Insurance Ireland Digital Omnibus Update



The European Commission published its Digital Omnibus package on 19th November 2025. The package seeks to simplify and bring consistency to the EU’s broad range of digital laws across artificial intelligence, cybersecurity and resilience, and data governance. Insurance Ireland believes that a more coherent regulatory environment in this space is essential for the competitiveness of the European insurance market.

Key GDPR amendments

 

AI Training: Legitimate Interest

The Digital Omnibus proposal introduces a new provision under the GDPR establishing that the development and operation of AI systems or models constitutes a legitimate interest of the controller for the purpose of processing, where such processing is necessary for that purpose and subject to the rights and freedoms of data subjects. If implemented, this amendment would bring to an end the ongoing debate over whether legitimate interest can lawfully allow for the use of personal data in AI model training.

Automated Decision-Making

GDPR Article 22 provides individuals with a right not to be subject to solely automated decisions that have legal or similarly significant effects, subject to limited qualifications, including a contractual exemption. Proposals under the Digital Omnibus would amend the contractual exemption by clarifying that an automated decision may be taken even where the same outcome could also be reached by human means.

Sensitive Data

The Digital Omnibus proposes to refine the scope of the GDPR’s protection for special categories of personal data under Article 9. Under the proposal, information deduced through profiling or cross-referencing would no longer automatically qualify as “sensitive” data under Article 9.

Data Breaches

The current obligation to document and report low-risk incidents, such as certain instances of misdirected emails and SMS, often results in formal notifications that are not reviewed due to limited enforcement capacity. Proposed targeted amendments to Article 34 of GDPR limit mandatory breach reporting to where there is a ‘high risk’ rather than the current threshold of ‘[any] risk’, with alignment of the threshold for both reporting to regulators and notification to affected individuals. The deadline for reporting would also be extended from 72 to 96 hours.

AI Act

 

The AI Act initially established a clear implementation timeline: high-risk systems were expected to fall under binding obligations in 2026 and 2027. The Digital Omnibus introduces uncertainty over the actual implementation date. Under the revised framework, these obligations will only take effect once the European Commission issues a formal decision confirming that harmonised standards, common specifications, and supporting tools are in place. For Annex III systems, covering areas such as employment, law enforcement, and access to public services, the rules will apply six months after that decision.

In addition to implementation timelines, the Commission is also proposing targeted amendments to the AI Act that will:

  • Reinforce the AI Office’s powers and centralise oversight of AI systems built on general-purpose AI models, reducing governance fragmentation;
  • Extend certain simplifications that are granted to SMEs and SMCs, including simplified technical documentation requirements;
  • Require the Commission and Member States to promote AI literacy and ensure continuous support to companies by building on existing efforts;
  • Facilitate sandbox testing;
  • Adjust the AI Act’s procedures to clarify its interplay with other laws and improve its overall implementation and operation.

DORA

 

The Digital Omnibus proposes a mandated use of a single-entry point for a series of closely interconnected incident reporting obligations set out in NIS2, GDPR, and DORA.

The European Union Agency for Cybersecurity, ENISA, will be tasked to establish and maintain the single-entry point for reporting. The introduction of the single-entry point will not modify existing reporting obligations or the authorities designated as recipients of such reports. As such, it is not yet clear what operational benefits this change will have for insurers. How this single point of reporting will operate in practice remains to be seen.

Other developments

 

In addition to regulatory change, the Digital Omnibus Package introduces initiatives in the space of enabling digitalisation, including the European Business Wallet, and the Data Union Strategy.

The European Business Wallet introduces a cross-border digital identity framework for companies, enabling secure and legally valid transactions across all Member States.

The Commission has also unveiled its Data Union Strategy to improve access to high-quality data for AI development. Dedicated data labs will offer controlled environments where companies can access curated datasets and receive guidance on privacy-preserving techniques.