PrivacyForgeSign In
Back to Blog

The EU Digital Omnibus: What the 2026 GDPR & AI Act Overhaul Means

A verified breakdown of the EU Digital Omnibus — the cookie consent, breach notification, and AI Act changes coming in 2026, and how to prepare without ripping out your stack.

PFMariyan ValevJun 10, 2026 · 11 min read
OmnibusRegulation

Key Takeaways

  • The Digital Omnibus is the European Commission's package to simplify the EU's digital rulebook. Published on 19 November 2025, it proposes targeted amendments to the GDPR, the ePrivacy regime, the EU AI Act, the Data Act, and NIS2.
  • The AI Act portion is the most advanced: on 7 May 2026, the European Parliament and Council reached a provisional agreement that postpones high-risk obligations and extends several deadlines. It still needs formal adoption before it becomes law.
  • The GDPR and cookie portion is still a proposal under negotiation. It would move cookie rules into the GDPR, raise the breach-notification threshold, and ease the legal basis for AI training — but data protection authorities have pushed back hard, and parts may change or be dropped.
  • For eCommerce teams, the headline changes are single-click cookie consent, a six-month rule against re-prompting declined users, machine-readable consent signals websites must honour, and a breach deadline that moves from 72 to 96 hours.
  • Simplification is not deregulation of your obligations. The smart move is to treat this as a chance to modernise consent UX now — not to pause your compliance programme on the assumption the rules will get easier.

Introduction

In late 2025 the European Commission did something it had not done since the GDPR took effect in 2018: it opened the regulation up for revision. The vehicle is the Digital Omnibus — a "simplification and competitiveness" package the Commission estimates could save businesses several billion euros a year by cutting duplicate reporting and streamlining consent.

For an eCommerce or SaaS team, that headline is tempting but misleading. The Omnibus does not make privacy compliance optional — it reshapes how you collect consent, when you report a breach, and what legal basis you can use to build AI. Some of it is close to law. Much of it is still being fought over. This guide is a verified snapshot of what is actually changing, what has only been proposed, and what to do about it right now.

This article is informational content, not legal advice. For organisation-specific guidance, consult a qualified legal professional.

What Is the Digital Omnibus?

The Digital Omnibus is not a single new law. It is a bundle of amendments to existing EU digital legislation, published by the Commission on 19 November 2025 as part of a wider deregulation drive. It touches the GDPR, the ePrivacy framework, the EU AI Act, the Data Act, and the NIS2 cybersecurity directive.

Crucially, the package is split into tracks that are moving at very different speeds:

  • The AI Act amendments reached a provisional political agreement between Parliament and Council on 7 May 2026. This is a deal on the text — it still requires formal adoption by both institutions before it applies.
  • The GDPR and ePrivacy amendments remain at the proposal stage. The EDPB and EDPS issued a joint opinion supporting some simplification but warning strongly against others, and member states have reportedly already softened the most contested elements.

Keeping that distinction clear matters for planning. Treat the AI Act timeline changes as near-certain, and the GDPR cookie changes as a likely-but-not-final direction of travel.

This is the part that touches eCommerce most directly. The proposal would pull cookie and tracking rules out of the ageing ePrivacy Directive and fold them into the GDPR itself, retiring the long-stalled ePrivacy Regulation in the process. The stated goal is to end "consent fatigue" and the endless banner problem.

What the proposal would change:

  • Single-click accept and reject. Banners must let users refuse as easily as they accept, with equal prominence — no more "Accept All" button next to a buried "Manage preferences" link.
  • A six-month memory rule. Once a user declines, you cannot re-prompt them for the same consent for six months, ending the pattern of asking on every visit.
  • Machine-readable consent signals. A companion provision would require consent, refusal, and objections to be expressible through automated, browser-level signals that websites must honour — a major step toward centralised preference management.
  • A closed list of consent exemptions for genuinely low-risk activities such as aggregated audience measurement and security, so not every cookie needs a banner.

The upside for businesses is real: fewer banners, clearer rules, less ambiguity. But it is not less work in the short term. Every one of these requires re-papering your existing consent flow — and honouring browser-level signals is a technical capability many sites do not yet have.

The Breach Notification Changes (Proposed)

The Omnibus would ease two pain points in the GDPR's breach regime under Articles 33 and 34:

  • A higher reporting threshold. Today you must notify your supervisory authority of any breach posing "a risk" to individuals. The proposal raises that to "high risk", significantly narrowing which breaches require a report.
  • More time to report. The notification deadline would extend from 72 hours to 96 hours, with a common EU template and a "submit once, share widely" single-entry portal to reduce duplicate filings across GDPR, NIS2, and other regimes.

Notably, the EDPB and EDPS support these two changes — a rare point of agreement — on the basis that they cut administrative burden without weakening protection for individuals.

