The Digital Omnibus and GDPR — EDPB-EDPS Joint Opinion 2/2026: What Will (and What Will Not) Change for Bulgarian Controllers

Published: 30 April 2026 | Last updated: 30 April 2026

On 19 November 2025 the European Commission proposed the Digital Omnibus — a wide-ranging reform to simplify the EU’s digital regulatory framework, affecting the GDPR, the ePrivacy Directive, the Data Act, the Data Governance Act, NIS2 and several other instruments. On 10 February 2026 the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 2/2026 — a wide-ranging assessment of the proposed amendments. The message is one of conditional support: the authorities welcome certain simplification measures but express serious reservations and in some cases firm opposition. This article walks through the 9 key GDPR amendments theme-by-theme, the EDPB and EDPS positions, and the practical implications for Bulgarian controllers and processors.

TL;DR: The Digital Omnibus is a horizontal reform simplifying the EU digital framework — touching GDPR, ePrivacy, Data Act, NIS2 and others. EDPB-EDPS Joint Opinion 2/2026 assesses 9 key GDPR amendments. Support for: data breach notifications (threshold raised to “high risk”, deadline extended from 72 to 96 hours); harmonised DPIA templates; biometric verification under sole user control; cookie banner reduction. Firm opposition to: the proposed contextual definition of “personal data” (which would narrow GDPR scope); softening the ban on automated decision-making. Mixed: DSAR restrictions (only on demonstrable abuse); transparency simplification; AI legitimate interest. For Bulgarian controllers: substantial changes ahead in breach notification, DPIA templates and cookie compliance. Innovires Legal and our dedicated GDPRBG.com provide end-to-end legal support.

What the Digital Omnibus is and why it matters

The Digital Omnibus is a horizontal amendment package presented by the European Commission on 19 November 2025. Its aim is to simplify and harmonise the existing EU digital regulatory framework, which the Commission considers to have become overly complex and at times inconsistent. The package simultaneously affects:

  • Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR);
  • Regulation (EU) 2018/1725 — data protection in EU institutions (EUDPR);
  • Directive 2002/58/EC — ePrivacy (cookies, electronic communications);
  • Regulation (EU) 2023/2854 — Data Act;
  • Regulation (EU) 2022/868 — Data Governance Act;
  • Directive (EU) 2022/2555 — NIS2 (cybersecurity);
  • Regulation (EU) 2018/1724 — Single Digital Gateway;
  • and several other instruments in the EU digital ecosystem.

Why this matters for Bulgarian businesses

For Bulgarian controllers and processors the Digital Omnibus matters for three principal reasons. First, much of the package would simplify existing obligations (notably breach notification timelines and unified DPIA templates). Second, some proposals would reduce data subjects’ protection, which complicates the design of corporate policies. Third, any adopted changes will apply directly in Bulgaria without national transposition and will bind the CPDP (Bulgarian DPA).

For an introduction to the area, see our general GDPR compliance guide and the dedicated analyses on GDPRBG.com.

Joint Opinion 2/2026 — positions overview

On 10 February 2026 the EDPB and the EDPS adopted Joint Opinion 2/2026. The document conducts a theme-by-theme review of all proposed amendments to the GDPR and to the ePrivacy Directive. The overall message can be grouped into three categories:

  • Firm opposition — changes that the authorities consider incompatible with the fundamental right to data protection;
  • Mixed position — conceptual support but a need for substantial textual revision;
  • Support — changes the authorities welcome as genuine simplification without prejudice to protection.

The next sections cover the 9 key GDPR amendments grouped by theme, alongside the EDPB and EDPS position and an assessment of the practical implications for Bulgarian controllers.

What follows procedurally: the Joint Opinion is advisory — not binding on the EU co-legislators. The Digital Omnibus text is being negotiated in the Council of the EU and the European Parliament under the ordinary legislative procedure. A realistic adoption window is late 2026 or H1 2027. Entry into force of the GDPR amendments will depend on the agreed transitional period (typically 12–24 months).

Theme 1: Definition of “personal data” — the red line

Commission proposal

The Commission proposes a contextual (entity-relative) definition: information would qualify as “personal data” only relative to a specific controller who can reasonably identify the data subject. The aim is to facilitate data sharing and pseudonymisation practices — if controller A holds a pseudonymised data set that A itself cannot re-identify, the set would not constitute “personal data” for A.

