The Digital Omnibus focuses on two major areas: AI and Data
In a nutshell – what is in the Omnibus?
AI Omnibus: The EU Commission proposes to amend the AI Act to seek compliance facilitation and proposes a delay of the implementation of the Act up to 2027.
Data Omnibus: The package proposes to amend key “data acquis”, including the GDPR (e.g. facilitating the use of data for AI training), and incident reporting.
The proposal seeks to amend the following pieces of legislation:
GDPR (Regulation 2016/679)
AI Act (Regulation 2024/1689)
Data Act (Regulation 2023/2854)
NIS2 Directive (Directive 2022/2555)
ePrivacy Directive (Directive 2002/58/EC)
It seeks to repeal the following pieces of legislation by merging them into a single unified and harmonised structure:
Platform-to-Business (P2B) Regulation
Data Governance Act (DGA)
Free Flow of Non-Personal Data Regulation
Open Data Directive
Should you be interested, please find below an overview of some of the major changes proposed by the Omnibus.
Key measures of the AI Omnibus
The proposed text lists the following “targeted changes” to be made:
Clarified legal basis for providers and deployers of AI systems and AI models to exceptionally process special categories of personal data for bias detection and correction (under certain conditions) as mentioned previously.
Removal of database registration for certain high-risk AI systems that fall out of scope (when matching the "filter" conditions of the AI Act)
Stronger enforcement powers for the EU Commission, including AI Office-centralised enforcement for AI systems based on GPAI models (GPAI systems) and AI services under the Digital Services Act.
Removal of the mandatory template for a post-market monitoring plan, which was to be drafted by the Commission to adopt (to be replaced instead by guidance).
AI literacy is no longer an obligation. Instead, EU Member States will be encouraged to take AI literacy measures.
Possibility to launch a regulatory sandbox at EU level for AI systems within the Commission's exclusive supervision. Cross-border cooperation should be reinforced for national sandboxes.
A few exemptions and privileges are extended to small mid-caps (companies limited to 750 people and a maximum annual turnover of €150 million) including on technical documentation and quality management system.
New legal basis to facilitate real-world testing
Deadline specified for the changes to sectoral legislation under Annex I, section B (to integrate high-risk AI requirements into sectoral laws). The Commission will have one year to propose draft amendments, which would apply by the omnibus' "entry into force".
Clarification on the interplay with the Cyber Resilience Act (CRA).
Quite importantly, the legislation proposes to delay the AI Act’s high-risk requirements until the end of 2027. Additionally, it proposes moving the date when the high-risk requirements associated with AI systems linked to sectoral regulated products will take legal effect to August 2028.
This raises key questions regarding timeline. Indeed, should EU institutions not be able to come to an agreement on a final version of the text before August 2026 (at which time the AI Act’s high-risk regime is meant to apply), a risk exists that a window would open during which enforcement of high-risk infringements would be technically possible.
Data Omnibus
In order to address regulatory complexity, the Commission has decided to consolidate various existing frameworks into the Data Act (see above for the list of repealed legislation). However not all repealed legislation will be integrated into the new consolidated legislation equally. Indeed, nearly all of the Free Flow of Non-Personal Data Regulation will be repealed, except for a few articles, such as those defining “data localisation requirements”. Conversely, most of the Data Governance Act and the Open Data Directive will be retained and adapted within the Data Act. Overall, the newly consolidated Data Act would propose to:
Target exemptions to cloud-switching rules for SMEs and SMCs and for providers of custom-made data processing services
Remove mandatory registration and label for data intermediation service providers, fostering growth by lowering entry barriers to the market of data intermediation services;
Reduce complexity of the data altruism framework to make sharing data for the public good easier;
Limit and clarify the scope of the business to government sharing provisions to ensure that governments can have sufficient data in emergency situations (e.g. in cases of massive floodings or a pandemic) while not putting extra burdens on companies to share their data for situations that are not related to emergencies.
Ensure public sector bodies set out higher charges and fees for the re-use of open government data and protected data by very large enterprises (designated as gatekeepers under the Digital Markets Act).
Modernisation of “cookie rules” through a “one click consent” and central settings of preferences for how users want their data to be shared and processed.
Create a single reporting point for reporting of Cyber incidents for NIS2 Directive, GDPR, the Digital Operational Resilience Act Regulation, the Critical Entities Resilience Directive and the EU Digital Identity Regulation.
New interplay between the GDPR and the AI Act
Amongst the key things the Commission proposes is that anonymised data should no longer be considered “personal” and thus should find itself excluded from the scope of the GDPR. However, this would depend on whether the entity holding the data is unable to identify the person to whom the data relates to and taking into account the means reasonably likely to be used by the entity. Even if a subsequent entity might be able to later identity someone through anonymised data by using different tools, this will not be considered sufficient for the data to be classified as “personal”.
Another key issue the proposal puts forward is making the ban on “sensitive” data listed under article 9 of the GDPR (such as ethnic origin, sexual orientation, health status etc.) more flexible. Under the proposed changes, the ban would only apply to data where there is a direct risk of revealing sensitive information. Quite importantly, the proposed changes would allow for exemptions to this ban if the data is used for training and operating AI models under certain conditions (see article 88c of the omnibus).
