EU Omnibus Directive Explained for Businesses and Consumers

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: January 23, 2026


The Enforcement and Modernisation Directive, or EU Omnibus Directive, came into effect on Jan. 7, 2020, and entered into application on May 28, 2022.

The European Commission then published the Digital Omnibus Proposal on Nov. 19, 2025, which includes meaningful changes to EU cookie rules.

As part of the New Deal for Consumers initiative, the EU Omnibus Directive strengthened and expanded the scope of EU consumer laws and helped modernize consumer protection rules for new market developments.

Below, I summarize the EU Omnibus Directive and the new proposal, their requirements, and how they impact consumers and businesses.

Table of Contents
  1. What Is the EU Omnibus Directive?
  2. What Is The Digital Omnibus Proposal?
  3. What Are the Requirements of the EU Omnibus Directive?
  4. How Are Consumers Impacted?
  5. How Are Businesses Impacted?
  6. How Can Businesses Comply With the EU Omnibus Directive?
  7. How Will It Be Enforced?
  8. Fines and Penalties
  9. Proposed Changes: Omnibus IV

What Is the EU Omnibus Directive?

The EU Omnibus Directive introduced changes to four pieces of EU/EEA consumer protection legislation:

  1. The Consumer Rights Directive (2011/83/EU)
  2. The Price Indications Directive (98/6/EU)
  3. The Unfair Contract Terms Directive (93/13/EEC)
  4. The Unfair Commercial Practices Directive (2005/29/EC)

The goal of the EU Omnibus Directive was to expand the scope of the existing consumer rights framework that applies to physical services and goods to cover digital content, goods, and services.

It introduced new definitions such as “ranking” and “online marketplace” and amended existing definitions such as “digital service” and “sales contract” to bring digital content, goods, and services into the scope of consumer protection legislation.

What Is the EU’s New Deal for Consumers Initiative?

The EU Omnibus Directive was part of the EU’s New Deal for Consumers initiative, which sought to strengthen the enforcement of EU consumer laws and modernize EU consumer protection rules in light of market developments.

The initiative was adopted on April 11, 2018, and includes a communication and two proposals: COM(2018) 184 and COM(2018) 185.

Since the implementation of this initiative, two EU instruments have been adopted: the EU Omnibus Directive and the Directive on Representative Actions.

What Is The Digital Omnibus Proposal?

On November 19, 2025, the European Commission published the Digital Omnibus proposal.

Some key changes from this proposal include:

The proposal adds a second channel of consent management on top of traditional consent banners: automated signals.

It’s expected that honoring browser setting opt-out preferences will become the norm for the foreseeable future.

The table below shows you what actually changes versus what would stay the same if the proposal goes through:

| What Changes | What Doesn’t Change |
| --- | --- |
| Some purely statistical cookies don’t require consent (truly aggregated, own-use only). | Still need consent for most common tracking purposes. |
| One-click rejection becomes mandatory. | Still required to scan, classify, and manage cookies. |
| Browser signals must be respected, where available. | Still needs a preference center and granular consent options. |
| 6-month restriction on re-prompting for consent after refusal. | IAB TCF requirements for ad-supported publishers still relevant. |
| Consolidated regulation under the GDPR instead of a split between the GDPR/ePrivacy framework. | Obligations to document compliance still exist. |
| | Enforcement of GDPR principles remains the same (purpose limitation, data minimization, etc). |
| | Right to object to legitimate interest processing still exists. |
| | Technical requirement to block cookies before consent still exists. |

Termly Is Monitoring These Potential Changes

Our legal team is keeping a close watch on this legislation as it continues to gain traction.

Alongside our product team, we are monitoring and mapping both operational and product requirements, which include discussions about:

  • Reading and honoring automated signals (machine-readable preferences): Translate these signals into enforceable allow/block behavior across tags and vendors.
  • Fallback banners: When no signal is present from a user’s browser, which is likely to be common for a very long time, it’s important to include a one-click ‘Reject all’ button paired with an ‘Accept all’ button on consent banners.
  • State management for ‘do not re-ask’: There’s a strict 6-month re-prompting restriction after refusal, so you must avoid re-prompting during these valid consent periods.
  • Dual-channel compliance evidence: It’ll be important to keep audit trails showing how consent or objection was received, via a banner or the signal. It will also be important to show how it was applied, which could include policy/versioning and ROPA-aligned record keeping.
  • Cookie scanning, classification, and prior blocking: This most likely still needs to be implemented because sites need to know what’s actually running to prevent non-consented categories of cookies from firing.
  • Programmatic advertising support: IAB TCF will likely still need a ‘consent vessel’ and vendor/purpose level signaling that browser signals cannot replace.
  • Granular preference centers: These are likely to remain necessary because browser signals are often too broad and binary. Real compliance gives users the choice to opt out of each specific vendor and purpose, making preference centers still relevant.

Because implementation of this proposal anticipates different clocks for controllers versus browser providers (24 months versus 48 months respectively), it could create a long gap where banners and signals must coexist.

How Will CMPs Evolve If Traditional Banners Change or Disappear?

If this proposal goes through, some businesses worry about cookie consent banners as we know them changing or even shrinking.

However, it’s more likely that CMPs will shift from a UI-first setup to an orchestration-first setup.

Consent Orchestration Layer

Consent orchestration layering is likely to become the norm, where the CMP becomes the engine that reconciles and enforces:

  • Browser/OS signals,
  • In-site choices,
  • Geo/regime differences,
  • Vendor requirements,
  • Exemptions
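
The reconciliation described in this section and in the monitoring list above (honoring an automated signal, falling back to a banner, not re-asking for 6 months after a refusal, blocking by default, and recording how the choice arrived) can be sketched as follows. This is an added example, not Termly's code or anything defined by the proposal; the `optOutSignal` flag, the category names, the exempt set, and the rule that an opt-out signal overrides a stored banner acceptance are assumptions.

```javascript
// Added example: hypothetical consent-orchestration logic (not a real CMP API).
const REPROMPT_MONTHS = 6; // re-prompt restriction after refusal, as summarized above
// Assumed names for categories that need no consent on this hypothetical site.
const EXEMPT = new Set(["essential", "aggregate_statistics"]);

function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// optOutSignal: true when the browser sent a machine-readable opt-out (assumed shape).
// stored: last banner choice { decision, categories, at } or null.
// categories: everything the cookie scan classified on this site.
function resolveConsent({ optOutSignal, stored, categories, now }) {
  // Prior blocking: start from default-deny, allow only exempt categories.
  const allowed = new Set(categories.filter((c) => EXEMPT.has(c)));
  let source = "default-deny";
  let showBanner = false;

  if (optOutSignal) {
    source = "signal"; // assumption: the signal wins over any stored acceptance
  } else if (stored && stored.decision === "accept") {
    source = "banner";
    categories
      .filter((c) => stored.categories.includes(c))
      .forEach((c) => allowed.add(c));
  } else if (stored && stored.decision === "reject" &&
             now < addMonths(stored.at, REPROMPT_MONTHS)) {
    source = "banner"; // refusal still inside the window: do not re-ask
  } else {
    showBanner = true; // no signal and no usable stored choice: fallback banner
  }

  return {
    allowed: [...allowed].sort(),
    blocked: categories.filter((c) => !allowed.has(c)).sort(),
    showBanner,
    // Dual-channel evidence: which channel decided, when, under which policy.
    audit: { source, decidedAt: now.toISOString(), policyVersion: "example-1" },
  };
}
```

The returned `audit` object is the piece a system of record would persist alongside the allow/block lists, so the channel that produced each decision can be shown later.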

Compliance System of Record

CMPs are also likely to become the backbone of businesses’ audit trails, primarily because regulators and customers still expect evidence for:

  • Consent/objection,
  • Timing,
  • Scope,
  • Implementation proof (aka, no dark patterns, one-click reject),
  • How these choices were applied.

Ecosystem Compatibility

At the end of the day, browser signals won’t satisfy everything, especially programmatic aspects of the proposed consent requirements.

CMPs are likely to remain the main integration point for TCF strings, vendor lists, and purpose-level controls.

Ongoing Discovery and Enforcement

Websites change constantly, and one of the primary value-adds of using a CMP is that it enables you to continue to scan and classify the new or changing cookies or trackers your site implements.

They also enable you to continuously monitor your site and pre-consent blocking, regardless of whether the users’ initial preference came from their browser or a UI.

Cookie consent banners will likely become one of several ‘consent surfaces’, and CMPs will be more central as the technical bridge between regulation, browsers, and business systems.

What Are the Requirements of the EU Omnibus Directive?

The EU Omnibus Directive makes key changes to existing consumer framework legislation.

Specifically, it gives consumers more rights and places more restrictions on businesses to protect consumers.

Here are some of the most important requirements of the EU Omnibus Directive.

New Consumer Rights

Expansion of traditional consumer rights to transactions that deal with digital goods

Thanks to the EU Omnibus Directive, consumers involved in transactions that deal with digital goods can now benefit from traditional consumer rights such as:

  • The right to receive necessary pre-contractual information
  • The right to withdraw within 14 days

The only exception is when the consumer provides personal data that is:

  • Processed solely to supply the digital content in question
  • Given due to a legal requirement

Restrictions on Businesses

Restrictions on price manipulation

The EU Omnibus Directive requires businesses to make pricing more transparent for customers.

If a trader says that a discount is available, the base price to which the discount is being applied must have been available for at least a month before the discount was publicized.

This measure aims to prevent traders from artificially manipulating prices by suggesting there’s a discount when there isn’t one in reality.

However, there are exceptions for products that can expire or deteriorate quickly, such as dairy products.

The EU Omnibus Directive also requires traders to indicate when the price of a particular service or good has been altered based on automated decision-making.

Examples of such situations include:

  • Automatic price alterations based on individual consumer data (e.g., price increases on certain services or products for a particular user based on recent purchasing history or age)
  • Automatic price alterations reflecting seasonal periods (e.g., price increases on hotels during summer break)

Increased online marketplace transparency

All online marketplaces must provide consumers with up-front awareness of their rights and whom they can complain to if they believe they’ve been denied their rights.

Specifically, online marketplaces must establish:

  • Whether a seller is a professional trader or a private individual — if a seller is a professional trader, they must follow the relevant consumer protection legislation, but if they’re a private individual, they won’t have to
  • What consumer protection provisions apply to any given transaction
  • How responsibility for compliance will be shared between the online marketplace and the seller
  • What parameters they use to rank search results (e.g., purchase history, price, rating, or a combination of these), including the role and importance of each of these parameters in determining the ranking

Prohibition on fake reviews

The EU Omnibus Directive also prohibits fake reviews in an effort to increase transparency in online marketplaces.

It has blacklisted manipulation of reviews, including:

  • Posting fake reviews
  • Transferring endorsements from one product to another
  • Not disclosing paid search rankings
  • Deleting negative reviews
  • Claiming that consumer reviews have been verified when they haven’t been

Interaction between consumers and traders

The EU Omnibus Directive allows businesses to use any type of online communication as long as:

  • Customers can maintain a written trail of correspondence
  • The chosen method enables efficient and reliable communication

Suggested methods of communication include conversational AI, speech-based assistants, and chatbots.

How Are Consumers Impacted?

Under the EU Omnibus Directive, consumers can now exercise traditional consumer rights when buying digital goods, services, and content.

This means they have more individual remedies when harmed by unfair business practices such as fake reviews and overly aggressive marketing.

Increased transparency in online marketplaces will also help consumers make better choices and buy the products they really want.

How Are Businesses Impacted?

Thanks to the EU Omnibus Directive’s stringent standards, businesses now have more restrictions to follow.

This means that businesses need to review and renew their pricing processes, terms and services, transparency practices, and methods of protecting consumers’ personal data.

How Can Businesses Comply With the EU Omnibus Directive?

Complying with the EU Omnibus Directive can be difficult, particularly if you’re a new company.

Here’s what you should review and renew in light of the EU Omnibus Directive.

Process for Verifying Consumer Reviews

The EU Omnibus Directive requires you to review and update your process for verifying consumer reviews, so every review is genuine.

Ask yourself the following questions as you go through its requirements:

  • Where are your reviews hosted?
  • What review management software do you use, and how will you be managing consumer reviews?
    • If you don’t have the time or energy to manage customer reviews, consider using a third-party consumer review platform to simplify the process of documenting customer reviews. You can use this tool to automate, reply to, and organize reviews across different platforms.
  • How will you verify a consumer’s identification?
  • How will you inform consumers about your process for verification?
  • Will it be in your terms and conditions, for instance?
  • How can influencers substantiate their reviews?
  • In other words, how can you prove that you aren’t paying influencers to give you five-star reviews?

Pricing Processes

Look at your current pricing processes and ensure that all of your prices have been available for at least 30 days in their respective member states.

If you use any form of automated or personalized pricing, you need to disclose this in your listings as required.

Keep in mind that these particular rules apply only to goods, not digital services or content.

Existing Terms and Services for Digital Services or Goods

Review and renew your current terms and services for every digital service or good you sell to EU consumers — all of these now need to incorporate traditional consumer rights.

Remember to be up front and transparent about how consumers can exercise these rights.

How Will It Be Enforced?

The EU Omnibus Directive leaves enforcement to each EU member state.

The New Deal for Consumers initiative required each member state to implement the provisions of the EU Omnibus Directive into their national laws by Nov. 28, 2021.

They had until May 28, 2022, to bring their national legal provisions into effect.

Fines and Penalties

If you don’t follow the EU Omnibus Directive, you can face heavy fines at similar levels to those levied under the EU’s General Data Protection Regulation (GDPR).

The EU Omnibus Directive imposes the following penalties if you violate the first three directives that make up the existing consumer rights legislation:

If you violate the fourth directive, you will receive a fine similar to the one described above.

However, the EU member state will apply the fine in relation to your usage of any contractual term that is:

  • Deemed unfair according to the member state’s national law.
  • Found to be unfair by a final court decision.

This means that there will be a variety of approaches depending on which member state you’re selling services and products to.

Proposed Changes: Omnibus IV

Currently, a proposal known as Omnibus IV is pending approval by the European Parliament & Council.

The changes include shifting from consumer-driven rules to a more digital-first, business-friendly framework.

It was proposed on May 21, 2025, and is building strong political momentum from both the Council and Parliament.

Check back at a later time for future updates. 

The EU Omnibus Directive makes significant changes to four existing EU directives on consumer protection.

It expanded the scope of the current framework by giving consumers the ability to exercise traditional consumer rights when buying digital goods, services, and content.

Businesses must follow the strict set of standards outlined by the Directive when listing and marketing their digital offerings.

Failure to comply with the EU Omnibus Directive results in heavy fines at levels similar to those levied under the GDPR.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
