The second Digital Omnibus proposal, COM(2025) 837, amends the GDPR, the Data Act, the ePrivacy Directive, NIS2 and the CER Directive. It adds a new GDPR lawful basis for AI training, clarifies automated decision-making, extends the breach notification deadline and raises its threshold, routes GDPR, NIS2, DORA, eIDAS and CER incident reports through a single ENISA entry point, and consolidates the DGA, the FFDR and the Open Data Directive into the Data Act while repealing the P2B Regulation.
PROPOSAL — Not yet enacted law
COM(2025) 837 was adopted by the Commission on 19 November 2025 and is proceeding under ordinary legislative procedure (2025/0360(COD)). It is a proposal only. Until the European Parliament and Council adopt it and it is published in the Official Journal, none of these changes are binding. Every section of this page covers proposed changes.
Want to know how 837 affects your AI and data compliance roadmap? Regumatrix tracks proposal status and maps impacts to your systems →
| Instrument / Article | Change |
|---|---|
| GDPR Art 9(2)(k) (new) | AI training lawful basis for special categories: new derogation for AI system/model development and operation, with Art 9(5) safeguards to avoid, remove or protect special category data |
| GDPR Art 22 | Automated decision-making clarified: the contract-necessity ground applies regardless of whether human decision-making was possible; new least-intrusive-solution requirement |
| GDPR Art 4(1) | Contextual personal data: data is not personal for an entity that cannot identify the person with means reasonably likely to be used by it, even if another entity could |
| GDPR Art 33 | Breach notification: deadline 72h → 96h; notification to the supervisory authority only required for HIGH-risk breaches; single entry point via ENISA once operational |
| GDPR Arts 88a/88b (new) | Cookie consent moved from ePrivacy to GDPR: Art 88a covers terminal equipment access; Art 88b requires machine-readable consent signals |
| GDPR Art 35 | EU-wide DPIA lists replace national lists: EDPB prepares mandatory/optional DPIA lists; Commission adopts them as implementing acts |
| GDPR Art 41a (new) | Pseudonymisation criteria: EDPB prepares common criteria, adopted as implementing acts, specifying when received pseudonymised data is non-personal for the recipient |
| NIS2 Art 23a (new) | Single incident-reporting entry point: ENISA operates a unified portal for GDPR, NIS2, DORA, eIDAS and CER notifications; 18–24 months to deploy |
| Data Act | DGA + FFDR + Open Data Directive consolidated: three new chapters (VIIa, VIIb, VIIc) absorb them as standalone instruments |
| Repealed | P2B, DGA, FFDR, Open Data Directive: four instruments fully repealed; P2B superseded by DSA/DMA, the other three consolidated into the Data Act |
Currently, processing special categories of personal data (health, biometric, genetic, racial/ethnic origin, etc.) for AI training requires one of the existing Art 9(2) derogations — most practically explicit consent (Art 9(2)(a)) or substantial public interest (Art 9(2)(g)). COM(2025) 837 proposes a dedicated new derogation:
“processing in the context of the development and operation of an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689 or an AI model, subject to the conditions referred to in paragraph 5.”
Safeguards under proposed Art 9(5):
(1) the controller must implement organisational and technical measures to avoid collecting special category data in the first place;
(2) where such data is nevertheless found despite those measures, it must be removed;
(3) where removal would be disproportionate, the data must be effectively protected from use in the system's outputs and from disclosure.
The new Art 9(2)(k) creates a GDPR lawful basis for processing special category data in AI training — it does not create an exemption from the EU AI Act’s own rules. In particular, Art 5 prohibited practices remain absolutely prohibited regardless of GDPR lawful basis. A training dataset using health data to build a social scoring system (prohibited under Art 5(1)(c)) or a real-time biometric identification system in public spaces (Art 5(1)(h)) cannot be justified by Art 9(2)(k). The two regulations operate independently: GDPR governs data processing lawfulness; the EU AI Act governs what the AI system itself may do.
GDPR Article 22(2)(a) currently permits solely automated decisions producing legal or similarly significant effects where necessary for entering into or performing a contract. The 837 proposal recasts this contract exception as Article 22(1)(a) and clarifies:
“...automated decision may be based on contractual necessity regardless of whether the decision could be taken otherwise than by solely automated means.”
