Archimag : The specialized reference in digital information management
For organisations, the logic is shifting. Fewer parallel rules and more shared tools - but in return, demonstrating compliance becomes more demanding, especially as the Court of Justice of the European Union (CJEU) continues to apply a strict interpretation of the effectiveness of rights.
The Digital Omnibus can represent an opportunity - provided that simplification is not treated as administrative relief, but as a genuine governance challenge.
Three pillars to reduce fragmentation
The proposal is structured around three main pillars, all following the same logic: reduce overlaps while strengthening evidentiary requirements.
- First pillar: aligning rules on data access and reuse within a framework anchored in the Data Act. This includes unifying definitions, improving interoperability between regimes, and regulating the reuse of both public-sector data and certain privately held datasets.
- Second pillar: adjusting key aspects of the GDPR (identifiability, health data, research) while partially integrating elements from ePrivacy, particularly regarding terminal equipment and consent. It also revisits automated decision-making and certain data processing activities relevant to AI.
- Third pillar: introducing a European single reporting gateway for incidents covered by multiple frameworks (GDPR, NIS2, DORA, CER), based on a “report once” principle.
Across all three pillars, the underlying mechanism remains the same: less duplication, but stronger proof requirements. Organisations will need up-to-date records, documented criteria, auditable logs, reliable timelines and traceable decisions.
Data reuse: inventories and metadata become critical
The first pillar aims to consolidate rules currently spread across the Open Data Directive, the Data Governance Act and the Free Flow of Non-Personal Data Regulation, which are expected to be repealed.
This restructuring is intended to enable more structured access to data and a more controlled reuse of public-sector data - including data subject to restrictions such as confidentiality, trade secrets or third-party rights - as well as certain privately held datasets, while maintaining strict requirements for secure environments.
In practice, compliance will rely less on contractual clauses and more on tangible governance mechanisms: up-to-date inventories, enriched data catalogues, detailed metadata describing origin, purpose and usage restrictions, documented access rules, and effective traceability of data reuse.
Organisations already equipped with robust data classification frameworks are likely to absorb these changes with limited impact. Others will need to address gaps in their data inventories before fully benefiting from the new framework.
GDPR and ePrivacy adjustments: more flexibility, greater accountability
The second pillar addresses areas that have long generated divergent interpretations, including identifiability, the scope of health data and research-related processing.
It introduces methodological clarifications and brings certain ePrivacy-like rules closer to the GDPR, particularly regarding terminal equipment and consent, with the aim of improving consistency and user readability.
A key point concerns identifiability: data is considered “personal” depending on the actor processing it and the means reasonably available to identify an individual. This approach aligns with recent case law and introduces greater flexibility - but also turns data qualification into an ongoing evidentiary exercise.
Organisations will need to justify their assessments through documented criteria and periodic reviews, especially when datasets are no longer considered personal data.
The same applies to consent management: organisations must demonstrate consistency between user preferences and actual system settings, maintain versioned interfaces and keep detailed logs capable of reconstructing who consented to what, when and for which purpose.
A similar logic extends to AI use cases, requiring comprehensive, use-case-based documentation aligned with the future AI Act.
A single incident reporting gateway: external simplification, internal complexity
The third pillar introduces a European single entry point for incident reporting across multiple regulatory frameworks, reducing the need for multiple notifications.
While this promises better coordination between regulators and a consolidated view of major incidents at EU level, such simplification can only work if organisations first streamline their internal incident management processes.
This requires a shared taxonomy across teams, reliable and time-stamped timelines, effective coordination between CISOs, DPOs, legal teams and business units, and robust evidence retention capabilities.
Organisations already aligned with standards such as ISO 27001 (information security management) and ISO 27035 (incident management) typically have these mechanisms in place. For others, the single gateway may expose internal inconsistencies: without prior documentation discipline, simplification will remain largely theoretical.
Three priorities to anticipate the shift
Although the proposal is not yet finalised, its direction is clear: simplification comes with stronger expectations in terms of demonstrability.
Three priority actions can already be initiated:
- Map documentary impacts: build a compliance matrix linking regulatory obligations, internal processes, responsible stakeholders and required evidence, in order to identify documentation gaps.
- Establish a reusable evidentiary framework: standardise documentation across multiple regulations (GDPR, NIS2, AI Act, DORA), ensuring that documents are not only formal but supported by verifiable evidence.
- Align data, cybersecurity and records management: create a shared language and governance framework across DPOs, CISOs, data teams and records managers. Key areas include data classification, access rules, retention policies, traceability and incident management procedures.
What to remember
While the Digital Omnibus aims to simplify the regulatory landscape, it simultaneously raises expectations for organisations: the ability to quickly produce relevant, consistent and evidence-based documentation - supported by reliable records - when required by regulators, clients or courts.
