How the EU's Digital Omnibus package may shape Spanish digital regulation

In November 2025, the European Commission formally presented the EU Digital Omnibus legislative package, comprising a general proposal to simplify and recalibrate the EU digital regulatory framework and a separate, complementary proposal focused on the implementation of the Artificial Intelligence (AI) Act (the Digital Omnibus on AI). Both proposals are currently subject to negotiation under the ordinary legislative procedure and remain open to amendment before adoption.

The general Digital Omnibus proposal would amend, among others, the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Data Act, the Data Governance Act and the Network and Information Security Directive 2 (NIS2), while repealing certain instruments that the Commission considers partially superseded (for example, the Platform to Business Regulation). The stated objective, in line with the recommendations included in Mario Draghi's report on the future of European competitiveness, is to reduce fragmentation, clarify overlaps and lower administrative burdens, without altering the underlying policy goals of existing legislation.

In parallel, the Digital Omnibus on AI proposes adjustments to the AI Act, focusing on implementation mechanics rather than substantive risk classifications or prohibited practices. 

Clarification of the concept of personal data

Current framework. Under the GDPR, defines personal data broadly as any information relating to an identified or identifiable natural person. However, the Court of Justice of the EU decision in Case C‑413/23 P examined and clarified the concept of personal data when pseudonymised data is processed and shared with third parties. 

The CJEU held that identifiability of a natural person should be assessed considering "the means reasonably likely to be used" by the relevant actor to identify the natural person directly or indirectly. In other words, pseudonymised data would qualify as personal data for actors who hold a re-identification key, while the very same data might be regarded as anonymised data (non-personal data) for those who do not hold a key.

Proposed approach. The Digital Omnibus would introduce targeted clarifications to the definition of personal data, effectively incorporating CJEU's interpretation for pseudonymised data as explained above and adopting a relative approach to anonymised data. 

Potential implications. Although Spanish practice, including interpretations from the Spanish Data Protection Authority (AEPD), has traditionally applied the concept of personal data expansively, particularly where re-identification risks cannot be fully ruled out, the cited interpretation by the CJEU should already be binding and the concept of personal data should not change in practice. In any case, with the Digital Omnibus, businesses could benefit from greater legal certainty when assessing whether datasets fall within or outside the GDPR.

Special-category data and AI-related processing

Current framework. The GDPR generally prohibits the processing of special-category data unless a specific legal exception applies. In AI development, Spanish organisations often rely on explicit consent, substantial public interest grounds or scientific research exemptions, subject to strict safeguards.

Proposed approach. The Digital Omnibus on AI would expressly allow the processing of special-category personal data for the purposes of bias detection and correction in AI systems, provided appropriate safeguards are in place. This proposal seeks to align the AI Act more closely with data protection law and to address concerns raised during early implementation phases.

Potential implications. For Spanish AI developers and deployers, this could reduce uncertainty when conducting fairness and bias assessments. That said, compliance with GDPR principles such as data minimisation and purpose limitation would remain essential, and national supervisory authorities would retain their enforcement powers. 

Consent mechanisms and cookies

Current framework. Cookie consent requirements in Spain are primarily shaped by the ePrivacy Directive as implemented nationally, complemented by GDPR standards and detailed AEPD guidance. This has resulted in widespread use of complex consent banners and ongoing scrutiny of consent validity.

Proposed approach. The Digital Omnibus would modernise cookie rules by promoting express, machine-readable consent choices, including the use of browser-level signals, with the stated aim of reducing “consent fatigue” while maintaining user control.

Potential implications. These changes could allow Spanish website operators to re-think current consent management solutions. More importantly, since rules on the use of cookies would move from the ePrivacy Directive to GDPR, GDPR fines will apply to cookie-related infringements (up to EUR 20 million or 4% of the annual turnover). Accordingly, the materiality of compliance gaps will need to be re-assessed if the proposals are adopted. By way of a comparison, the maximum fine currently established under the implementation of the ePrivacy Directive into the Spanish laws for infringements of this kind is EUR 30,000.

Streamlining incident reporting obligations

Current framework. Digital businesses in Spain may be subject to multiple incident reporting regimes, notably under the GDPR (personal data breaches) and NIS/NIS2 (cybersecurity incidents) – also sector-based incident reporting obligations such as the requirements for telecommunications providers – each with different thresholds and timelines.

Proposed approach. The Digital Omnibus proposes a single, streamlined incident-reporting mechanism covering overlapping obligations, and also extending the deadline to notify data incidents under GDPR from 72 hours to 96 hours, with the objective of reducing duplication while preserving sector-specific safeguards.

Potential implications. For Spanish operators of digital services and essential entities, this could eventually simplify internal incident response processes. Nevertheless, coordination between data protection and cybersecurity authorities would remain necessary, and transitional complexity should not be ruled out.

Adjustments to the implementation of the AI Act

Current framework. The AI Act entered into force in 2024, with most high-risk AI obligations applying from 2026-2027. Spanish businesses are currently preparing for compliance amid evolving standards and guidance.

Proposed approach. The Digital Omnibus on AI would adjust implementation timelines by linking certain obligations to the availability of harmonised standards, extend small and medium-sized enterprise simplifications to small mid-cap companies, and introduce more flexible post-market monitoring and registration requirements.

Potential implications. These adjustments could provide additional breathing space for Spanish organisations developing or deploying AI systems. However, the core risk-based structure of the AI Act would remain unchanged, and early compliance planning would still be advisable.

Osborne Clarke comment

The Digital Omnibus package represents an attempt to recalibrate the EU digital rulebook through targeted, technical amendments rather than wholesale reform. For Spanish digital businesses, the proposals highlight the importance of monitoring legislative developments, mapping existing compliance obligations against potential changes and maintaining robust governance frameworks that can adapt as the negotiations progress.