This removes the implied requirement that a human alternative must be unavailable. The proposal also adds a new Art 22(2) data minimisation requirement: where several equally effective automated processing solutions exist, the controller must use the least intrusive one.
The consequence for AI Act compliance: deployers would be able to rely on contractual necessity for solely automated high-risk AI decisions without having to justify that no human decision-making alternative existed. This increases the relevance of the AI Act's Article 86 right to explanation for persons affected by those decisions, and the new least-intrusive-solution requirement means a deployer should be able to document why the chosen model or decision pipeline was the least intrusive of the equally effective options.
COM(2025) 837 proposes to add language to GDPR Article 4(1) clarifying when information is and is not personal data for a given entity:
“Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.”
For AI training pipelines, this would mean: pseudonymised or contextually non-identifiable data received by an AI company is not personal data for that company, even if the original controller or a third party could re-identify it, as long as the AI company cannot itself do so using means reasonably likely to be used. The test is entity-specific: if the AI company holds, or can readily obtain, the pseudonymisation key or enough auxiliary data to re-identify individuals, the data is personal for it, and it remains personal for the original controller in any case. Within those limits this significantly simplifies AI training data classification. Article 41a (proposed) adds further certainty: the EDPB will prepare EU-wide criteria for when received pseudonymised data does not qualify as personal data for the recipient.
Cookie consent currently lives in Article 5(3) of the ePrivacy Directive. COM(2025) 837 transfers this to GDPR through two new articles:
New GDPR Art 88a — Terminal equipment consent
New GDPR Art 88b — Machine-readable consent signals
COM(2025) 837 proposes to amend GDPR Article 33(1) with two changes:
(1) the deadline for notifying the supervisory authority is extended from 72 hours to 96 hours after becoming aware of the breach;
(2) the threshold is raised: notification is mandatory only for breaches likely to result in a high risk to natural persons, rather than any risk, aligning it with the existing Art 34 threshold for communicating breaches to data subjects.
Once the ENISA single entry point (NIS2 Art 23a) is operational, GDPR breach notifications would be submitted there, so that one filing covers both the GDPR and, for entities in scope, the NIS2 reporting obligation. The entry point is a common portal, not a common deadline: each instrument's own timing continues to apply, so a NIS2 entity still owes its 24-hour early warning even though the GDPR clock now runs to 96 hours.
COM(2025) 837 proposes a new Article 23a in the NIS2 Directive requiring ENISA to develop and operate a single entry point for incident reporting. One notification via the ENISA portal would satisfy reporting obligations under five instruments simultaneously: GDPR (Art 33), NIS2 (Art 23), DORA, eIDAS and the CER Directive.
Application: the single entry point is to apply 18 months after OJ publication. The Commission may extend this to 24 months if the entry point is not functioning reliably at the 18-month mark.
Three new chapters are added to the Data Act (Regulation 2023/2854), absorbing the substance of three instruments that are then repealed:
Chapter VIIa — Voluntary Data Intermediation
Replaces: Data Governance Act (DGA, Reg 2022/868)
Notification → voluntary registration; single Union public register replaces national registers; legal separation abolished in favour of functional separation
Chapter VIIb — Free Flow of Non-Personal Data
Replaces: FFDR (Reg 2018/1807)
Prohibition on unjustified data localisation for non-personal data retained; FFDR repealed
Chapter VIIc — Public Sector Body Data Re-Use
Replaces: Open Data Directive (2019/1024) + DGA Chapter II
Unified framework for open data re-use, protected data categories (health, commercial secrets), and research data
The Platform-to-Business Regulation (P2B, Reg 2019/1150) is also repealed — having been superseded by the Digital Services Act and Digital Markets Act.
COM(2025) 837 proposes to replace the current patchwork of national DPIA lists with a single EU mandatory list and a non-mandatory list, prepared by the EDPB and adopted by the Commission as implementing acts. New GDPR Article 41a adds that the EDPB will prepare common criteria to specify when personal data pseudonymised by a controller and disclosed to another entity is not personal data for the recipient — providing AI companies with EU-wide certainty on their training data classification.
