Digital Omnibus Regulation: What It Means for GDPR Compliance

European businesses operate within an increasingly complex digital regulatory environment that affects how data, consent and user privacy are managed. In November 2025, the European Commission published the Digital Omnibus Regulation proposal, intended to simplify and better align several core digital laws, including the GDPR, the ePrivacy Directive, the Data Act and the AI Act.

For organisations operating across EU markets, the proposal reflects an effort to reduce regulatory fragmentation and improve legal clarity. For team.blue and the more than 3.3 million customers we support across 22 European countries, understanding the potential scope of these changes and their practical implications is relevant from both a compliance and an operational standpoint. In this blog, we aim to clarify what this proposal entails.

What Is Changing Under the Proposal

The Digital Omnibus Regulation does not replace existing legislation. Instead, it seeks to refine and harmonise how different digital laws interact, addressing areas where overlapping or inconsistent requirements have created practical challenges for organisations.

In particular, the interaction between the GDPR and the ePrivacy Directive has led to fragmented national implementations, duplicated compliance efforts and inconsistent user experiences across jurisdictions. The proposal aims to reduce this fragmentation by strengthening coherence between the two instruments, including clearer allocation of consent-related requirements and closer alignment of enforcement approaches, while maintaining robust protection of individuals’ rights.

Five Key Changes to Watch

1. Cookie and consent rules embedded in the GDPR

The device-access rule (cookies and similar tracking technologies) would move from ePrivacy Art. 5(3) into a new GDPR Article 88a. This would make these obligations part of the GDPR’s core, directly applicable framework and significantly reduce the national fragmentation caused by differing Member State implementations. Under the proposed Article 88a, consent would remain the default legal basis for device access, subject to a defined set of exceptions listed in the provision itself, including strictly necessary purposes and certain first-party analytics activities. Where consent is required, it would have to meet full GDPR standards, including demonstrability, ease of withdrawal and accountability, and violations would fall under the GDPR’s enforcement and administrative fine regime.

By bringing consent rules under the GDPR, the proposal reinforces the role of consent mechanisms in day-to-day data processing and raises expectations around how they are built, managed and maintained.

2. Mandatory symmetry between accept and reject options

Consent interfaces would be required to present accept and reject options with equal prominence. Organisations would need to review consent banner design and user flows to ensure that refusing consent is as straightforward as granting it.

3. Enforced cooling-off periods after refusal

Once a user’s choice has been expressed, organisations would not be permitted to request consent again for as long as that consent remains valid. In cases where consent has been refused, the same purpose could not be re-prompted for a minimum period of six months.

4. Recognition of browser-based preference signals

The proposal signals a shift from a purely banner-based consent model to a more signal-aware approach, allowing users to express their preferences through browser or operating system settings, the EU Digital Identity Wallet, or similar tools. Where a valid, machine-readable preference signal is present, controllers would be required to detect and respect it without relying solely on banner-based interactions. Harmonised EU standards would define the technical formats and conditions under which such signals are recognised and applied consistently across the EU.

5. Clearer rules for AI training and operational compliance

The proposal introduces the possibility of relying on legitimate interest for AI training, subject to safeguards such as transparency obligations, documented risk assessments and an unconditional right to object. In parallel, operational requirements including incident reporting and Data Protection Impact Assessments would be further standardised.

Operational Considerations and Ongoing Compliance

While the Digital Omnibus Regulation remains a proposal and is unlikely to enter into force before 2027, existing GDPR and ePrivacy obligations continue to apply in full.

Organisations should therefore maintain current compliance measures while assessing whether consent management, documentation and governance processes can adapt to potential future requirements. Reviewing consent flows, preference handling and internal documentation practices can help reduce future implementation effort, without affecting or anticipating current legal obligations.

Supporting Compliance Across Markets

At its core, the Digital Omnibus proposal reflects a European approach to digital regulation: protecting fundamental rights while enabling innovation at scale. For organisations operating globally, this reinforces Europe’s role as a standard-setter in privacy and digital governance.

As part of its commitment to supporting businesses operating across Europe, team.blue offers a dedicated compliance cluster designed to help SMBs manage privacy, consent and data protection requirements across markets. Within this cluster, iubenda and its specialised brands - Consentmanager, Complianz and CookieFirst - actively contribute to regulatory discussions, providing industry feedback to the European Commission and participating in technical roundtables to share practical implementation insights.

This involvement gives iubenda early visibility into how regulatory intent is translating into operational guidance, helping organisations prepare for change while continuing to meet core requirements under European privacy and data protection law.

By combining regulatory monitoring with practical product capabilities, team.blue supports businesses in managing consent, maintaining privacy documentation and applying consistent compliance standards across jurisdictions.

Learn more about the team.blue ecosystem and our compliance offering on our website.