The omnibus also aims to introduce a new article which would make legal for AI developers to rely on the “legitimate interest” legal basis when training their AI models on personal data. Indeed the text states that “The development and use of AI systems and the underlying models such as large language models and generative video models rely on data, including personal data, in various phases in the AI lifecycle, such as the training, testing and validation phase and may in some instances be retained in the AI system or the AI model” (see recital 30 of the omnibus).
What does this all mean and what’s next?
The EU Commission, through this legislative proposal is making an ambitious first step in seeking to simplify major pieces of legislation such as the AI Act and the GDPR. Should this be achieved, the EU Commission would be able to “bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness”
However, some members of the European Parliament from the Greens, Renew, and S&D political groups have already expressed some scepticism and discontent at the EU. The Omnibus will now go to the Council (EU Member States) and European Parliament, who will have to agree on their respective negotiating positions before beginning interinstitutional negotiations. Agreeing on a final text as soon as possible will be crucial to guarantee certainty for businesses operating in the EU.
techUK will continue to analyse the proposal and its evolution throughout the legislative process and provide membership with relevant updates.
For more information, please contact:
Theophile Maiziere
Policy Manager - EU, techUK
Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.
Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.
Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.
Theo holds and LLM in International and European law, and an MA in European Studies, both from the University of Amsterdam.
techUK International Policy and Trade Programme activities
techUK supports members with their international trade plans and aspirations. We help members to understand market opportunities, tackle market access barriers, and build partnerships in their target market. Visit the programme page here.
techUK Report - Enabling Growth and Resilience: the UK Tech Sector in an Uncertain World
New techUK report outlines key policy recommendations to boost the UK’s growth through the tech sector amid global challenges, emphasising resilience, trade leadership, and strategic investment.
Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.
Senior Policy Manager for International Policy and Trade, techUK
Daniel Clarke
Senior Policy Manager for International Policy and Trade, techUK
Dan joined techUK as a Policy Manager for International Policy and Trade in March 2023.
Before techUK, Dan worked for data and consulting company GlobalData as an analyst of tech and geopolitics. He has also worked in public affairs, political polling, and has written freelance for the New Statesman and Investment Monitor.
Dan has a degree in MSc International Public Policy from University College London, and a BA Geography degree from the University of Sussex.
Outside of work, Dan is a big fan of football, cooking, going to see live music, and reading about international affairs.
Sabina Ciofu is International Policy and Strategy Lead at techUK, where she heads the International Policy and Trade Programme. Based in Brussels, she shapes global tech policy, digital trade, and regulatory cooperation across the EU, US, Canada, Asia-Pacific, and the Gulf region. She drives strategy, advocacy, and market opportunities for UK tech companies worldwide, ensuring their voice is heard in international policy debates.
With nearly a decade of previous experience as a Policy Advisor in the European Parliament, Sabina brings deep expertise in tech regulation, trade policy, and EU–US relations. Her work focuses on navigating and influencing the global digital economy to deliver real impact for members.
A passionate community-builder, Sabina co-founded Young Professionals in Digital Policy (800+ members) and now runs Old Professionals in Digital Policy (more experience, better wine, earlier nights). She is also the founder of the Gentlewomen’s Club, a network of 500+ women supporting each other with kindness.
She holds advisory roles with the UCL European Institute, Café Transatlantique (a network of women in transatlantic tech policy), and The Nine, Brussels’ first members-only club for women.
Recognised by ComputerWeekly as one of the most influential women in UK tech, Sabina is also a sought-after public speaker on tech, trade and diversity.
Sabina holds an MA in War Studies from King’s College London and a BA in Classics from the University of Cambridge.
Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.
Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.
Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.
Theo holds and LLM in International and European law, and an MA in European Studies, both from the University of Amsterdam.
Lewis' programmes cover a range of policy areas within Market Access (international trade regulation, sanctions and export controls, technical standards and product compliance, supply chains) and Consumer Tech (media and broadcast policy, consumer electronics, and connected home technology).
Prior to joining techUK, Lewis worked in government affairs and policy roles for international trade associations in Southeast Asia including the American Malaysian Chamber of Commerce and the European Chamber of Commerce in Cambodia.
He holds an undergraduate degree in Social and Political Sciences from the University of Cambridge and an MSc in Public Policy & Management from SOAS University of London.
Tess joined techUK as an Policy and Public Affairs Team Assistant in November of 2024. In this role, she supports areas such as administration, member communications and media content.
Before joining the Team, she gained experience working as an Intern in both campaign support for MPs and Councilors during the 2024 Local and General Election, and working for the Casimir Pulaski Foundation on defence and international secuirty. She has worked for multiple charities, on issues such as the climate crisis, educational inequality and Violence Against Women and Girls (VAWG). In 2023, Tess obtained her Bachelors of Arts in Politics and International Relations from the University of Nottingham.
Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.
Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.
Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.
Theo holds and LLM in International and European law, and an MA in European Studies, both from the University of Amsterdam.