EDPB and EDPS position

Firm opposition
The EDPB and EDPS take their strongest stance here. The proposed definition is not a technical clarification or a codification of CJEU case law — it would narrow the concept of personal data in a way that goes beyond the simplification objective. Material risk: controllers may engineer structures to fall outside the GDPR’s reach (e.g. by outsourcing specific activities), while data subjects’ data remains exposed. The EDPB and EDPS strongly urge the co-legislators not to adopt the proposed changes.

For Bulgarian controllers

If adopted despite EDPB-EDPS opposition, the proposal would create two parallel regimes in Bulgaria: data sets falling outside the GDPR for a specific controller, and those still protected. Possible consequences: more data sharing, more pseudonymisation, but also potential protection gaps.

Innovires Legal forecast: the proposal is likely to be substantially amended in the legislative process under pressure from the EDPB-EDPS and the European Parliament. The final text will most likely retain the current definition with only limited clarifications.

Theme 2: Sensitive data — biometric exception and AI

Commission proposal

Two new exemptions are added to Article 9 GDPR:

  • Biometric data for verification — allowed where both the biometric data and the verification means are exclusively under the data subject’s control (e.g. on-device authentication);
  • AI training with incidentally encountered sensitive data — AI developers may process sensitive data that incidentally appears in training datasets, provided there are robust mitigation measures.

EDPB and EDPS position

Biometric: SUPPORT
The biometric verification exception under sole user control is welcomed. It codifies an existing good practice for on-device authentication (Face ID, Touch ID) without weakening protection.

AI: NEEDS IMPROVEMENT
The EDPB and EDPS acknowledge that when training AI systems incidental exposure to sensitive data cannot always be avoided. They recommend, however, that the enacting terms refer to “incidental and residual”, that the scope of the derogation be clarified, and that safeguards apply throughout the AI system’s lifecycle.

For Bulgarian controllers

The biometric exception is good news for fintech and online services using on-device authentication. The AI exception requires careful analysis — every use will need to be documented as “incidental and residual”. See also our article on personal data and AI.

Theme 3: Data subject access requests (DSARs) — narrowing on abuse

Commission proposal

In addition to the existing rule (Art. 12(5) GDPR) on refusal or fees for manifestly unfounded or excessive requests, controllers would also be able to refuse or charge a fee where requests are used or abused for purposes other than data protection (e.g. litigation, disciplinary or competitive use). The burden of proof remains on the controller.

EDPB and EDPS position

Mixed
Clarifying “abuse of rights” is welcome, but it should not be tied to exercising the right for purposes other than data protection — the GDPR also protects other fundamental rights. Furthermore, the CJEU has already confirmed that data subjects may exercise the right of access without justifying their motives. The EDPB and EDPS recommend tying “abuse of rights” to the existence of an abusive intention (e.g. demonstrable intent to harm the controller). This is a deliberately high bar: it is not enough that a request is inconvenient, broad, or motivated by litigation strategy — there must be demonstrable intent to harm.

For Bulgarian controllers

Bulgarian controllers, especially in HR/labour disputes and consumer complaints, are given wide interpretive latitude. Recommended tactic: where abuse is suspected, before refusing, ask the data subject to specify the request (which the GDPR already permits), document the circumstances, and only then decide. See GDPRBG.com for dedicated DSAR management templates.

Theme 4: Transparency — simplifying information duties

Commission proposal

Information duties under Articles 13–14 GDPR may be waived where three cumulative conditions are met:

  1. The controller-data subject relationship is direct and clear;
  2. Processing is not data-intensive;
  3. It is reasonable to assume that the data subject is already informed.

Carve-outs remain: third-country transfers, onward disclosures, automated decision-making and high-risk processing.

EDPB and EDPS position

Support in principle
Reducing information duties, especially for SMEs, is an aim the authorities support in principle. The current drafting, however, is too vague for predictable application and creates a risk of interpretive fragmentation across Member States. More concrete criteria are needed for “data-intensive” and “reasonable assumption”.

Theme 5: Automated decision-making — do not weaken the principle

Commission proposal

The current Article 22 GDPR prohibits automated decisions producing legal effects, save where strictly necessary for performing a contract. The Commission proposes clarifying that a decision may be automated if necessary for performing a contract, even if a human could theoretically have taken the same decision. This expands the practical scope for AI scoring in onboarding, credit assessment and automated approvals.

