Key Takeaways
- One package, less complexity – and lower cost. The EU Commission has presented a draft bill, the “Digital Package”, intended to streamline overlapping rules across the GDPR, e-Privacy, the Data Act, AI, and cybersecurity.
- A more practical path for AI, data, and privacy operations. Targeted GDPR clarifications and e-Privacy alignment aim to refine key GDPR definitions and obligations, support clearer conditions for AI development and research, and reduce consent fatigue and cookie banner complexity. The AI Act timeline for high-risk systems would be phased to align with available standards while small and medium-sized enterprise (SME)-style flexibilities expand to mid-caps.
- Prepare now to capture benefits – and avoid surprises. Although EU Parliament and EU Council may reshape the proposal, the direction of travel is clear: fewer touchpoints, more harmonization, and consolidated reporting and governance. Businesses must continue to monitor developments closely and prepare for the potential impact of the proposed changes.
I. Introduction and overview
On November 19, 2025, the EU Commission proposed a Digital Package consisting of the “Digital Omnibus” and the “Digital Omnibus on AI”. The Digital Package is a legislative initiative intended to consolidate, clarify, and streamline the EU’s digital regulatory framework. The Commission's proposal will now be deliberated in the European Parliament and its committees, where amendments may significantly reshape it. This client alert offers an overview of the current status to inform strategic planning, recognizing that details may change, while signaling the Commission’s legislative focus for the coming years.
The following sections outline key elements of the Digital Package and provide an outlook on potential practical implications concerning the GDPR (II.1), e-Privacy (II.2), the Data Act (II.3), Artificial Intelligence (II.4), and Cybersecurity (II.5).
II. The planned amendments to EU law
1. Data protection (Cynthia O’Donoghue)
Overview of proposed changes
While the Commission acknowledges the value of the GDPR since its entry into force in 2018, it also acknowledges that, for smaller companies and for low-risk processing of personal data, the GDPR has created undue burdens on organizations. The Commission seeks to address some of these issues with a more consistent and harmonized approach and through targeted amendments, including to the key definitions of personal data and pseudonymization, streamlining data breach notifications, and clarifying the lawful basis for scientific research and for the training and development of AI. The Commission also seeks to address abusive data subject access requests and to limit transparency requirements where an individual is likely to already have the information.
Key elements
(i) Personal data: Data is not to be considered personal data when an entity does not have means reasonably likely to identify a natural person. The proposed change is an attempt to codify the ECJ’s recent SRB case, which opined on when data can identify an individual and when it can be considered anonymous, such as when it was pseudonymized by the controller and provided in that form to a third party that did not have reasonable means to identify the individuals.
(ii) Exemption for use of biometric data when it is for the purpose of verifying identity that is under the sole control of the individual: This means that use of fingerprints or facial recognition when stored on a mobile device under the control of the device’s user would be exempt.
(iii) AI training – use of the lawful basis of legitimate interest for scientific research and for AI training and development; exemption for use of special category data when developing or operating an AI system insofar as measures are implemented to identify and remove special category data: This change attempts to adopt the view taken by various supervisory authorities in their decisions on the use of personal data for AI training, namely that the lawful basis is legitimate interests rather than consent. The exemption for special category data is very limited, since it requires safeguards and the special category data cannot be core to the AI training.
(iv) DSAR: Controllers could refuse to comply with access requests where the right is being abused (e.g., the right is being exercised for purposes other than the protection of the individual’s data) or could charge a fee. The objective behind the change proposed by the EC is to reduce access requests that are used to obtain disclosure for other purposes, such as litigation.
(v) Reduction in transparency requirements where the individual already has the information: The change would mean that where a notice is published and available, individuals would not need to be presented with their own copy of a privacy policy.
(vi) Permission for automated decision-making where it is necessary to enter into a contract with the individual: This change would have the consequence of allowing significant decisions based on automated processing even where it would be possible for a decision to be made manually, but it is likely to apply in limited circumstances given the limitation of contractual necessity.
(vii) DPIA: Harmonization by creating one authoritative list of the types of processing that require a data protection impact assessment. This change is to be welcomed as it will streamline the issues for which a DPIA is required and will hopefully harmonize the approach across the EU.
(viii) Data breaches – creation of a single-entry point for reporting personal data breaches: This is another change that is to be welcomed given the complexity of the different forms and methods among the Member States for data breach notification, particularly where a personal data breach affects users in more than one Member State.
