Netherlands raises serious concerns about EU Digital Omnibus privacy changes

The Netherlands has expressed serious concerns about the European Commission's Digital Omnibus proposals, warning that fundamental changes to the General Data Protection Regulation could substantially weaken privacy protections without delivering the promised regulatory relief. According to a government analysis dated November 19, 2025, while many simplification measures merit support, certain amendments go beyond streamlining and threaten to undermine core data protection principles.

The Dutch Ministry of Economic Affairs, working closely with the Ministry of the Interior and Kingdom Relations and the Ministry of Justice and Security, submitted its assessment to parliament identifying significant problems with proposals affecting personal data definitions, AI training permissions, automated decision-making rules, and a controversial European incident reporting hub. The government warned that these changes could fundamentally alter how organizations process personal data, particularly concerning artificial intelligence development and individual privacy rights enforcement.

GDPR amendments draw strongest criticism

The Netherlands identified the modification to GDPR's personal data definition as potentially having the greatest impact on protection levels. The Commission claims the amendment codifies the Single Resolution Board ruling from September 2025, but initial Dutch analysis concludes the proposal extends beyond mere codification. This represents a significant departure from existing interpretations that have guided enforcement across the European Union since GDPR took effect in 2018.

The proposal introduces a subjective "relativity" approach based on a controller's reasonable means of identification. This modification states that information relating to a natural person is not necessarily personal data for every other person or entity merely because another entity can identify that natural person. Privacy advocates warn this could undermine access requests used for employment disputes, consumer litigation, and journalistic investigations.

The Dutch government also raised serious concerns about provisions establishing "legitimate interest" as an automatic legal basis for AI model training and operation. The proposal appears to eliminate the necessity test and associated balancing of interests that currently protect individuals' rights. The Netherlands warned this would mean AI companies could process personal data without the careful weighing of competing interests that forms a cornerstone of European data protection law.

Most controversially, the proposals allow processing of special categories of personal data—including religious beliefs, political affiliations, ethnicity, and health information—specifically for AI system training and operation. These sensitive categories receive extra protection precisely because their processing can have severe consequences for individuals. The Dutch analysis emphasized that when such data may be processed for AI purposes, strong safeguards become even more critical.

AI Act modifications receive mixed assessment

The Omnibus AI proposal delays compliance deadlines for high-risk AI systems. For systems listed in Annex III of the AI Regulation, rules would apply six months after the Commission determines adequate support measures are available. For systems falling under EU legislation mentioned in Annex I, rules would take effect twelve months after that Commission decision. Without such a determination, provisions would enter force by December 2, 2027 for Annex III systems and August 2, 2028 for Annex I systems—representing delays of 16 and 12 months respectively compared to current deadlines.

The Netherlands expressed preference for fixed dates rather than linking implementation to Commission decisions, which creates uncertainty for AI providers and deployers. If delays prove necessary, the Dutch government favors shorter extensions for Annex III systems—perhaps nine months instead of more than twelve—with concrete dates independent of Commission determinations.

The proposal eliminates registration requirements for high-risk AI systems that providers judge present no significant risk to health, safety, or fundamental rights. The Netherlands objected to this change, arguing it reduces transparency about AI system deployment in high-risk contexts and complicates oversight. The measure delivers only limited regulatory burden reduction while substantially hampering supervision capabilities.

Concerning AI literacy requirements, the Netherlands supports promoting knowledge among personnel working with AI systems. However, the current AI Regulation obligation—requiring organizations to ensure adequate AI literacy levels among staff—remains insufficiently clear and creates uncertainty. The Dutch government supports efforts to clarify this requirement or help organizations meet it, but found the Commission's specific proposal too vague for definitive assessment.

The proposal extends simplified compliance measures for micro-enterprises and small and medium-sized businesses to more companies, including streamlined quality management systems and elimination of mandatory templates. The Netherlands can support these changes as they facilitate AI Regulation compliance without undermining regulatory objectives.

Platform-to-Business regulation faces elimination

The Commission proposes effectively eliminating the Platform-to-Business Regulation, claiming its obligations overlap with the Digital Services Act and Digital Markets Act. The Netherlands strongly questions this approach, doubting whether it would significantly reduce regulatory burden while potentially creating substantial harm.

