For the past decade, the European Commissionโs approach to digital regulation moved in a single direction: more requirements, more frameworks, more compliance obligations. GDPR in 2018. NIS2 in 2023. The Digital Markets Act, the Digital Services Act, the Data Act, the AI Act. The compliance calendar for organizations operating in Europe became one of the most complex regulatory environments in the world.
In November 2025, the Commission proposed something genuinely unexpected: a package of rollbacks.
The EU Digital Omnibus โ formally the โDigital Package on Simplificationโ โ proposes to reduce the administrative burden of EU digital regulation by at least 25% for all businesses and at least 35% for small and medium enterprises by 2029. It would amend GDPR, delay major AI Act requirements, unify breach reporting across multiple regulatory frameworks, and reduce Data Act compliance burdens.
It is counterintuitive, it is significant, and it is not yet law.
This article explains what the Digital Omnibus proposes to change, what remains stable regardless of the proposalโs fate, and how compliance teams should plan in an environment of regulatory uncertainty.
Why the Commission Proposed This
The Digital Omnibus is the product of two concurrent pressures on European policymakers.
The first is competitiveness. European business groups, led by the European Round Table of Industrialists and echoed by major national governments, have argued for years that the cumulative compliance burden of EU digital regulation is placing European companies at a structural disadvantage relative to U.S. and Chinese competitors. The Draghi Report on European competitiveness, published in September 2024, made this case in detail and received significant political attention. The Digital Omnibus is partly a policy response to Draghi.
The second is implementation realism. Several major EU digital regulations โ the AI Act in particular โ were enacted on policy timelines that preceded the development of the harmonized technical standards and regulatory guidance that businesses need to implement them. By 2025, it became clear that the August 2, 2026 high-risk AI Act deadline would arrive before many of the compliance tools required to meet it were available. The Omnibus extension proposal reflects this practical reality.
What the Digital Omnibus Proposes to Change
AI Act: High-Risk Deadline Extension
The most immediately consequential proposal for organizations currently preparing for the August 2, 2026 AI Act compliance deadline is the extension provision.
The Digital Omnibus would link the start date of high-risk AI requirements under Annex III from August 2, 2026 to the availability of harmonized standards developed by European standards bodies (CEN/CENELEC). If those standards are not available โ and current projections suggest they will not be ready by August 2026 โ the extension would push the Annex III compliance deadline to August 2, 2028.
The two-year extension is being justified on implementation grounds: the conformity assessment process for high-risk systems, the EU database registration requirements, and the CE marking process all depend on harmonized standards that do not yet exist in final form.
What this means for compliance planning: Organizations should not halt their AI Act compliance work in reliance on this extension. The Digital Omnibus has not been enacted. The August 2, 2026 deadline remains the law today. What the Omnibus proposal does is create legitimate uncertainty about whether that deadline will hold โ and that uncertainty needs to be factored into planning, not used as a reason to stop preparing.
The prudent position: continue AI Act compliance preparation on the August 2026 timeline while monitoring the Omnibus legislative progress. If the extension passes, the work done is not wasted โ it produces a stronger compliance posture regardless of the specific deadline.
AI Act: SME and SMC Relief
The Digital Omnibus would expand certain protections currently available to SMEs (small and medium enterprises) to SMCs (small mid-cap companies) โ a somewhat larger class of companies. The specific reliefs include simplified technical documentation requirements and special consideration in the application of penalties.
For compliance purposes, the SME/SMC relief is operationally significant for mid-sized enterprises that had been planning to implement the full technical documentation standard. If the Omnibus passes, a simplified documentation pathway becomes available to a broader range of companies.
AI Literacy Obligation Shift
Under the AI Act as enacted, the obligation to foster โAI literacyโ โ ensuring that personnel understand how to use AI systems appropriately โ rests with individual organizations deploying AI. The Digital Omnibus would shift this responsibility from organizations to the Commission and Member States, who would become responsible for encouraging sector-appropriate training and support.
