Articles
Industry news
EU Digital Omnibus: Here's what you should know about the GDPR simplification project
Industry news
new

EU Digital Omnibus: Here's what you should know about the GDPR simplification project

Published  

11/20/2025

by 

Thierry Maout

7
min read

Published  

November 20, 2025

by 

Thierry Maout

10 min read
Summary

The European Commission officially introduced its digital omnibus initiative on November 19, 2025, presenting a number of proposed changes to the current regulatory framework in Europe, with the stated objective of simplifying the digital ecosystem, promoting innovation for European businesses, and improving the online experience for consumers.

In this article, we go over what has led us to this point and what the final version of the Digital Omnibus (so far) entails, focusing specifically on our scope of expertise, before sharing our takeaways and where we believe we should go next.

High-level takeaway: While a segment of small websites may no longer need CMPs for basic functions under the proposed changes presented in the EU Digital Omnibus, the reality for most organizations would be the opposite, making enterprise-grade CMPs more critical than ever.  

From the importance of establishing consent traceability to the critical role of configuration accountability, vendor and purpose classification, and the need to support one (or many) mandatory European standards in the future for automated consent signalling, the new proposed framework adds layers of nuance, conditions, thresholds, and exemptions that require careful interpretation and ongoing enforcement.

Keep in mind that the Digital Omnibus is a proposal, not a change in obligations. Nothing changes today.

Essential facts about the Digital Omnibus package of the European Commission: Context, timeline, and objectives

Over the past few years, and since the advent of the GDPR, the regulatory ecosystem of the European Union (EU) has grown significantly, with a number of laws and regulations coming into effect, forming what some organizations perceive as challenging and at times overwhelming to navigate.

At the same time, European consumers have been exposed to frequent consent prompts, leading to a phenomenon known as consent fatigue, in which data protection choices are arguably devalued by overexposure to consent banners and other privacy-related interfaces online.

As a result of these concerns, the European Commission has made regulatory simplification a priority and introduced the Digital Omnibus, a set of reforms aimed at reducing administrative and compliance red tape and costs, bringing greater consistency across different laws, removing overlaps, and making the rules easier to apply and navigate.

Digital Omnibus: The timeline of events so far

The European Commission launched a public Call for Evidence on September 16, 2025, to gather input on how various digital regulations could be simplified (to which we publicly responded). The consultation closed on October 14, 2025, and about a month later, an internal draft of the Digital Omnibus text leaked online, prompting a number of reactions online, including from our Chief Privacy Officer, Thomas Adhumeau.

Fast forward to this week, and the final version of the text was published on Wednesday, November 19, 2025.

What does the Digital Omnibus say in its final version?

On November 19, 2025, the European Commission formally announced its plan for a new Digital Package to simplify EU digital rules and boost innovation, focused on several key points:

  • Innovation-friendly AI rules, with proposed amendments to the AI Act.
  • Simplified cybersecurity reporting, with a single platform for companies to report incidents.
  • Amendments to the GDPR to boost innovation and support compliance for organizations.
  • Improved access to data by consolidating EU rules, introducing exemptions for smaller companies, and favoring European AI companies.
  • Modernized cookie rules to improve users’ online experience by introducing a one-click consent system.

Let’s look more closely at these last two points, which lie within our specific topic of expertise.

EU Digital Omnibus proposal on cookie banners and consent collection

The European Commission is proposing updates to the GDPR to specifically simplify the rules surrounding cookies, aligned with its announced objective to alleviate consent fatigue. The main points mentioned are:

  • Cookie rules moving to GDPR: Rules governing the management and role of cookies would move from ePrivacy to the GDPR.
  • Consent capping: A refusal would need to be respected for at least 6 months, with no specific details on a similar cap for consent granted.
  • Industry exemption: Large publishers and media would be subject to different rules to acknowledge the role of advertising revenue in media pluralism. 
  • Consent whitelist: Data collection for ‘low-risk’ uses could be exempt from requiring user consent.
  • ‘One-click’ consent: Ability for users to refuse requests for consent in an easy and intelligible manner with a single-click button or equivalent means.
  • ‘Automated and machine-readable data choices’:  Establishment of a browser or OS signal for users to select how their data can be shared and processed.

The EU Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, expanded on the vision behind these changes aiming at generating more than €800 million in savings for businesses annually, in official remarks accompanying the announcement of the Digital Omnibus proposal:

We are also introducing changes to the current rules on cookie banners to make sure users can express real choices and keep their devices safe:

- Users will stay in control and will be able to accept or refuse cookies with one click.
- Organisations will need to respect users' choices for 6 months.
- We also propose to define further low-risk situations for which consent should not require to collect personal data from connected devices. This would be the case for instance to maintain or restore the security of a device.