The Dutch government notes it has received no signals from businesses that P2B creates unnecessary burden. While overlaps exist with DSA and DMA, the P2B provisions differ in purpose, content, scope, and enforcement level. The P2B rules complement rather than duplicate other frameworks, with their broader reach providing extra protection particularly for small and medium-sized businesses.

The specific and detailed nature of P2B rules contributes to predictability and enforcement of other regulations. The Dutch Authority for Consumers and Markets recently gained P2B enforcement powers and now regularly receives non-compliance reports about platforms. Without P2B, ACM cannot supervise problems experienced by businesses using platforms established outside the Netherlands.

Elimination would likely result in less legal certainty and reduced protection for smaller businesses operating on platforms. The Netherlands argues the Commission should thoroughly examine elimination consequences at both European and national levels before proceeding.

Cybersecurity reporting hub raises national security questions

The proposal tasks the EU Agency for Cybersecurity with establishing a European single entry point for reporting obligations under multiple frameworks: the Cyber Resilience Act, NIS2 Directive, Critical Entities Resilience Directive, Digital Operational Resilience Act, eIDAS Regulation, and GDPR. The Netherlands has major concerns about this centralization.

Member states including the Netherlands have already established national reporting platforms for receiving incident notifications. The Dutch government is already working domestically to harmonize NIS2 and CER reporting through its national platform. The Netherlands expects regulatory burden reduction could be achieved more efficiently by building on existing national solutions rather than organizing a European hub.

National reporting structures align with how entities collaborate and communicate with the Dutch government. Establishing a European hub would shift part of national incident handling to EU level, particularly problematic for NIS2 and CER reports where incidents affecting government infrastructure and critical systems may contain sensitive national security information.

The Netherlands emphasized that national reporting structures—where member states remain the direct and primary recipients of incident information—must be preserved. The government questions whether establishing, managing, and securing a hub for different regulatory frameworks fits within ENISA's mandate, capacity, and responsibilities.

Security risks from centralizing such reporting through one hub raise serious concerns. Processing highly sensitive notifications—particularly incident information from 27 member states—creates vulnerability and involves national security matters. The Netherlands also sees risks regarding dependence on platform continuity managed at EU level.

The government expects the largest group of entities under CER and NIS2 Directives will not operate cross-border. These parties sufficiently benefit from simplified reporting obligations and a national-level hub. Member states are already collaborating in various European expert groups, including the NIS Cooperation Group, to achieve simplification objectives without this far-reaching measure.

Data regulation consolidation generally supported

The Netherlands largely supports bringing together different European data regulations in the Data Regulation. Positive changes include strengthening protections for trade secrets where risks exist of leaks to third-country entities, requirements for data requests in public emergency situations, simplified requirements for data intermediation services and data altruism organizations, and elimination of smart contract rules.

The Dutch government would support further simplification by eliminating rules about requesting data in public emergency situations, given continuing uncertainty about applying these rules and risks that created powers may be deployed too broadly. The Netherlands can also support removing provisions about data altruism organizations.

Incorporating the Open Data Directive into the Data Regulation receives support, provided national flexibility remains for reusing personal data in public registers. The Netherlands is critical about created possibilities for public authorities to impose different conditions and higher fees on very large companies. The government supports easing rules for data intermediation services but prefers mandatory certification rather than voluntary compliance.

The Netherlands has concerns about exceptions to cloud service switching provisions. These create uncertainty for cloud service users and hinder their freedom of choice. The exception for custom services particularly risks perpetuating the current vendor lock-in situation. The Dutch government prefers avoiding amendments that limit or delay this Data Regulation component, given its importance for better-functioning European cloud markets.

Cookie consent rules modified

The proposal moves cookie processing rules from the ePrivacy Directive to GDPR in modified form. The core requirement—consent for cookies and similar tracking technologies—remains but gains several new exceptions, including for analytical or security purposes. Consent and refusal actions must be executable through automation or single clicks.

The Netherlands can support solutions that maintain GDPR protection levels. Compared to ePrivacy Directive Article 5(3), new exceptions permit tracking without consent in additional circumstances. The Dutch government considers it important that alternative lawful processing bases remain required and will seek clarification from the Commission.

The Netherlands positively regards proposals enabling automated consent or refusal for cookies, provided this aligns with GDPR consent requirements. This could benefit both regulatory burden and privacy. The government also supports EDPB being required to produce lists clarifying what constitutes high-risk data processing.

