The Digital Omnibus Proposal Promises GDPR Simplification. Your Compliance Program Just Got More Complicated.
On 19 November 2025, the European Commission published proposed amendments to the GDPR covering DPIAs, breach notification thresholds, ROPA exemptions, and the definition of personal data itself. The Commission calls it "simplification." For multi-entity privacy programs, it means new thresholds, parallel compliance frameworks during transition, and a patchwork of obligations across subsidiaries of different sizes.
Priverion is already tracking every proposed change and preparing configuration updates so your privacy program adapts without starting over.
750
New employee threshold proposed for ROPA exemptions, up from 250
EDPB/EDPS Joint Opinion, July 2025
96 hrs
Proposed breach notification deadline, extended from 72 hours
Digital Omnibus Regulation Proposal, Art. 33
EU-wide
Harmonized DPIA lists to replace fragmented national requirements
Proposed amendments to Art. 35 GDPR
Six Digital Omnibus Changes That Reshape Your Compliance Program
The European Commission published its Digital Omnibus Package on 19 November 2025, proposing targeted amendments to the GDPR, ePrivacy Directive, NIS2 Directive, and more. Each change below carries real implications for multi-entity privacy programs.
ROPA Thresholds
ROPA Exemptions for Organizations Under 750 Employees
The proposed amendment to Article 30 would require organizations with fewer than 750 employees to maintain a ROPA only when processing is likely to result in a high risk to data subjects. For multi-entity groups, this creates a split: some subsidiaries may qualify for the exemption while others do not, forcing your privacy team to manage two parallel standards across the group.
Considerati analysis of proposed Article 30 GDPR amendment, 2025
DPIA Harmonization
EU-Wide DPIA Lists Replace National Requirements
The EDPB would compile unified lists of processing activities that do or do not require a DPIA, superseding all existing national DPA lists. A standardized template and methodology would also be introduced, reviewed at least every three years. Until the Commission adopts implementing acts, existing national lists remain in force, creating a transitional period of dual requirements.
White & Case analysis, proposed Art. 35 Amended GDPR, Dec. 2025
Breach Notification
Higher Threshold and Extended Deadline for Breach Reports
The notification threshold would rise to "high risk" only, and the reporting deadline would extend from 72 to 96 hours. A single entry point for incident reporting across GDPR, NIS2, and DORA would also be introduced. For organizations that have already built 72-hour playbooks across multiple DPAs, every workflow and escalation matrix will need recalibration.
EDPB and EDPS Joint Opinion on Digital Omnibus, Feb. 2026
Personal Data Definition
Relative Identifiability Narrows the Scope of "Personal Data"
Data would only qualify as "personal" for an entity that has the means reasonably likely to be used to identify the individual. The EDPB and EDPS strongly urge co-legislators not to adopt this change, warning it could "significantly weaken individual data protection." For privacy programs, this means re-evaluating data inventories to determine which datasets remain in scope, entity by entity.
EDPB/EDPS statement on Digital Omnibus, Feb. 2026
AI and Legitimate Interest
New Legal Basis for AI Training on Personal Data
The proposal would explicitly recognize AI development and operation as a legitimate interest under the GDPR, subject to necessity and proportionality tests. Controllers must still minimize data used for training and grant data subjects an unconditional right to object. For organizations deploying AI across subsidiaries, this introduces a new category of processing activities that must be tracked, assessed, and documented group-wide.
Covington analysis, Inside Privacy, Nov. 2025
Legislative Timeline
Trilogue Negotiations Ahead: Nothing Changes Today, Everything Changes Tomorrow
The proposal now moves through ordinary legislative procedure with the European Parliament and Council. Trilogue negotiations are expected by spring 2026, with final adoption possible by mid-2026 or later. During this transition period, organizations will need to maintain current GDPR compliance while preparing for amended requirements. The goalposts may shift multiple times before the final text is settled.