- Michael McGrath, EU Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection (Source: Remarks by Executive Vice-President Virkkunen, Commissioner Dombrovskis and Commissioner McGrath on the digital simplification package, European Commission)

While theoretically enticing, what would these changes mean in practice for European businesses, including many of our clients?

Three key takeaways from Didomi about the Digital Omnibus and its potential impact on CMPs

We have naturally been following this story very closely and have already shared our opinion publicly through educational content surrounding the initiative, opinion pieces from our leadership, and the process presented by the commission

Opinions about the Digital Omnibus tend to polarize: the cautious view that this initiative could defraud European consumers of their rights and favor Big Tech, and the optimistic outlook that it could boost European competitiveness on the global stage. Our opinion lands somewhere in between.

Below, we outline the key areas of the proposal that will matter most to privacy, compliance, marketing, and product teams.

1. Vendor classification, exemptions, and accountability will add new layers of complexity 

While the stated objective of the EU Digital Omnibus is simplification, particularly for small websites with limited data use, the reality for most organizations is more nuanced.

By moving cookie rules under the GDPR and introducing new categories of exemptions, the proposal underscores the importance of precise configuration, ongoing governance, and evidence-based consent lineage

Organizations will need to assess far more conditions before deciding whether consent is required, an exemption applies, or another pathway is possible. The role of a modern CMP would naturally evolve to help teams answer questions like:

  • Does this specific processing activity still require consent, or does it fall under one of the new “low-risk” exemptions, and how do we document that decision?
  • How do we accurately classify each vendor and purpose, especially when exemptions vary by purpose, technology, and data category?
  • What evidence do we need to demonstrate consent lineage and accountability now that cookie rules are enforceable under GDPR-level penalties?
  • How do we manage consent capping (honouring refusals for six months) across banners, analytics, and user journeys without losing business insights?
  • How do we reconcile potential browser-level preference signals with the granular, vendor-specific choices required by our marketing, analytics, and advertising stack?

For many organizations, especially those with advertising, analytics, personalisation, cross-domain tracking, or AI training workflows, the Digital Omnibus proposals make the CMP layer even more critical, and businesses will increasingly require trusted partners to operationalize these rules consistently across markets and technologies.

2. Privacy-preserving and server-side data architectures will become increasingly important

The introduction of low-risk exemptions, the possibility to perform certain operations without relying on data extracted from user devices, and the movement of cookie rules into the GDPR all point to a shift in how organizations will need to think about collecting and processing data. 

Traditionally, many of these operations have relied on cookies or other client-side signals. But as the Omnibus tightens accountability and introduces new exempted categories that depend on the nature and sensitivity of the data involved, businesses will need technical architectures that support minimization, aggregation, and secure-by-design data flows.

We see an opportunity for Privacy-enhancing technologies (PETs) and most specifically server-side tagging to address some of these challenges by helping:

  • Limit exposure to raw device-level data
  • Reduce reliance on client-side tracking
  • Design compliant data pipelines that fit within “low-risk” or “device-independent” processing
  • Maintain business-critical insights while respecting evolving regulatory expectations

Crucially, this does not eliminate the need for consent management. Instead, it creates new decision points for enterprises: when consent is required, when an exemption might apply, when a privacy-preserving setup is appropriate, and how to document these choices. 

While the Omnibus doesn’t prescribe these technologies, its structure nudges organizations toward privacy-first, server-side, and minimization-driven data strategies. Our role will be to help businesses navigate these choices and implement them responsibly.  

3. Automated and machine-readable data choices are impossible without standardization

From a technical perspective, our Chief Privacy Officer has long been vocal about the limitations of various proposed “simplification” consent mechanisms, which often overlook the practical feasibility for organizations. We can find detailed comments in this very blog dating back to 2023:

In essence, the idea is great: Users can set their preferences related to data collection once in their browser, and the technology does the rest, by communicating these preferences to every single website the person visits. That communication occurs in the backend, and users are thus less exposed to consent banners - while their choices are respected.

In practice, however, it’s not so simple.

The lack of standardization makes the idea very impractical. When user choices can reach a high level of complexity, how can we ensure that they are accurately respected and carried over without a clear framework to refer to? From one website to another and one service to the next, the categories of purposes for data collection, third-party vendors, and the overall set of choices might be vastly different.

