Stape
Language iconEN
ES
FR
DE
NL
IT
PT
TR
RU
UA
JA
ZH
KO
Search
Contact salesTry for free
Contact salesTry for free
Consent mode

Digital Omnibus: What you need to know & steps before rollout

Uliana Lesiv

Uliana Lesiv

Author
Published
Dec 19, 2025
comments
Join the conversation
i

Key takeaways:

  • The Digital Omnibus is an EU proposal aimed at amending and consolidating major data regulations to simplify compliance.
  • The first public discussions are expected in 2026.
  • A key proposal is modernizing cookie rules by introducing automated consent choices via web browser or app settings. The goal: deal with "consent fatigue."
  • For digital marketers, benefits include the potential elimination of required cookie banners and accelerated AI development for personalized campaigns.
  • Marketers face risks of collecting less data because users could pre-define rejections across all sites. The compliance with data minimization for AI datasets can be challenging.
  • Server-side tracking would become essential to ensure compliance with principles like data minimization and secure data flows.

What is the Digital Omnibus Regulation Proposal?

Digital Omnibus
Digital Omnibus

Digital Omnibus is a list of proposals aimed at amending data regulations. The European Commission published the Digital Omnibus Regulation Proposal in November 2025. It introduces amendments across the EU's data protection, data sharing, and cybersecurity regulations to eliminate overlapping requirements and provide clearer guidance on how these rules interrelate.

!

Please note:

The proposal is at the start of the legislative procedure. The first public discussions and progress in the legislative process are expected in early 2026.

Key changes proposed by Digital Omnibus

ProposalDescription
Modernizing cookie and tracking rulesThe aim is to reduce “consent fatigue”. The proposal introduces a “single-click” reject option - a mechanism for automated and machine-readable consent choices (e.g., via web browser or app settings). The exception: Media service providers (e.g., national newspapers' websites, TV channels' video platforms) could maintain direct interaction with users on consent choices.
Lawful basis for AIAmendments to clarify the definitions of "personal data" and "scientific research" to simplify the legal basis for processing data to build and run AI systems.
"Report Once, Share Many" principleThe creation of a single-entry point for security incident reporting managed by ENISA. The ENISA would route the data to relevant national authorities.
Consolidation of the EU data regulationsThe proposal repeals three acts: the Free Flow of Non-Personal Data Regulation (FFDR), the Data Governance Act (DGA), and the Open Data Directive. Certain rules from these acts can be merged into the amended Data Act. Cookie regulations, which are now governed by the e-Privacy Directive, could move into the GDPR.
Simplified compliance obligations for Small Mid-Cap companies (SMCs)Companies with up to 499 employees (or €100 million in turnover) would get simplified technical documentation requirements, limits on fines, and priority entry into regulatory sandboxes.

What does it mean for digital marketers and business owners?

For digital marketing specialists and business owners, the Digital Omnibus could provide numerous benefits and simplify data collection/management/processing. On the other hand, if it comes into force, they could face challenges connected with data collection and its security.

Potential benefits

  • Eliminate the need for cookie banners. If a mechanism for automated consent choices via web browser/app settings were implemented, there would be no need for adding cookie banners for every website. The reason for such a move: cookie banners are annoying for website users (according to research published on ResearchGate, most find banners annoying, but prefer having choices - 88% expect at least one opt-out option). If the banner is poorly designed, behavioral metrics (such as time on page, bounce rate) can drop. Creating automated user choices can remove such a problem for website owners.
  • Accelerate the development of artificial intelligence systems. Providing the legal basis for data processing by AI could accelerate and simplify systems development for marketing purposes (audience segmentation and/or running personalized marketing campaigns).
  • Unified security incident reporting. For businesses dealing with security or data breaches, it should be easier to report cybersecurity incidents. If a Single Entry Point (SEP) is adopted, the companies would submit one report to a central EU portal. No need to submit separate, overlapping notifications under different regulations, which reduces administrative work.
  • Easier to conduct business operations. The digital wallets, as part of the EU Digital Omnibus, would accelerate cross-border business operations, simplify paperwork, and save money for European companies by reducing administrative burdens.
  • The simpler EU digital rules. Instead of managing compliance across four regulations, businesses could primarily focus on two regulations: the GDPR (for personal data) and the amended Data Act (for non-personal and organizational data). This reduces the complexity of legal mapping and internal compliance checks.

Potential risks

  • Lower impact on user consent and potentially reduced volume of data collected. With cookie banners, website owners could test different options to increase the consent rate; they had direct influence on the cookies that visitors can accept. If the users pre-define (via web browser or app settings) the cookies they reject, these selections will be applied to all websites they visit, and the companies can end up collecting less data.
  • Protection of sensitive personal data. Developing general-purpose AI models can become simplified, but at the same time, data collection, storage, and usage requirements could be more challenging to comply with. The requirements for European companies or those aiming at the EU market include respecting data minimization during the source selection, training, and testing of the AI system; implementing protections against the non-disclosure of retained data in the system; and providing transparency to data subjects.
  • Technical compliance with automated user choices. Although the Digital Omnibus proposal doesn't provide the standardized requirements on how automated user choice should technically be implemented on the website's side, there are assumptions that it could work similarly to the Global Privacy Control (GPC). Currently, not all Consent Management Platforms (CMPs) support GPC, so business owners may face difficulties implementing them to receive a signal on user consents.
Digital Omnibus risks and benefits
Digital Omnibus risks and benefits

Why server-side tracking would become essential

Before starting, it is important to note that the EU Digital Omnibus regulation doesn’t mandate a switch to server-side tracking; this section is aimed at highlighting the challenges the marketers may face and how server-side tracking can help overcome them.

