👋 I am a tech lawyer that breaks down all of the fun and complex legal topics that companies should know.

The European Commission just unveiled something called the Digital Omnibus (a bundle of updates to the GDPR, AI Act, Data Act, ePrivacy rules, and several other regulations that have kept legal teams heavily caffeinated for years).

Officially, the goal is simplification.

Which is charming, because the EU’s previous attempts at “simplification” have created entire job markets for privacy attorneys, consultants, and UX designers trying to make cookie banners slightly less unhinged.

Still, this package matters. And unlike some prior efforts, parts of it might actually make life easier…eventually.

Here’s what I think is worth understanding, without reviewing 700 pages of amendments or scheduling a webinar to unpack a footnote.

1. High-Risk AI Obligations Are Getting a Delay and Everyone Is Quietly Relieved

A major part of the Omnibus pushes back certain high-risk AI requirements to December 2027.

The official explanation mentions “orderly implementation.”

The unofficial one: everyone told the Commission the original timetable required supernatural staffing levels.

This extension creates an odd in-between period:

• Teams that invested early now don’t know whether they’re ahead or just prematurely enthusiastic.

• Teams that waited now get to say, “We’re pacing ourselves.”

• Vendors will happily sell “AI Act readiness packages” that will need to be rewritten as soon as Parliament negotiates the final text.

But don’t mistake a delay for a free pass. Regulators will still expect competent, well-documented practices now, even if the rules they’ll use to judge those practices aren’t fully final.

2. The Omnibus Tweaks the Definition of Personal Data (and That Will Echo Everywhere)

One of the most consequential proposals involves clarifying what counts as:

• personal data,

• pseudonymized data, and

• data that can be used for AI model training without needing the legal equivalent of a permission slip.

If these definitions expand the lawful use of pseudonymized data, organizations will have more flexibility, but they’ll also need to revisit:

• DPAs,

• vendor onboarding,

• AI training workflows,

• and any contract clauses that assume the old definitions.

And yes, it will reignite the eternal debate between engineers (“it’s anonymized because I removed the names”), lawyers (“…that’s not how this works”), and product teams (“why can’t we just get ‘implied consent’ for this?”).

Expect contract reviews.

Expect policy updates.

Expect someone to have a strong opinion about hashing.

3. The Cookie Rules Might Get Cleaner…But History Suggests Caution

The EU says it wants to reduce “cookie fatigue” and streamline consent burdens.

This is a noble mission. But the last time the EU tried to make cookie rules clearer, we ended up with:

• banners that cover half the screen,

• entire consulting firms built around button placement,

• and at least one DPA insisting that scrolling “cannot constitute informed rejection.”

The new direction might genuinely improve things…or it might invent a new style of banner we’ll all love to hate.

We’ll know soon enough.

4. The Omnibus Has a New Tone: Less “Stop Everything,” More “Let’s Be Practical”

The most interesting part of this announcement isn’t any single amendment. It’s the overall posture.

For the first time in a long time, the Commission is signaling that it wants digital rules that support innovation instead of slowing everything to a crawl.

It’s not deregulation.

It’s not loosening requirements.

It’s a recognition that AI development is moving fast, and Europe wants to remain part of that story.

For companies, the takeaway is simple: Assumptions based on last year’s timelines and definitions may no longer hold. Compliance plans built six months ago may already need a tune-up.

5. The Transition Period Is the Hard Part

The messy reality is that:

• Existing laws are still in effect,

• The Omnibus isn’t final,

• Some rules are being extended,

• And regulators expect companies to act responsibly now, even while the legal framework is being edited.

It’s the regulatory equivalent of driving while construction crews are repainting the lanes in front of you.

You can keep moving, but you need to pay attention.

6. Practical Things to Reassess

Here’s what companies should be thinking about quietly, practically, without the dramatic “action item” label:

• Review whether your current AI governance program is built around the original 2025–2026 timelines; some dates are no longer accurate.

• Scan your vendor and customer contracts for clauses tied to definitions that the Omnibus may update.

• Re-evaluate where you rely on pseudonymization; permissible uses may change.

• Monitor whether any member states diverge ( tiny differences become operational headaches fast).

• Avoid redesigning your full compliance program until the amendments settle; there will be another round of edits.

None of this requires panic. It does require attention.

Final Thought

Europe Isn’t Rewriting their Rulebook. It’s Rewriting the Footnotes That Control their Rulebook

The Digital Omnibus won’t tear down the GDPR or the AI Act.

Rather, it adjusts the parts that weren’t aging well, clarifies definitions that were creating more questions than answers, and finally acknowledges that the original timelines were a bit…optimistic.

Some changes will help organizations. Some will complicate things. But all of them matter.

Because when Europe updates the details, those details eventually show up in your compliance roadmap, your vendor contracts, your AI workflows, and your next product launch meeting.

Footnotes:

• Reply to this email if you have any legal questions or have feedback on the content.