What’s important about the Digital Omnibus Package? A look at its GDPR implications
The Digital Omnibus Package could change how GDPR is applied — but the core security controls that safeguard personal data remain non-negotiable.
In November 2025, the European Commission published its Digital Omnibus Package, a proposal to simplify and clarify how existing EU digital laws are applied. The package includes targeted amendments to the General Data Protection Regulation (GDPR), AI Act, and other EU digital legislation.
For CIOs and CISOs in organizations that process EU personal data, the stakes are practical. As drafted, the proposal could reshape what falls under GDPR in day-to-day operations and how teams document, report, and govern high-impact processing.
As the European Commission explained in its announcement, the proposed GDPR amendments are intended to support a more “innovation-friendly privacy framework.” While negotiations are expected to unfold over the coming year, organizations don’t need to wait to reassess their data protection practices.
To put the proposal in context, we’ll start with the key amendments under negotiation and what they could change in practice for CIOs and CISOs. We’ll then zoom out to the wider regulatory landscape across the EU, U.S., and U.K., and close with the data protection priorities that remain essential regardless of the proposal’s outcome.
Proposed amendments under negotiation in the Digital Omnibus Package
The European Commission’s proposal would introduce four targeted GDPR and privacy-related amendments, alongside digital simplification measures such as the European Business Wallet and the Data Union Strategy.
Amendment summary
1) Clarify the GDPR definition of “personal data” using an entity-specific identifiability test based on “means reasonably likely to be used,” which could affect how organizations scope inventories and decide when GDPR controls apply.
2) Define clearer criteria for handling pseudonymized data so controllers and recipients can assess when pseudonymized data may not constitute personal data for a given party — impacting analytics, AI pipelines, and shared-service architectures.
3) Streamline incident and breach reporting through a single reporting mechanism intended to reduce duplicative reporting across multiple EU laws — changing escalation paths and coordination between security, privacy, and regulatory functions.
4) Modernize cookie/tracking rules and clarify GDPR-AI intersections, shaping how organizations justify, document, and govern processing where AI development, tracking technologies, and privacy compliance overlap.
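Amendment 2 turns on a technical precondition that is easy to get wrong in practice: a pseudonym only fails to identify someone for a party that cannot reverse or reproduce it. The example below is added here to illustrate that point; it is not code from the Commission proposal or from any product. It contrasts plain (unkeyed) hashing of an email address, which any recipient can confirm by hashing a guessed address, with an HMAC under a key the controller keeps. The customer records, the recipient’s guessed-address list and the key are constructed for the example. Whether a keyed dataset counts as personal data for a given recipient under the proposed test remains a legal assessment; the code only shows which party can technically re-identify.

```python
"""Keyed pseudonymization: re-identifiability depends on who holds the key.

Illustrative example added to this article; it is not code from the Commission
proposal or from any product. Records, candidate list and key are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed customer records as held by the controller (hypothetical data).
CUSTOMER_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "spend_eur": 420},
    {"email": "bob@example.com", "plan": "free", "spend_eur": 0},
    {"email": "carol@example.com", "plan": "pro", "spend_eur": 1310},
]

# Identifiers a recipient could cheaply guess or buy (constructed list).
GUESSED_EMAILS = ["alice@example.com", "bob@example.com", "dave@example.com"]


def normalize(identifier: str) -> str:
    """Canonicalize before hashing so the same person maps to one pseudonym."""
    return identifier.strip().lower()


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256. Deterministic and public: anyone can hash a guess and check
    for a match, so this does not remove identifiability for a recipient."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a key the controller keeps; without the key a recipient
    cannot compute the pseudonym of a guessed identity."""
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def build_shared_dataset(records, pseudonym_fn):
    """Produce the dataset the controller shares (pseudonym plus attributes) and
    the lookup table the controller keeps separately to re-identify on request."""
    shared, lookup = [], {}
    for rec in records:
        pseud = pseudonym_fn(rec["email"])
        lookup[pseud] = rec["email"]
        shared.append({"pseudonym": pseud, "plan": rec["plan"], "spend_eur": rec["spend_eur"]})
    return shared, lookup


def recipient_linkage(shared, pseudonym_fn, candidates):
    """Simulate a recipient trying to link rows to guessed identities using only
    the shared dataset, a candidate list and whatever pseudonym function it can run."""
    present = {row["pseudonym"] for row in shared}
    return sorted(c for c in candidates if pseudonym_fn(c) in present)


def run_scenario():
    """Return who can re-identify what under unkeyed hashing vs. keyed pseudonyms."""
    key = secrets.token_bytes(32)  # generated per run; in practice held in a KMS/HSM

    # Scenario A: unkeyed hash. The recipient confirms every guess present in the set.
    shared_a, _ = build_shared_dataset(CUSTOMER_RECORDS, unkeyed_pseudonym)
    linked_a = recipient_linkage(shared_a, unkeyed_pseudonym, GUESSED_EMAILS)

    # Scenario B: keyed pseudonym. The recipient lacks the key, so the best it can
    # do is run a keyless function over its guesses, which links nothing.
    shared_b, lookup_b = build_shared_dataset(CUSTOMER_RECORDS, lambda e: keyed_pseudonym(e, key))
    linked_b = recipient_linkage(shared_b, unkeyed_pseudonym, GUESSED_EMAILS)

    # The controller, holding the key and the lookup table, still re-identifies.
    controller_reid = sorted(lookup_b[row["pseudonym"]] for row in shared_b)

    # If the key is handed to the recipient, the distinction collapses.
    linked_b_with_key = recipient_linkage(
        shared_b, lambda e: keyed_pseudonym(e, key), GUESSED_EMAILS
    )

    return {
        "unkeyed_recipient_links": linked_a,
        "keyed_recipient_links": linked_b,
        "keyed_recipient_links_given_key": linked_b_with_key,
        "controller_reidentifies": controller_reid,
        "shared_rows_contain_email": any("email" in row for row in shared_b),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two design choices matter for the "given party" question: the key must never travel with the dataset (the last scenario shows the protection disappears the moment it does), and a low-entropy identifier such as an email address must never be shared as an unkeyed hash, because the recipient can enumerate candidates and confirm matches. The lookup table is what lets the controller still honor access and erasure requests for the pseudonymized rows.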
Why GDPR sits at the center of Europe’s regulatory complexity
Since GDPR became enforceable in 2018, it has served as the foundation of the EU’s digital regulatory approach. Its core principles — “fair, safe and transparent processing of personal data, ensuring that individuals remain in control” — shape how the EU governs data wherever personal information is involved.
GDPR Refresher
GDPR is the EU’s baseline data protection law. It sets rules for lawful processing of personal data, grants individuals rights (such as access and erasure), and requires organizations to implement appropriate security and accountability controls.
Notably, just one year before the Digital Omnibus Package was published, GDPR itself was not expected to change. Following its periodic evaluation in the summer of 2024, EU officials emphasized enforcement and consistency in their review, not reform.
From single framework to regulatory hub
That expectation shifted quickly as EU digital regulation expanded and AI adoption accelerated. A narrow simplification initiative launched in early 2025 converged with a broader realization: Europe’s digital rulebook had become burdensome and costly to administer.
This concern did not emerge overnight. GDPR has been layered with a steady stream of additional EU digital laws designed to address specific risks, markets, and technologies. While these regulations build on GDPR’s core principles, each introduces its own scope, obligations, and enforcement mechanisms.
Collectively, these laws have created overlapping obligations, parallel reporting requirements, and fragmented compliance expectations. The Digital Omnibus Package is one response to this EU-specific complexity — but the broader challenge of overlapping requirements is increasingly global.
Major digital laws introduced since GDPR
The following tables highlight major privacy, AI, cybersecurity, and digital governance laws introduced since GDPR across different geographies.
European Union
| EU regulation | Focus area | Year effective |
|---|---|---|
| AI Act | Regulate AI through a risk-based framework that bans harmful uses and imposes stricter rules on general-purpose AI systems. | 2025 and 2026 |
| Data Act | Strengthen the data economy by ensuring fair access from connected products and enabling easier switching between cloud and data services. | 2025 |
| Data Governance Act (DGA) | Enable data sharing by allowing the reuse of certain protected public-sector data, regulating data intermediaries, and promoting data altruism. | 2023 |
| Digital Markets Act (DMA) | Make digital markets fairer by designating large “gatekeeper” platforms and imposing rules on core platform services. | 2023 |
| Digital Operational Resilience Act (DORA) | Strengthen financial-sector resilience through ICT risk-management and incident-reporting requirements and tighter oversight of critical third-party ICT providers. | 2025 |
| Digital Services Act (DSA) | Improve internet safety and accountability by setting transparency and governance rules for online platforms. | 2024 |
| Network and Information Security Directive 2 (NIS2) | Require medium and large entities in critical sectors to strengthen cyber risk management and incident reporting. | 2024, as transposed by member states |
Europe isn’t alone in the regulatory fragmentation puzzle. The U.S. has no omnibus federal privacy law, but since GDPR took effect, it has added 19 state-level privacy statutes. For organizations operating across local, national, and global jurisdictions, each new layer — with different definitions, thresholds, and enforcement — compounds compliance complexity.
United States
| U.S. regulation | Focus area | Year effective |
|---|---|---|
| California Consumer Privacy Act (CCPA), as amended by California Privacy Rights Act (CPRA) | Protect consumer privacy by expanding individual data rights and imposing stricter obligations for businesses that collect, share, and use personal information. | 2020, amended in 2023 |
| Colorado Privacy Act (CPA) | Provide consumers with access, correction, deletion, and opt-out rights while requiring data minimization and accountability from controllers. | 2023 |
| Connecticut Data Privacy Act (CTDPA) | Strengthen consumer control over personal data and impose transparency and purpose-limitation requirements on businesses. | 2023 |
| Delaware Personal Data Privacy Act (DPDPA) | Provide consumer rights and impose obligations on businesses, including nonprofits and higher education. | 2025 |
| Indiana Consumer Data Protection Act (ICDPA) | Grant consumers rights to access, delete, and opt out of data processing, with controller accountability requirements. | 2026 |
| Iowa Consumer Data Protection Act (ICDPA) | Provide consumers with access, deletion, and opt-out rights while emphasizing notices and security obligations. | 2025 |
| Kentucky Consumer Data Protection Act (KCDPA) | Provide consumers’ rights similar to the state of Virginia’s model, with enforcement by the Attorney General. | 2026 |
| Maryland Online Data Privacy Act (MODPA) | Strengthen consumer privacy protections with enhanced limits on data collection and use. | 2025 |
| Minnesota Consumer Data Privacy Act (MCDPA) | Expand consumer rights and impose stronger accountability obligations, including data minimization. | 2025 |
| Montana Consumer Data Privacy Act (MTCDPA) | Limit data collection to what is necessary and require reasonable data security safeguards. | 2024 |
| Nebraska Data Privacy Act (NDPA) | Grant consumers access and opt-out rights, applying them broadly across industries. | 2025 |
| New Hampshire Privacy Act (NHPA) | Protect consumer personal data through access, correction, and deletion rights. | 2025 |
| New Jersey Data Privacy Act (NJDPA) | Provide consumers with control over personal data and require contractual safeguards with processors. | 2025 |
| Oregon Consumer Privacy Act (OCPA) | Expand consumer rights and apply privacy obligations broadly, including to certain nonprofits. | 2024 |
| Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) | Grant consumers transparency and control over personal data without a statutory cure period. | 2026 |
| Tennessee Information Protection Act (TIPA) | Protect personal data through consumer rights and encourage compliance via recognized privacy frameworks. | 2025 |
| Texas Data Privacy and Security Act (TDPSA) | Impose broad privacy rights and security requirements with no minimum data-processing thresholds. | 2024 |
| Utah Consumer Privacy Act (UCPA) | Establish baseline consumer data rights and outline business obligations. | 2023 |
| Virginia Consumer Data Protection Act (VCDPA) | Grant consumers rights over personal data and require businesses to limit, secure, and assess data processing activities. | 2023 |
The U.K. is not left out of the digital regulation complexity equation. Following Brexit, the U.K. retained its version of GDPR and has since amended aspects of its data protection framework through the Data (Use and Access) Act (DUAA). The DUAA reflects a similar simplification and innovation focus to the EU’s Digital Omnibus Package, while taking a distinct approach.
United Kingdom
| U.K. regulation | Focus area | Year effective |
|---|---|---|
| Data (Use and Access) Act (DUAA) | Most significant overhaul of U.K. digital law since GDPR, aimed at reducing compliance burdens, streamlining cookie consent, easing automated decision-making rules, and enabling data-driven innovation while preserving core protections. | 2026 (phased) |
| Investigatory Powers (Amendment) Act 2024 | Expands and updates government powers for lawful interception, surveillance, and data access, including obligations on communications and technology providers. | 2024 |
| Online Safety Act | Imposes safety, risk-management, and accountability obligations on online platforms to address illegal and harmful content, with enhanced regulatory oversight. | 2023 |
| Privacy and Electronic Communications Regulations (PECR) | Governs electronic marketing, cookies, and communications privacy, operates alongside U.K. GDPR, and has been amended post-GDPR to align with evolving digital practices. | Ongoing (originally 2003; amended post-GDPR) |
| U.K. General Data Protection Regulation (U.K. GDPR) and Data Protection Act 2018 | Post-Brexit U.K. data protection framework that retains GDPR principles, governs lawful processing, and ensures individual rights, security, and accountability for personal data. | 2021 |
A recalibration rather than a reversal
The Digital Omnibus Package has emerged against this backdrop of regulatory strain. Left unchanged, the existing system risks undermining Europe’s ability to compete globally. Rather than a rollback, the proposal represents a recalibration.
As European Commission Executive Vice President Henna Virkkunen explained, the focus is on “simplifying the rules for the areas that are vital to the EU’s digital competitiveness: AI, cyber and data.”
Three security practices that outlast regulatory change
Regulatory interpretations may evolve, but the operational work of protecting personal data does not. At its core, effective data protection depends on understanding where regulated data lives, how it is handled, and who or what can access it.
Organizations that anchor their security programs in data-centric security, tested incident response, and third-party risk management build the flexibility needed to meet changing regulatory expectations without repeatedly re-engineering their security posture.
Data-centric security
According to Fortinet’s 2025 Data Security Report, “the top categories of exposed data were customer records (53%) and personally identifiable information (47%).” Unsurprisingly, these are precisely the data types that draw regulatory scrutiny and elevate compliance risk.
Mature programs take a more deliberate approach, focusing protection on what matters most — sensitive and regulated data.
A data-centric security approach enables organizations to:
- Gain visibility into where sensitive data resides, how it flows, and where it is most at risk.
- Classify sensitive data, an increasingly critical exercise as regulatory definitions of personal data evolve.
- Monitor and control data use, including how data is accessed, shared, stored, and potentially misused.
Key technologies: Data discovery, data classification, data loss prevention (DLP), identity and access management (IAM), data governance tools, cloud access security brokers (CASBs), and encryption.
Incident response
According to IBM’s Cost of a Data Breach Report 2025, organizations that regularly test their incident response plans identify and contain breaches faster. The report puts the average breach lifecycle at 241 days, the shortest recorded in nine years.
Rather than assuming incidents are rare, mature programs expect recurring security events and invest in repeatable response motions that hold up under pressure.
A well-defined incident response approach enables organizations to:
- Reduce mean time to identify (MTTI) and mean time to contain (MTTC) incidents.
- Meet strict notification obligations, including GDPR’s requirement (Article 33) to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, which means the detection timestamp, not the containment timestamp, starts the clock.
Key technologies: Security information and event management (SIEM), endpoint detection and response (EDR), extended detection and response (XDR), security orchestration, automation, and response (SOAR), threat intelligence platforms (TIPs), digital forensics and incident response (DFIR), and backup/recovery/system resilience technologies.
Third-party risk management
Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in data breaches doubled to 30%. At the same time, vendor ecosystems continue to expand. In 2025, 56% of companies worked with more than 100 vendors, according to Whistic’s Mid-Year Check-In 2025 Impact Report.
As vendor ecosystems grow, third parties increasingly represent a primary path for security compromise. Effective programs treat vendors as an extension of the organization’s attack surface, not just procurement relationships.
A strong third-party risk management approach enables organizations to:
- Identify which vendors have access to sensitive systems, data, or privileged credentials.
- Detect and prioritize vendor-driven risk based on security posture, access pathways, and concentration risk.
- Limit blast radius when a partner is compromised through scoping, segmentation, and rapid revocation.
Key technologies: Third-party risk management (TPRM) platforms, continuous security monitoring and external attack surface management, and network segmentation and zero-trust controls.
Enduring principles in a shifting regulatory landscape
The proposed Digital Omnibus Package may reshape how GDPR is applied as policymakers balance simplification with innovation and AI adoption. But regardless of legislative outcomes, the operational standard remains: protect sensitive and regulated data, manage risk, and demonstrate accountability.
Instead of chasing each possible change, organizations should build around what endures. Strengthening data-centric security, tested incident response, and third-party risk controls provides a stable foundation across regulatory scenarios — reducing ambiguity, limiting incident impact, and preventing vendor access from becoming the easiest path into the environment.
How SHI and Stratascale can help
Stratascale, SHI’s cybersecurity division, helps organizations navigate regulatory complexity through governance, risk, and compliance (GRC) services.
To support data-centric security
We assess data protection gaps, align controls to regulatory expectations, and operationalize security governance.
To strengthen incident response preparedness
We facilitate certified tabletop exercises (TTXs) to test decision-making, escalation, and regulatory response under real-world pressure.
To address third-party risk management
We support vendor risk assessments, program design, and continuous oversight across the supply chain.
NEXT STEPS
Ready to move from reactive compliance to operational resilience? Speak with one of SHI’s security experts today to see how SHI and Stratascale can help you build security programs that adapt as regulations, technologies, and threats evolve.