In November 2025, the European Commission introduced its Digital Omnibus and Digital Omnibus on AI Regulation — a pair of legislative proposals designed to streamline compliance obligations under the GDPR and the EU AI Act. The stated objective is to reduce regulatory friction and restore European competitiveness in the global technology race. But for corporate legal, risk, and technology functions, the proposals introduce a new layer of strategic uncertainty that demands immediate attention.
What the Digital Omnibus Actually Proposes
The Commission’s package targets two of the most operationally demanding frameworks in European regulatory history. On data privacy, the proposals introduce a notable carve-out: AI-driven data removal obligations under the GDPR would apply only where compliance does not require “disproportionate efforts” — a threshold that remains undefined in the current draft text, creating interpretive risk for data protection officers and General Counsel alike.
On artificial intelligence, the proposals seek to soften enforcement timelines and documentation burdens under the EU AI Act, particularly for high-risk AI systems as defined under Annex III of the Act. This comes despite the Act’s Article 5 prohibitions on manipulative AI and its strict regime for real-time biometric identification in public spaces — provisions that require judicial authorisation, mandatory impact assessments, and supervisory notifications, and which are explicitly excluded from the simplification agenda.
Organisations that have already invested in AI Act compliance infrastructure — including human oversight protocols, technical documentation, and conformity assessments — should not assume that simplification translates to rollback. The high-risk and prohibited AI categories remain substantively intact.
The Tension Between Competitiveness and Rights Protection
The political momentum behind the Digital Omnibus is real. Discussions across European policy and technology communities reflect mounting frustration with the cumulative compliance cost of the GDPR, AI Act, Digital Services Act, and ePrivacy Directive. For mid-sized enterprises and scale-ups, the burden is disproportionate — a concern the Commission has acknowledged explicitly.
However, civil society organisations, including Amnesty International, have raised substantive objections. The “disproportionate efforts” carve-out on data removal, they argue, risks creating a structural loophole that undermines the foundational rights architecture of the GDPR — particularly for AI systems that process personal data at scale. For multinational corporations, this tension is not merely reputational. It has direct implications for enterprise risk management frameworks, ESG reporting obligations, and cross-border data transfer strategies.
Boards and audit committees should note that the EU’s qualified transparency mandates for high-risk AI — requiring explainability, audit trails, and human oversight documentation — remain a compliance baseline regardless of the Omnibus outcome. Academic analysis of the AI Act’s transparency architecture confirms that enforcement challenges are structural, not merely procedural, and are unlikely to be resolved by simplification alone.
Implications for Business: What Decision-Makers Must Do Now
The Digital Omnibus proposals will not be finalised before mid-2026 at the earliest, following European Parliament and Council review. In the interim, the operative legal framework remains the GDPR as currently enforced and the AI Act’s phased implementation schedule — with prohibitions applicable from February 2025 and high-risk system obligations entering force from August 2026.
For CFOs, General Counsel, and CTOs, the priority actions are clear:
- Do not defer AI Act compliance investments on the assumption that simplification will reduce obligations for high-risk systems. The core requirements — human oversight, technical documentation, conformity assessments — are structurally stable.
- Audit existing GDPR data removal workflows to assess exposure under a “disproportionate efforts” standard. Define internal thresholds now, before regulators do.
- Engage with the legislative process through industry associations and public consultations. The Omnibus is still in proposal stage; corporate input on workable definitions matters.
- Align compliance programs with ESG and corporate governance reporting requirements. Data privacy and AI governance are increasingly material disclosures under CSRD and investor due diligence frameworks.
- Assess AML and biometric AI exposure separately. Article 5 of the AI Act imposes categorical prohibitions and strict authorisation requirements that are not subject to the simplification agenda.
Key Takeaway
The EU’s Digital Omnibus signals a political shift toward regulatory pragmatism, but it does not represent a fundamental retreat from the rights-based architecture of European digital law. For corporate compliance and risk functions, the strategic imperative is precision: distinguish between provisions that may be relaxed and those — particularly in high-risk AI and biometric identification — that will not be. Organisations that treat simplification as a reason to pause compliance investment risk being materially exposed when enforcement catches up with ambition.