The Personal Data Definition (Contested)

The most controversial GDPR proposal would amend the definition of personal data (Article 4) so that pseudonymised information is not treated as personal data for a party that lacks the "means reasonably likely to be used" to re-identify someone. In plain terms: the same dataset could be personal data for one company and non-personal for another.

This is the change privacy regulators want stopped. The EDPB and EDPS warned it goes far beyond a technical fix and would "significantly narrow the concept of personal data," out of step with Court of Justice case law. Member states have reportedly moved to drop or rework it. Do not build any plan on this change — it is the single least settled element of the package.

What Changes for AI (Provisionally Agreed)

The AI Act track is where the 7 May 2026 deal lands. The verified changes:

ChangeDetail
High-risk deadline (Annex III / Art. 6(2))Obligations postponed from 2 August 2026 to 2 December 2027
High-risk deadline (Annex I / Art. 6(1))Sector-regulated systems apply from 2 August 2028
Content marking (Art. 50(2))Synthetic-content labelling obligations apply from 2 December 2026
New prohibitionAI generating non-consensual intimate imagery banned from 2 December 2026
Regulatory sandboxesNational sandbox deadline extended to 2 August 2027
SME and small mid-cap reliefSimplified framework extended to firms with up to 750 employees and €150m turnover

On the data side, the package would make it easier to use special-category data for bias detection under a strict-necessity standard with mandatory safeguards, and it reinforces that controllers can rely on legitimate interest (Article 6(1)(f)) to process personal data for developing and operating AI systems.

This directly updates the picture in our [GDPR and EU AI Act interplay guide](/resources/blog/gdpr-eu-ai-act-interplay-2026): the high-risk gate that pointed at August 2026 has now, provisionally, moved to December 2027.

What This Means for eCommerce: Three Scenarios

Your banner is the thing most likely to change. Start designing for symmetrical single-click accept/reject and the six-month no-re-prompt rule now — both are low-regret improvements even under current law, since regulators already frown on asymmetric banners. Plan, but do not yet build, for honouring browser-level consent signals.

Scenario 2: You use AI for recommendations, support, or fraud

The high-risk compliance clock has likely moved to December 2027, buying time — but transparency and content-marking duties for AI-generated content still arrive in December 2026. Your legitimate-interest basis for AI gets firmer footing, but the EDPB's three-step balancing test still applies.

Scenario 3: You handle frequent low-level data incidents

The move to a "high risk" reporting threshold and a 96-hour window could meaningfully cut your notification overhead — but only once the GDPR track is adopted. Until then, the 72-hour, any-risk rule remains binding.

Common Mistakes to Avoid

  • Treating "simplification" as "deregulation." Your accountability obligations are intact. The paperwork changes; the duty to protect data does not.
  • Acting on proposals as if they were law. The cookie and breach changes are not adopted. The personal-data-definition change may never be. Build against today's rules, prepare for tomorrow's.
  • Assuming the AI deadline shift means you can stop. December 2027 is still a deadline, and content-marking and prohibition dates land in 2026.
  • Ignoring machine-readable consent. If browser-level signals become mandatory, sites that cannot read them will be non-compliant overnight. This is an architecture decision, not a banner tweak.

How PrivacyForge Helps

The Digital Omnibus rewards teams that can adapt their consent and compliance posture quickly — not those who rebuilt everything for one rule and now have to rebuild again. PrivacyForge is designed for exactly that kind of regulatory motion:

  • Consent management that already supports symmetrical accept/reject patterns and region-aware banners, so moving to single-click parity and a six-month memory rule is a configuration change, not a re-platform.
  • Embeddable forms and preference centres built to evolve toward machine-readable, browser-level consent signals as the standard firms up.
  • AI governance that tracks each AI system's risk tier, legal basis, and deadlines in one registry — so a shifting high-risk date or a new content-marking duty updates your plan instead of breaking it.
  • Breach and incident workflows that adapt to changing thresholds and deadlines, with audit-ready records whether the rule is 72 or 96 hours.
  • Compliance scoring that shows GDPR and AI Act posture in a single dashboard, flagging what changes when guidance or legislation moves.

For a free first read on where you stand today, try our [compliance scan](/scan), or see our [complete GDPR compliance guide](/resources/blog/complete-guide-gdpr-compliance-2026) for the foundations these changes build on.

Conclusion

The Digital Omnibus is the most significant rework of EU privacy law since the GDPR began. But "significant" does not mean "settled." The AI Act deadline extensions are provisionally agreed; the cookie, breach, and personal-data changes are still proposals being negotiated, some of them contested by the very regulators who will enforce them.

The teams that come out ahead will not be the ones who deregulate their own programmes in anticipation. They will be the ones who treat this as a prompt to modernise — cleaner consent UX, tighter AI inventories, faster incident workflows — so that whichever version becomes law, they are already most of the way there.

Start by mapping where you rely on cookie consent and AI today. The rest follows.