The European Commission has introduced one of the most consequential regulatory recalibrations since GDPR came into force in 2018. The proposed Digital Omnibus package seeks to streamline overlapping obligations under GDPR, the EU AI Act, NIS2, DORA, eIDAS, and the Critical Entities Resilience (CER) Directive into a more unified compliance framework. For CFOs, General Counsel, and Chief Risk Officers managing enterprise risk management programmes across European operations, this proposal demands immediate strategic attention — even before it clears the European Parliament and EU member states.
Key Provisions: What the Digital Omnibus Actually Changes
The draft package introduces several material modifications to existing regulatory architecture:
- Extended breach-notification deadline: The 72-hour GDPR notification window would be raised to 96 hours, providing modest but meaningful operational relief for data privacy and cybersecurity response teams.
- Single-entry reporting point: A unified incident-reporting mechanism would consolidate obligations across GDPR, NIS2, DORA, eIDAS, and CER — reducing duplicative filings that currently burden compliance functions in financial services, critical infrastructure, and digital platform sectors.
- Legitimate interests basis for AI training: Controllers would be explicitly permitted to process personal data for AI training and operation under a legitimate-interests legal basis, addressing a significant grey area that has constrained enterprise AI development under current GDPR interpretation.
- Delayed AI Act high-risk deadlines: Compliance timelines for high-risk AI systems would shift from August 2026 to December 2027 or August 2028, depending on system classification — providing a longer runway for organisations building or deploying regulated AI applications.
Taken together, these provisions signal a Commission pivot toward competitiveness without formally dismantling the rights-based architecture that underpins European data privacy law.
The Enforcement Risk That Simplification Does Not Remove
Decision-makers should resist interpreting the Digital Omnibus as a relaxation of substantive obligations. EU privacy regulators have simultaneously issued updated guidance directed at AI firms, reaffirming that any personal-data processing must have a clear, well-defined, and truly essential rationale. This is not rhetorical caution — it signals continued enforcement appetite under GDPR regardless of legislative reform.
Critically, the AI Act’s prohibited practices and its August 2026 transparency rules remain intact under the current draft. This creates a dual-track compliance reality: organisations will still need to maintain parallel GDPR and AI Act governance frameworks, even if certain procedural requirements are consolidated. For companies with AI systems touching biometric data, credit scoring, HR decisions, or critical infrastructure, the high-risk classification thresholds and associated conformity obligations have not been relaxed — only deferred.
From a corporate governance perspective, boards that treat the extended deadlines as permission to delay internal AI governance programmes will be exposed. Regulators have consistently demonstrated that good-faith preparation — documented policies, data protection impact assessments, and AI risk registers — is a material factor in enforcement discretion.
Implications for Business: Strategic Priorities for 2025
For mid-market and enterprise organisations operating across EU jurisdictions, the Digital Omnibus creates both opportunity and obligation:
- Reassess your AI data strategy now. The proposed legitimate-interests basis for AI training does not eliminate the requirement for a documented balancing test. Legal and compliance teams should begin building the evidentiary record that will withstand regulatory scrutiny — particularly given watchdog guidance issued in parallel.
- Rationalise your incident-response architecture. The move toward a single-entry reporting point is an opportunity to consolidate what are often fragmented notification workflows across GDPR, NIS2, and DORA. Organisations in financial services and critical sectors should initiate a cross-functional review of their breach-response protocols before the Omnibus is finalised.
- Do not defer AI Act readiness programmes. The shift of high-risk AI deadlines to 2027–2028 provides time, not exemption. M&A due diligence processes should already be incorporating AI Act compliance status as a material risk factor — particularly in technology acquisitions and digital transformation transactions.
- Align ESG reporting and data governance. As ESG reporting obligations under CSRD intersect with data privacy and AI transparency requirements, integrated governance frameworks will reduce duplication and strengthen board-level oversight.
Key Takeaway
The EU Digital Omnibus represents a pragmatic recalibration, not a structural retreat from Europe’s regulatory ambition. The 96-hour breach window, unified reporting, and extended AI deadlines reduce friction — but the substantive obligations under GDPR, the EU AI Act, and sector-specific regimes remain firmly in place. Organisations that use this window to build robust, integrated compliance programmes will be better positioned competitively and defensively. Those that interpret simplification as deregulation will find themselves exposed when enforcement cycles accelerate post-2026.