← All posts

The EU Digital Omnibus Explained

On 19 November 2025, the European Commission published the Digital Omnibus legislative package — a sweeping proposal to simplify the EU's fragmented digital rulebook. For financial entities operating under DORA, the most relevant element is a plan to create a single entry point for cybersecurity incident reporting. In theory, this would replace the current tangle of overlapping notification obligations across NIS2, GDPR, DORA, the Cyber Resilience Act, eIDAS, and the CER Directive.

The headlines have called it a "report once, share many" revolution.

The reality is more nuanced — and more important to understand clearly than to either dismiss or over-rely on.

Why the Omnibus Proposal Exists

The starting point is a genuine problem. A financial entity experiencing a significant ICT incident today may face simultaneous reporting obligations under DORA (major ICT incident notification to its NCA), NIS2 (if it falls within that directive's scope), GDPR (if personal data was affected), and potentially the CER Directive (if it operates critical infrastructure). Each regime has its own template, its own thresholds, its own timeline, and its own destination authority.

In practice, this means compliance teams coordinating across legal, information security, and operations to produce multiple parallel notifications to multiple authorities — on tight timelines, with overlapping but subtly inconsistent requirements. The 4-hour DORA initial notification window and the 72-hour GDPR personal data breach notification run concurrently but are not synchronised in any way.

The Commission estimates that harmonising and centralising incident reporting could save businesses up to €5 billion by 2029. That figure reflects both the direct cost of duplicate reporting and the broader burden of navigating inconsistent frameworks.

What the Single Entry Point Would Actually Do

The core of the proposal is an EU-level Single Entry Point (SEP), to be built and operated by ENISA, the EU Agency for Cybersecurity. An organisation submits one incident notification to the SEP, and the platform automatically routes the relevant portions to the appropriate authorities — national CSIRTs, data protection authorities, financial supervisors, and others — based on each authority's legal entitlement to the information.

Think of it like a centralised tax filing portal: one submission that distributes information to multiple agencies based on a predefined mapping of who needs what. The practical complexity is substantially greater, because the underlying legal requirements across the different regimes are not identical. ENISA will need to reconcile them without inadvertently creating new inconsistencies.

The SEP is designed to cover:

  • NIS2 — essential and important entities across critical sectors
  • GDPR — personal data breach notifications under Article 33
  • DORA — major ICT incident reports and voluntary significant cyber threat notifications
  • eIDAS — incident notifications from trust service providers
  • CER Directive — incident notifications from critical infrastructure operators

Notably, the AI Act's incident reporting requirements are not included in the current proposal. Sectoral regimes such as electricity and aviation could be added later via implementing acts.

What Actually Changes for DORA-Regulated Entities

The short answer: eventually, the reporting channel changes. The obligations themselves do not.

The Commission has been explicit that the Digital Omnibus does not amend the underlying legal requirements for incident reporting under any of the covered regulations. DORA's timeline for major ICT incidents — initial notification within 4 hours of classification, interim report within 72 hours, final report within one month — remains unchanged. The classification criteria in RTS 2024/1772 remain unchanged. The information content required remains unchanged.

What the SEP changes is where you send the notification and, over time, how the template is structured. Instead of submitting to your NCA via its specific portal, you would submit to the ENISA-operated SEP, which routes the notification to your NCA and any other relevant authorities.

There is a meaningful secondary benefit. Currently, a financial entity reporting an incident to its NCA under DORA and separately notifying the data protection authority under GDPR may find those two authorities working from inconsistent information, because the two notifications were drafted separately. A single submission to the SEP that generates both notifications from the same underlying data would reduce that risk.

When Does This Actually Take Effect?

Not soon.

The Digital Omnibus is a legislative proposal, not an enacted measure. It must pass through the ordinary EU legislative procedure — examination by the European Parliament's committees (including IMCO, ITRE, and LIBE), formation of a Council position, trilogue negotiations between Parliament and Council, and final adoption. If the process moves without significant delays, final adoption could come by mid-to-late 2026.

The Omnibus then specifies that the SEP will become operational 18 months after entry into force of the adopted legislation, with an option to extend to 24 months if ENISA's readiness assessment finds the platform not yet meeting required standards for integrity, reliability, and confidentiality.

The practical implication: the SEP is unlikely to be operational before late 2028 at the earliest, and quite possibly not until 2029. Until the Commission publishes a notice in the Official Journal confirming the SEP is fully operational, existing national reporting channels remain mandatory. There is no transitional arrangement allowing financial entities to use the SEP early.

