The European Commission's Digital Omnibus proposal, published on 19 November 2025, represents the most ambitious attempt to amend the GDPR's operational framework since the regulation took effect in May 2018. While the EDPB and EDPS have voiced support for simplification and competitiveness, they have also raised concerns about preserving the GDPR's level of protection - a tension that is now shaping the legislative debate as the proposal moves through the European Parliament and Council.

The proposed changes to breach notification are among the most consequential. The current obligation to notify supervisory authorities within 72 hours of any breach likely to result in a risk to individuals' rights and freedoms would be replaced by a 96-hour deadline - and the threshold would be raised to breaches likely to result in a high risk only. If adopted, this would significantly reduce the volume of notifications supervisory authorities receive, while also giving controllers more time to assess and respond to incidents.

On records of processing activities (ROPA), the Omnibus introduces a simplified model for businesses with fewer than 250 employees, provided their processing does not involve high-risk data categories. Instead of comprehensive documentation, these organisations would maintain a streamlined register covering only core processing activities. The proposal also envisages a single EU-wide list of processing operations that require - or do not require - a Data Protection Impact Assessment, replacing the current patchwork of 27 national lists maintained by individual supervisory authorities.

The consent framework would also change. The proposal introduces single-click accept/reject mechanisms for cookie consent, a six-month moratorium after refusal (preventing organisations from re-prompting within that period), and support for browser-level preference signals - effectively mandating a technical infrastructure for consent that operates at the device level rather than the website level. The Omnibus also proposes a single portal for incident reporting across the GDPR, NIS2, DORA, and other regulatory frameworks, replacing the current requirement to notify multiple authorities separately.

None of these changes have entered into force. The proposal is currently progressing through the ordinary legislative procedure, and most observers do not expect adoption before late 2026, with the timeline potentially extending well into 2027. However, the direction of travel is clear, and organisations should be tracking these developments closely - particularly those whose compliance programmes are built around the current 72-hour notification window and existing ROPA requirements.

Acompli perspective: The Digital Omnibus is not yet law - but it signals where the regulatory framework is heading. The proposed changes to breach notification timelines, ROPA simplification, and DPIA harmonisation will reshape compliance programmes once adopted. In the meantime, organisations should not treat the proposals as a reason to defer investment in compliance. The fundamentals - accurate data mapping, maintained records of processing, structured risk management, and tested assessment processes - remain the foundation, regardless of whether the notification deadline is 72 or 96 hours.