority is required only where an incident is likely to create a high risk to individuals, and the reporting period is extended from 72 to 96 hours, with notifications submitted through the single incident reporting portal.

  • Consent for tracking technologies: consent would no longer be required where cookies or similar technologies are used only to produce aggregated audience measurements for the organization’s own online service, or for security purposes. Where tracking technologies involve personal data, the GDPR alone would govern, rather than the ePrivacy Directive, so organizations could rely on any appropriate lawful basis under the GDPR (for example, legitimate interests) and not only on consent.

The Data Proposal also opens the door to machine-readable preference signals that would allow users to express their choices once, for example in browser or device settings. Once the relevant standards are in place, websites and apps would be obliged to honor those signals, with a specific exemption for media service providers reflecting the importance of advertising-funded journalism. Under that mechanism, organizations would be required to respect a user’s choice for six months.

  • Clarification on the right of access: Where individuals submit access requests for purposes unrelated to the protection of their personal data, organizations may either refuse to comply with the request or charge a reasonable fee for processing it.

  • Permitted processing of special categories of data: two new derogations allow limited processing of special-category data in narrowly defined cases:
    • AI training and operation: organizations may rely on a narrow exemption where special categories of data remain only residually in AI training, testing or validation data, after reasonable efforts have been made to avoid and remove them and where further removal would be disproportionate. In such cases, strong safeguards must ensure that this data cannot be used to generate outputs about individuals and is not disclosed.
    • On-device biometrics: biometric data may be used for one-to-one identity verification where this is necessary for the organization’s purposes and the user retains effective sole control over the process (for example, where biometric templates are stored locally on the user’s device, or are encrypted with a key held only by the user).

  • Transparency obligations: where personal data is collected directly from individuals, the organization is not required to provide a separate privacy notice if there are reasonable grounds to assume the individual already has the relevant information. This exemption does not apply where the data is shared with other recipients or transferred to third countries, is used for automated decision-making, or where the processing is likely to create a high risk to individuals’ rights.

  • Automated decision-making clarification: it is confirmed that fully automated decisions with legal or similarly significant effects (for example, certain credit or eligibility decisions) remain permitted where an existing legal basis applies, such as necessity for entering into or performing a contract. It is also clarified that the possibility of the same decision being taken by a human does not take it outside the scope of automated decision-making, and that where several equally effective automated solutions exist, organizations should choose the least intrusive one.

  • Use of personal data in AI: processing personal data for the development and operation of AI systems and AI models is expressly recognized as capable of being based on legitimate interests, where appropriate. Organizations must still demonstrate that the processing is necessary and proportionate, carry out the usual balancing test and implement appropriate safeguards, including honoring an unconditional right to object. This option does not apply where EU or national law explicitly requires consent, or where the organization’s interests are overridden by the interests or fundamental rights and freedoms of individuals, in particular children.

Data breach notification and single incident reporting portal

A single EU incident reporting portal is introduced on a “report once, share many” basis, covering the GDPR, the Network and Information Security Directive, the Digital Operational Resilience Act, the eIDAS Regulation and the Critical Entities Resilience Directive. This is intended to reduce duplication, support more consistent reporting and address under-reporting of incidents.

Data access and the Data Act

The Data Proposal also amends certain provisions of the Data Act. Key changes in the Data Act and the wider EU data framework include:

  • The Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive are set to be repealed, with their relevant provisions moved, in amended form, into the Data Act.
  • Lighter Data Act cloud-switching rules would apply to small and medium-sized enterprises (“SMEs”) and small mid-cap companies (“SMCs”). However, these relaxed rules only apply to contracts already in place before 12 September 2025, so their practical impact is expected to be limited.
  • Data holders would not be required to disclose trade secrets where there is a high risk that the information would be unlawfully transferred to third countries outside the EU offering weaker protection than that provided in the EU.

Proposed changes to the AI Act

The Commission, in its AI Proposal, has introduced targeted simplification measures to ensure timely, smooth and proportionate implementation of certain AI Act provisions. These include:

  • The entry into application of the high-risk requirements would be linked to the availability of supporting measures such as harmonised standards, common specifications and Commission guidance. Once these are confirmed, the high-risk rules would start to apply after a transition period, with final backstop dates of 2 December 2027 for Annex III high-risk systems and 2 August 2028 for Annex I high-risk systems.
  • High-risk AI systems that are already lawfully placed on the market before the high-risk rules start to apply would benefit from a clarified grace period. Systems of the same type and model could continue to be placed on the market without additional certification, provided their design does not change in a significant way.
  • Extending the regulatory simplifications granted to SMEs to SMCs as well, including simplified technical documentation requirements and special consideration in the application of penalties.
  • Offering more flexibility in post-market monitoring by removing the requirement for a harmonized post-market monitoring plan.
  • Reducing the registration burden for providers of AI systems used in high-risk areas where the provider has concluded that the system is not high-risk because it performs only narrow or procedural tasks.

The AI Proposal also provides for broader use of AI regulatory sandboxes and real-world testing, benefiting key European industries such as automotive, and for the creation of an EU-level AI regulatory sandbox to be established by the AI Office from 2028.

The proposals will now proceed to legislative debate in the European Parliament and Council.

If you have any questions about how these proposals may affect your organization, or how best to adapt your compliance framework in light of them, please feel free to contact us.