The European Digital Omnibus proposal, presented on 19 November 2025 by the European Commission, is part of a broader effort to modernize and harmonize the legal framework governing the digital environment within the European Union[1]. Although it does not specifically address intellectual property issues, the text, if adopted, will have an impact on trademark protection.
Simplifying Access to WHOIS Data
The more restrictive redefinition of the concept of personal data proposed under the Digital Omnibus could help alleviate certain practical difficulties encountered when identifying domain name holders. By excluding from the scope of the General Data Protection Regulation (“GDPR”)[2] information that does not clearly identify a natural person, this change would limit the automatic application of data protection rules to technical or residual information contained in WHOIS databases[3]. Such clarification, without disrupting existing practices, could facilitate access to certain data useful in combating cybersquatting and in non-judicial proceedings[4].
This clarification is particularly valuable for trademark owners facing fraudsters who use the identities of natural persons or masked data to register infringing domain names. By clarifying what does or does not fall under personal‑data protection, the text helps strike a better balance between privacy protection and the effectiveness of actions against online trademark infringements.
Despite improved access to data, the absence of a harmonized identity verification system across all registries still allows the use of aliases or fictitious company names as registrant contact information.
Centralizing Notifications: Toward Better Responsiveness to Cyberattacks
The Digital Omnibus also provides for the creation of a single point of contact to centralize notifications in the event of a cyberattack[5].
Until now, a single attack could require multiple notifications under various regulations such as the GDPR, NIS2[6], DORA[7], and others, all with different deadlines and formats. This multiplicity significantly increased the administrative burden on companies.
The introduction of a single notification portal could genuinely simplify the process by allowing companies to report an incident to one single authority. This mechanism should improve responsiveness to cyberattacks and, indirectly, enhance the protection of intangible assets and online trademarks.
Remaining Limitations and Future Developments
However, while the Digital Omnibus facilitates access to certain data useful in combating online infringements, it does not, on its own, guarantee reliable identification of domain name holders. Without a harmonized identity‑verification system across all registries, it remains possible to provide aliases or fictitious company names as registrant contact details.
The proposal also addresses artificial intelligence, but only from the perspective of personal data. Additional legislation will likely be needed to regulate emerging AI‑related issues such as deepfakes or AI‑generated counterfeiting.
The proposal is currently being reviewed by the European Parliament and the Council. It is likely to be amended, and its progress will need to be monitored.
Notes
[1] Proposal for a Regulation of the European Parliament and of the Council COM(2025) 837 final (‘Digital Omnibus’): digital-strategy.ec.europa.eu.
[2] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data: eur-lex.europa.eu.
[3] Proposal for a Regulation of the European Parliament and of the Council COM(2025) 837 final (‘Digital Omnibus’) (digital-strategy.ec.europa.eu), Article 3(1), amending Article 4 of Regulation (EU) 2016/679 (GDPR) in order to clarify that information is not to be considered personal data for a given entity where that entity does not have means reasonably likely to be used to identify the natural person concerned. See also recitals 27 and 28.
[4] Including the Rules for the Alternative Dispute Resolution for .EU domain names (‘ADR Rules’: eurid.eu) applicable to European domain names, as well as the Uniform Domain Name Dispute Resolution Policy (‘UDRP’: icann.org) proceedings, and potentially any other equivalent procedures.
[5] Proposal for a Regulation of the European Parliament and of the Council COM(2025) 837 final (‘Digital Omnibus’) (digital-strategy.ec.europa.eu), Article 3(6), which proposes to harmonise and simplify the obligations to notify data breaches by, inter alia, providing for the use of a ‘single-entry point’ (one-stop-shop) for notifications submitted to supervisory authorities.
[6] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union: eur-lex.europa.eu.
[7] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector: eur-lex.europa.eu.