Bird & Bird legislative timeline analysis, Nov. 2025
Priverion's regulatory change tracking keeps your privacy program aligned as these proposals evolve, so you never have to rebuild from scratch.
Every Proposed Change Has an Operational Answer in Your Privacy Platform
The Digital Omnibus doesn't just change the rules. It changes how you operate across every entity. Here is how Priverion keeps your program ready, change by change.
ROPA Threshold Split
Manage Two Standards Across One Group
When some subsidiaries fall below 750 employees and others do not, your ROPA requirements fracture. Priverion's cross-entity ROPA management lets you configure obligations per entity, with automated recertification for those that still require it and clear audit trails for those that qualify for exemption.
AXA achieved 100% ROPA recertification rate with fully automated workflows
DPIA Transition Period
Navigate Dual Requirements Without Duplicating Work
Until the EDPB's unified DPIA lists are adopted, national lists remain in force. Priverion's AI-assisted DPIA automation maps your processing activities against both current national requirements and proposed EU-wide criteria, flagging where your obligations will shift so you can prepare, not react.
AI assists with drafting and risk scoring; every output is reviewed before becoming a compliance record
Breach Notification Recalibration
Update Every Playbook, Across Every DPA Relationship
Moving from 72 to 96 hours and from "risk" to "high risk" means every incident workflow needs recalibration. Priverion's incident management module lets you update notification thresholds and escalation timelines centrally, then cascade changes to every entity's breach response process.
Data Inventory Re-Evaluation
Reassess What Counts as Personal Data, Entity by Entity
If "relative identifiability" becomes law, datasets that are personal data for one subsidiary may not be for another. Priverion's cross-entity data mapping gives you the visibility to assess each entity's means of identification and document the rationale, producing audit-ready evidence packages in minutes, not weeks.
Zurzach Care achieved 100% vendor risk assessment coverage across all entities
AI Processing Documentation
Track a New Category of Processing Activities Group-Wide
With AI development recognized as a legitimate interest, every subsidiary deploying AI needs documented necessity and proportionality assessments. Priverion's AI Register, built for EU AI Act readiness, provides the structure to inventory, assess, and document AI-related processing activities across your entire group.
No customer data is used for model training. AI assists, humans decide.
Regulatory Change Tracking
Stay Current as the Goalposts Move
Trilogue negotiations mean the final text could differ significantly from the current proposal. Priverion's regulatory change tracking monitors every evolution, alerts your team to material changes, and prepares configuration updates so your privacy program adapts without starting over. You maintain current GDPR compliance while preparing for what comes next.
Operational in weeks, not months. Aircraft manufacturer went live in under 6 months.
Results that speak for themselves
Real outcomes from real compliance teams
200+
Hours saved on ISO 27001 prep
Medtec cut over 200 hours of manual documentation and evidence gathering for their ISO 27001 certification, while the industry average timeline sits at 6 to 12 months.
Medtec, measured during ISO 27001 preparation
60%
Lower cost vs. legacy platforms
Enterprise privacy suites routinely cost six figures annually, with modular pricing that escalates as you scale. Priverion's predictable, per-company pricing eliminates expansion traps and per-user fees.
Based on customer cost comparisons; Vendr data, Feb 2026
60%
Less compliance admin time
Aircraft manufacturer reduced compliance admin time by 60% in their first six months, shifting from manual ROPA updates across subsidiaries to fully automated recertification.
Aircraft manufacturer, first 6 months on Priverion
Enterprise-grade privacy management, without enterprise complexity
Mid-market privacy teams need tools built for how they actually work: lean teams, multiple entities, tight budgets. Here is how Priverion compares to legacy platforms like OneTrust across the areas that matter most.
Priverion
Built for multi-entity mid-market teams
Swiss data sovereignty
All data processing stays within Swiss infrastructure. Switzerland holds an EU adequacy decision, meaning your compliance data never touches a jurisdiction with mass-surveillance risk.
EC adequacy decision for Switzerland under GDPR Art. 45
Predictable pricing
One price based on number of companies and organizational size. No per-user fees, no per-module charges, no expansion surprises at renewal.
