The Digital Omnibus is a forthcoming package of legislative changes at the EU level that aims to streamline and simplify the increasingly complex regulatory landscape surrounding data, artificial intelligence, and digital responsibility. Its goal is not to weaken personal data protection but to reduce compliance costs, particularly for smaller and medium-sized enterprises, while maintaining high security standards.

In this article we explain:

  • how the definition of personal data might change and why this is good news for smaller companies,
  • when an incident is deemed to be "likely high risk",
  • and why 96 hours to report a breach may soon become the new standard.

What is the Digital Omnibus and where did it come from?

The Digital Omnibus is not a single new law, but a package of coordinated changes to existing and upcoming regulations, such as the GDPR, the AI Act, and the Data Act. The European Commission noted that:

  • the same concepts are defined differently in different legal acts,
  • reporting obligations are often duplicated,
  • and small and medium-sized businesses face disproportionately high costs of complying with the law.

The Omnibus is therefore intended to serve as a "legislative simplification" – without revolutionizing the foundations of data protection, but with a clear correction of practical obligations.

How will the definition of “personal data” change?

The most important proposed change concerns clarifying when data actually constitute personal data and when the risk of identifying a person is only theoretical.

Current status

Today, personal data is often considered to be information that:

  • may potentially lead to the identification of a person,
  • even if the administrator has no real means to make this identification.

In practice, this leads to a situation in which:

  • highly aggregated data,
  • pseudonymized data sets,
  • technical data (e.g. system logs)
    are treated in the same way as name, surname or PESEL number.

What is going to change?

The Digital Omnibus assumes a shift in emphasis to realistic possibilities of identification, rather than purely hypothetical ones.

This means that:

  • data will only be considered personal if it is possible to assign it to a specific person using reasonable means,
  • the assessment will take into account the scale of the administrator's operations, available technologies and costs.

What does this mean for smaller businesses?

For SMEs this is potentially a huge change:

  • fewer documentation obligations,
  • fewer DPIAs (Data Protection Impact Assessments),
  • lower risk of sanctions for "overinterpreting" the concept of personal data.

When does an incident become “likely high risk”?

One of the most problematic elements of GDPR today is assessing the risk of infringement on the rights and freedoms of natural persons. In practice, many controllers:

  • report almost every incident "just in case",
  • treat the Personal Data Protection Office as a “safeguard” against accusations of omission.

A new approach in the Digital Omnibus

The package of changes is intended to introduce more objective criteria for assessing when a risk becomes "likely high".

The following, among others, are to be taken into account:

  • type of data (regular vs. special categories),
  • scale of the breach (number of people, scope of data),
  • ease of identifying a person,
  • real consequences (identity theft, financial losses, discrimination).

Practical effect

Minor technical incidents such as:

  • short-term employee access to data,
  • a misdirected email without sensitive data
    will not automatically be classified as high risk.

This means fewer “precautionary” reports and a more rational approach to violations.

Why might 96 hours to report a violation become the norm?

Currently, the GDPR provides for a 72-hour reporting period from the moment a breach is discovered. In practice, this deadline proves to be:

  • too short for a reliable analysis,
  • difficult to meet on weekends and holidays,
  • a source of incomplete or premature reports.

Digital Omnibus Proposal

The new approach assumes:

  • extension of the deadline to 96 hours,
  • greater emphasis on the quality of the report rather than its speed.

What does this change?

Administrators and DPOs:

  • will gain time for a real risk assessment,
  • will be able to collect more complete technical information,
  • will limit the number of corrections and additions after reporting.

For supervisory authorities, this means less information chaos and better quality of incident data.

How will the Digital Omnibus impact the role of the administrator and the DPO?

The package of changes does not abolish responsibility, but organizes it.

Data administrator:

  • will make decisions based on more precise criteria,
  • will reduce excessive caution that generates costs,
  • will gain greater legal certainty.

Data Protection Officer:

  • will focus on real threats instead of "ticking off" formal obligations,
  • will become more of a strategic advisor than a guardian of procedures.

Summary – less formality, more sense

The Digital Omnibus is a signal that the EU recognizes the regulatory fatigue of businesses. Changes to the definition of personal data, risk assessment, and reporting deadlines could realistically:

  • reduce compliance costs,
  • reduce the number of unnecessary duties,
  • improve the quality of data protection instead of faking it.

If you are a data controller or data protection officer, it is worth preparing for these changes now and analyzing how they will affect your internal procedures and possible proceedings.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of January 14, 2026.
