The European Commission has introduced a proposal that could materially reshape how mid-market and multinational companies manage their digital compliance obligations. The Digital Omnibus — a legislative package aimed at reducing regulatory overlap between the GDPR and the EU AI Act — proposes narrower compliance scopes, consolidated breach reporting, and extended deadlines for certain high-risk AI obligations. For corporate leadership, the timing matters: the AI Act’s full applicability date of 2 August 2026 is approaching fast, and most organisations are still mid-implementation.
This is not yet law. But the proposal signals a meaningful shift in the Commission’s posture toward enterprise compliance burden — and it demands immediate attention from CFOs, General Counsel, M&A Directors, and board-level risk committees.
What the Digital Omnibus Actually Proposes
The Commission’s Digital Omnibus targets three areas of friction that have consistently surfaced in enterprise risk management discussions:
- Narrower GDPR scope: Selected compliance obligations would be reduced in breadth, with particular relevance for organisations using personal data in AI training workflows — a tension point that has created significant legal uncertainty since the AI Act entered force.
- Unified breach and cyber-incident reporting: The proposal would align GDPR breach notification requirements more closely with cyber-incident reporting obligations, eliminating the duplicate reporting workflows that currently burden multinational compliance teams operating across jurisdictions.
- Extended high-risk AI deadlines: Some obligations for high-risk AI systems would be pushed back, providing additional runway for companies still building governance frameworks, documentation protocols, and human oversight mechanisms.
Simplified labeling rules for AI-generated content are also included — a provision with direct implications for marketing, legal, and communications functions deploying generative AI tools at scale.
The Regulatory Landscape Remains Complex — With or Without the Omnibus
Even if the Digital Omnibus advances through the legislative process, the underlying compliance architecture remains layered. The EU AI Act’s risk-based framework is already partially in force: prohibited AI practices have applied since early 2024, and General Purpose AI (GPAI) obligations have been in effect since 2 August 2025. Transparency obligations and the bulk of remaining requirements are set to apply from August 2026, with high-risk AI systems embedded in regulated products carrying a longer runway to 2028.
Critically, AI Act compliance does not displace GDPR obligations. The two regimes operate concurrently. Data governance, lawful processing bases, transparency disclosures, and human oversight requirements must be addressed under both frameworks simultaneously. For enterprise risk and data privacy teams, this means a unified compliance operating model — not sequential workstreams — is the only viable approach.
The convergence of privacy, AI governance, and cybersecurity reporting into a single operational framework is no longer a future-state aspiration. It is the present compliance reality for any organisation deploying AI systems across EU markets.
Implications for Decision-Makers: What to Do Now
For CFOs, General Counsel, and board-level risk committees, the Digital Omnibus creates a temptation to pause investment in compliance infrastructure pending legislative clarity. That would be a strategic error. The proposal is not final law, and the August 2026 deadline is fixed under the current framework. The following actions remain urgent regardless of the Omnibus outcome:
- Complete AI system inventories and risk classifications under the Act’s four-tier framework. High-risk designations carry documentation and human oversight obligations that require months of preparation.
- Integrate GDPR and AI Act governance workflows. Legal, IT, and compliance teams operating in silos will face duplicated effort and regulatory exposure. A unified enterprise risk management architecture is the efficient path.
- Reassess data processing agreements and AI training data provenance. The Omnibus may ease some GDPR friction around AI training, but lawful basis requirements and data subject rights remain operative.
- Prepare board-level accountability structures. Regulators across the EU are increasingly focused on corporate governance accountability for AI deployment decisions. Board documentation and oversight evidence will matter in enforcement contexts.
- Monitor the Omnibus timeline actively. If deadline extensions are confirmed, reprioritise implementation sequencing — but do not deprioritise foundational governance work.
Key Takeaway
The EU Digital Omnibus represents a genuine signal that the Commission recognises the compliance burden facing European businesses — but it is a proposal, not a solution. With GPAI obligations already in force, transparency rules due in August 2026, and the GDPR continuing to operate in parallel, the window for reactive compliance is closing. Organisations that use the current period to build integrated, scalable governance frameworks will be better positioned regardless of how the legislative process resolves. Those waiting for regulatory certainty before acting are likely to find themselves behind the curve when it arrives.