Then, how can the technology effectively and accurately enforce user choices? Is that consent still valid? Take, for instance, the use of personal data for "analytics" purposes. While one website might label it as 'site performance', another could call it 'user behavior measurement,' and yet another might refer to it as 'visitor insights.'

This disparity in language makes it nearly impossible for technology to consistently and accurately communicate a user's preferences across different websites or apps, further complicating the validity of the consent provided.

- Thomas Adhumeau, Chief Privacy Officer at Didomi (source: Cookies, consent fatigue, and privacy standards: What's next for the AdTech industry?, Didomi blog)

The pitfalls remain the same in this latest proposal by the European Commission as they did in many previous attempts to address the same problem. 

The idea of “automated, Machine-readable and central settings of preferences” is excellent. Still, it falls short of establishing a clear pathway towards making it a reality without a comprehensive standard in place.

Final takeaways from our CEO, Romain Gauthier 

More than anything, the text confirms our conviction that consent management actors and data privacy technology vendors like Didomi are called to play a key role in the future of data privacy in the European Union. 

Organizations require trusted partners that can bring clarity, transparency, and the solutions and expertise needed to navigate changing rules and regulations, ensuring they maintain business results while respecting consumers’ rights. 

Critically, for simplification to occur, global standards must emerge, in collaboration with all parties involved, as highlighted by our CEO and co-founder, Romain Gauthier:

As it stands, the Digital Omnibus is likely to increase the complexity of digital activities for sophisticated European businesses. The principles behind the initiative are good, the details that we see in this version need to be ironed out. It’s like the spirit is there, but the letter is not quite there yet.

At Didomi, we are evaluating how to best support our clients through these adjustments. We also agree that the way out of consent fatigue is a global, machine-readable standard that we are actively working to build with other stakeholders across the data privacy, technology, business, and policy spaces. We think this has the potential of becoming a global standard if done the right way.

Additionally, we see an opportunity for organizations to leverage Privacy-Enhancing Technologies, including server-side tagging, to navigate some of the new exemptions outlined in the proposal.

We will continue to engage in discussions with all parties involved to reach a common goal of empowering European businesses while maintaining the highest standards of data protection for consumers.

- Romain Gauthier, CEO and co-founder at Didomi 

Without comprehensive standards, the European Union's ambitions will be stunted by the lack of resources and framework that empower organizations to maintain their operations while respecting the highest privacy standards Europeans have come to expect.

What are the next steps for the Digital Omnibus?

Now that the final text has been submitted, the legislative process is underway. It is difficult to draw an exact timeline of when the following stages will happen (especially for such a controversial piece of legislation). Still, the usual regulatory pathway is as follows:

  1. Proposition by the European Commission: The final text is submitted to the Parliament and the Council.
  2. Review from the Parliament and the Council: Each creates its position, amends the text, and sets a negotiation mandate.
  3. Trilogues: The three institutions negotiate and agree on a single final version.
  4. Adoption and entry into force: The Parliament and the Council approve the agreement. The law is then published and enters into force, usually 20 days later.

The length of the entire process will depend on many factors. Omnibus initiatives are subject to the same procedure but are generally expected to be faster, as they do not introduce a new law but a package of targeted amendments. Still, the earliest realistic timeline for any practical impact could be late 2026 or 2027.

Watch this space and follow us on LinkedIn as we continue to share our work and report on upcoming developments.

The author
The authors
Thierry Maout
Lead content manager at Didomi.
Managing content at Didomi. I love reading, writing, and learning about data privacy, technology, culture, and education.
Access author profile
Thierry Maout
Lead content manager at Didomi.
Managing content at Didomi. I love reading, writing, and learning about data privacy, technology, culture, and education.
Access author profile
Access author profile

Related Articles

Industry news
The next chapter of data privacy: a live discussion with Max Schrems
October 20, 2025
Read article
Industry news
European Commission's digital omnibus package: The end of consent fatigue?
October 14, 2025
Read article
Industry news
Understanding the CJEU ruling on data controller accountability and pseudonymized data
October 8, 2025
Read article
Industry news
Does Google Tag Manager (GTM) require user consent? Breaking down the 2025 decision from Germany
September 24, 2025
Read article
Industry news
What can you learn from Healthline’s $1.55M CCPA settlement?
July 21, 2025
Read article
Industry news
Is the TCF illegal? A rational look at the IAB Europe vs Belgian APD situation (May 2025)
May 16, 2025
Read article