Data protection authorities EDPB and EDPS issue joint opinions.

At the beginning of this year, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted two joint opinions on the Digital Omnibus proposed by the European Commission in November 2025. A first joint opinion of 20 January concerns the Digital Omnibus on artificial intelligence (AI), while a second joint opinion of 10 February addresses the Digital Omnibus covering mainly data-related aspects, as well as cybersecurity and electronic identification.

AI Digital Omnibus: Support for regulatory sandboxes, criticism of high-risk rules

With regard to the Digital Omnibus on AI, the EDPB and the EDPS express a nuanced view. They welcome the establishment of AI regulatory sandboxes at EU level to foster innovation. In this context, they advocate granting the EDPB an advisory role and observer status in the European Artificial Intelligence Board in order to ensure a coherent approach to the design and supervision of regulatory sandboxes. The authorities also recommend maintaining the obligation for AI providers and deployers to ensure an adequate level of AI literacy among their staff.

At the same time, the EDPB and the EDPS are critical of several proposed amendments concerning high-risk AI systems. They oppose the envisaged exemption from the registration requirement for AI systems that fall within a high-risk category but are classified by their providers as “not high-risk”. In the view of both authorities, this would significantly weaken accountability and create incentives for providers to inappropriately claim exemptions in order to avoid public scrutiny. They also object to the proposed postponement of the dates of application for obligations relating to high-risk AI systems and call, in particular, for transparency requirements not to be delayed.

Digital Omnibus on data: Support for notification thresholds, criticism of definitional changes

With regard to the proposed Digital Omnibus in the area of data, the EDPB and the EDPS also identify both positive and negative elements. They welcome in particular the increase of the risk threshold triggering the obligation to notify a personal data breach to the competent supervisory authority, as well as the extension of the corresponding notification deadline. The proposed common templates and lists for personal data breaches and data protection impact assessments are likewise viewed positively.

However, the two authorities are critical of the proposed changes to the definition of personal data. In their assessment, these go beyond a purely technical amendment of the General Data Protection Regulation (GDPR) and the existing case law of the Court of Justice of the European Union. Accordingly, they call on the European Parliament and the Council to refrain from adopting the proposed changes in the legislative process.

Outlook on the legislative process

In the European Parliament, rapporteurs for the two dossiers are currently being appointed. The process on the Digital Omnibus on AI is more advanced: rapporteurs Arba Kokalari (EPP, SE) and Michael McNamara (Renew, IE) from the jointly responsible Committees on the Internal Market and Consumer Protection (IMCO) and on Civil Liberties, Justice and Home Affairs (LIBE) have already presented a draft report. Particular urgency attaches to this file, as the Commission has proposed postponing the dates of application of the provisions on high-risk AI systems. Without an amendment through the Digital Omnibus on AI, those provisions would apply from August 2026.