December 7, 2025
Digital Omnibus: What Changes for GDPR, AI, and SMEs
From GDPR to AI Act: How the Digital Omnibus Redesigns Rules and Compliance
The Digital Omnibus is the proposal with which the European Commission wants to “bring order” to the digital regulatory framework (GDPR, AI Act, NIS2, Data Act, ePrivacy, DORA, eIDAS), promising less bureaucracy and more competitiveness for businesses, but opening an intense debate on the risk of weakening digital rights protections. For the Italian market, made up of SMEs and highly regulated manufacturing supply chains, this reform can become both an innovation accelerator and a critical point if not accompanied by investments, skills and a clear national industrial strategy.
What Digital Omnibus is and why it was created
The European Commission published the Digital Omnibus on November 19, 2025, as part of a digital regulation simplification package that aims to reduce compliance costs and make the application of existing laws more consistent. The declared objective is to optimize the current regulatory framework, not rewrite it from scratch: fewer duplicate obligations, greater interpretive clarity and a system in which compliance becomes a competitive advantage for “responsible” businesses.
In practice, the Digital Omnibus intervenes in parallel on multiple texts: GDPR, AI Act, ePrivacy directive (cookies), NIS2 (network and information systems security), Data Act, Data Governance Act, DORA (Digital Operational Resilience Act), European digital identity framework, rationalizing definitions, deadlines and obligations. It is therefore an “umbrella” regulation that modifies other acts, with the ambition to reduce the daily administrative burden on businesses and public administrations without formally touching the fundamental principles of data protection.
Official objectives: simplification and competitiveness
According to official documentation, the Digital Omnibus is “a first step to optimize the application of digital legislation,” with the objective of maintaining the same results in terms of protection but at a lower cost for organizations. The package is part of a broader strategy to reduce regulatory burdens that, in the Commission’s intentions, should free up resources for innovation, security and growth of the digital single market.
Unioncamere emphasizes that simplification is seen as an enabling factor for competitiveness: it speaks of annual savings exceeding 200 million euros thanks to lighter technical prescriptions for SMEs and small and medium-cap companies, and one-time savings of approximately 1.5 billion euros related to cloud-switching facilitations provided in the Data Act framework. However, it is also noted that simplification alone is not enough to reduce European dependence on foreign digital services, still around 80% of total imports, and requires a coherent industrial and infrastructural strategy.
GDPR: what changes
Italian attention remains focused on the GDPR, which the Digital Omnibus does not replace but “tweaks” to standardize its application across Member States and align it with new regulations on AI, data and cybersecurity. Among the most discussed points are the rebalancing of some definitions and the simplification of obligations that today fall disproportionately on small and medium-sized organizations.
Commentators and industry associations have particularly highlighted the risk that, in some draft formulations, the qualification of personal data and the strength of protections could shift from a person-centered approach to one more guided by infrastructure and the declared capabilities of organizations. This possible relocation of the center of gravity – from fundamental right ex ante to protection verified a posteriori – is the basis of criticism from part of the privacy world, which fears a silent “reset” of the GDPR framework.
AI Act and artificial intelligence: the central issue
On the AI front, the Digital Omnibus introduces what Unioncamere defines as a simple rule: regulations on high-risk systems must only start to apply when technical standards and support tools are actually ready (for an in-depth look at the classification of AI systems based on associated risk read the article Whistleblower on the AI Act: the new European tool). For this reason, the application calendar is made more flexible, with a window of up to 16 months linked to the availability of standards and guidelines, and with a strengthened role for the AI Office in governance.
At the same time, the legal discussion focuses on how to frame the development and operation of AI systems in the GDPR, particularly on the possible recognition of the controller’s “legitimate interest” as a general legal basis for AI use. Such a choice, read in Italy by jurists and associations as “inverted technological neutrality,” could create a preferential regime for AI compared to other data processing, with relevant effects on transparency, data subjects’ rights and the responsibilities of companies that develop or integrate these systems.
Cybersecurity, cookies and data: towards a one-stop shop
Another very concrete piece of the reform is the simplification of cybersecurity incident reporting flows: the Digital Omnibus provides for a single digital portal for notifications, overcoming the current fragmentation between NIS2, GDPR and DORA. For Italian companies, particularly for regulated sectors such as energy, finance, healthcare and critical infrastructures, this could translate into more streamlined processes and a reduction in the risk of error in communications to authorities.
The world of cookies is also touched, with the objective of simplifying the user experience and facilitating consent management through centralized settings, overcoming the current proliferation of banners and poorly understandable interfaces. On the data front, the package consolidates the Data Act, introduces targeted exemptions for SMEs and standard contractual clauses to make data access simpler and safer, with the declared aim of feeding quality datasets for AI and supporting innovation in the European production fabric.
Simplification or deregulation?
In the Italian debate, the Digital Omnibus has been quickly framed within a key question: simplification or deregulation of digital rights? Analyses published in technology publications and specialized sites, taking up the critical reading of jurists and activists, have highlighted how some choices may favor large global platforms, equipped with robust legal structures, over the SMEs that the reform would like to facilitate.
At the same time, entities like Unioncamere emphasize that many current burdens weigh precisely on smaller businesses, often lacking internal legal teams, and that a rationalization of rules can free up economic and organizational margins crucial for their digitalization. The interpretive conflict therefore plays on the point of balance: how much bureaucracy can be cut without actually shifting the weight of protection from the citizen’s side to that of the infrastructure and organizations that manage it.