EDPB and EDPS position

Retain principle
The proposal risks turning the prohibition in principle into a default permission whenever a contract is involved. The EDPB and EDPS recommend retaining a prohibition in principle with defined exceptions and explicitly confirming that data subjects retain the right to invoke Article 22 GDPR themselves.

For Bulgarian controllers

Financial institutions, telecoms and large online platforms in Bulgaria are most affected. When implementing automated decisions the following remain mandatory: impact assessment (DPIA), right to human intervention, informing the subject, documenting the logic.

Theme 6: Data breach notifications — broad support

Commission proposal

  • The notification threshold is raised: only breaches with high risk for data subjects trigger reporting (instead of “any risk” today) — aligning the threshold with the existing one for notifying data subjects;
  • The deadline is extended from 72 to 96 hours;
  • Notifications are channelled through an EU single point of contact;
  • Harmonised templates are introduced — aligned with NIS2 and DORA.

EDPB and EDPS position

Strong support
This is one of the areas where the authorities express the strongest support. The EDPB and EDPS welcome both the threshold increase and the deadline extension. They insist, however, that the EDPB should be exclusively entrusted with the preparation and approval of the templates, with no Commission power to modify them unilaterally on adoption.

For Bulgarian controllers

This is one of the most practical changes for Bulgarian businesses. Currently the 72-hour deadline imposes significant operational pressure, especially for incidents over weekends or holidays. 96 hours provides a more realistic window to establish the facts, assess risk and prepare a quality notification to the CPDP. The higher threshold will reduce the volume of “precautionary” notifications for low-risk incidents.

Note: The existing duty to internally log all breaches (regardless of risk) remains. The change affects only external notification to the CPDP and to data subjects.

Theme 7: DPIA — EU-wide harmonisation

Commission proposal

The current patchwork of national DPIA lists is replaced with a single EU-wide framework. The list will be prepared by the EDPB and adopted by the Commission via implementing act.

EDPB and EDPS position

Support with reservation
Harmonisation is welcome. The main reservation is governance: the proposal gives the Commission the power to unilaterally modify the EDPB-prepared lists. This is considered inappropriate. The EDPB and EDPS recommend exclusive EDPB responsibility for both preparation and approval of the lists, the common template, and the methodology.

For Bulgarian controllers

Currently the CPDP maintains its own national list of processing types requiring DPIA. This list will be replaced by the EU-wide one. Positive impact: multinationals will have one and the same list across the EU — ending the “does it require a DPIA in Germany / Poland / Bulgaria?” analysis. See also our article on anonymisation and pseudonymisation.

Theme 8: Cookie rules and ePrivacy — end of “consent fatigue”?

Commission proposal

  • Cookie and terminal-equipment rules are moved from the ePrivacy Directive directly into the GDPR framework;
  • New consent exemptions for “low-risk” purposes;
  • Standards for machine-readable signals expressing the data subject’s choices (e.g. browser-level “Do Not Track”);
  • Aim: reducing cookie banners and tackling “consent fatigue”.

EDPB and EDPS position

Support of aim, structural reservation
The aim — reducing cookie banners — is strongly welcomed. Structural reservation: splitting terminal-equipment rules across two legal instruments (depending on whether personal or non-personal data is at stake) risks creating new legal uncertainty. Concrete proposal: an explicit consent exemption for contextual advertising (advertising based on the current page or search query, with no retention or cross-site tracking).

For Bulgarian controllers

E-commerce, media sites and fintech platforms are most affected. Browser-level machine-readable signals can replace today’s cookie banners — improving the user experience. Expect, however, a transitional period of 18–24 months.

Theme 9: AI as a legitimate interest

Commission proposal

Express recognition of AI development and operation as a legitimate interest under Article 6(1)(f) GDPR — provided there are no overriding rights of data subjects (especially vulnerable ones), enhanced safeguards, and an unconditional right to object for the data subject.

EDPB and EDPS position

Not strictly necessary, but workable
Per EDPB Opinion 28/2024 on AI models, no specific provision is necessary — the legitimate interest already covers these cases when properly balanced. The Joint Opinion 2/2026 nonetheless offers specific suggestions on the legitimate-interest assessment, the right to object and specific safeguards.