Implementation timeline concerns

The Digital Omnibus would largely take effect three days after publication, with exceptions. New Article 88a GDPR enters force six months later. New Article 88b GDPR paragraphs 1 and 2 take effect two years later, with paragraph 6 after four years. Provisions about the European hub enter force 18 months after the regulation takes effect, unless the Commission determines in its report that the hub cannot guarantee proper functioning, reliability, integrity, or confidentiality—then those provisions enter force 24 months after implementation.

For legal certainty, several Platform-to-Business Regulation articles remain applicable through December 31, 2032, because other European regulations reference them.

The Netherlands considers the proposed implementation date achievable because Article 10(4) states references to the Data Governance Act, Free Flow of Non-Personal Data Regulation, and Open Data Directive should be read as references to the modified Data Regulation. This allows provisions in Dutch implementation laws to remain valid until legislation is adapted. However, because several DGA and ODR provisions are modified and new rules added, this could create practical uncertainties. Therefore the implementing legislation must be addressed promptly.

Missing impact assessment criticized

The absence of an impact assessment makes it difficult for the Netherlands to evaluate proposal effects, particularly regarding expected regulatory burden reduction and impacts on fundamental rights and national powers. The government will seek clarification from the Commission and further examine consequences for regulatory burden, implementability, and fundamental rights protection before reaching final judgments.

The Netherlands emphasized that for amendments affecting data protection and fundamental rights, opportunity must exist to thoroughly analyze proposals and their consequences through substantive discussion. The government believes the forthcoming opinion from the European Data Protection Supervisor—possibly in collaboration with the European Data Protection Board—must be included in proposal discussions.

The Commission expects the Digital Omnibus to improve business innovation opportunities and promote entrepreneurial freedom. The Commission considers proposal impacts on privacy rights and data protection rights proportionate. The Netherlands sees that some GDPR amendments have fundamental impacts on these rights. Without impact assessment and EDPB/EDPS opinions, the government cannot assess proportionality and has concerns about several proposals.

Broader regulatory simplification context

The proposals arrive amid broader European efforts to reduce regulatory burden while maintaining protection standards. Germany previously pushed for sweeping data protection simplification beyond the Commission's proposals in October 2025, calling for immediate tactical changes through the Digital Omnibus followed by fundamental restructuring of European data protection law.

The Dutch approach differs by supporting genuine simplification while rejecting changes that weaken core protections. This aligns with the government's "Fewer Burdens Through Rules" action program, which focuses on simplifying legislation with particular attention to small and medium-sized businesses while preserving regulatory objectives.

The European Commission had previously proposed major GDPR changes for AI in internal draft documents from November 2025. Those proposals would narrow personal data definitions, establish legitimate interest for AI training, and reform cookie consent rules—themes that continue in the formal Digital Omnibus package.

The Digital Omnibus arrives as the AI Act compliance timeline accelerates, with obligations for general-purpose AI models taking effect August 2, 2025. The Commission released detailed implementation guidelines in July 2025, establishing the 10²³ FLOP computational benchmark for model classification.

Marketing technology providers face mounting complexity as multiple regulatory frameworks overlap. The European Data Protection Board adopted Guidelines 3/2025 on September 11, 2025, establishing how digital marketers must navigate intersections between DSA and GDPR obligations. The 38-page document outlines scenarios where marketing activities trigger both frameworks simultaneously.

Implications for marketing professionals

For advertising technology stakeholders, the Digital Omnibus proposals create significant uncertainty. If AI training automatically qualifies as legitimate interest without necessity testing, this could reshape how marketing platforms develop targeting algorithms and audience optimization tools. However, the Dutch government's strong concerns suggest these provisions may face substantial modification during negotiations.

The Platform-to-Business elimination particularly affects smaller advertising businesses operating through digital platforms. While the Commission argues DSA and DMA provide sufficient protection, the Dutch analysis demonstrates P2B serves distinct functions that these broader frameworks cannot fully replace. Marketing professionals relying on platform marketplaces may lose specific transparency and fairness protections if P2B disappears.

Cookie consent modifications could reduce friction in consent management while maintaining privacy protections—or they could create new compliance complexities depending on how exceptions are ultimately defined. The Netherlands' call for clarification on alternative lawful bases suggests final rules may differ substantially from current proposals.

The European incident reporting hub would affect marketing technology companies operating across multiple member states, potentially simplifying cross-border compliance. However, national security concerns and questions about ENISA's capacity to manage such a system suggest this element faces difficult negotiations.

