The European Commission’s proposed ‘Digital Omnibus’ package marks one of the most consequential regulatory recalibrations in the EU’s digital governance landscape since the GDPR entered into force in 2018. For CFOs, General Counsel, and enterprise risk management teams navigating overlapping obligations under the EU AI Act and GDPR, the proposal offers meaningful relief — but it does not eliminate the underlying compliance imperative. Strategic inaction during this window would be a costly miscalculation.

What the Digital Omnibus Actually Changes

The draft proposal, sourced from the European Commission and reported by Law.com, introduces two headline changes of immediate relevance to corporate governance teams.

First, the mandatory compliance deadline for high-risk AI systems under Annex III of the EU AI Act — covering use cases such as recruitment automation, credit scoring, and biometric identification — is extended from August 2, 2026 to December 2, 2027, a 16-month reprieve. Annex I systems, which intersect with existing EU product safety legislation, face a further extension to August 2, 2028. Critically, the proposal also confirms that high-risk obligations will apply 36 months post-entry into force (the Act entered force in August 2024), unless harmonized technical standards are confirmed earlier by the Commission.

Second, the proposal targets GDPR administrative friction directly. It introduces a single-entry point for data breach reporting, consolidating notification thresholds to reduce the multi-jurisdictional burden that currently requires parallel filings with supervisory authorities across Member States. Additionally, the draft proposes narrowing GDPR scope in specific contexts to facilitate the use of personal data in AI training datasets — a provision that will be of particular interest to technology-intensive enterprises and financial institutions developing proprietary models.

A further provision extends the Article 50 labeling obligation for AI-generated content to February 2, 2027 for providers who placed systems on the market prior to the original deadline, providing operational breathing room for product and compliance teams.

Why This Is Not Permission to Pause

The instinct among mid-market firms may be to treat deadline extensions as a compliance holiday. That interpretation carries significant enterprise risk. Several structural realities argue for continued forward momentum:

  • Harmonized standards may accelerate timelines. The Commission retains the authority to confirm harmonized standards ahead of the extended deadlines, potentially restoring the original August 2026 applicability window for high-risk systems. Organizations that have deprioritized AI Act readiness assessments are exposed to a compressed implementation scenario.
  • GDPR enforcement is not paused. The proposed GDPR streamlining measures remain draft proposals subject to legislative process. Existing data privacy obligations — including breach notification, lawful basis documentation, and data subject rights — remain fully enforceable. The data governance integration between GDPR and the AI Act means that gaps in one framework create cascading exposure in the other.
  • Board-level scrutiny is intensifying. In the context of broader ESG reporting and AML compliance frameworks, regulators and institutional investors are increasingly treating AI governance as a material risk disclosure item. General Counsel should anticipate that AI Act readiness will feature in due diligence processes for M&A transactions and financing rounds within the next 12 to 18 months.

Implications for Business: A Prioritization Framework

For decision-makers, the Digital Omnibus creates a defined strategic window. The following priorities should be addressed before Q4 2025:

  • Conduct an Annex III system inventory. Map all AI systems currently in deployment or procurement against the high-risk categories defined in Annex III. Recruitment tools, credit decisioning engines, and risk-scoring models used in financial services are among the most exposed asset classes.
  • Integrate AI Act and GDPR data governance workstreams. The Commission’s intent to align these frameworks operationally means that siloed compliance programs will generate redundant costs and gaps. A unified data privacy and AI governance function is now a structural necessity, not a best practice.
  • Engage legal counsel on the single-entry breach reporting mechanism. While not yet enacted, the proposed consolidation should inform how corporate governance teams are structuring their incident response protocols today.
  • Update third-party and vendor risk assessments. AI Act obligations extend to deployers of third-party high-risk AI systems. Vendor contracts executed before the extended deadline should be reviewed for compliance representation and warranty provisions.

Key Takeaway

The EU Digital Omnibus proposal provides a 16-month extension for high-risk AI compliance and meaningful GDPR administrative relief — but it does not alter the fundamental architecture of the regulatory obligations that European and globally operating enterprises must meet. For CFOs and General Counsel, the most defensible posture is to treat this window as an acceleration opportunity: use the additional runway to build durable, integrated compliance infrastructure rather than defer investment. Organizations that arrive at December 2027 unprepared will face a compressed, high-cost remediation cycle — and a regulatory environment with significantly less tolerance for delay.