The European regulatory landscape for artificial intelligence and data privacy has entered a decisive execution phase. With the EU Digital Omnibus proposals unveiled in late 2025, prohibited AI practices under Article 5 of the EU AI Act now fully enforceable since August 2025, and the Compliance Checker updated as of 15 April 2026, corporate leadership can no longer treat these frameworks as horizon risks. They are present-tense obligations carrying fines of up to €35 million or 7% of global annual turnover.
For CFOs, General Counsel, and enterprise risk management teams, the central challenge is no longer awareness — it is structured, defensible compliance architecture that holds up under multi-regulator scrutiny.
The Digital Omnibus: Simplification With Caveats
The EU Commission’s Digital Omnibus package represents the most significant recalibration of the AI Act and GDPR since their respective enactments. For regulated industries — particularly mid-market pharmaceutical and MedTech firms — the headline benefit is the integration of AI Act conformity assessments with existing MDR/IVDR certification pathways. In practical terms, this means a single conformity process can satisfy both product safety and high-risk AI obligations for qualifying medical devices, materially reducing duplicative audit cycles and external counsel costs.
The package also introduces targeted GDPR adjustments for research data, easing the legal basis requirements that have historically complicated clinical trial data governance, and harmonizes breach notification timelines to a uniform 72-hour standard across AI Act and GDPR regimes.
However, the simplification narrative deserves scrutiny. Amnesty International and several civil society organizations have characterized these proposals as a rollback of fundamental rights under the guise of competitiveness. For boards and General Counsel, this tension carries a concrete governance implication: ESG reporting frameworks and internal data privacy policies must not be silently downgraded in response to regulatory relaxation. Reputational and litigation exposure from perceived rights erosion can outlast any short-term compliance saving.
Enforcement Milestones and High-Risk Classification: The Operational Pressure Points
Two enforcement developments demand immediate attention from compliance and technology leadership:
- Article 5 prohibited practices — covering unacceptable-risk AI applications such as social scoring, real-time biometric surveillance in public spaces, and manipulative subliminal techniques — became fully enforceable in August 2025. EU Commission guidelines clarify the interplay with GDPR and the Digital Services Act, confirming that violations in this tier signal the highest infringement severity. Multi-regulator oversight means that a single AI deployment incident could trigger simultaneous action from data protection authorities, market surveillance bodies, and sector-specific regulators.
- Article 6 high-risk classification guidelines, due by 2 February 2026, require providers to document assessments for systems they contend fall outside the high-risk perimeter. This is not a passive safe harbour: the burden of documented justification now sits with the deploying or providing organization. For mid-market AI deployers without dedicated legal-technical teams, the updated EU AI Act Compliance Checker — refreshed in April 2026 with AI literacy obligations and fundamental rights impact assessment templates — provides a structured self-assessment baseline.
CTOs and Chief Compliance Officers should note that general-purpose AI model obligations have also been clarified in the April 2026 update, with particular relevance for enterprises deploying large language models in customer-facing or decision-support contexts.
Implications for Corporate Governance and Enterprise Risk Management
The convergence of these regulatory milestones has structural implications for corporate governance and board-level oversight:
- M&A due diligence must now incorporate AI Act compliance status as a first-order risk factor, particularly for targets in pharma, MedTech, financial services, and HR technology. Undisclosed high-risk AI deployments represent material contingent liabilities.
- AML and data privacy programs that rely on automated decision-making tools require re-examination against both Article 5 prohibitions and high-risk classification criteria. The interaction between AI Act obligations and existing GDPR Article 22 automated decision-making rights creates compounding exposure.
- For firms with global operations, the EU framework is increasingly functioning as a de facto international standard. Jurisdictions in the Gulf, Southeast Asia, and Latin America are actively referencing EU AI Act architecture in their own draft legislation, making early EU compliance a strategic asset rather than a cost center.
Key Takeaway
The 2025–2026 EU regulatory cycle has moved AI and data privacy compliance from policy preparation to active enforcement. The Digital Omnibus offers genuine operational relief for regulated sectors — but only for organizations that have already built the underlying compliance infrastructure to take advantage of it. Decision-makers should prioritize three actions: map all AI deployments against updated Article 5 and Article 6 criteria, integrate AI Act assessments into existing MDR/IVDR and GDPR governance workflows where applicable, and ensure board-level visibility over AI risk as a standing agenda item. The firms that treat this moment as a governance opportunity, rather than a compliance burden, will be better positioned for the enforcement actions that are now a matter of when, not if.