An early look at the European Commission's proposed digital law reforms

On 19 Nov. 2025, the European Commission is due to publish a Digital Package on simplification. This is intended to simplify, clarify and improve the EU’s digital laws. A leaked version of the Commission's proposals published 6 Nov. shows there will be two legislative instruments: One primarily focuses on the EU General Data Protection Regulation, ePrivacy and Data Act; the other focuses on the EU AI Act. The text that will be published 19 Nov. will change from the leaked version. For a preview of what the Commission has in mind for the reform of the GDPR, ePrivacy, and Data Act via the Digital Omnibus, read on. 

One breach portal to rule them all

There is a proposal for a single reporting point for all incidents, following the "report once, share many" principle. This would address requirements under the GDPR, Network and Information Security Directive, Digital Operations Resilience Act and the eventual Critical Entities Resilience Directive. The reporting obligation for communications service providers under the ePrivacy Directive would be repealed on the basis that it would be superfluous.

The threshold for reporting personal data breaches to data protection authorities would be raised — only incidents posing a high risk to data subjects would be reported. The period for reporting to authorities would be increased to 96 hours and a single incident reporting form would be introduced.

Taking the sting out of DSARs used as ammunition in employment tribunal proceedings