
GDPR Reform 2025: What the “Digital Omnibus” Means for Data Protection & Businesses

The EU is planning a major overhaul of digital regulations, including key data-protection principles. Organizations should act now to secure data sovereignty and long-term compliance.

Background: What Is the “Digital Omnibus”?


The “Digital Omnibus” is a legislative proposal by the European Commission aimed at simplifying digital regulations, including the General Data Protection Regulation (GDPR). Its goal is to make digital processes across Europe more efficient and business-friendly.

However, according to critics such as noyb.eu (Max Schrems), the current draft could significantly weaken data-protection rights and security standards.

The 5 Most Important Changes at a Glance

| Change | Risk |
|---|---|
| 1. Narrower definition of personal data | Protection would depend on “likely identifiability,” no longer on objective possibility. |
| 2. Weaker protection for special data categories | Only directly disclosed health, religious, or political data would remain protected — profiling could become unregulated. |
| 3. Restrictions on data-subject rights | Access requests (Art. 15 GDPR) could incur fees or be rejected if they “do not serve data protection.” |
| 4. Relaxed transparency obligations | SMEs would need to provide less information — in practice irrelevant, as processors are usually involved. |
| 5. More freedom for automated decision-making | Human oversight may no longer be required: increased risks for fairness, bias, and accountability. |

Assessment: Simplification or Step Backward?


Civil-society organizations warn that the Digital Omnibus could become the largest reduction in data-protection standards since the GDPR was introduced. Particularly problematic:

  • Profiling-based processing without safeguards
  • Ambiguous validity of data-subject rights
  • Greater freedom for AI systems and automated decisions

The draft is not final, but its direction is clear: companies will need to take greater responsibility for technical security measures instead of relying solely on regulatory frameworks.

Recommended Technical Measures — Regardless of Legislative Changes


To remain compliant despite regulatory uncertainty, organizations should implement the following controls:

Encryption Across All Data Phases

  • Data at Rest: Protection of stored data
  • Data in Transit: Secure transfer across networks
  • Data in Use: Protection during processing (e.g., in SaaS platforms)

Full Key Ownership

  • No provider or third-party access
  • Integration with HSM/KMS systems

Format-Preserving Encryption

  • Field-level protection for IBANs, names, health data, etc.
  • Transparent integration into existing applications

Crypto Agility & PQC Readiness

  • Flexible algorithm switching as threats evolve
  • Support for post-quantum encryption (e.g., Kyber)

Auditability & Compliance Evidence

  • Logging, monitoring, and reporting
  • Fulfillment of requirements under GDPR Art. 32, DORA, NIS2, Section 203 StGB, Trade Secrets Acts, HIPAA, etc.

eperi sEcure: A Technological Response to Legal Uncertainty


eperi sEcure is a client-side encryption platform that allows organizations to protect their data independently of regulatory developments.

Your advantages with eperi sEcure:

  • Encryption before data reaches the cloud or application (Data-in-Use)
  • Integration with Microsoft 365, Salesforce, ServiceNow, and more
  • BYOK/HYOK support for full key sovereignty
  • Crypto Agility & Post-Quantum Encryption
  • Support for compliance with GDPR, DORA, NIS2, Section 203 StGB, Trade Secrets Acts, HIPAA, etc.

Conclusion: The Legal Framework May Change — Your Security Should Not


Whether the Digital Omnibus takes effect or is revised, organizations that invest in technical data-protection measures today gain independence from political uncertainty and secure long-term business resilience.
With eperi sEcure, you maintain full control over your data — even as data-protection laws evolve.