What follows for Bulgarian controllers — action plan

Expected timeline

Period | Event
19 November 2025 | European Commission publishes the Digital Omnibus
10 February 2026 | EDPB-EDPS Joint Opinion 2/2026
Q2–Q3 2026 | Negotiations in the European Parliament and the Council of the EU
Q4 2026 — Q1 2027 | Realistic adoption window
Q3 2027 — Q1 2028 | Entry into force (after 12–24 month transition)
Q1 2028 — Q4 2028 | Application in Bulgaria

Action plan 2026–2027

  1. By June 2026 — audit current GDPR practices; identify areas where the proposed amendments would bring relief (breach notification, DPIA, cookie consents);
  2. By December 2026 — track public consultations on the Digital Omnibus and adapt your position; engage through industry bodies if relevant;
  3. By June 2027 — prepare for the final text; begin adapting internal procedures upon adoption;
  4. 2027–2028 — implement changes in your systems (notification forms, DPIA templates, cookie banners);
  5. 2028 — full application in Bulgaria.

GDPRBG.com — Bulgaria’s dedicated GDPR resource

Innovires Legal operates a dedicated site — GDPRBG.com — focused entirely on GDPR compliance in the Bulgarian context. It complements our main blog at Innovires.com with deeper specialised resources.

GDPRBG.com — everything on GDPR in Bulgaria, in one place

What you will find on www.gdprbg.com:

  • Up-to-date analyses of GDPR developments — including the Digital Omnibus and EDPB-EDPS Joint Opinions;
  • Ready-to-use templates — data protection policies, Articles 13–14 information notices, DSAR forms, DPIA templates, Article 30 records;
  • CPDP decisions and case law — commentary on key decisions with practical implications;
  • CJEU case law — with a focus on practical application in the Bulgarian context;
  • Industry-specific guides — HR, marketing, e-commerce, fintech, healthcare, education;
  • Training materials — for DPOs, HR teams, marketing departments.

For comprehensive coverage of GDPR in your specific context, see also: general GDPR compliance guide, workplace video surveillance, personal data and AI, anonymisation and pseudonymisation.

Get ready for the Digital Omnibus with Innovires Legal + GDPRBG.com

From a strategic impact assessment of the Digital Omnibus on your organisation, through revising internal policies and procedures, to representation before the CPDP in audits and incidents — the Innovires Legal team provides full legal support in data protection. For dedicated Bulgarian-language resources and templates, see GDPRBG.com. Request a free 30-minute consultation — we will assess your current compliance and produce a preparedness roadmap for the upcoming changes.

Frequently asked questions

When will the Digital Omnibus enter into force?
A realistic adoption window is late 2026 or H1 2027. Entry into force usually follows a transitional period of 12–24 months, so application in Bulgaria is expected during 2028.

What is Joint Opinion 2/2026?
A document adopted on 10 February 2026 by the EDPB and EDPS. A detailed assessment of the proposed amendments to the GDPR and the ePrivacy Directive in the Digital Omnibus. Not binding, but with significant political weight in the legislative process.

What is the most controversial proposal?
The contextual (entity-relative) definition of “personal data”. The EDPB and EDPS firmly oppose it — it would narrow the GDPR’s scope and risks controllers structuring activities outside the regulation. Forecast: likely to be substantially amended or dropped.

What is the most beneficial proposal for businesses?
The breach notification reform: high-risk threshold for triggering notification, 96-hour deadline (up from 72), harmonised templates. Strong support from the EDPB and EDPS. Significantly reduces administrative burden.

What changes for DSARs?
The Commission proposes that controllers be able to refuse DSARs where the right is abused for purposes other than data protection. The EDPB and EDPS recommend a higher bar — only on demonstrable intent to harm. Recommended tactic for businesses: where abuse is suspected, first ask the data subject to specify the request, then assess refusal.

Will cookie banners change?
Yes. The Digital Omnibus proposes that browser-level machine-readable signals replace cookie banners in many cases, plus consent exemptions for “low-risk” purposes. The EDPB and EDPS support the aim but raise a structural concern about splitting rules across two legal instruments. Transitional period: 18–24 months.

What should I do now?
By June 2026 — audit current GDPR practices and identify areas where the amendments would bring relief. By December 2026 — track the legislative process. During 2027 — prepare internal procedures. During 2028 — full application. Innovires Legal and GDPRBG.com provide updates and support throughout.

What is GDPRBG.com?
A dedicated Innovires Legal site focused entirely on GDPR compliance in the Bulgarian context. Analyses, policy templates, DSAR forms, DPIA templates, CPDP and CJEU case-law commentary, industry-specific guides and training materials. Available at www.gdprbg.com.