The European regulatory landscape for data and artificial intelligence is undergoing its most significant structural realignment in years. On 19 November 2025, the European Commission launched the Digital Omnibus package, signalling a deliberate pivot toward deregulation — narrowing personal data definitions, relaxing automated decision-making rules, expanding permissible AI training data uses, and reducing cookie consent obligations. Simultaneously, EU AI Act enforcement is accelerating toward its 2026 milestones, with penalties reaching up to 4% of global annual turnover for non-compliance. For CFOs, General Counsel, and board members, these are not contradictory signals — they are a compressed window of strategic opportunity.
The Digital Omnibus: Deregulation With Conditions
The Digital Omnibus package responds directly to the Draghi Report’s call for reducing administrative friction on European competitiveness. Its proposed revisions to the GDPR, ePrivacy Directive, and AI Act are material. Narrowing the definition of personal data reduces the scope of data privacy obligations for many mid-market companies, while expanded permissions for AI training datasets remove a significant legal ambiguity that had paralysed several deployment programmes.
However, deregulation is not deregulation in full. The package does not eliminate accountability frameworks — it redistributes them. Companies that have already invested in enterprise risk management infrastructure aligned to GDPR will find the transition manageable. Those that have not may discover that a narrower definition of personal data still captures their core processing activities. General Counsel should commission a gap analysis before treating the Omnibus as a compliance holiday.
The postponement of certain AI Act deadlines offers breathing room, but the high-risk AI system obligations — covering employment screening, credit decisioning, and critical infrastructure — remain on schedule for 2026 enforcement. The window is narrowing, not closing.
AI Act 2026 Readiness: Risk Classification Is the Immediate Priority
The EU AI Act references the GDPR framework more than 30 times, deliberately building on existing data governance structures. For organisations with mature GDPR compliance programmes, this is an architectural advantage. For those without, it doubles the remediation burden.
Mandatory requirements for high-risk AI systems include:
- Risk classification and documentation — technical files must demonstrate conformity before deployment
- Human oversight mechanisms — embedded controls, not post-hoc review
- Data governance and bias mitigation — quality datasets with ongoing monitoring obligations
- Corporate governance accountability — board-level ownership of AI risk registers is increasingly expected by regulators
Platforms such as Informatica IDMC are being positioned as compliance infrastructure for AI Act data governance, enabling a single source of truth across multi-cloud environments and automating bias controls. The emergence of Europrivacy certification — integrating GDPR and AI Act requirements into a unified framework — is particularly relevant for mid-market firms in energy, financial services, and healthcare deploying AI in regulated contexts. Certification is not mandatory, but it is becoming a procurement and ESG reporting differentiator.
Implications for Business: Compliance as Competitive Positioning
The convergence of deregulation signals and enforcement escalation creates a strategic inflection point. Organisations that treat regulatory compliance as a cost centre will face compounding risk: the Digital Omnibus revisions require re-mapping existing data flows, while AI Act obligations demand new governance architecture. Doing both reactively is expensive and operationally disruptive.
Forward-looking executives are reframing this as a corporate governance investment with measurable returns. In M&A contexts, AI Act compliance status is already surfacing in due diligence questionnaires. In capital markets, ESG frameworks are beginning to incorporate AI governance metrics. In regulated industries — financial services, insurance, healthcare — AML and fraud detection systems built on AI may qualify as high-risk under the Act, requiring immediate classification review.
The actionable priorities for Q1 2026 are clear:
- Conduct an AI system inventory and apply the EU AI Act risk classification matrix
- Assess Digital Omnibus impact on existing GDPR consent and data minimisation programmes
- Evaluate Europrivacy or equivalent integrated certification as a compliance and commercial signal
- Assign board-level accountability for AI governance before regulators require it
Key Takeaway: The EU’s Digital Omnibus and AI Act enforcement cycle are not in tension — they are a coordinated recalibration of the compliance burden. Mid-market and enterprise firms that act now on risk classification, data governance, and integrated certification will convert a regulatory obligation into a durable competitive and reputational asset. Those who wait for final guidance will find themselves negotiating with enforcement timelines, not regulators.