top of page
Suche

The Digital Omnibus and Expected GDPR Changes

  • Autorenbild: Tsanko Kalchev
    Tsanko Kalchev
  • vor 1 Tag
  • 3 Min. Lesezeit

Digital Omnibus


The European Union is entering a new phase of digital regulation. While the General Data Protection Regulation (GDPR) remains the cornerstone of EU data protection law, policymakers are increasingly moving toward a more integrated legislative approach—commonly referred to as the “Digital Omnibus.”


This approach is not a single legislative act, but rather a coordinated update of multiple EU digital frameworks, aimed at reducing fragmentation, improving enforcement, and adapting to emerging technologies such as artificial intelligence.


For businesses operating in or targeting the EU market, understanding these developments is critical to maintaining compliance and mitigating regulatory risk.


1. What Is the “Digital Omnibus”?


The “Digital Omnibus” describes a policy trend toward harmonizing and aligning key EU digital laws, including:


  • GDPR

  • AI Act

  • Data Act

  • Digital Services Act (DSA)


The objective is clear:


Simplify compliance while strengthening regulatory effectiveness

Unlike previous standalone regulations, the EU is now focusing on a holistic digital regulatory ecosystem.


2. Why Is GDPR Being Revisited?


Since its entry into force in 2018, GDPR has:

  • Established a global benchmark for data protection

  • Strengthened individual rights

  • Created significant compliance burdens, particularly for SMEs


Regulators are now evaluating how to:

  • Reduce administrative complexity

  • Improve consistency across Member States

  • Ensure compatibility with newer legislation (especially AI-related laws)


3. Key Expected Developments (“GDPR 2.0”)


a) Simplification for SMEs


A major focus of reform is proportionality. Likely changes include:

  • Reduced documentation requirements

  • Simplified record-keeping obligations

  • Clearer guidance for small and medium-sized enterprises


Expect a more risk-based and business-friendly compliance model. Businesses should also consider jurisdiction-specific requirements, such as those applicable in Bulgaria, discussed in our GDPR compliance for foreign businesses in Bulgaria article.


b) Alignment with the AI Act


The interaction between GDPR and AI regulation is one of the most important future developments.


Expected changes:

  • Clarification of automated decision-making rules

  • Enhanced transparency obligations for AI systems

  • Harmonized definitions of high-risk processing


Businesses using AI should prepare for dual compliance frameworks


c) Stronger and Faster Enforcement


One of the main criticisms of GDPR has been inconsistent enforcement across Member States.


Potential improvements:

  • Expanded powers for the European Data Protection Board (EDPB)

  • Streamlined cross-border case handling

  • Faster dispute resolution mechanisms


d) Updated International Data Transfer Rules


Following the Schrems II ruling, international data transfers remain a high-risk area.

Future reforms may include:

  • More robust transfer mechanisms

  • Clearer guidance on third-country risk assessments

  • Possible new adequacy frameworks


Cross-border businesses should expect stricter scrutiny of data flows


e) Enhanced Accountability and Risk-Based Approach


The future GDPR framework is likely to emphasize:

  • Risk-based compliance obligations

  • Greater flexibility for low-risk processing

  • Increased focus on high-risk technologies (e.g. biometrics, AI)


4. Interaction with Other EU Digital Laws


The GDPR will increasingly operate within a broader regulatory framework:

  • Digital Services Act (DSA) → platform responsibilities

  • Data Act → data sharing and access rules

  • AI Act → risk-based AI governance


Compliance will require an integrated legal strategy, not a siloed approach.


5. What Businesses Should Do Now


Even before formal reforms are adopted, organizations should take proactive steps:

  • Implement privacy-by-design and by-default principles

  • Map data flows and identify AI-driven processing

  • Review international transfer mechanisms

  • Monitor EU legislative developments closely


Conclusion


The GDPR is not being replaced—but it is evolving. The “Digital Omnibus” signals a shift toward a more integrated, technology-driven regulatory landscape, where data protection, AI governance, and digital platform regulation are increasingly interconnected.


Organizations that anticipate these changes and adapt early will be best positioned to navigate the next phase of EU digital law.


For a general overview of GDPR obligations, see our article on GDPR compliance for foreign businesses in Bulgaria.


Contact


Preparing for upcoming GDPR reforms and AI regulation? We help businesses stay compliant with evolving EU law.


Our team supports international businesses with EU compliance.




Contact us:


Phone: 00359 88 44 55 39

 
 
 

Kommentare

bottom of page