On 21 May 2025, the European Commission released its most consequential proposed revision to the General Data Protection Regulation since the regulation entered into force in 2018. Packaged within the Simplification Omnibus IV initiative, the amendments target three persistent friction points in enterprise data governance: administrative overhead for mid-market companies, cookie consent fatigue, and the regulatory ambiguity surrounding AI development. For CFOs, General Counsel, and Chief Compliance Officers operating across European markets, these proposals represent both a near-term compliance recalibration and a longer-term signal about the direction of EU regulatory philosophy.

Revised Article 30(5): Relief for the Mid-Market, New Benchmarks for Enterprise Risk Management

The centerpiece of the proposed amendments is a revised Article 30(5), which lifts the record-keeping exemption threshold from 250 to 750 employees, provided that the organization’s processing activities do not involve high-risk data operations. This change is explicitly designed to address the compliance burden on small mid-cap enterprises (SMCs) — companies that have outgrown SME classification but lack the dedicated data protection infrastructure of large corporations.

The practical implications for enterprise risk management are significant. Organizations in the 250–750 employee band that have invested in comprehensive Records of Processing Activities (RoPA) infrastructure will need to reassess the cost-benefit calculus of maintaining those systems. However, legal counsel should note a critical qualifier: the exemption applies only where processing is demonstrably not high-risk. Given the EDPB’s expansive interpretation of high-risk activities — encompassing large-scale profiling, systematic monitoring, and sensitive data categories — many mid-market firms will still fall outside the exemption in practice.

For M&A practitioners, the amendment introduces a new due diligence variable. Target companies claiming exemption under the revised Article 30(5) will require enhanced scrutiny of their processing activity classification methodology during transaction processes.

Cookie Consent Reform and the AI Legitimate Interest Clarification

The Omnibus IV package addresses two additional regulatory pain points with material implications for digital strategy and corporate governance.

On cookie consent, the Commission proposes exempting low-risk processing purposes — including audience measurement and website performance analytics — from opt-in consent requirements, estimated to cover approximately 60% of current cookie deployments. A mandated single-click accept/refuse mechanism would replace the layered consent architectures that have generated both user friction and regulatory scrutiny. For organizations with significant digital revenue streams, this reform reduces legal exposure while simplifying UX compliance architectures.

The AI governance provisions carry broader strategic weight. The proposal explicitly permits AI providers to rely on legitimate interest as a lawful basis for AI model development and operation, subject to enhanced safeguards — a clarification that directly addresses the legal uncertainty that has constrained enterprise AI deployment under the current GDPR framework. Crucially, the amendments also permit processing of sensitive personal data for bias detection in large language models, while granting data subjects an unconditional right to object to such processing.

This provision creates an important bridge between GDPR compliance and EU AI Act obligations, particularly for organizations deploying high-risk AI systems under Annex III of the AI Act. Legal teams should begin mapping how legitimate interest assessments for AI development interact with the AI Act’s conformity assessment requirements.

EDPB Coordinated Enforcement and the 2026 Compliance Horizon

Simultaneously, the European Data Protection Board has launched its Coordinated Enforcement Framework (CEF) 2026, with a focus on transparency and information obligations. National supervisory authorities will conduct aligned assessments of how clearly organizations communicate data processing activities to individuals — a thematic priority that signals enforcement attention will intensify around disclosure quality rather than procedural box-ticking.

For boards and audit committees, this enforcement trajectory reinforces the case for integrating data privacy governance into broader ESG reporting frameworks. Transparency obligations are increasingly evaluated not only by regulators but by institutional investors applying governance screens.

Implications for Decision-Makers: Four Immediate Actions

  • Reassess RoPA obligations: Legal and compliance teams should map current processing activities against the revised 750-employee threshold and the high-risk activity criteria before the proposals are finalized.
  • Audit AI lawful basis documentation: Organizations using personal data for AI training should prepare legitimate interest assessments aligned with the proposed safeguard requirements and AI Act obligations.
  • Review cookie consent architecture: Digital and technology teams should evaluate which current consent flows would be eliminated under the 60% exemption and plan for the single-click mandate.
  • Strengthen transparency disclosures: In anticipation of CEF 2026 enforcement, privacy notices and processing communications should be reviewed for clarity and accessibility — not merely legal completeness.

Key Takeaway: The 2025 GDPR Omnibus IV proposals mark a pragmatic recalibration of EU data protection regulation, reducing administrative friction for mid-market firms while establishing clearer — and more demanding — governance standards for AI development. Organizations that treat these amendments as a compliance simplification opportunity risk missing the concurrent enforcement signal: the bar for transparency, risk classification, and AI governance accountability is rising, not falling.