European data protection law is entering a period of structural recalibration. Two forces are reshaping the compliance landscape simultaneously: a push to simplify and harmonise GDPR enforcement across member states, and the phased entry into force of the EU AI Act, which introduces a parallel — and in several respects intersecting — layer of data governance obligations. For mid-market companies and multinationals alike, the window to align internal frameworks before full enforcement begins in August 2026 is narrowing.

Harmonised Enforcement: The EDPB’s 2026 Agenda

The European Data Protection Board has taken two significant steps that signal a more coordinated supervisory posture across EU regulators. First, the EDPB adopted a common data breach notification template, designed to standardise the format and speed of breach reporting across all 27 member states. For organisations without large in-house privacy functions — particularly mid-market firms operating across multiple EU jurisdictions — this reduces ambiguity but also raises the baseline expectation for response readiness.

Second, the EDPB launched the Coordinated Enforcement Framework (CEF) 2026, with a focus on transparency and information obligations under GDPR Articles 13 and 14. CEF rounds have historically resulted in coordinated investigations across national Data Protection Authorities, culminating in fines and binding decisions. CEF 2026 signals that transparency disclosures — privacy notices, data subject communications, and processing records — will face synchronised scrutiny at scale. General Counsel and Data Protection Officers should treat this as a near-term audit trigger, not a future consideration.

The GDPR–AI Act Overlap: A Compliance Blind Spot in the Making

The EU AI Act entered into force in August 2024 and reaches full application in August 2026. Its obligations do not exist in isolation from GDPR. For any AI system classified as high-risk under Annex III of the AI Act — including systems used in HR, credit scoring, biometric identification, and critical infrastructure — organisations must satisfy data governance requirements that directly interact with personal data processing obligations under GDPR.

The key convergence points include:

  • Lawful basis for AI training data: Processing personal data to train or fine-tune AI models requires a defensible legal basis under GDPR Article 6, and in many cases Article 9 for special category data. Reliance on legitimate interests is under increasing scrutiny.
  • Automated decision-making: GDPR Article 22 restrictions on solely automated decisions interact directly with AI Act requirements for human oversight of high-risk systems.
  • Data minimisation vs. model performance: AI systems often require large, diverse datasets; GDPR’s data minimisation principle creates a structural tension that must be resolved at the system design stage.

CTOs and Chief Data Officers who have treated GDPR and AI governance as separate workstreams are now facing a convergence that demands integrated enterprise risk management frameworks.

The Digital Omnibus: Operational Relief With Transition Costs

The European Commission’s Digital Omnibus proposal introduces targeted amendments to GDPR that could materially alter operational workflows. Among the most significant changes under consideration: raising the breach notification threshold (currently requiring notification of any breach likely to result in risk to individuals), extending the 72-hour notification deadline, and establishing a single point of contact for cross-border breach notifications. Cookie consent requirements are also under review, with proposals to reduce friction for low-risk processing.

While these changes represent genuine administrative relief, they are not passive. Each amendment will require updates to incident response playbooks, vendor contracts, and board-level risk reporting. Organisations that delay policy revision until final legislative text is adopted will face compressed implementation timelines.

Implications for Decision-Makers

The regulatory signals are consistent: the EU is moving toward higher enforcement coordination, broader scope, and deeper integration between privacy and AI governance. For CFOs, General Counsel, and board members, the practical priorities are clear:

  • Conduct a gap assessment against the EDPB’s CEF 2026 transparency priorities before Q3 2025.
  • Map AI systems against the EU AI Act’s risk classification framework and identify where GDPR obligations are triggered at the data governance layer.
  • Revise breach response procedures in anticipation of Digital Omnibus changes — particularly around notification thresholds and cross-border coordination.
  • Ensure that corporate governance structures assign clear accountability at board level for both GDPR and AI Act compliance, reflecting the ESG reporting and enterprise risk management expectations of institutional investors and regulators alike.

Key Takeaway

The GDPR–AI Act convergence is not a future compliance scenario — it is an active regulatory condition with an August 2026 enforcement deadline. Organisations that treat data privacy, AI governance, and regulatory compliance as integrated disciplines, rather than siloed legal functions, will be better positioned to absorb regulatory change without operational disruption. The firms that act now will set the terms; those that wait will be managing enforcement risk instead.