Operational in weeks
Designed for lean privacy teams. Aircraft manufacturer went from manual spreadsheets to automated ROPA recertification in their first 6 months, cutting 60% of compliance admin time.
Aircraft manufacturer, first 6 months of deployment
All-in-one platform
ROPA, DPIA/TIA, vendor risk, incident management, DSR handling, data mapping, AI register, and compliance dashboards in a single platform. No module bundles to assemble.
AI-assisted, human-controlled
AI assists with DPIA drafting, risk scoring, and regulatory mapping. Every output is reviewed before becoming a compliance record. No customer data is used for model training.
Typical Enterprise Platform
Built for Fortune 500 buyers
US-based data hosting
Cross-border transfer risk remains a live concern. The EU-US Data Privacy Framework faces ongoing legal challenges, and a potential "Schrems III" challenge looms on the horizon.
DLA Piper GDPR Fines and Data Breach Survey, January 2026
Opaque, modular pricing
Each module is billed on its own metric, and costs can climb in unexpected directions as teams or data footprints grow. Implementation fees alone can add $10,000 to $50,000 to first-year costs.
Vendr pricing analysis, February 2026; Enzuzo market research, March 2026
Weeks-to-months setup
Users frequently cite the need for extended configuration periods. One mid-market reviewer noted spending "several weeks just configuring the workflows and mapping our data" before going live.
G2 verified reviews, 2025
Module-based architecture
Five separate product lines, each priced independently. Configuring and maintaining the platform requires significant time and effort, especially for smaller teams managing privacy across entities.
Capterra verified reviews, 2025
Broad but overwhelming UX
Comprehensive feature set, but multiple reviewers note the interface can feel cluttered. The steep learning curve and complexity add overhead for privacy teams that don't have dedicated platform administrators.
G2 and Capterra aggregated reviews, 2025
What we do not cover (and why that is a feature)
Priverion does not include ESG reporting, ethics hotlines, or cookie consent management. We focus entirely on privacy program management for organizations operating across multiple entities and jurisdictions. If you need a privacy platform that does one job exceptionally well across your entire group, that is exactly what we built.
We integrate deeply with the systems that matter for privacy workflows, including HR, procurement, and IT asset management, rather than offering 200 shallow connectors that create maintenance overhead.
Curious how the switch actually works?
See how Aircraft manufacturer moved from 47 spreadsheets to automated group-wide privacy management.
What DPOs and Compliance Leads Are Asking About the Digital Omnibus
When will these GDPR changes actually take effect?
The Digital Omnibus proposal must pass through ordinary legislative procedure, including European Parliament committee review, Council negotiations, and trilogue. Final adoption is expected around mid-2027 at the earliest, with an implementation period after that. Nothing changes in your legal obligations today, but the time to prepare your program is now, not after the final text is published.
Bird & Bird legislative timeline analysis, Nov. 2025
Our group has subsidiaries both above and below 750 employees. What happens to our ROPA?
Under the proposed changes, subsidiaries below 750 employees would only need a ROPA for high-risk processing activities. Larger subsidiaries retain full ROPA obligations. This creates a split compliance standard within a single group. Priverion lets you configure ROPA requirements per entity, so you can manage both standards from one platform without duplicating work or losing visibility.
Considerati analysis of proposed Article 30 GDPR amendment, 2025
We've already built 72-hour breach notification playbooks. Do we need to rebuild them?
If adopted, the extended 96-hour deadline and higher "high risk" threshold will require recalibrating every incident workflow, escalation matrix, and DPA reporting template. Priverion's incident management module lets you update these centrally and cascade changes to every entity, so you reconfigure once instead of rebuilding playbooks subsidiary by subsidiary.
EDPB and EDPS Joint Opinion on Digital Omnibus, Feb. 2026
How does the proposed change to "personal data" affect our data inventories?