For compliance teams planning their 2026 and 2027 DORA programmes, this means:

  • Your current DORA incident reporting processes and tools remain fully necessary
  • No changes to NCA notification channels are appropriate before the SEP goes live
  • The Omnibus provides no basis for relaxing investment in incident detection, classification, and notification capabilities
  • Building DORA incident management infrastructure now remains the right course of action, because the underlying obligations are not changing

The Real Limitations of "Report Once"

The "report once, share many" framing is appealing, but it conceals genuine complexity. There are four limitations worth understanding clearly.

The timelines are still different. DORA's 4-hour initial notification window and NIS2's 24-hour early warning are not the same. GDPR's 72-hour breach notification has different triggers and different content requirements. The SEP cannot reconcile these differences — it can only route the same underlying submission to multiple authorities. Financial entities using the SEP will still need to understand which regulatory timeline is shortest and whether a single submission can satisfy multiple regimes simultaneously for any given incident. The thresholds are still different. What constitutes a "major" incident under DORA is defined differently from a "significant" incident under NIS2. The Digital Omnibus does not harmonise these thresholds. An event that crosses the DORA threshold but not the NIS2 threshold — or vice versa — still requires understanding which obligations are triggered. ENISA's capacity is a genuine concern. ENISA is currently resourced as a coordinating and advisory body, not as an operator of a high-availability, high-security incident notification platform serving tens of thousands of regulated entities across the EU. The proposal significantly expands its mandate without, at this stage, a clear commitment to expand its budget and staffing. Several member states have raised this in Council working groups as a practical risk. Data security at the SEP is a potential single point of failure. An incident notification to a financial supervisor contains detailed information about which systems failed, how they were exploited, and what vulnerabilities exist. Concentrating all of that information in a single ENISA-operated platform creates a high-value target. Member states have raised this explicitly, and while the Commission's proposal requires stringent confidentiality and security measures, the technical architecture for meeting those requirements has not yet been specified.

What to Do About It Right Now

The practical message for compliance and legal teams is straightforward.

Do not defer DORA incident reporting improvements in anticipation of the SEP. The SEP will not be available within your current planning horizon. Every investment you make in DORA-compliant incident detection, classification, documentation, and NCA notification processes will still be required when the SEP eventually launches — because the SEP changes the channel, not the obligation. Follow the Digital Omnibus legislative process actively. The Council and Parliament will likely amend the proposal before final adoption. Amendments affecting DORA-specific provisions — such as how the SEP handles the 4-hour initial notification window, or how DORA's voluntary significant cyber threat notifications are incorporated — will matter for how financial entities eventually operationalise the system. Tracking industry association submissions is a good way to stay current without monitoring every committee session. Start aligning your templates to the DORA RTS structure now. One concrete benefit the Omnibus offers, even before the SEP goes live, is a signal about where EU incident reporting templates are heading. The Commission has stated that SEP templates will draw on DORA's existing RTS templates as a baseline. If your current notifications are structured around your NCA's specific preferences rather than the RTS template, moving toward the RTS format now will reduce adaptation work later. Use the Omnibus framing in board communications. For financial entities where board engagement with DORA incident reporting has been limited, the Digital Omnibus offers a useful framing: the EU is moving toward a regime where incident reporting to regulators is centralised, automated, and cross-regulatory. That direction reinforces the case for building robust, system-supported incident management capabilities rather than manual processes that will become increasingly inadequate as reporting becomes more visible and more coordinated.

The Broader Significance

The incident reporting single entry point is the most DORA-relevant element of the Digital Omnibus, but it is part of a broader effort to reduce compliance complexity across EU digital law. The same package includes reforms to GDPR consent mechanisms, simplifications to the Data Act's data sharing obligations, and partial delays to certain AI Act requirements for smaller providers.

The Omnibus represents the EU acknowledging that the proliferation of digital regulation since 2018 has created genuine compliance complexity that is starting to weigh on investment and operational efficiency. Whether the proposed solutions are technically deliverable on the proposed timelines — particularly the ENISA-operated SEP — is a legitimate open question. But the direction is clear: the EU is moving toward a more integrated digital compliance landscape, and DORA sits at the centre of that effort for the financial sector.

The final shape of the SEP, its timeline, its technical architecture, and the way it handles DORA-specific features are all still being determined through the legislative process. That process benefits from the input of practitioners who understand what DORA incident management actually looks like in practice. Engaging as an informed participant — rather than a passive observer — is the right posture for compliance teams now.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →