Objective of the consultation

Collect the opinion of the citizens, organizations and interested actors on:

• Problems that are intended to be solved.
• Need and opportunity for reform.
• The objectives that the new standard should pursue.
• Possible regulatory or non-regulatory alternatives.

Background and problems that are intended to be solved with the new standard.

The proposal for a Digital Omnibus Regulation (2025/0360 COD) is an initiative of the European Commission aimed at simplifying, clarifying and modernising the European regulatory framework on data through a comprehensive reform that consolidates and streamlines existing legislation. Its main objective is to reduce administrative burdens for companies and public administrations, strengthen legal certainty and promote European competitiveness, without compromising the high standards of protection of fundamental rights, privacy and information security.

The proposal for a regulation addresses the amendment of various provisions at Community level in order to integrate into a single harmonised legal framework provisions currently contained in Regulation (EU) 2022/868 (Data Governance Regulation), Directive (EU) 2019/1024 (Directive on open data and re-use of public sector information) and Regulation (EU) 2018/1807 (free movement of non-personal data), which will be repealed once the new regulation enters into force. It also makes specific adjustments to Regulation (EU) 2023/2854 (Data Regulation) to improve its internal consistency, clarify key concepts and adapt certain obligations to the evolution of the digital market and emerging technologies.

Article 1 is at the heart of this reform, as it fundamentally reshapes the European regime in the field of data by:

• the normative integration of the various existing legal instruments into a single harmonised framework;
• improving regulation on data intermediation services and data altruism organisations;
• the establishment of clearer and more proportionate rules for the provision of data by companies to public administrations in situations of public emergency;
• strengthening protection against the risks of disclosure of trade secrets, especially when third countries with levels of legal protection lower than those of the Union are involved;
• the unification and updating of the framework for the re-use of public sector data, the free movement of non-personal data
• the facilitation of change of provider processes in data processing services, particularly in the area of cloud computing.

El artículo 2 introduce en el Reglamento (UE) 2018/174, en el anexo relativo a la ‘start-up, management and closure of a company’, the relevant references to data intermediation services and altruistic data transfer.

Articles 3 and 4 incorporate amendments to Regulation (EU) 2016/679 (General Data Protection Regulation) as well as to Regulation (EU) 2018/1725, in order to adapt its wording to the amendments introduced in Article 3 in order to clarify concepts in this matter and strengthen legal certainty. With regard to this matter, Article 5 provides for amendments to Directive 2002/58/EC (‘the Directive on privacy and electronic communications’) in order to bring it into line with the new regulation, in such a way that it allows the rules on the storage and access to personal data of a natural person’s terminal equipment to be transferred to the GDPR.

Articles 6, 7, 8 and 9, for their part, regulate the single entry point for notification of incidents. The one-stop shop for reporting incidents covered by different regulatory frameworks will be managed by ENISA, the European cybersecurity agency. This reform aims to ensure that notifications sent by a company or body simultaneously comply, through a single report, with the obligations arising from the NIS2/SRI2, RGPD, DORA, CER and eIDAS regulations.

Finally, Article 10 lays down derogatory and transitional provisions. This article, among others, repeals Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on the promotion of fairness and transparency for professional users of online intermediation services (Platform-to-Business Regulation) in order to simplify the regulations applicable to online platforms taking into account that, since its approval in 2019, other rules have been approved that cover, in part, the same issues as the Platform-to-Business Regulation. However, Articles 4 and 11 of the Regulation, as well as various related additional provisions, remain in force until the year 2032, due to the fact that they are articles and provisions referenced in other rules, which must be modified before 2032.

Overall, the proposal represents a strategic turning point in adapting the European regulatory framework to a highly competitive global environment, prioritising the Union’s regulatory agility, innovation and technological sovereignty, and ensuring that standards act as an engine for economic growth and the single data market.

2.Objetivos of the standard.

In order to respond to the challenges posed by the data economy and make progress in reducing administrative burdens that boost competitiveness, the main objectives of the Digital Omnibus Regulation are:

• Simplify and unify part of the data legislative package, reducing from five to two the main legal acts (the General Data Protection Regulation and the consolidated Data Regulation) to eliminate regulatory overlap and inconsistencies, and contribute to an improvement in legal certainty; as well as recasting and/or eliminating regulations that have been superseded by more recent legislation.
• Strengthen the guarantees of protection of trade secrets in B2C and B2B data exchanges, expanding the cases in which holders can deny access when there is a risk of disclosure, either by entities from third countries or by organizations established in the EU under extra-Community control.
• Simplification of the regime for making data available to the public sector in the event of public emergencies, eliminating the case of “exceptional needs”, establishing clear justification criteria, deadlines and minimum requirements for requests, and exempting micro and small companies when requests are linked to mitigation or recovery tasks.
• Promote a more agile and competitive data market by replacing the mandatory intermediary notification system with a voluntary register, creating a harmonized framework for intermediary services and data altruism entities with European markings, promoting altruistic assignments for purposes of general interest and the possibility of imposing specific conditions on large platforms (‘gatekeepers’) in the reuse of public data.
• Promote innovation and interoperability by removing rigid requirements applicable to smart contracts to allow the development of technologies such as blockchain, facilitating portability and change of provider in cloud services —especially for SMEs and tailor-made solutions— and removing restrictions on the location of non-personal data to ensure its free circulation in the EU.
• Strengthen coordinated governance of the data ecosystem, empowering the European Committee for Data Innovation (CEID), enabling agile complaints mechanisms to competent authorities, and establishing in each Member State a single access point that concentrates information on data resources and services.
• Clarify and update the personal data protection framework, specifying essential definitions such as “personal data”, facilitating compliance for SMEs and low-risk treatments, delimiting the scope of pseudonymisation, improving information and gap reporting requirements, and providing clarity on the use of data in training AI systems.
• The regime applicable to the storage and access to data on terminal equipment, including cookies, is modified. The storage and access to personal data of terminal equipment of natural persons becomes regulated exclusively by the GDPR, with the application of the ePrivacy framework being limited to all other cases (e.g. non-personal data). The new regime provided for in the GDPR extends the cases in which consent is not necessary. Likewise, it requires that the consent can be rejected in a click, that it can not be requested again until after 6 months or that it can be expressed by automated means, for example, through the browser, except in the case of media services.
• Create a centralised incident reporting mechanism that unifies obligations from different regulatory frameworks, reduces administrative burdens and ensures the appropriate transfer of information to competent authorities. The notification obligations that are created are of a different nature, addressees and purposes. In the case of the GDPR, the notification of a data breach to the data protection authority may be due to very diverse causes—internal errors, loss of devices, unauthorized access—and not necessarily to a cybersecurity incident in the strict sense. In the case of NIS2, notifications are addressed to national CSIRTs and are intended to trigger an operational technical response. Both obligations have different receiving authorities, different deadlines and purposes that are not interchangeable. The SEP will operate as a transmission channel: the entities will send the notification to the SEP, which will redirect it to each competent authority. The proposal expressly excludes ENISA from accessing the content of the notifications, unless there is a sectoral provision to the contrary.
• Regulation (EU) 2019/1150 (Platform-to-business Regulation) is repealed, although, on a transitional basis, Articles 4 and 11 of the Regulation, as well as various related provisions, remain in force until 2032.

Term of participation

March 13 to March 29, 2026.

Channel of participation

https://forma.administracionelectronica.gob.es/form/open/corp/1be942e0-53cf-4443-af69-2c7d2f7062ef/MCaM