The Digital Omnibus Package: Implications for the Medical Device Industry
The new EU Simplification Package — the so-called Digital Omnibus (COM(2025) 835 final, 19 November 2025) — has attracted considerable attention in regulatory and industry circles over the past month.
The central question for practitioners in this field is straightforward: does the Package alter the regulatory landscape for medical devices? And if so, to what extent?
This article sets out, in concise form, the principal novelties introduced by the Package and their potential implications for the medical device sector.
The Digital Omnibus Package: An Overview
On 19 November 2025, the European Commission published the Digital Omnibus Package, a comprehensive legislative initiative designed to simplify and rationalise the EU’s digital regulatory framework.
The Package comprises two distinct legislative proposals:
- the Digital Omnibus on AI, which amends Regulation (EU) 2024/1689 (AI Act); and
- the Digital Legislation Omnibus, which introduces amendments to a range of instruments, including Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2023/2854 (Data Act) and Directive (EU) 2022/2555 (NIS2).
Medical device manufacturers deploying AI systems (and therefore subject to the AI Act) and/or marketing connected medical technologies (subject to the Data Act) stand to see their applicable legal framework materially altered. Beyond these specific categories, the proposed amendments to the GDPR — which this author considers particularly significant — carry implications for all devices and for the supply chain as a whole.
Amendments to the AI Act: Deferred Timelines and Integrated Conformity Assessment
The proposed amendment to the AI Act (COM(2025) 836, 19 November 2025) introduces two significant changes: new procedural mechanisms and a deferral of the compliance deadlines applicable to high-risk AI systems under Chapter III of the AI Act.
On the question of timelines:
- High-risk AI systems classified pursuant to Article 6(2) and those listed in Annex III will be required to comply with the Chapter III obligations only six months after the publication of harmonised standards, common specifications and Commission guidelines. In the absence of such publication, the backstop deadline is set at 2 December 2027.
- AI systems constituting medical devices, or safety components embedded in medical devices, classified pursuant to Article 6(1) and Annex I, Section A, benefit from a transitional period extended to twelve months from the relevant decision, with a final deadline of 2 August 2028.
Of particular relevance to the sector is the provision expressly establishing that the conformity assessment procedures under the MDR and the IVDR take precedence for high-risk AI systems embedded in medical devices.
Under the proposed framework, AI Act requirements not already covered by sectoral legislation — including those pertaining to data governance, risk management, technical documentation, transparency, human oversight and cybersecurity robustness — may be integrated into the conformity assessments already required under the MDR and IVDR, thereby avoiding duplication of procedures. Similarly, quality management system (QMS) obligations under the AI Act may be fulfilled through the QMS already required by medical device legislation, enabling a single, unified system covering both the device-specific and AI-specific requirements.
The proposal also addresses a structural bottleneck that industry has repeatedly flagged: the limited availability of Notified Bodies competent to assess AI systems under both the AI Act and the applicable medical device legislation. To address this, the Digital Omnibus introduces a streamlined designation procedure allowing conformity assessment bodies to submit a single application and undergo a single assessment in order to obtain simultaneous designation under the AI Act and either the MDR or the IVDR.
Real-World Testing and Regulatory Sandboxes
The proposals concerning regulatory sandboxes and real-world testing deserve particular attention from the perspective of product development and pre-market strategy.
With regard to regulatory sandboxes, the Package introduces the possibility of establishing them not only at Member State level, but directly at EU level. Specifically, the AI Office will be empowered to establish an EU-level regulatory sandbox dedicated to AI systems falling within its exclusive competence — such as general-purpose AI models and systems embedded in large online platforms. A notable feature is the mandatory requirement that these sandboxes guarantee priority access for small and medium-sized enterprises (SMEs) and start-ups.
With regard to real-world testing, the proposal substantially broadens the scope of products that may be tested under real-world conditions outside the sandbox framework. This possibility is extended to high-risk AI systems covered by the Union harmonisation legislation listed in Annex I, Section A — a category that encompasses, among others, medical devices, machinery, toys and lifts. Providers will accordingly be entitled to conduct real-world testing at any point prior to the placing on the market or the putting into service of the system, without being confined to sandbox environments.
Amendments to the GDPR: Implications for Health Data Processing
The proposed amendments to the GDPR are, in this author’s assessment, among the most consequential elements of the entire Package — particularly in the context of scientific research and AI development.
First, the proposal aligns the GDPR framework with the Court of Justice of the EU’s recent judgment in Case C-413/23 P (EDPS v. Single Resolution Board, 4 September 2025 — the so-called “Deloitte judgment”). The proposal clarifies that information should not be treated as personal data in relation to a given recipient where that recipient does not possess the means “reasonably likely to be used” to re-identify the natural person concerned. As a result, data pseudonymised by party A (e.g. a hospital) may no longer qualify as personal data for party B (e.g. a medical device manufacturer), provided the latter demonstrably lacks the means of re-identification. It should be noted that establishing this absence involves a structured and non-trivial process; nonetheless, the legislative change carries considerable practical significance.
Second, the proposal significantly expands the available legal bases for data processing. It expressly clarifies that scientific research may constitute a legitimate interest within the meaning of the GDPR, and that the legitimate interests ground may serve as the legal basis for processing personal data for the purpose of developing or operating an AI system or model.
Third, and of particular structural importance, the proposal introduces a new point (k) into Article 9 GDPR — governing the processing of special categories of data. This new provision creates a specific legal basis for the processing of such data — including health data — in the context of the development and operation of an AI system or model as defined in Article 3 AI Act, subject to compliance with prescribed conditions.
Industry Response: The Position of MedTech Europe
MedTech Europe, the European trade association representing the medical technology industry, published a position statement on 20 November 2025 broadly welcoming the Commission’s intent to streamline digital legislation.
In particular, the association expressed support for the introduction of a dedicated legal pathway for pre-market testing and for the unified application and assessment procedure for Notified Bodies. However, MedTech Europe called for further refinement of certain key definitions, notably the concept of “substantial modification”, the current formulation of which is considered insufficiently precise for operational purposes.
On the question of timelines, MedTech Europe has advocated for extending the date of full application for AI-based medical devices to 2 August 2029, on the grounds that this would more adequately reflect the current maturity of the regulatory ecosystem and the operational preparedness of both industry and Notified Bodies.
Next Steps
The Digital Omnibus Package has been transmitted to the European Parliament and the Council for examination under the ordinary legislative procedure. In parallel, an eight-week public consultation has been launched, during which stakeholders may submit feedback on the proposals.
Inter-institutional negotiations — the trilogues — are scheduled for the first half of 2026, with a possible final adoption by the end of the year.
The coming year will therefore be one of close monitoring for all operators in the digital health and medical device space — dense with regulatory developments and, for those who engage proactively, significant opportunities to shape the final legislative outcome.