Focus Italy: SMEs, supply chains and public administrations
For the Italian market, characterized by a high density of manufacturing SMEs, industrial districts and complex supply chains, the Digital Omnibus intersects at least three dynamics already underway: the push for digitalization, the structural delay on skills and infrastructures and the constant increase of regulatory obligations in the areas of data, AI and security. Unioncamere highlights that the chamber system is already active with services to support digital transition, placing the Digital Omnibus among the key references for information pathways aimed at small businesses.
On the regulatory level, the EU proposal comes in the wake of national initiatives such as the Italian AI law approved in 2025, which the government itself has defined as needing a “tune-up” to align with the innovations introduced by the European package. This means that Italy will have to manage a double level of updating: on one hand the automatic adaptation to the European regulation, on the other hand the revision of internal regulations that govern AI, data and cybersecurity in line with the new framework.
Concrete impacts for Italian companies
For Italian companies – from tech companies to industrial manufacturers that use data and AI in their processes – the impacts can be summarized in four operational directions.
- Rationalization of obligations: a single entry point for incident notifications, greater harmonization of authority requests and a potential reduction in duplications in compliance documents.
- Recalibration of privacy and AI programs: legal, compliance and IT teams will need to review DPIAs, processing registers, internal policies and contracts with AI solution providers in light of the new balances between legal bases, legitimate interest and accountability.
- Cloud and data opportunities: measures on cloud-switching and standard contractual clauses can help companies negotiate better conditions with providers and valorize their data in more open ecosystems, provided they have a clear data governance strategy.
- Need for support: for many Italian SMEs, regulatory simplification alone is not enough if not accompanied by assistance services, incentives and operational tools that translate innovations into check-lists and concrete pathways.
In this framework, the role of entities such as the chamber system, trade associations, digital innovation hubs and specialized private operators in compliance and AI becomes central to transforming the reform into a real competitive advantage, especially for those who are currently furthest from the technological frontier.
What a company should do today
To prepare for the Digital Omnibus without waiting for the end of the legislative process, an Italian company can move on three levels.
- Regulatory monitoring: assign clear responsibilities (DPO, legal, CISO, digital managers) to follow package developments, leveraging analyses from major Italian observatories on GDPR, AI and cybersecurity.
- Impact mapping: identify the most affected processes – incident management, AI use in production and marketing, data sharing with partners and suppliers, cookie and consent management – and estimate where simplification can generate savings and where it will require policy and contract recalibrations.
- Investment in skills: train internal figures (not just legal, but also IT, marketing, operations) on the new “digital grammar” that emerges from the integration between GDPR, AI Act, NIS2 and Data Act, with an eye to specific use cases in their sector (healthcare, manufacturing, finance, local PA, etc.).
For many operators, especially in B2B supply chains, the real advantage will come from the ability to present themselves to clients as reliable partners on the regulatory level as well as the technological one, transforming compliance with digital rules into a distinctive market element.
A new digital grammar
The idea of a “new European digital grammar” captures the scope of the Digital Omnibus well: it changes not just the list of rules, but the way concepts such as personal data, risk, responsibility, innovation and competitiveness are connected. For Italy, which aims to bridge the digitalization gap of companies and strengthen its high value-added supply chains, this transition can become an opportunity to redefine the business culture of data and AI, moving it from defensive obligation to strategic lever.
The deciding factor will be whether the country as a whole can combine regulatory simplification with infrastructure under European control, concrete tools for SMEs and an effective preference for solutions developed and governed in Europe and Italy, as hoped for by economic observers. The Digital Omnibus provides a new lexicon; it is now up to Italian businesses, institutions and professional communities to decide whether to use it for a narrative of pure cost reduction or to build a more sovereign, competitive digital ecosystem centered on people’s rights.
EU institutional sources
- European Commission, “Digital Omnibus Regulation Proposal – Shaping Europe’s Digital Future” (November 18, 2025) https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal, https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal;
- European Commission, “Digital Package” https://digital-strategy.ec.europa.eu/en/faqs/digital-package.
Italian sources – analysis and insights
- Agenda Digitale “Digital Omnibus, GDPR e AI Act: la nuova grammatica digitale europea” https://www.agendadigitale.eu/sicurezza/digital-omnibus-gdpr-e-ai-act-la-nuova-grammatica-digitale-europea/?utm_campaign=ad-daily_nl_20251126&utm_source=ad-daily_nl_20251126&utm_medium=email&sfdcid=003Tk00000MrD46IAF;
- Unioncamere, “Digital Omnibus: verso un quadro digitale più semplice”, newsletter Mosaico Europa (November 20, 2025) https://www.unioncamere.gov.it/newsletter-mosaico-europa/digital-omnibus-verso-un-quadro-digitale-piu-semplice;
- Federprivacy, “Presentato il Digital Omnibus: la proposta della Commissione UE che ridisegna il quadro normativo della protezione dei dati europea” https://www.federprivacy.org/informazione/primo-piano/presentato-il-digital-omnibus-la-proposta-della-commissione-europea-che-ridisegna-il-quadro-normativo-della-protezione-dei-dati.

Marta Magnini
Digital Marketing & Communication Assistant at Aidia, graduated in Communication Sciences and passionate about performing arts.