The proposal is likely to receive some criticism for reducing the amount of personal data receiving protection and what may be seen as a watering down of individuals’ rights rather than clarifying key definitions. We suspect that the European Parliament may take a different approach to some of the changes in the omnibus proposed by the European Commission. There are several changes that are to be welcomed and are in keeping with the aim of streamlining and harmonizing compliance, such as changes to the provisions related to DPIAs and notifications of personal data breaches.
2. e-Privacy (Lukas Willecke)
Overview of proposed changes
The Commission acknowledges that addressing the issue of cookie consent fatigue, caused by repetitive and often non-transparent cookie banners, is long overdue. The new proposal moves the rules for storing and accessing personal data on users’ devices (terminal equipment) and the subsequent processing from the e-Privacy Directive (ePD) to the GDPR. Where device access leads to the processing of personal data, the GDPR will be the sole applicable regulation. This will reduce fragmented national rules, simplify consent interactions where exemptions apply, and clarify reliance on GDPR legal bases – such as legitimate interests – for subsequent processing. Importantly, article 5(3) ePD would still apply to access to and storage of non-personal data on devices or if devices are not owned by a natural person.
Key elements
(i) Consent remains the default rule to store or access personal data on a device.
(ii) Four “low-risk” exemptions allow storage/access (and the necessary subsequent processing), including two new exemptions for aggregated, controller-only audience measurement, and maintaining or restoring service or device security.
(iii) Changed consent requirements:
- Clear refusal option: A single-click mechanism to decline consent must be available.
- No repeated requests: Consent cannot be requested again for the same purpose while existing consent remains valid.
- Six-month interval: At least six months must pass before seeking consent again following a refusal.
The proposal would not eliminate cookie banners entirely, but it has the potential to significantly limit and simplify their design and use. Businesses may benefit from reduced legal uncertainty, fragmentation, and compliance costs caused by the current dual ePD/GDPR regime.
3. Data Act (Joana Lawrence)
Overview of the proposed changes
The Commission proposes targeted amendments to the Data Act to clarify rules, reduce burdens, and strengthen competitiveness. The package includes tighter safeguards for trade secrets in cross-border contexts, a narrower and more precise B2G data-sharing trigger, consolidation of overlapping frameworks, the removal of prescriptive smart-contract requirements, and pragmatic adjustments to cloud switching.
Key elements
(i) Consolidation of existing data-related acts: The proposal consolidates and streamlines the rules of the Free Flow of Data Regulation, the Data Governance Act, and the Open Data Directive within the Data Act.
(ii) Additional trade-secret safeguards: Safeguards against the risk of trade-secret leakage to third countries in the context of mandatory IoT data-sharing are strengthened.
(iii) Narrowed scope for B2G data-sharing: The circumstances under which public authorities may request data from businesses are significantly narrowed. The trigger shifts from broadly defined “exceptional needs” to specifically defined “public emergencies” only.
(iv) Clarification for smart contracts: Article 36 of the Data Act, which sets out essential requirements for smart contracts used in data-sharing arrangements, will be eliminated.
(v) Further exemptions to switching rules: Exemptions will apply to the rules on switching data-processing services for custom-made services and for services provided by SMEs or small mid-cap companies (SMCs) under contracts concluded before September 12, 2025; it is also clarified that SMEs and SMCs may include early-termination penalties in fixed-term contracts.
(vi) Improved implementation measures: The release of Model Contractual Terms for data access and use, Standard Contractual Clauses for cloud computing contracts, and the establishment of a Data Act Legal Helpdesk to help companies (especially SMEs) interpret the rules.
The proposal makes targeted amendments to streamline implementation – without changing the Data Act’s underlying principles – by reducing administrative burden through consolidation, increasing legal certainty, easing compliance for SMEs/SMCs with model terms and switching relief, and strengthening trade-secret safeguards for global operations.
4. AI (Dr. Andreas Splittgerber)
Overview of proposed changes
The European Commission’s November 2025 Digital Omnibus introduces targeted amendments to the AI Act to ease implementation, reduce administrative burden, and ensure that high-risk obligations apply only when practical compliance tools are available.
Key elements
These are the most important planned changes (not all listed):
(i) Flexible high-risk timeline (Standards-Linked Entry into Application): High-risk AI rules will apply only after the Commission confirms that supporting standards, specifications, or guidance exist, followed by:
- +6 months for systems under Annex III (article 6(2)), but not later than December 2, 2027;
- +12 months for systems under Annex I (article 6(1)), but not later than August 2, 2028.
