On 19 November 2025, the European Commission released two landmark legislative packages — the Digital Omnibus and AI Omnibus proposals — signalling the most significant recalibration of EU digital regulation since the GDPR came into force in 2018. For CFOs, General Counsel, and Chief Compliance Officers, these proposals are not a distant legislative exercise. They are a live compliance variable that demands immediate governance attention.
Key Regulatory Changes: What Is Actually Being Proposed
The proposals touch three pillars of EU digital law with material implications for enterprise risk management:
- GDPR Amendment — Extended Breach Reporting Window: The 72-hour data breach notification deadline, long criticised as operationally unworkable for complex organisations, would be extended to 96 hours. The European Data Protection Board (EDPB) would introduce a standardised breach-reporting template, reducing procedural inconsistency across member states. For multinationals managing cross-border data flows, this represents a meaningful reduction in acute compliance pressure — though it does not diminish the underlying obligation to maintain robust incident response infrastructure.
- EU AI Act — Delayed High-Risk Obligations: The Omnibus proposes postponing compliance deadlines for high-risk AI systems, while explicitly allowing organisations to leverage existing GDPR compliance frameworks to satisfy certain AI Act requirements. The risk-based classification model is preserved, but the transitional relief gives enterprises additional runway to align AI governance with operational realities.
- EU Data Act and Platform-to-Business Regulation: Enhanced trade secret protections under the Data Act address a longstanding concern from technology-intensive industries. The proposed repeal of the Platform-to-Business Regulation reduces regulatory overlap — a pragmatic consolidation that simplifies the compliance landscape for digital platform operators and enterprise software vendors.
Enforcement Consistency and the ‘Brussels Effect’ — The Risks Beneath the Relief
While the headline narrative is simplification, the compliance and legal community should resist a purely optimistic reading. Several structural risks warrant scrutiny.
First, enforcement consistency remains a critical vulnerability. GDPR’s track record demonstrates that harmonised rules do not guarantee harmonised enforcement. National Data Protection Authorities — from Ireland’s DPC to Luxembourg’s CNPD — have diverged significantly in investigative priorities and penalty thresholds. The Omnibus proposals do not fundamentally alter this dynamic. Organisations operating across multiple EU jurisdictions must continue to map their exposure at the member-state level, not merely at the regulation level.
Second, the global ‘Brussels effect’ remains potent. Non-EU companies serving European customers, processing EU personal data, or deploying AI systems that interact with EU users will be subject to the revised frameworks regardless of their headquarters jurisdiction. Mid-market firms in the United States, the United Kingdom, and Southeast Asia that have deferred EU compliance investment on the assumption that enforcement would not reach them face increasing regulatory and reputational risk as the Commission signals intent to extend its extraterritorial reach.
Third, the integration of GDPR frameworks into AI Act compliance — while administratively efficient — creates a dependency risk. Organisations with legacy gaps in their data privacy governance will find those gaps amplified when AI Act obligations come into full effect. The delay is not an exemption; it is a grace period.
Implications for Business: Governance Actions Before 2026
The 2026 enforcement horizon for several AI Act obligations means that the window for proactive governance alignment is narrowing. Decision-makers should consider the following priorities:
- Audit existing GDPR compliance infrastructure to identify gaps that will directly affect AI Act readiness — particularly around data minimisation, purpose limitation, and algorithmic transparency documentation.
- Engage with Europrivacy certification and Luxembourg’s CNPD framework as early-mover tools for demonstrating dual GDPR and AI Act compliance — a credible signal to regulators, investors, and counterparties in M&A due diligence contexts.
- Reassess data breach response protocols to incorporate the proposed 96-hour window, while ensuring that internal escalation and legal notification processes are robust enough to meet the new EDPB template requirements.
- Review AI system inventories against the high-risk classification criteria under the AI Act. The delay in obligations does not delay the classification exercise — and misclassification carries significant downstream liability.
- Brief boards and audit committees on the intersection of these regulatory developments with ESG reporting obligations and AML frameworks, where data governance and AI-assisted monitoring are increasingly intertwined.
Key Takeaway
The EU’s Digital Omnibus proposals represent a considered attempt to balance regulatory ambition with economic pragmatism. For corporate leaders, the extended GDPR deadlines and delayed AI Act obligations offer operational relief — but not strategic deferral. Organisations that treat these proposals as an invitation to slow down their compliance investment will find themselves structurally exposed when enforcement intensifies in 2026 and beyond. The firms that use this window to build integrated, scalable data and AI governance frameworks will be better positioned — not only for regulatory compliance, but for the trust-based competitive advantage that robust corporate governance increasingly commands in global markets.