The EU Digital Omnibus: What Irish Businesses Need to Know

Key Contacts: Hugo Grattirola – Partner |

What is the Digital Omnibus?

As technology advances at a rapid pace, the requirement for legislation to keep up has never been greater. Whilst the European Union (the “EU”) has been responding with digital rules as these technologies emerge, there is an equally important need to avoid a fragmented patchwork of regulations. The Digital Omnibus is the EU’s proposed answer to this.

Whilst not yet formally adopted as law, the Digital Omnibus is a wide-ranging legislative package designed to simplify the EU’s digital rulebook, without watering down the protections that already exist.

This article discusses the Digital Omnibus legislative package and explores the ways that it may impact businesses in Ireland.

Key Areas of Reform

1. Simplification of Data Rules

The planned amendments to the Data Act aim to simplify the legal landscape, strengthen competitiveness, and reduce administrative burdens. The Digital Omnibus seeks to streamline overlapping rules of the Free Flow of Non-personal Data Regulation, the Data Governance Act, and the Open Data Directive into the Data Act via new chapters and reduce inconsistency across the EU’s data legislation stack. Whilst the Data Governance Act and Data Act are structurally distinct, there are areas of interaction (for example, where data intermediaries facilitate access to data) and the Digital Omnibus proposals seek to improve coherence between these instruments.

For Irish businesses, this will allow companies to better understand and adhere to data rules, reduce maintenance costs, and switch easily between cloud and IT providers.

2. General Data Protection Regulation (“GDPR”) Adjustments

Whilst the GDPR remains a robust framework, the Digital Omnibus introduces proposals to clarify, simplify and reduce compliance burdens such as:

1. clarification of existing definitions, for example the definition of personal data gets a sharper boundary which draws a cleaner line for the processing of pseudonymised data;
2. new derogations for special category data to allow limited processing for artificial intelligence (“AI”) development and biometric verification;
3. the derogation on transparency obligations is extended to situations where processing is unlikely to result in a high risk;
4. controllers may refuse a request where a data subject abuses their rights under the GDPR for purposes other than the protection of their personal data;
5. decisions based solely on automated processing are permitted for contract performance even if a human alternative exists;
6. introduction of articles 88a and 88b will modernise cookie consent rules, with article 88a adding cookie exceptions for user-requested services and security and an easy consent refusal option to prohibit re-requesting consent for the same purpose within six months, whilst article 88b shifts toward browser-level consent signals, potentially replacing traditional banners;
7. the threshold for notifying data breaches will be raised from 72 hours to 96 hours; and
8. harmonised EU-wide templates and lists for data protection impact assessments and breach notifications will be introduced to ensure consistency.

For Irish businesses, these changes will provide further guidance on how to navigate data protection compliance.

3. Cybersecurity and Incident Reporting

The Digital Omnibus introduces a unified platform for incident reporting, which will cover obligations under regulations like the Network and Information Systems Directive (NIS2), the GDPR, the Digital Operational Resilience Act (DORA), the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation, the Critical Entities Resilience Directive and other frameworks. The platform will be piloted and assessed before full rollout, with an 18-month implementation period (extendable to 24 months).  

For Irish businesses, this will allow companies to manage cybersecurity obligations more efficiently and consistently.

4. The European Business Wallet

This proposal will provide companies and public sector bodies with a unified digital tool, enabling them to digitalise operations and interactions that in many cases currently still need to be done in person. Businesses will be able to digitally sign, timestamp and seal documents; securely create, store and exchange verified documents; and communicate securely with other businesses or public administrations in their own and the other 26 Member States.

Irish businesses will benefit from this streamlining of internal operations.

5. The AI Act

A political agreement has been reached between the European Parliament and the Council of the EU on the Digital Omnibus in respect of AI.  Key elements of the deal include:

1. rules for high-risk AI systems will apply from 2 December 2027;
2. rules for systems embedded in products such as medical devices or toys will apply from 2 August 2028;
3. AI systems generating non-consensual sexually explicit content or child sexual abuse material, including so-called “nudification” apps are prohibited;
4. a new Article 4a which expands the ability to use special category data for bias detection and correction. This is permitted only on an exceptional basis, where strictly necessary, and subject to a set of cumulative safeguards;
5. the AI Office’s enforcement powers are strengthened, particularly over general-purpose models and systems embedded in very large online platforms and search engines; and
6. the Machinery Regulation has been carved out from direct applicability of the AI Act to avoid double-regulation.

The Parliament and Council must now formally adopt the said political agreement in order for it to enter into force.

For Irish businesses, this will significantly reduce compliance burdens and costs for small to mid-size companies.

Summary

Overall, the Digital Omnibus should, if implemented effectively, lower compliance costs for Irish businesses, free up resources to innovate, facilitate cross-border operations, and support the development of new products and services.

The Digital Omnibus’s implementation does not come without its challenges. Some obstacles that businesses may face include adapting their workflows to adhere to new frameworks and reporting systems, whether it be cookie policies, data protection and cybersecurity incident reporting or internal AI governance.

How We Can Help

The Digital Omnibus represents one of the most significant overhauls of EU digital regulation in recent years. For Irish businesses, from start-ups and SMEs to multinational enterprises and critical infrastructure operators — understanding the implications of these changes and preparing for them in good time will be essential.

If you would like to discuss how the Digital Omnibus may affect your organisation, please do not hesitate to get in touch.

This article was written with the assistance of associate Laura Higgins Mulacahy.