Insights

The EU Digital Omnibus Package (2025)

Strategic note for Public Affairs, Compliance and Legal teams

Tomás Burgaleta Alonso

Tomás Burgaleta Alonso

December 1, 2025
5 min read
The EU Digital Omnibus Package (2025)

Executive summary

The Digital Omnibus Package from the European Commission (19 Nov 2025) is the most meaningful reset of the EU digital rulebook since GDPR. The goal is to reduce fragmentation, cut administrative friction and create real room for European AI and data innovation.

The uncomfortable truth is simple: this proposal will not survive the legislative process intact. What matters is not the current wording, but the direction of travel, and your ability to anticipate where it is likely to land.

For public affairs, legal and compliance teams, this is a strategic moment, not a narrow technical update. Organisations that build clarity early will be in a better position to capture upside and avoid regulatory misalignment, political shocks and reputational damage.

Reversa exists for exactly this kind of environment: tracking a moving target, separating signal from noise, and helping teams operationalise the right actions at the right moment, at EU level and in Spain.

The real context: why the Omnibus exists

The Omnibus is the Commission's response to three growing pressures.

Competitiveness

Investment in AI is drifting away from Europe. Compliance costs have climbed and innovation cycles have slowed down.

Geopolitics and trade

The United States is openly questioning EU digital rules as potential non tariff barriers. A new round of transatlantic tensions would be costly for both sides.

Regulatory overload

GDPR, NIS2, DSA and DMA, the Data Act and the AI Act have created overlapping and sometimes inconsistent obligations. This is particularly painful for SMEs.

The political message from the Commission is clear enough: Europe needs both protection and growth. The pendulum is moving toward a more balanced position.

What the Omnibus does (proposal stage)

This is the public affairs safe view: factual, contained and free of speculation.

AI Act: adjustment, not repeal

  • Slower enforcement timelines for several high risk categories
  • Simplified documentation duties for SMEs and mid caps
  • More regulatory sandboxes and real world testing
  • Reduced registration burdens for narrow and procedural systems

Political friction: sustained NGO pressure and concerns in LIBE and IMCO about weakening safeguards that took years to negotiate.

GDPR and ePrivacy, the most contested area

  • Breach notification moved to 96h instead of 72h
  • Clearer framing of pseudonymisation
  • Some additional room for data reuse, including AI training, under tighter accountability conditions
  • Reduction of cookie banner fatigue, including centralised consent options
  • Targeted limits to access rights where trade secrets are at stake

Political friction: high. This is where the core battle between innovation and fundamental rights is likely to play out.

Cybersecurity: a single reporting channel

  • Long term direction toward a single interface for cyber incident reporting
  • Scope, timelines and technical architecture are still undefined
  • Existing overlapping obligations remain fully in force in the meantime

Political friction: low. Broad alignment, but progress is likely to be gradual.

Data Union strategy and business wallet

  • Data spaces, experimental environments and synthetic data
  • Guidance and a legal helpdesk model
  • Reusable EU level business credentials

Political friction: medium. There is broad support, but member states will push back on data sovereignty issues.

The political map: what PA professionals need to track

Where the main fights are likely to take place:

  • Parliament committees: LIBE, IMCO, JURI
  • National DPAs, with the AEPD expected to stay on the conservative side
  • Positions of German, French and Spanish governments
  • Civil society actors such as noyb and EDRi
  • US EU trade and competition pressure points
  • The Commission's narrative on digital competitiveness

Likely fault lines:

  • AI training on personal data
  • The practical scope of pseudonymisation
  • The real extent of SME relief
  • How uniform the cyber single entry point becomes in practice
  • Cookie whitelists and exceptions
  • Interoperability between GDPR, the Data Act and the AI Act

Key truth: whoever shapes the interpretation layer will effectively shape compliance reality. That is why early and structured tracking matters.

Implications for organisations

For Public Affairs

  • The Omnibus will change significantly through the process, so positioning early is key
  • Design influence strategies with trilogues and national follow up in mind
  • Make sure internal leadership understands that simplification ≠ deregulation

For Legal

  • Build dual scenario compliance plans, from strict to more flexible outcomes
  • Map all high risk AI systems and attach timeline variants to each scenario
  • Prepare for potential shifts in GDPR legal bases and in how data reuse is interpreted
  • Revisit privacy notices, data governance frameworks and DPIA structures

For Compliance

  • Plan for a messy transition phase. Simplification, if it comes, will arrive after that, not before
  • Update privacy and AI governance workflows so they can absorb mid process changes
  • Review cookie consent models and UX dependencies
  • Map cyber reporting chains. Expect duplication to remain for some time

For Executive teams

  • Treat this as a strategic pivot, not as a footnote in the compliance agenda
  • Use early clarity to gain competitive advantage rather than simply avoid risk
  • Frame the exposure correctly: it is reputational, operational and political, not just legal

How Reversa helps

From a one off fire drill to an operating system for the regulatory cycle

The Digital Omnibus makes one point very clear. The hard problem is no longer reading a single regulation. The hard problem is managing a moving, political and multi layered legislative cycle that cuts across several internal teams.

Public Affairs needs early visibility and a clear political map.

Legal needs to work with evolving drafts and think in terms of scenarios, not static texts.

Compliance needs to know exactly when an obligation changes and how that should flow into processes, controls and reporting.

Executives need a concise view that connects regulatory direction to timing, investment and risk decisions.

Most organisations still try to do all of this with scattered PDFs, spreadsheets, email threads and knowledge that lives mainly in the heads of a few key people. That model does not scale for something as broad and contested as the Digital Omnibus.

What is missing is a system that can:

  • Follow the full lifecycle of a package like this, from Commission proposal through amendments, trilogues and national implementation
  • Connect each relevant change to concrete implications for AI governance, data, cybersecurity and internal operations
  • Align internal work so Public Affairs, Legal and Compliance teams operate from a single, shared view of what is happening and why it matters
  • Cut noise by making clear what is structural, what is marginal and what is mostly political positioning

This is the problem Reversa is built to solve. An AI driven regulatory system that helps Public Affairs, Legal and Compliance teams move past reactive monitoring and work from a shared strategic view when they face complex, fast moving EU files like the Digital Omnibus.

The goal is not just speed. The real value is strategic precision under uncertainty: managing the regulatory cycle and its business impact as an integrated, repeatable process, instead of treating each major file as an isolated fire drill.

agenda una demo hoy

Cookie Usage

We use analytical cookies to improve our website and your experience. For more information, visit our Cookie Policy.