The practical effect of this shift is limited for large enterprises that have already implemented AI training programs. For smaller organizations, it reduces the compliance burden associated with demonstrating documented AI literacy programs.
GDPR: Personal Data Definition
One of the more technically significant GDPR proposals in the Digital Omnibus is a clarification of the definition of โpersonal data.โ
The Omnibus would anchor identifiability in โmeans reasonably likely to be used to identifyโ the natural person, providing a clearer standard for de-identification and anonymization assessments. Organizations that have been grappling with whether specific data sets constitute personal data under GDPRโs current broad definition would benefit from a more precise identifiability threshold.
GDPR: Special Category Data in AI Development
The Digital Omnibus includes an exemption permitting residual processing of special category personal data (health, biometric, ethnic origin, etc.) during AI model development and operation, subject to specific safeguards.
This provision directly addresses one of the most contested questions in EU AI compliance: whether training AI models on special category data requires an explicit legal basis beyond the research exemption. The Omnibus would create a defined pathway for this processing that does not currently exist with clarity in GDPR.
GDPR: DPIA and Breach Notification Clarifications
The Digital Omnibus proposes clarifications to:
- When Data Protection Impact Assessments (DPIAs) must be conducted โ the current standard produces significant variation in how organizations determine when a DPIA is required
- How and when to notify data breaches to supervisory authorities โ addressing the variation in how national DPAs interpret the 72-hour notification requirement
These are calibration changes rather than structural reforms, but they reduce the compliance uncertainty that produces variation in how organizations manage DPIA and breach notification obligations across EU member states.
Unified Incident Reporting
The most operationally significant simplification in the Digital Omnibus โ and the one that has received the least public attention โ is the proposal for a unified incident reporting entry point across multiple EU regulatory frameworks.
Currently, an organization that experiences a significant cybersecurity incident may be required to report to:
- Their national data protection authority (GDPR breach notification, 72 hours)
- Their national competent authority for NIS2 (early warning within 24 hours, full notification within 72 hours)
- Their financial regulator under DORA (for financial sector entities โ within 4 hours for major incidents)
- Additional sector-specific regulators depending on the nature of the organization
These notifications go to different authorities, on different timelines, using different templates. The compliance effort to produce simultaneous accurate notifications to multiple authorities under time pressure is substantial โ and the risk of inconsistency between notifications creates additional regulatory exposure.
The Digital Omnibus would create a single-entry point routing incident and breach notifications across GDPR, NIS2, DORA, eIDAS, and the Critical Entities Resilience (CER) directive, with harmonized templates and processes and a single notification satisfying multiple frameworks simultaneously.
This single-entry point is among the most practically useful simplifications in the package. For organizations currently maintaining separate notification procedures for each regulatory framework, it would meaningfully reduce both compliance cost and the risk of inconsistent multi-framework notifications.
Data Act Modifications
The Digital Omnibus also proposes modifications to the Data Act โ the EU regulation governing access to and use of data generated by connected products and services. The specific proposals include:
- Reduced data-sharing obligations for categories of data where the commercial sensitivity is high relative to the public interest benefit
- Simplified compliance documentation for SMEs and SMCs
- Clarification of the relationship between Data Act obligations and trade secret protections
The Data Act modifications are significant primarily for manufacturers of connected devices and IoT platforms, who face the most direct obligations under the actโs data-sharing provisions.
What Stays the Same Regardless of the Omnibus
Several important EU digital regulatory obligations are not addressed by the Digital Omnibus and remain in full force regardless of its legislative outcome:
GDPR core obligations. The fundamental GDPR framework โ legal bases for processing, data subject rights, processor agreements, DPA notification for major breaches โ is not proposed for repeal or major reduction. The Omnibus makes targeted amendments; it does not reduce the basic regulatory requirements that have been in force since 2018.
