Background information
What is the Digital Networks Act?
by Florian Bodoky
Digital Omnibus: the EU’s set to restructure digital laws
12.11.2025
Translation: Megan Cornish
The European Commission wants to consolidate its digital regulatory framework. The Digital Omnibus aims to unify and – in some cases – fundamentally change the Data Act, GDPR and AI Act.
The European Commission’s set to restructure European digital law in what it calls a digital omnibus. This primarily affects the Data Act, the AI Act and the General Data Protection Regulation (GDPR). European Commission Vice President Henna Virkkunen intends to present the draft version on 19 November. There are four key areas: data protection, data use, cybersecurity reporting and the AI Act. Netzpolitik.org has already published both drafts.
The key points
In the future, the Data Act’s set to play an even more central role, incorporating three other sets of regulations: the Open Data Directive, the regulation on the «free flow of non-personal data» and the Data Governance Act. The change is intended to prevent certain things being regulated twice or even contradicting each other. At the same time, the Commission wants to amend the cookie regulation, making it part of the GDPR and superseding the old ePrivacy Directive. What’s more, data retention will be regulated separately under the Digital Networks Act (DNA).
The GDPR’s changing
The draft has a considerable impact on data protection law. Firstly, the concept of «legitimate interest» is set to change – for example, to include training AI systems with personal data. Where your consent is often required now, a balance of interests in favour of companies could suffice in the future. This means, for example, that company X has an interest in training its AI for better customer service – using your data. However, because the data’s anonymised or pseudonymised, the company’s interest (service, efficiency) outweighs your interest in protecting your privacy. Even though balancing interests has to be transparent and justified, it’s easy for the company to do, and you can’t generally refuse.
The Commission also wants to get rid of the opt-in requirement for non-essential cookies. In the future, all GDPR bases will suffice for storing and reading them – and you’ll have to object by opting out. This means you’ll have to actively object to voluntary cookies and providers will no longer have to proactively ask for your consent. At the same time, technology for machine-readable preference signals (i.e. Do Not Track tools) will become mandatory: browsers or operating systems will send out your decision regarding tracking, and websites must automatically take it into account. Media providers (e.g. online newspaper portals) will be exempt from this in order to avoid jeopardising their advertising-funded content.
Source: nordicevs.no
Article 9 of the GDPR: in the future, only information that «directly reveals» sensitive characteristics – health, political opinions, sexual orientation, etc. – would be considered «particularly sensitive». Inferred sensitivities or those only ascertainable through «complex intellectual processes» would fall under general GDPR rules. Only genetic and biometric data would remain exempt and continue to be strictly protected.
For example, if you’ve frequently liked a particular political party’s Instagram posts, the algorithm infers a higher probability of knowing your political leanings. This information has been specially protected until now. Under the new regulations, this information falls under standard GDPR rules, as you’re not explicitly stating your political opinion.
Centralised AI and unburdened SMEs?
According to the draft, the Commission’s planning «targeted simplifications» for AI regulation. The AI Office has previously been responsible for regulating and monitoring AI under the AI Act. It’ll now assume central responsibilities – particularly relevant for very large online platforms and search engines (VLOPs) with more than 45 million users in the EU according to DSA criteria. Simultaneously, there are also planned simplifications for companies and clearer interfaces with data protection law. There’ll also be special documentation and monitoring rules for SMEs.
What does this mean? There’ll be no overlap between the AI Act and GDPR, clarifying when the AI Act applies and when the GDPR does, as well as which authority is responsible in which situation. The special rules for SMEs mean they face fewer requirements than large corporations, as they can’t fulfil them with the same administrative efficiency.
For example, a small start-up develops AI-driven software designed to help find the right person for job applications. However, this is a high-risk AI system. The new regulation aims to standardise the start-up’s risk assessment, reduce the technical details of documentation requirements and so on.
Who’s backing it, who’s holding back – and why
The driving force is the European Commission, and the German Federal Government’s supportive. According to reports, Germany’s the only member state actively advocating changes to the GDPR. The Commission argues that the changes will lead to less bureaucracy, lower costs and increased competitiveness.
Data protection organisations and individuals are putting up some opposition. Organisations such as Noyb and Max Schrems are warning of an attack on privacy. They suggest that weaker consent standards for cookies, broadly defined «legitimate interest» for AI training and more narrowly defined sensitive data could give AI companies «carte blanche» to harvest data.
What would be the consequences?
- Data Act: four acts are merged into the revised version – less overlap, more uniformity
- Cookies: opt-in’s replaced by a system that allows all GDPR legal bases; opt-out for users, with mandatory consideration of «machine-readable preference signals»; exceptions for media providers
- AI training: possibility of processing personal data based on «legitimate interest»; intensifying debate about limits and control
- Sensitive data: Article 9 tightened up; genetic/biometric data retain special protection
- AI control: expertise more strongly focused at the AI Office; relief for SMEs
- Cyber reporting: reporting structures to be streamlined; details will be outlined in the draft
Henna Virkkunen will present the Commission’s draft proposal on 19 November 2025. The standard legislative procedure will then begin in the European Council and Parliament.
Header image: Shutterstock
I've been tinkering with digital networks ever since I found out how to activate both telephone channels on the ISDN card for greater bandwidth. As for the analogue variety, I've been doing that since I learned to talk. Though Winterthur is my adoptive home city, my heart still bleeds red and blue.
Background information
Interesting facts about products, behind-the-scenes looks at manufacturers and deep-dives on interesting people.
Show allThese articles might also interest you
21 comments
later