Digital Omnibus 2026: What Changes for GDPR and How to Prepare

What the Digital Omnibus 2026 means for EU data protection

The European Union is preparing one of the most significant changes to its data protection framework since the General Data Protection Regulation came into force in 2018. The proposed Digital Omnibus regulation, part of a broader EU simplification package, aims to reduce the administrative burden of GDPR compliance for small and medium businesses by up to 25%, according to European Commission estimates.

For the millions of SMBs operating across Europe — and particularly in countries like Italy, where micro and small enterprises make up over 95% of the business fabric — this GDPR reform in 2026 could mark a genuine turning point. But simplification does not mean deregulation, and understanding what is actually changing is essential for any business owner who wants to stay ahead.

Why the EU is revisiting GDPR now

When the GDPR took effect in May 2018, it established Europe as the global benchmark for privacy regulation. However, the regulation has also drawn persistent criticism for its one-size-fits-all approach. A 2023 European Commission survey found that nearly 60% of SMBs considered GDPR compliance costs disproportionate to their actual data processing risks. Many small businesses — from a ten-person marketing agency in Milan to a family-run e-commerce shop in Munich — face the same documentation requirements as multinational corporations.

The Digital Omnibus regulation that EU lawmakers are now advancing is part of the broader Competitiveness Compass strategy. Its stated goal is to cut reporting obligations across multiple EU regulations by roughly 25%, without weakening fundamental rights. For data protection specifically, this means recalibrating obligations so that smaller organisations are not buried under paperwork designed for enterprises processing data at a completely different scale.

The push also responds to a practical reality: overly complex compliance does not necessarily produce better data protection. When small businesses struggle to understand their obligations, they are more likely to handle them superficially — or ignore them altogether. A streamlined framework, the Commission argues, could actually improve real-world privacy outcomes.

Key changes for SMBs under the proposed reform

A lighter records of processing requirement

One of the most discussed proposals involves the records of processing activities (ROPA), currently mandated under Article 30 of the GDPR. Under the existing rules, virtually every organisation must maintain detailed documentation of all personal data processing activities, even when those activities are routine and low-risk.

The Digital Omnibus proposal introduces a simplified ROPA model for businesses with fewer than 250 employees, provided their processing activities do not involve high-risk data categories. Instead of exhaustive documentation, these companies would maintain a streamlined register covering only their core processing activities. This change alone could save European SMBs several billion euros annually in compliance costs, according to estimates in preliminary impact assessments cited in the European Parliament discussions.

Revised data breach notification thresholds

The current GDPR framework requires organisations to notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals’ rights. In practice, many businesses over-report low-severity incidents out of caution, flooding data protection authorities with notifications that require resources to triage but yield little protective value.

The proposed changes to GDPR data breach notification are expected to refine what constitutes a notifiable breach for smaller organisations, potentially raising the threshold so that genuinely minor incidents — such as an email sent to the wrong internal recipient with no sensitive data — do not trigger the full notification procedure. This recalibration would allow both businesses and regulators to focus their attention where it matters most.

The reform also looks at how consent and transparency obligations apply to smaller companies. While the fundamental principle — that individuals must be clearly informed about how their data is used — remains untouched, the proposal explores standardised, pre-approved privacy notice templates that SMBs could adopt. This could significantly reduce the legal costs currently associated with drafting and maintaining bespoke privacy policies.

What this does not change

It is important to be clear about what the Digital Omnibus does not do. The core principles of the GDPR — lawfulness, fairness, transparency, data minimisation, purpose limitation, and accountability — remain fully in place. Data subjects’ rights, including the right of access, erasure, and portability, are not being weakened. The regulation still applies to every business that processes personal data of EU residents, regardless of where that business is based.

Nor does the reform eliminate the need for a Data Protection Officer in organisations that meet the existing criteria, or reduce the potential fines for serious violations. The maximum penalties — up to €20 million or 4% of global annual turnover — remain unchanged. What is changing is proportionality: the procedural obligations will be better calibrated to an organisation’s size and risk profile.

How European SMBs should prepare now

Even though the Digital Omnibus regulation is still working through the EU legislative process and final adoption is not expected before late 2026, forward-thinking businesses should start preparing today.

Audit your current compliance posture

Use this transitional period to review your existing GDPR compliance setup. Understand where your current processes are disproportionately complex relative to your actual data processing activities. If you are maintaining extensive documentation for low-risk, routine operations, you may be able to streamline significantly once the new rules take effect.

Map your data processing activities clearly

Regardless of any upcoming simplification, having a clear, accurate picture of what personal data you collect, why you collect it, and how you protect it is fundamental. Businesses that have a well-organised data inventory will be in the best position to take advantage of lighter obligations once they become available.

Stay informed and seek qualified guidance

The EU privacy law update process involves multiple readings, amendments, and potentially significant changes before final adoption. Follow developments through official EU channels and consult with a qualified data protection professional — particularly one familiar with your national supervisory authority’s approach. In Italy, the Garante per la protezione dei dati personali regularly publishes guidance that can help businesses interpret evolving requirements.

The bigger picture for GDPR compliance in 2026

The Digital Omnibus regulation represents a maturation of the European approach to data protection — not a retreat from it. After eight years of GDPR enforcement, regulators and lawmakers have enough real-world data to distinguish between obligations that genuinely protect individuals and those that simply generate paperwork.

For European SMBs, this is an opportunity. Businesses that engage with these changes proactively — rather than waiting for final legislation and then scrambling to adapt — will find themselves with a genuine competitive advantage: strong data protection practices without unnecessary administrative overhead. The companies that treated GDPR seriously from the beginning will benefit the most from this simplification, because they already have the foundations in place.

The message from Brussels is clear: privacy protection and business practicality are not mutually exclusive. The GDPR reform in 2026 aims to prove it.