The delayed AI Act deadlines provide additional preparation time for marketing platforms deploying high-risk AI systems. Companies gain breathing room to develop compliance capabilities, though the Netherlands prefers fixed dates over Commission-dependent timelines to reduce planning uncertainty.

Member state positions diverging

A majority of member states are expected to welcome the Commission's simplification effort while expressing concerns about maintaining regulatory objectives and fundamental rights protection. Many states share Dutch reservations about the European reporting hub.

The European Parliament's position remains unknown. Committee assignment and rapporteur selection have not yet occurred, making it difficult to predict how legislative negotiations will unfold.

The divergent positions among member states and anticipated parliamentary scrutiny suggest extended negotiations before any changes become law. The Dutch emphasis on thorough analysis of fundamental rights impacts—rather than rushing simplification for its own sake—reflects a broader question facing European policymakers: whether regulatory burden reduction can proceed without compromising the protections that distinguish European digital policy.

Timeline

• July 2, 2002: European Parliament adopts ePrivacy Directive concerning personal data processing and privacy protection in electronic communications
• April 27, 2016: European Parliament adopts GDPR on protection of natural persons regarding personal data processing
• May 25, 2018: GDPR implementation creates unified privacy framework across EU
• August 1, 2024: EU AI Act enters into force establishing comprehensive regulatory framework for AI development
• April 17, 2025: Privacy organization noyb warns that GDPR Procedural Regulation creates unprecedented complexity
• August 2, 2025: AI Act obligations for general-purpose AI models take effect
• September 4, 2025: European Commission opens consultation for AI transparency guidelines under Article 50 of AI Act
• September 11, 2025: European Data Protection Board adopts Guidelines 3/2025 on DSA-GDPR compliance intersection
• October 23, 2025: Germany submits comprehensive GDPR reform proposal to European Commission calling for immediate simplification
• November 10, 2025: Internal draft documents emerge showing Digital Omnibus proposals for fundamental GDPR changes
• November 19, 2025: European Commission formally presents Digital Omnibus AI and Digital Omnibus proposals
• November 19, 2025: Netherlands submits parliamentary analysis expressing serious concerns about privacy protection weakening
• November 20, 2025: German data protection authorities propose enhanced GDPR protections for children
• December 13, 2025: European Commission proposes machine-readable consent signals for GDPR compliance

Summary

Who: The European Commission proposed two omnibus regulations affecting digital policy, with the Netherlands—represented by the Ministry of Economic Affairs, Ministry of the Interior and Kingdom Relations, and Ministry of Justice and Security—submitting critical analysis to parliament. The proposals affect AI providers, data controllers, marketing technology companies, privacy advocates, and digital platform operators across all 27 EU member states.

What: The Digital Omnibus AI and Digital Omnibus proposals modify existing EU legislation on data protection, artificial intelligence, and digital services. Key changes include delaying AI Act compliance deadlines by 12-16 months, modifying GDPR personal data definitions, establishing legitimate interest for AI training, creating a European incident reporting hub, and eliminating the Platform-to-Business Regulation. The Netherlands identified serious concerns about privacy protections, automated decision-making rules, special category data processing for AI, and national security implications of centralized reporting.

When: The European Commission presented the proposals November 19, 2025, with most provisions taking effect three days after publication. Cookie consent changes would phase in over two to four years. The European incident reporting hub would launch 18-24 months after implementation. AI Act deadline extensions would push high-risk system compliance to December 2027 and August 2028 absent earlier Commission determinations.

Where: The regulations apply across all European Union member states and affect any organizations operating in EU markets regardless of location. The Netherlands specifically excluded the Faroe Islands and Greenland from certain provisions. Implementation requires coordination between national authorities, the European Commission, ENISA for cybersecurity reporting, and various data protection supervisory bodies. The proposals particularly impact organizations with cross-border operations or platform-based business models.

Why: The Commission aims to strengthen EU business innovation capacity and reduce administrative burdens through targeted simplification of existing digital legislation. The Netherlands supports genuine regulatory streamlining but warns that fundamental changes to data protection—particularly affecting AI development and automated decision-making—could substantially weaken privacy protections without effectively reducing regulatory burden. The Dutch government emphasized that protecting fundamental rights must not be sacrificed for administrative efficiency, and that thorough impact analysis should precede any weakening of core GDPR protections established since 2018.