BILL·legislative alert
2025/0360(COD) · 1st reading – European Parliament

Simplification of the digital legislative framework – Digital Omnibus (Omnibus VII)

The proposal is with the European Parliament, which is preparing its first-reading position.

Last active 16 Jun 2026

What this bill does

In plain terms: what it changes and who it affects.

This proposal simplifies EU digital rules on data, privacy, cybersecurity reporting, and platform regulation while keeping existing protection goals.

Who it affects

It affects businesses using or sharing data, online platforms, cloud and data service providers, public bodies holding data, internet users, and organisations reporting cybersecurity or data incidents.

Core of the proposal
  • Consolidates open data, data governance, and free-flow data rules into the Data Act.
  • Narrows business-to-government data requests to public emergencies and strengthens trade-secret safeguards.
  • Moves personal-data cookies rules into the GDPR and supports automated consent choices.
  • Creates one EU entry point for reporting cybersecurity and personal-data incidents.
Key provisions
Transitional law
Some pre-12 September 2025 cloud contracts get lighter switching rules; P2B cross-references remain until amended, at latest 31 December 2032.
Articles changed · 42 across 13 laws
  • Regulation (EU) 2023/2854 (32023R2854)
    • art. 1: updates scope and adds Chapters VIIa, VIIb and VIIc coverage
    • art. 2: amends and inserts multiple definitions
    • art. 4(8): replaces trade-secret refusal rule for user access requests
    • art. 5(11): replaces trade-secret refusal rule for third-party access requests
    • Chapter V title: replaces title, narrowing framework to public emergencies
    • art. 14: deletes Article 14
    • art. 15: deletes Article 15
    • art. 15a: inserts obligation to make data available for public emergencies
    • art. 16: replaces paragraph 2 on exclusions from Chapter V
    • art. 17: amends requirements for public-emergency data requests
    • art. 18: amends grounds and deadlines for declining or modifying requests
    • art. 19: amends obligations for recipients of requested data
    • art. 20: replaces compensation rules for Chapter V data availability
    • art. 21: amends sharing with research organisations or statistical bodies
    • art. 22a: inserts complaint right for disputes under Article 15a requests
    • art. 31: inserts specific regimes for custom-made services and SME/SMC providers
    • art. 32: extends third-country governmental access safeguards to re-use and intermediation actors
    • art. 36: deletes smart-contract essential requirements article
    • Chapter VIIa: inserts Articles 32a to 32g on data intermediation and altruism
    • Chapter VIIb: inserts Article 32h on free flow of non-personal data
    • Chapter VIIc: inserts Articles 32i to 32y on re-use of public-sector data
  • Regulation (EU) 2018/1724 (32018R1724)
    • Annex: adds references to data intermediation services and data altruism
  • Regulation (EU) 2016/679 (32016R0679)
    • art. 4: clarifies definition of personal data
    • art. 9: adds exemptions for biometric verification and residual AI special-category data processing
    • art. 12: clarifies refusal or fee for abusive or excessive access requests
    • art. 13: extends exceptions from information obligation
    • art. 22: clarifies automated individual decision-making requirements
    • art. 33: aligns breach notification threshold, extends deadline and uses single-entry point
    • art. 35: harmonises DPIA lists, template and methodology at EU level
    • art. 88a: inserts terminal-equipment personal-data consent and lawful processing rules
    • art. 88b: inserts automated machine-readable indications of individual choices
  • Regulation (EU) 2018/1725 (32018R1725)
    • entire act: aligns data-protection provisions with amendments to Regulation (EU) 2016/679
  • Directive 2002/58/EC (32002L0058)
    • art. 4: repeals security and notification requirements
    • art. 5(3): moves personal-data terminal-equipment rules to Regulation (EU) 2016/679
  • Directive (EU) 2022/2555 (32022L2555)
    • entire act: establishes and mandates single-entry point for incident reporting
  • Regulation (EU) No 910/2014 (32014R0910)
    • entire act: mandates single-entry point for incident reporting
  • Regulation (EU) 2022/2554 (32022R2554)
    • entire act: mandates single-entry point for incident reporting
  • Directive (EU) 2022/2557 (32022L2557)
    • entire act: mandates single-entry point for incident reporting
  • Regulation (EU) 2018/1807 (32018R1807)
    • entire act: repeals the entire regulation
  • Regulation (EU) 2019/1150 (32019R1150)
    • entire act: repeals the regulation, with selected cross-referenced provisions temporarily remaining
  • Regulation (EU) 2022/868 (32022R0868)
    • entire act: repeals the entire regulation
  • Directive (EU) 2019/1024 (32019L1024)
    • entire act: repeals the entire directive

Latest update

16 Jun 2026

The most recent development in this bill's progress.

1st reading – European Parliament → 1st reading – European Parliament

Documents

1 recent

Sources: OEIL, EUR-Lex, EU Law Tracker