European Union: EDPB-EDPS adopted joint opinion on proposal for Digital Omnibus including cybersecurity regulation

On 10 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus). The opinion addressed changes to personal data breach notifications through a single-entry point (SEP) under Article 23a of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (Cybersecurity Directive). The EDPB and EDPS noted that shorter deadlines continue to apply under other reporting obligations, including the NIS2 Directive (24 or 72 hours depending on the obligation), DORA (24 or 72 hours), the eIDAS Regulation (24 hours), and the CER Directive (24 hours). The EDPB and EDPS recommended enhanced harmonisation of these notification requirements, noting that such alignment is necessary because one of the SEP’s functions is to enable controllers to submit a single notification that concurrently fulfils multiple legal obligations.