EU AI Act prohibited practices. The prohibitions on unacceptable-risk AI (social scoring, real-time biometric surveillance in public spaces, subliminal manipulation) are in force and not proposed for change.
EU AI Act general-purpose AI model obligations. Obligations on providers of general-purpose AI models (including most frontier AI providers) are not significantly addressed in the Omnibus.
NIS2 core obligations. Network and Information Security requirements remain in force. The unified reporting mechanism, if enacted, changes how notifications are routed but does not reduce the underlying obligation to notify.
DORA financial sector obligations. The Digital Operational Resilience Actโs requirements for financial entities remain in force. The unified reporting simplification affects the mechanics of notification, not the substance of resilience obligations.
Legislative Status and Timeline
The Digital Omnibus was proposed by the European Commission on November 19, 2025. It entered the EUโs ordinary legislative procedure, which requires approval by both the European Parliament and the Council of the EU (member state governments).
The comment and feedback period closed January 29, 2026. The proposal is now in active negotiation within the Parliament and Council. Based on the pace of similar EU digital legislation, a final decision is unlikely before late 2026 at the earliest โ and some provisions may take longer to resolve given disagreements among member states and parliamentary factions.
Several national data protection authorities and privacy advocacy organizations have criticized aspects of the proposal โ particularly the GDPR personal data definition changes and the special category AI processing exemption โ as weakening privacy protections in ways that undermine the GDPRโs original purpose. The Jacques Delors Centre, a prominent EU policy think tank, published a critical analysis arguing the Omnibus is โheading in the wrong directionโ on AI regulation.
These critiques create real legislative risk for the more ambitious simplification provisions. The unified reporting entry point and the documentation burden reductions for SMEs are less controversial and more likely to survive negotiation intact. The AI Act extension and GDPR personal data definition changes face more headwinds.
How Compliance Teams Should Plan
The Digital Omnibus creates genuine uncertainty for organizations planning their EU digital compliance programs for 2026 and beyond. The appropriate response is not to pause compliance work โ it is to build compliance programs that are robust to either outcome.
For AI Act compliance: Proceed on the August 2, 2026 timeline for Annex III obligations. If the extension passes, your preparation is not wasted. If it does not pass and you have not prepared, the exposure is material. The asymmetry strongly favors preparation.
For GDPR DPIAs and breach notification: Follow existing guidance and national DPA practice. The Omnibus clarifications, if enacted, will likely align with current conservative compliance practice. Organizations already meeting the current standard will not need to change their approach.
For incident response planning: Begin planning for unified reporting even before the Omnibus passes. The framework is likely to survive in some form; building your incident response structure around a single-entry-point model reduces the risk of having to restructure again post-enactment.
Monitor the legislative progress. The Digital Omnibus is moving through the EU legislative process with higher political priority than most EU digital legislation has received. Quarterly monitoring of parliamentary votes and Council positions is sufficient for most organizations.
The EU regulatory simplification trend is real โ and the Omnibus represents a genuine inflection point in European digital regulation. It is the first serious attempt by the Commission to reduce the compliance burden it has been building since 2018. Whether it succeeds in its most ambitious provisions will depend on a legislative negotiation that is still underway.
What is certain is that compliance planning in 2026 must account for this uncertainty โ not by ignoring it, and not by deferring preparation, but by building programs that remain sound under both the current legal framework and its most likely amended version.
Sources: European Commission Digital Package Proposal; EU AI Act Regulation 2024/1689; IAPP EU Digital Omnibus Analysis; White & Case Digital Omnibus Analysis; PWC EU Digital Omnibus Regulatory Relief; Wilson Sonsini EU Omnibus Proposals; Morrison Foerster EU Digital Omnibus on AI; Freeths Digital Omnibus Business Impact; Jacques Delors Centre Digital Omnibus Critique; Sourcingspeak Digital Omnibus Changes. This article is for informational purposes only and does not constitute legal advice.
