Digital Omnibus
On 19 November 2025, the European Commission presented a new legislative package entitled Digital Omnibus. The main objective of this package is to simplify regulation and reduce administrative burdens. Digital Omnibus primarily affects the Digital Services Act (DSA), Digital Markets Act (DMA), AI Act, Data Governance Act, Data Act, and, to a more limited extent, also the GDPR and ePrivacy framework.
Digital Services Act
With regard to the DSA, the Digital Omnibus does not alter the substantive obligations of platforms or liability for illegal content. Instead, it focuses on the procedural and institutional alignment of the DSA’s enforcement with other EU digital regulations, in particular the GDPR, AI Act, DMA, and Data Act. The aim is to increase legal certainty and predictability of supervision, reduce duplicative proceedings and uncoordinated sanctions, and clarify the allocation of competences among supervisory authorities, without weakening or simplifying the substantive obligations arising from the DSA.
AI Act
Relief measures are proposed for companies that develop or use artificial intelligence systems. Under the original rules of the regulation known as the AI Act, companies are required to register certain high-risk AI systems in an EU database. The new proposal seeks to abolish this obligation for systems that formally fall within the high-risk category but do not, in practice, pose a significant risk to fundamental rights (for example, systems designed solely for narrow procedural tasks). Instead of registration, companies would only be required to prepare their own internal assessment and retain it for potential supervisory review.
The proposed changes also affect education and training. The AI Act introduced an obligation for operators and providers of AI systems (including employers) to ensure AI literacy, i.e. the ability to understand how AI systems function. Digital Omnibus proposes to shift primary responsibility for this obligation to the Member States and the European Commission, which should ensure appropriate awareness-raising and tools.
In addition, EU-wide AI “sandboxes” are planned from 2028, enabling developers to test AI systems safely in real-world environments without the risk of immediate sanctions.
GDPR
In the area of personal data protection, the proposal aims to enhance legal certainty and predictability for developers and operators of digital technologies, in particular by clarifying the relationship between the GDPR and other EU digital legislation and by promoting a more consistent application across the EU.
The proposal does not change the rules for determining a legal basis under the GDPR. However, it clarifies that legitimate interest pursuant to Article 6(1)(f) GDPR may, under certain circumstances, be considered a relevant legal basis for the training of AI models or for scientific research, provided that the proportionality test is met and appropriate safeguards are implemented, such as pseudonymisation or purpose limitation. The proposal thus reinforces a risk – based and contextual approach, rather than broadly expanding the use of personal data.
Cookies
A notable change for both users and website operators is the planned limitation of pop-up consent banners for cookies. In addition, cookies that do not pose a risk to users’ privacy (such as those used for basic traffic measurement or essential website functionality) would no longer require user consent.
NIS2
In the area of incident reporting, the rules are expected to be harmonised. Currently, companies are required to report a single incident to multiple authorities under different legal frameworks (GDPR, NIS2, DORA). Under the proposed changes, a single contact point for all incident reporting should be established.
Data Act
With regard to the Data Act, the Digital Omnibus focuses on clarifying and coordinating its application with other EU digital legislation, in particular the GDPR, DSA and AI Act. The objective is to enhance legal certainty for entities subject to the Data Act, reduce duplicative notification and supervisory obligations, clarify procedures for public sector data requests, and align the roles of supervisory authorities, without limiting the core obligation to share data in cases provided for under the Regulation.
European Business Wallet
Another key development is the introduction of the European Business Wallet. This will be a digital tool enabling companies to easily prove their identity and verify business partners across the EU, with the aim of accelerating and securing cross-border business activities.
The entire legislative package is currently at the proposal stage within the European Commission, which has also launched a public consultation known as the “Digital Fitness Check.” The consultation will run until March 2026, and the final shape of the rules may therefore still change.
Implementation of the AI Act in the Czech Republic
The Ministry of Industry and Trade has prepared a draft Act on Artificial Intelligence.
As EU legislation is directly applicable, the national act does not introduce new substantive rules for the operation of AI systems. Instead, it takes a minimalist approach, focusing solely on the necessary procedural and institutional arrangements that fall within the competence of the Member States.
The Ministry of Industry and Trade will act as the main coordinating authority, while market surveillance and the role of the single contact point will be performed by the Czech Telecommunication Office. The Czech National Bank and the Office for Personal Data Protection will also be involved, while the Office for Technical Standardization, Metrology and State Testing will assume the role of the notifying authority and will accredit conformity assessment bodies. In the area of the protection of fundamental rights, a significant role will be played by the Public Defender of Rights. At the same time, the establishment of a national regulatory sandbox is envisaged, enabling companies to safely test AI systems prior to their placement on the market and to create an appropriate environment for the designation of notified bodies responsible for the certification of selected artificial intelligence systems.
The draft further defines administrative offences and sets out the procedure for imposing sanctions for breaches of the rules. The maximum level of fines is derived directly from the EU Regulation and may reach up to EUR 35 million or 7% of the undertaking’s worldwide annual turnover.
The interministerial consultation procedure has been completed, and the individual comments are currently being processed.
Chat Control
On 27 November 2025, the Council of the EU approved its negotiating position on the proposed CSAM Regulation (sometimes referred to as “chat control”), which aims to protect children in the digital environment and combat online child sexual abuse. The proposal requires providers of digital services to assess the risks of misuse of their services and, in justified cases, to implement measures to mitigate such risks, including the detection and reporting of illegal content..
The possibility of automated content detection, which in extreme cases could lead to interference with private communications and pressure to weaken end-to-end encryption, has sparked significant controversy. The Council of the EU has therefore sought to find a compromise that would allow for child protection without leading to blanket monitoring of communications. Nevertheless, the proposal remains politically sensitive, and some Member States, including the Czech Republic, continue to oppose solutions that could result in widespread content monitoring or the weakening of encrypted services.
Digital Legal Update 01/2026 here.