The European Commission’s newly unveiled Digital Omnibus Package represents the most significant recalibration of the EU’s digital regulatory architecture since GDPR came into force in 2018. Driven in part by the recommendations of the Draghi Report on European Competitiveness, the package proposes targeted revisions to the General Data Protection Regulation, the ePrivacy Directive, and the EU AI Act — with the explicit objective of reducing compliance costs for mid-market firms while preserving core data protection principles. For CFOs, General Counsel, and enterprise risk officers, this is not a deregulatory holiday. It is a structural reset that demands immediate governance attention.
Key Regulatory Changes: Scope, Definitions, and Enforcement Timelines
The Omnibus Package introduces several substantive changes that will directly affect corporate compliance programmes across the EU and, given the extraterritorial reach of GDPR, globally:
- Narrowed personal data definitions and expanded permissions for the use of pseudonymized data in AI training, a move that directly addresses a long-standing tension between data minimization obligations and large-scale AI model development.
- Relaxed automated decision-making rules under Article 22 GDPR and revised consent mechanisms, reducing friction for customer-facing AI deployments in sectors such as financial services, insurance, and HR technology.
- Reduced cookie-banner requirements under the ePrivacy Directive, acknowledging widespread user fatigue and enforcement inconsistency across Member States.
- Postponed AI Act enforcement deadlines, providing additional runway for organizations preparing for the 2026 rollout of obligations applicable to high-risk AI systems — including those used in credit scoring, recruitment, and biometric identification.
These changes do not eliminate regulatory exposure. They reframe it. Boards and legal teams that interpret the Omnibus Package as a signal to deprioritize compliance investment will be making a strategically costly error.
AI Act Readiness: The 2026 Deadline Remains a Governance Imperative
Despite the postponement of certain AI Act milestones, enforcement preparations are intensifying across EU Member State supervisory authorities. Compliance officers are being urged — with explicit parallels drawn to the 2018 GDPR implementation cycle — to begin adapting governance frameworks, third-party oversight protocols, and internal reporting structures now.
The AI Act’s four-tier risk classification system — ranging from unacceptable risk (prohibited systems) to minimal risk — creates differentiated obligations that intersect directly with existing GDPR accountability requirements. High-risk AI applications in hiring, consumer credit, and biometrics face the most stringent requirements: mandatory conformity assessments, human oversight mechanisms, and detailed technical documentation. For enterprises operating at scale, the Europrivacy certification framework is emerging as a practical instrument for demonstrating alignment across both GDPR and AI Act obligations, particularly for mid-market firms without dedicated regulatory affairs functions.
Critically, organizations deploying conversational AI in customer-facing environments must now navigate a convergence of GDPR data flow requirements, AI Act bias testing obligations, DMA interoperability rules, and an increasingly fragmented U.S. state privacy law landscape. Enterprise risk management frameworks that treat these as separate workstreams are structurally inadequate for the regulatory environment taking shape in 2025 and 2026.
Implications for Business: Governance, Investment, and M&A Due Diligence
For decision-makers, the practical implications of this regulatory reset span multiple functions:
- CFOs should reassess compliance cost models. The Omnibus Package may reduce certain operational burdens — particularly around consent management infrastructure — but investment in AI governance tooling, data lineage documentation, and third-party vendor oversight is non-negotiable ahead of 2026 enforcement.
- General Counsel and CCOs must update data protection impact assessments (DPIAs) and AI risk registers to reflect revised definitions of personal data and pseudonymization thresholds. Existing GDPR compliance programmes should not be assumed to be AI Act-compliant without a structured gap analysis.
- M&A Directors and deal teams should embed AI Act readiness as a standard due diligence checkpoint. Target companies utilizing high-risk AI systems in regulated sectors carry material compliance risk that will affect valuation and post-close integration planning.
- CTOs and Chief Data Officers have a narrow window to architect AI training pipelines and data governance frameworks that are compliant under the revised pseudonymization rules — before those rules are finalized and enforcement positions harden.
Key Takeaway
The EU Digital Omnibus Package signals a pragmatic recalibration, not a retreat. The Commission is attempting to align regulatory ambition with competitive reality — but the core obligations of data privacy, AI risk governance, and corporate accountability remain firmly in place. Organizations that use this window to build integrated, future-proof compliance architectures — rather than waiting for final legislative text — will be better positioned for enforcement, investor scrutiny, and cross-border operational resilience. The 2018 GDPR experience taught boards that late preparation is expensive. The 2026 AI Act cycle will be no different.