The EU Digital Omnibus: What Legal Teams Need to Know About AI, Data Privacy and Cybersecurity
Updated November 25, 2025. On November 19, 2025, the European Commission unveiled a "Digital Omnibus" of reforms spanning artificial intelligence, data protection and cybersecurity, alongside a Data Union Strategy and a new European Business Wallet. Below are the key legal shifts and immediate takeaways for counsel advising on AI.
At a glance
- High-risk AI obligations under the AI Act would kick in only after relevant standards, support tools and guidance are formally adopted, followed by transition periods (six months for Annex III; 12 months for Annex I). If no Commission decision is adopted, back-stop dates apply: December 2, 2027 (Annex III) and August 2, 2028 (Annex I).
- The Omnibus introduces a GDPR legitimate-interest lawful basis to process personal data, including some sensitive data, for developing and operating AI, subject to safeguards, balancing tests and the right to object.
- Responsibilities for AI literacy shift more squarely to the European Commission and member states, with the European AI Office gaining stronger centralized oversight over general-purpose AI and systems embedded in very large platforms and search engines.
- The package enters trilogue with the Parliament and Council. Expect amendments over several months of debate and review.
Background
The Omnibus is a fast-track method to adjust multiple EU laws at once. Here, the changes reach across the GDPR, NIS2, the Data Act and the EU AI Act. The stated aim: clearer rules, aligned obligations and more workable compliance for AI development and deployment.
High-risk AI timing and transition
High-risk AI rules will not apply until the Commission adopts a decision confirming the necessary standards, tools and guidance are ready. Once that happens, Annex III systems (for example, certain biometrics or AI in workforce management) get six months to comply; Annex I systems (products already under EU safety rules, such as medical devices) get 12 months.
If no decision arrives, an automatic back-stop applies: Annex III from December 2, 2027 and Annex I from August 2, 2028. This creates a clearer compliance runway while companies wait for workable standards.
Lawful basis for AI training data
The Omnibus proposes a new legitimate-interest basis under the GDPR for using personal data in AI training and operation, subject to safeguards. Controllers must still perform the balancing test and honor the right to object. Practically, this could validate large-scale dataset building if risk controls are demonstrable and documented.
Reference text: GDPR, Regulation (EU) 2016/679, on EUR-Lex.
Use of special category data
Special category data may be processed for AI training where security measures, post-use removal and anonymization are in place. The Omnibus also permits processing such data to detect and correct bias, beyond high-risk use cases, recognizing that meaningful fairness testing often requires sensitive attributes.
AI literacy and governance
Obligations to foster AI literacy move toward the Commission and member states, easing vague burdens on providers and deployers. The European AI Office will gain reinforced powers for centralized oversight of general-purpose AI and AI within very large platforms and search engines, reducing fragmentation and duplicative supervision.
Sandboxes and real-world testing
An EU-level AI regulatory sandbox will be created by the AI Office and made available from 2028. This is meant to enable controlled, compliant real-world testing aligned to the evolving standards and guidance.
Simplification for SMEs and SMCs
Existing AI Act advantages for SMEs, such as leniency in penalties and simplified documentation, will extend to small mid-cap companies (SMCs). Helpful, though critics argue larger providers will still benefit more due to scale, data access and internal compliance capacity.
Interplay with other laws
The package also clarifies overlaps across the GDPR, NIS2, the Data Act and the AI Act to streamline obligations. For context on NIS2, see the NIS2 Directive on EUR-Lex.
Registration changes
Providers whose systems are used in high-risk domains but only for narrow, procedural tasks, and which the provider has assessed as not high-risk, will face reduced registration requirements. This narrows administrative load where the actual risk profile is limited.
Benefits and concerns
Business groups welcome clearer timing and a more accessible legal basis for AI training. Civil liberties groups worry about dilution of GDPR protections and the potential tilt toward Big Tech, which can capitalize quickly on expanded data access. The Commission's response: core privacy safeguards remain, and access to high-quality data is essential for safe, effective AI.
What legal teams should do now
- Map AI use cases to Annex I and Annex III, including vendor-provided tools. Prepare two implementation plans: one tied to standards publication and one aligned to the back-stop dates.
- Draft or update legitimate-interest assessments for AI training. Build clear objection workflows and data subject response playbooks.
- Set guardrails for special category data: security controls, minimization, retention/deletion, and anonymization pathways. Document bias testing protocols and justification.
- Refresh DPIAs and records of processing for training pipelines, synthetic data generation, and model evaluation.
- Align contracts with providers on data provenance, model lineage, risk controls, and cooperation duties for audits and incident response.
- Track standards, guidance and AI Office sandbox access. Pre-plan pilots that can move quickly once the sandbox opens.
- Brief the board on timing scenarios, budget implications and cross-regime impacts (GDPR, NIS2, Data Act, AI Act).
- Upskill legal, privacy and security teams on AI risk and data governance. For practical training options by role, see Complete AI Training - Courses by Job.
Next steps
The package moves into trilogue with the European Parliament and Council. Expect several months of debate and possible amendments. The Commission will also run a Digital Fitness Check to gauge cumulative impact. The AI reforms are being advanced as a stand-alone track to accelerate adoption, but there is still significant overlap with broader data and cybersecurity reforms.
Disclaimer: This communication is informational and general in nature and is not legal advice. Do not rely on it without consulting counsel about your specific circumstances. Laws and guidance may change after publication.