Recent developments in digital regulation: Digital Omnibus, AI Omnibus and the Cybersecurity Act
On 15 April 2026, the House of Representatives adopted (in Dutch) the Dutch Cybersecurity Act (Cbw) and the Dutch Critical Entities Resilience Act (Wwke). The Cbw implements the European NIS2 Directive and obliges organisations to adequately secure their network and information systems, with a duty of care, a reporting obligation and a registration obligation. The Wwke implements the Critical Entities Resilience (CER) Directive and protects vital infrastructure against threats such as sabotage and natural disasters.
The legislative proposals are now being submitted to the Senate, with the aim of coming into force in the second quarter of 2026. Next week, we will look in more detail at the Cbw and the Wwke.
Dutch government critical of European Commission’s Omnibus Digital legislative package
On 19 November 2025, the European Commission presented the Omnibus Digital legislative package, which proposes amendments to, among other things, the GDPR and the Data Act. For the GDPR, proposals include amending the definition of personal data, restricting the transparency obligation under Article 13 of the GDPR, and limiting the data breach notification requirement to cases where data subjects may actually suffer adverse consequences, with an adjusted notification period of 96 hours.
In the field of Artificial Intelligence, it is proposed to permit the processing of personal data for the development and operation of AI systems on the basis of legitimate interest. The processing of special categories of personal data for the development and operation of AI systems is also permitted to a limited extent, provided that the controller takes appropriate technical and organisational measures to limit the collection and other processing of special categories of personal data. Should special categories of personal data nevertheless be collected, they must be deleted after collection, or – if deletion requires a disproportionate amount of effort – their use to produce results must be prevented.
For the Data Act, the amendments include, among other things, new safeguards for the protection of trade secrets in data from IoT products and a restriction on the rules regarding switching between cloud services.
On 8 April 2026, the Dutch government announced its support for the simplification of regulations, but expressed serious concerns about fundamental GDPR amendments that substantially reduce the level of data protection without reducing the regulatory burden. Among other things, the government advocates scrapping the provision allowing the processing of personal data for AI purposes, in line with the improvements proposed by the Presidency of the Council of the European Union and the opinions of the EDPS and the EDPB.
AI Omnibus: relaxation of the AI Regulation
The European Commission’s Digital Omnibus proposal on AI aims to ease compliance with the AI Act, which has partially entered into force, by, among other things, postponing the applicability of rules for high-risk AI systems, exempting certain AI systems from the registration requirement, and assigning responsibility for AI literacy to the Member States and the European Commission.
In addition, the possibility of processing special categories of personal data for the purpose of detecting and correcting bias is being extended to all AI systems and AI models. Not all of the proposed amendments are supported by supervisory authorities. In a position paper (in Dutch) dated 13 January 2026, the Dutch Data Protection Authority (AP) expressed criticism of the changes for privacy legislation in both omnibus proposals. Further amendments can therefore still be expected.
AP launches consultation on draft enforcement policy
On 13 April 2026, the AP published (in Dutch) a draft enforcement policy for consultation. With this policy, the AP aims to provide greater clarity on the use of its enforcement tools when organisations breach privacy rules, and on the course of the enforcement procedure. The draft policy describes, among other things, the AP’s guiding principles for enforcement, including the fundamental duty to enforce, and to take action with a results-oriented approach and provides an overview of the available instruments, ranging from reprimands and orders subject to a penalty payment to administrative fines and processing bans. The policy also contains a scheme for the simplified conclusion of enforcement procedures in consultation with the offender, whereby the fine may be reduced by up to 35% in exchange for acknowledgement of the infringement and a waiver of legal remedies. Experts, stakeholders and interested parties may comment on the draft policy until 17 May 2026.