European regulatory architecture is undergoing its most consequential restructuring since the GDPR came into force in 2018. The European Commission’s Digital Omnibus package — now entering trilogue negotiations between the Commission, the European Parliament, and the Council — proposes material revisions to both the GDPR and the AI Act. With no final text agreed and negotiations expected to extend well into 2026, compliance teams and executive leadership face a period of structured uncertainty that demands proactive, scenario-based planning rather than a wait-and-see posture.

A Shifting Regulatory Baseline: What the Digital Omnibus Proposes

The Digital Omnibus is not an incremental update. Proposals under discussion would revise core GDPR provisions — including definitions of personal data, the scope of data access rights, and obligations on automated decision-making — while simultaneously adjusting the timing and application thresholds of the AI Act. For organizations that have already invested in GDPR compliance infrastructure, this creates a dual risk: over-engineering controls against a framework that may change, or under-investing and facing enforcement exposure in the interim.

Critically, the AI Act’s implementation timeline is not paused pending Omnibus outcomes. Key transparency and copyright-related obligations become applicable in August 2026, with full application of the regulation also set for that date. High-risk product rules under Annex I extend to 2028. Compliance teams cannot treat the Omnibus negotiations as a reason to defer AI governance work — the existing statutory deadlines remain binding.

The practical implication: organizations should build compliance programs against the current AI Act text while maintaining sufficient architectural flexibility to absorb Omnibus amendments. This is a governance design challenge as much as a legal one.

Parallel Regimes, Compounding Obligations

One of the most operationally significant realities confirmed by EU guidance is that the AI Act and GDPR operate in parallel, not as substitutes. Organizations deploying AI systems that process personal data — which describes the majority of enterprise AI use cases in finance, HR, healthcare, and customer operations — must simultaneously satisfy:

  • AI Act requirements: conformity assessments, technical documentation, human oversight mechanisms, and transparency obligations for high-risk systems;
  • GDPR obligations: lawful basis for processing, Data Protection Impact Assessments (DPIAs), data minimisation, and vendor due diligence under Article 28;
  • Sector-specific overlays: AML transaction monitoring, automated credit decisioning under CRD VI, and HR profiling restrictions under national implementations.

EU data protection authorities have already demonstrated enforcement appetite at this intersection. Investigations and sanctions have been issued against AI-enabled biometric identification, facial recognition, automated profiling, and model training practices — all framed under existing GDPR provisions. The enforcement record makes clear that regulators are not waiting for AI-specific legislation to mature before acting.

For enterprise risk management frameworks, this convergence between data privacy law and AI governance is not a future scenario — it is the current operating environment.

Implications for Business: Governance, Investment, and M&A Due Diligence

The regulatory pressure wave has direct consequences across several executive functions:

  • CFOs and Audit Committees should reassess AI-related liability exposure in financial reporting and ensure that compliance costs associated with dual GDPR/AI Act obligations are accurately reflected in risk disclosures and ESG reporting frameworks;
  • General Counsel must map existing AI deployments against both current AI Act risk classifications and GDPR processing activities, identifying gaps before the August 2026 application date — not after;
  • M&A Directors and Transaction Teams should treat AI governance maturity as a material due diligence vector. Target companies with undocumented AI systems, unresolved DPIAs, or informal vendor oversight structures carry regulatory tail risk that will increasingly affect valuation and deal structuring;
  • CTOs and Digital Transformation Leaders need to architect AI systems with compliance by design — embedding documentation, human oversight, and audit trails from the outset rather than retrofitting controls post-deployment.

The European simplification debate embedded in the Omnibus process — balancing regulatory burden reduction against rights protection — will also have spillover effects for global governance programs. Multinationals operating across jurisdictions should monitor whether Omnibus outcomes create divergence or alignment with emerging AI frameworks in the UK, US, and APAC markets.

Key Takeaway

The convergence of GDPR reform, AI Act implementation, and active enforcement creates a compliance environment where inaction is itself a risk position. Organizations that treat the Digital Omnibus negotiations as a reason to pause should reconsider: existing obligations are live, enforcement is accelerating, and the firms best positioned for 2026 and beyond are those building adaptive governance frameworks today. The question for leadership is not whether to invest in AI and data compliance infrastructure — it is whether that investment is structured to absorb regulatory change without requiring full redesign.