If the digital package is passed in the form that is currently publicly available, the server-side tracking can help stay in compliance with the regulations while collecting data.

First-party data collection is the key shift that can be noticed over the past years; it has become a trend in digital marketing. The EU's proposed changes, along with trends, push marketers toward switching to server-side tracking. The Digital Omnibus focuses on general data protection regulation mechanisms that client-side tracking struggles to meet without data loss/security vulnerability:

  • Data minimization
  • Secure data flows

Both principles are required to follow while collecting data, particularly for training AI systems.

Data minimization. The regulations could demand that marketers only collect the minimum data necessary. Client-side tracking isn't a flexible approach to data gathering. Third-party data-collecting scripts can gather all available data (IP address, browser type, device identifiers, etc.) right away. Such an approach violates the principle of data minimization.

Secure data flows. Client-side tracking is vulnerable to browser exploits and man-in-the-middle attacks, as the data is sent directly from the user's browser to third-party services. With server-side tracking, the data is collected and processed in your server environment before it is forwarded to any third-party platform. This reduces the attack surface available to external threats.

We don't know what exact approach will be selected to ensure automated user choice. Still, the thing is clear - business owners can have less impact on the users' consent preferences and the volume of data they collect. In this case, server-side tracking can help keep the balance between data collection and regulation compliance.

A server-side tracking solution provides complete control to comply with signals on consent (by blocking sharing), and at the same time, it can help you achieve higher data accuracy due to bypassing ad blockers and browser restrictions.

Impact of server-side tracking
Impact of server-side tracking

Steps to take before the EU Digital Omnibus rollout

Audit your Consent Management Platform

Since the implementation mechanism of automated user choice hasn't been published yet, it is just guesswork based on the currently available technologies.

The research states that Global Privacy Control (GPC) can be mapped to the various legal bases for processing under the GDPR and can become a prototype for automated user choice adoption in the EU. Currently, GPC has an explicit legal requirement under laws in the USA (CCPA/CPRA) only.

How Global Privacy Control works
How Global Privacy Control works

For now, you can check whether your CMP supports GPC, and you may test how it works for your case. The CMS platforms can have a separate option to activate GPC signal receiving. Another option is a separate toggle to activate compliance with the USA data privacy regulations, for example, as in iubenda:

US State Laws toggle in iubenda
US State Laws toggle in iubenda

For the test, you will also need to activate the GPC within your web browser or install a browser extension that sends the GPC signal.

A few browsers currently support GPC: Brave, DuckDuckGo Browser, and Mozilla Firefox. For other browsers, you can use extensions such as Privacy Badger, OptMeowt, and Dedicated GPC Enabler.

Consider implementing server-side tracking

Configuring server-side tracking is a good strategy to follow before the EU Digital Omnibus rollout. Although it may have additional adjustments, the commitment to safeguarding the fundamental rights of website users will be preserved.

Collecting and processing data in a secure server environment is the most effective way to implement the mandatory data minimization and protection rules required for AI datasets. Server-side tracking helps filter, pseudonymise, and protect sensitive data from leaking. In addition, with its help, you can track more data while staying compliant (server-side tracking allows you to minimize the impact of ad blockers and browser restrictions).

With server-side tracking, a cloud server acts as a proxy between your website and any third-party tools. Your site sends data to the cloud server first, and the server then forwards that data to third-party vendors and tracking platforms.

How server-side tracking with a cloud server works
How server-side tracking with a cloud server works

Stape provides hosting for server GTM containers as well as numerous solutions to smoothly implement server-side tracking. Check our guides to get deeper into the topic of server-side tracking and decide if it works for you:

What’s next?

The Digital Omnibus is still at the proposal stage, but political and economic factors suggest that reforms in EU data collection and processing rules are on the horizon. 

The European Commission views the Omnibus as a necessary step to reduce the “compliance thicket” created by existing regulations. It is seen as limiting European businesses and preventing competitiveness with the US and Asia in fields like AI. 

The exact amendments and their timing are unknown, but some of the currently published proposals will likely come into force. Businesses and marketers should be ready to meet the changes, understanding both the opportunities they may offer and the challenges they can bring.

Want to switch to the server side?Sign-up now!

Subscribe for updates:

we don’t spam!
author

Uliana Lesiv

Author

Uliana is a Content Manager at Stape, specializing in analytics and integration setups. She breaks down complex tracking concepts into clear insights, helping businesses optimize data collection.

Comments

Related to this post

Server-side tracking and GDPR
Dec 14, 2021

Blog

Server-side tracking and GDPR

Learn how to use server-side tracking to comply with GDPR. Tips on using consent mode in the server GTM and protecting users' data included.

EU-owned proxy server for sGTM or how to use Google Analytics GDPR compliant way
Sep 6, 2022

Blog

EU-owned proxy server for sGTM or how to use Google Analytics GDPR compliant way

Make Google Analytics GDPR compliant! Learn about EU data transfer concerns and how Stape Europe's EU proxy server for sGTM helps you comply with regulations..

Cookies, the GDPR, and the ePrivacy Directive
May 28, 2024

Blog

Cookies, the GDPR, and the ePrivacy Directive

What cookies do and why they matter. How cookies are affected by the GDPR, CCPA, ePrivacy Directive and ePrivacy Regulation. Cookie compliance best practices.

Try Stape for all things server-side