(ii) Simplifications extended to small mid-caps (SMCs): Existing SME privileges – lighter technical documentation, simplified quality management systems, and proportionate penalties – are expanded to SMCs, easing compliance for Europe’s fast-growing tech firms.
(iii) Streamlined post-market monitoring: The mandatory harmonized monitoring-plan template is removed, giving providers more flexibility while the Commission will issue guidance instead.
(iv) Narrowed registration obligations: AI systems used in high-risk contexts but exempted under article 6(3) (e.g., narrow procedural tasks) will no longer need to be registered in the EU high-risk database.
(v) Legal basis for bias-correction data processing: Providers and deployers may process special-category personal data solely to detect and correct bias, under safeguards.
(vi) Transitional watermarking deadline for Generative AI: Generative AI systems released before August 2, 2026 must meet article 50(2) detectability/watermarking requirements only by February 2, 2027.
All in all, the changes are sound and definitely business-friendly. There is still room for the changes to be even more business-friendly, but this is a good start.
5. Cybersecurity (Johannes Berchtold)
Overview of proposed changes
The proposal introduces a single-entry point through which entities can simultaneously fulfil their incident reporting obligations under multiple legal acts, including the NIS2 Directive, DORA, GDPR breaches, eIDAS wallets, and CER – reducing duplicative notifications and promoting common templates.
Key elements
(i) Single-entry point (SEP) for incident reporting: The European Union Agency for Cybersecurity (ENISA) is tasked with developing and operating a secure EU-wide gateway so that entities can “report once, share many” across multiple acts. Use of the SEP is mandated for NIS2, DORA, CER, eIDAS, and GDPR data-breach notifications; relevant aviation and electricity codes are to be aligned later.
(ii) Harmonized reporting content/templates: The Commission is empowered to adopt common templates and formats (drawing on DORA experience) to reduce duplication and align thresholds, fields, and procedures across frameworks.
(iii) Interoperability and reuse: The SEP must allow retrieval/supplementation of prior submissions and be interoperable (including with European Business Wallets); national systems should be connectable via APIs.
The proposed SEP has the potential to significantly reduce bureaucratic burdens for businesses when dealing with security incidents. Also, inter-jurisdictional and inter-agency cooperation could be enhanced.
Germany Implements NIS2: Bundestag passes Implementation Act
The German Bundestag has adopted the German NIS2 Implementation Act, expanding cybersecurity obligations for a wide range of mid-sized and large enterprises, including those in the sectors of energy, digital services, and mechanical engineering. The law will take effect upon publication in the Federal Law Gazette, with no transition period. Publication is expected by early 2026 at the latest.
Covered entities must register with the competent authorities and implement cybersecurity measures, including risk assessments, backup and recovery management, and mandatory training. The incident reporting regime is tightened, with notification timelines and expanded reporting content.
Businesses should promptly determine whether they fall within scope and align with the new requirements.
III. Next steps and outlook
1. Legislative process (Philip Thomas)
Next, the Digital Package will be submitted to the European Parliament (anticipated by late November or December 2025) and then move to committee stage. In early 2026, MEPs will discuss the package and may table amendments, with a view to adopting a final report documenting Parliament’s position. In parallel, the EU Council will meet to formulate its position. Trilogue discussions will then follow in a bid to reach a compromise. Once a compromise has been agreed, the Digital Package will be adopted (unless it is adopted earlier through a vote in Parliament, if the fast-track option is used as with previous omnibus packages).
2. Outlook (Philip Thomas)
Given the scale of proposed changes and their potential to ease compliance burdens, the Digital Package will face detailed scrutiny and likely multiple iterations, so regulatory change remains some way off. Even if not all amendments survive, it marks a decisive move toward a more streamlined, proportionate compliance regime without materially weakening individual rights (though digital rights activists may disagree). Simplifying rules and removing overlaps should bring welcome clarity for businesses and consumers alike. Further simplification proposals may follow, not least in light of the European Commission’s published Digital Fitness initiative.
Businesses should continue to monitor developments closely. It is never too early to consider the potential impact of the proposed changes on the organization’s cybersecurity, data, and AI governance models. Businesses could also consider actively engaging in the Digital Fitness Initiative as a means of advocating for even greater simplification.
In-depth 2025-289