The European Commission’s Digital Omnibus proposal represents the most consequential recalibration of EU digital regulation since the General Data Protection Regulation entered into force. By simultaneously amending GDPR, the EU AI Act, NIS2, DORA, eIDAS, and the Critical Entities Resilience Directive, the Commission is signalling a structural shift: from fragmented, deadline-driven compliance sprints toward a more integrated, operationally coherent regulatory architecture. For CFOs, General Counsel, and enterprise risk officers, the implications are immediate and strategic.

Key Regulatory Changes and What They Mean in Practice

Three reforms in the Digital Omnibus proposal warrant immediate attention from compliance and governance teams.

Legitimate interests as a basis for AI training. The proposal would expressly clarify that data controllers may process personal data for AI model training and operation under the legitimate-interests legal basis. This resolves a persistent ambiguity that has forced many organisations into overly conservative data strategies or costly consent architectures. It also narrows certain GDPR scope questions around identifiability, reducing the universe of data that triggers full regulatory treatment. For enterprises with active AI development pipelines, this is a material change to risk posture and data governance design.

Extended breach-notification window and unified reporting. The proposal extends the data-breach notification deadline from 72 to 96 hours—a modest but operationally meaningful extension for organisations managing complex incident-response workflows. More significantly, it introduces a single-entry reporting point spanning GDPR, NIS2, DORA, eIDAS, and the CER Directive. For mid-market firms currently maintaining parallel notification tracks across multiple regulators, this consolidation could reduce both cost and the risk of procedural non-compliance during a crisis.

AI Act deadline extensions and expanded SME relief. High-risk AI system compliance deadlines under Annex III would shift to 2 December 2027, with Annex I systems moving to 2 August 2028. Labelling requirements for certain AI-generated content are also extended. Critically, the proposal may broaden SME-style regulatory relief to cover small mid-caps with up to 499 employees and €100 million in annual turnover—a threshold that would materially reduce the compliance burden for a significant portion of European technology and professional services firms currently outside existing exemption frameworks.

The Governance Imperative: Integration Over Siloed Compliance

The Digital Omnibus does not simplify the underlying regulatory substance—it simplifies the procedural surface. The AI Act remains a layered governance regime that operates alongside, not instead of, GDPR. Organisations that treat these frameworks as separate workstreams will continue to face duplicated effort, inconsistent risk assessments, and gaps that regulators are increasingly equipped to identify.

The convergence of data privacy, AI governance, and cyber incident reporting into fewer, more operational processes demands a corresponding evolution in enterprise risk management. Boards should expect their compliance functions to present unified frameworks that address:

  • Data lineage and lawful-basis mapping for AI training datasets, aligned with the forthcoming legitimate-interests clarification
  • Integrated incident-response protocols that satisfy the consolidated reporting point across GDPR, NIS2, and DORA simultaneously
  • AI risk registers that distinguish between Annex I and Annex III system classifications under the AI Act, with revised milestone planning against the 2027–2028 deadlines
  • Governance documentation sufficient to demonstrate accountability under both corporate governance standards and AI Act conformity requirements

For organisations with cross-border operations, the European framework increasingly functions as a de facto global baseline—particularly in jurisdictions that have modelled their own AI and data privacy legislation on EU precedents. Compliance programs designed to satisfy the Digital Omnibus architecture will carry significant transferability to emerging regulatory environments in the UK, Singapore, and Canada.

Implications for Business: What Decision-Makers Should Prioritise Now

The Digital Omnibus is a proposal, not yet law. Legislative passage and national transposition will take time. However, the direction of regulatory travel is unambiguous, and organisations that wait for final text before adjusting their programs will find themselves compressing implementation into an already demanding operational calendar.

Immediate priorities for executive and legal teams include:

  • Audit current AI data pipelines against the anticipated legitimate-interests standard, identifying where consent-based architectures can be rationalised without compromising data subject rights
  • Map multi-regime notification obligations to understand where the single-entry reporting point will create efficiency gains and where residual national requirements may persist
  • Reassess AI Act compliance roadmaps in light of the revised 2027–2028 deadlines, ensuring that extended timelines do not become an excuse for deferred investment in risk-based AI governance
  • Evaluate eligibility for expanded mid-cap relief, particularly for portfolio companies or subsidiaries approaching the 499-employee and €100 million thresholds

Key Takeaway

The EU Digital Omnibus signals a regulatory maturation: less fragmentation, more operational coherence, and a clearer framework for AI-era data governance. For boards and senior leadership, the proposal is not a reason to delay compliance investment—it is a prompt to redesign compliance architecture around integrated, durable programs that will remain fit for purpose as the legislative landscape continues to evolve. Firms that move now will convert regulatory change into competitive advantage; those that wait will find the window narrowing.