The relative identifiability approach means a dataset could be "personal data" for one entity in your group but not for another, depending on each entity's means of identification. This requires reassessing data inventories entity by entity and documenting the rationale. Priverion's cross-entity data mapping provides the visibility to do this systematically and generates audit-ready evidence packages.
EDPB/EDPS statement on Digital Omnibus, Feb. 2026
Can Priverion scale to 50+ entities across multiple jurisdictions?
Yes. Priverion is designed for multi-entity groups. We serve organizations with 50+ entities across multiple jurisdictions, with cross-entity data mapping, automated ROPA recertification, and centralized compliance dashboards. The platform is operational in weeks, not months. Aircraft manufacturer went from 47 spreadsheets to automated group-wide privacy management in their first 6 months.
Aircraft manufacturer, first 6 months on Priverion
Is the AI in Priverion safe for compliance work?
All data is processed within Swiss infrastructure. AI assists with DPIA drafting, risk scoring, and regulatory mapping, but every output is reviewed by a human before becoming a compliance record. No customer data is used for model training. AI assists, humans decide.
The DPO's Briefing: What the Digital Omnibus Means for Your Privacy Program
The European Commission's Digital Omnibus proposal introduces the most significant changes to the GDPR since 2018, with adoption expected around mid-2027. This plain-language guide cuts through the legal complexity and tells you exactly what changes to prepare for across your group entities.
Inside the guide, you'll find:
1. A breakdown of every proposed GDPR amendment: from the new ROPA exemption for organizations under 750 employees, to streamlined DPIA requirements and the single breach-reporting entry point
2. What the EDPB and EDPS Joint Opinion flags as "significant concerns," including the proposed changes to the definition of personal data that regulators urge co-legislators not to adopt
3. A multi-entity readiness checklist covering cookie consent migration from the ePrivacy Directive to the GDPR, new AI-related processing derogations, and cross-border harmonization changes
4. A realistic legislative timeline so you know when to act, not just what to track, with trilogue negotiations and potential adoption milestones mapped out
Sourced from the European Commission's official proposal and the EDPB/EDPS Joint Opinion (February 2026).
Download Your Free Copy
Get the guide that's already helping DPOs across Europe prepare for the Digital Omnibus changes.
Free PDF. No demo required. We'll send it to your inbox.
Why this matters now
The Commission aims to cut red tape by 25% overall and 35% for SMEs. Nearly 38,000 EU companies qualify under the new small mid-cap category.
European Commission, Simplification Package (May 2025)
From Spreadsheet Chaos to Strategic Privacy Work
"We went from spending the majority of our compliance admin time on manual ROPA updates — chasing business units across multiple subsidiaries — to fully automated recertification. Our DPO now focuses on strategic privacy work instead of spreadsheet maintenance."
Aircraft manufacturer
60% reduction in compliance admin time, first 6 months
"Priverion gave us complete visibility over vendor risk across every entity. We achieved 100% vendor risk assessment coverage, something that would have taken months of manual effort with spreadsheets."
Zurzach Care
100% vendor risk assessment coverage across all entities
Stop managing compliance in spreadsheets
Your DPO has better things to do than chase ROPA updates across 47 spreadsheets
With cumulative GDPR fines now exceeding 7.1 billion EUR and regulators receiving over 443 breach notifications per day, manual compliance processes are a liability. Multi-entity organizations need a platform that scales with them, not against them.
Sources: DLA Piper GDPR Fines and Data Breach Survey, January 2026; CMS GDPR Enforcement Tracker
60%
reduction in compliance admin time
Aircraft manufacturer, first 6 months
200+
hours saved in ISO 27001 preparation
Medtec
100%
ROPA recertification, fully automated
AXA
Swiss-built and Swiss-hosted
AI-assisted, human-controlled
Predictable pricing, no per-user traps
No sales pitch. See Priverion working with your use case. Operational in weeks, not months.
The Privacy Compliance Briefing
Monthly insights on GDPR enforcement, Swiss FAD