COM(2025) 837, which this page labels 'Digital Omnibus II' (Data, Privacy & Cybersecurity), is a European Commission proposal adopted on 19 November 2025. Its full title is: 'Proposal for a Regulation amending Regulations (EU) 2016/679 (GDPR), (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 (Data Act) and Directives 2002/58/EC (ePrivacy), (EU) 2022/2555 (NIS2) and (EU) 2022/2557 (CER) as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807 (FFDR), (EU) 2019/1150 (P2B), (EU) 2022/868 (DGA), and Directive (EU) 2019/1024 (Open Data)'. It amends seven instruments and repeals four. Its companion, COM(2025) 836, amends the EU AI Act itself. This page covers COM(2025) 837 only. NOTE: This is a proposal under ordinary legislative procedure (2025/0360(COD)). It is NOT yet enacted law.
Yes — COM(2025) 837 proposes a new Article 9(2)(k) in the GDPR, creating a specific derogation allowing processing of special categories of personal data 'in the context of the development and operation of an AI system or AI model'. The new Article 9(5) imposes safeguards: controllers must implement organisational and technical measures to avoid collecting special category data; where such data is found despite those measures, it must be removed; if removal is disproportionate, the data must be effectively protected from use in outputs and from disclosure. Critically: this new lawful basis does NOT exempt AI training from the EU AI Act's own requirements, including the Article 5 prohibited practices. An AI training dataset cannot use health data to power a social scoring system — that is prohibited by Article 5(1)(c) of the EU AI Act regardless of GDPR lawful basis.
Yes. COM(2025) 837 proposes to recast GDPR Article 22 so that the contractual exception (currently Art 22(2)(a), becoming Art 22(1)(a)) states that an automated decision may be based on contractual necessity 'regardless of whether the decision could be taken otherwise than by solely automated means'. This resolves a longstanding ambiguity: some interpretations held that Art 22(2)(a) only permitted solely automated decisions for contracts where human decision-making was genuinely not feasible. The 837 amendment explicitly removes this constraint. Additionally, new Art 22(2) requires that where several equally effective automated processing solutions exist, the controller must use the least intrusive one. The EU institutions' equivalent (EUDPR Article 24) is amended in mirror form.
COM(2025) 837 proposes to amend GDPR Article 33(1) in two significant ways: (1) the notification deadline is extended from 72 hours to 96 hours; and (2) the notification threshold is raised, so that notification to the supervisory authority is mandatory only for breaches 'likely to result in a HIGH risk' to natural persons (not merely 'a risk' under the current text), the same threshold Art 34 already uses for communication to data subjects. The EDPB will prepare a common breach notification template and a list of high-risk circumstances; the Commission will adopt these as implementing acts. Once the NIS2 single entry point (Article 23a) is operational, GDPR breach notifications would be submitted there rather than directly to supervisory authorities.
The COM(2025) 837 proposal amends GDPR Article 4(1) to clarify that information is not necessarily personal data for every entity just because one entity can identify the natural person. Specifically: 'Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person.' This is critical for AI training pipelines: if AI Company A receives pseudonymised data that A cannot re-identify using reasonable means, that data is not personal data for Company A — even if a third party could re-identify it.
COM(2025) 837 proposes to repeal four legislative instruments: (1) Regulation (EU) 2019/1150, the Platform-to-Business (P2B) Regulation, superseded by the DSA and DMA; (2) Regulation (EU) 2022/868, the Data Governance Act (DGA), with data intermediation and data altruism rules consolidated into new chapters VIIa and VIIc of the Data Act; (3) Regulation (EU) 2018/1807, the Free Flow of Non-Personal Data Regulation (FFDR), with its localisation principle integrated into new Data Act Chapter VIIb; (4) Directive (EU) 2019/1024, the Open Data Directive, consolidated into new Data Act Chapter VIIc. All repeals are proposals only and not yet effective.
EU AI Act + GDPR Interaction
How Regulation 2024/1689 and GDPR work together in practice
Right to Explanation (Art 86)
Art 86 explanation right — made more relevant by 837's Art 22 clarification
COM(2025) 836 — Digital Omnibus I (AI Act Changes)
836 amends the EU AI Act itself — SME exemptions, deadlines, notified bodies
Prohibited AI Practices (Art 5)
What the AI Act bans absolutely — unaffected by 837 GDPR changes
Market Surveillance & Enforcement
Arts 74–85 — 837 does not amend AI Act enforcement structures
Agentic AI Under the EU AI Act
How Art 3(1) captures autonomous AI — 837 GDPR changes affect training pipelines
Regumatrix monitors proposal status and maps each change in COM(2025) 837 to your specific AI systems and data flows — so you know exactly what to update when the Omnibus II is enacted.
Get started free