In late 2025 and in the first quarter of 2026, the European Commission introduced a dual-track legislative package known as the Digital Omnibus. This package consists of the Digital Omnibus Act and the AI Omnibus, and it is not simply a set of new regulations, but rather an instrument that is designed to remove internal contradictions and lower the administrative burden on businesses. This shift is expected to help the EU reach its goal of reducing reporting obligations by 25% to boost industrial competitiveness.
The Digital Omnibus: Key Provisions Regarding Data and Cyber Landscape
One of the primary legal challenges in the cyber world today is so-called compliance fragmentation. One data breach or cyberattack could trigger different reporting requirements under four different laws (GDPR, Network and Information Systems Directive, Digital Operational Resilience Act, and the Data Act). Those requirements sometimes had conflicting timelines and formats, and the Digital Omnibus aims to address this through several structural changes. The Act establishes a Single Reporting Portal for all cybersecurity and data incidents. Instead of notifying multiple national and EU authorities, a business can send a single digital notification. The portal then automatically routes all the relevant data to the necessary regulators, so that the business reports just once.
Contrary to what was the standard in the early GDPR era, the Omnibus moves away from intrusive cookie banners. It introduces browser-level preference signals, allowing users to set their privacy choices once at the software level. Websites are legally required to respect these signals automatically, eliminating the need for repeated accept/reject pop-ups and lowering the technical expenses for web-based businesses.
Finally, to encourage AI development, the Omnibus clarifies the definition of pseudonymised data. It establishes that if the holder of the data can’t reasonably re-identify individuals, that data may be treated as non-personal in specific research and industrial contexts. This creates a safe space for training models without the whole administrative weight of the GDPR’s personal data requirements.
Updating the Rules on Artificial Intelligence: AI Omnibus
While the AI Act that entered into force in 2024 set the standard for safety, its implementation was met with an industrial reality check. The AI Omnibus, agreed upon by the Parliament in March 2026, serves as an adjustment that would ensure the Act does not become a constraint on innovation for European tech firms. The most visible change is the postponement of the high-risk AI deadlines. Under the original rules, obligations for high-risk systems were set to apply in August 2026. However, due to delays in the development of harmonised standards (the technical blueprints companies must follow to prove compliance), the Omnibus has extended these deadlines. Obligations for systems in areas such as biometrics or critical infrastructure are now expected to apply in December 2027, while AI embedded in regulated products (e.g. medical devices or vehicles) has been pushed to August 2028. This pause gives the industry the time it needs to adapt to the technical standards once they are made final.
A key challenge in AI development is that removing bias from a model requires developers to access the very sensitive data (such as race, health, etc.) that must be protected. The AI Omnibus creates a specific GDPR exemption for de-biasing. It allows companies to process special categories of personal data for the strict purpose of identifying and correcting discriminatory patterns in high-risk AI systems, provided that tight security safeguards are in place. The Omnibus also addresses the rise of generative AI by introducing a specific grace period for content watermarking. Providers of AI systems already on the market before August 2026 will most likely have until November 2026 (the exact timeline will depend on the final trilogue agreement) to implement technical markers that identify synthetic audio, images, or text. This approach allows existing products to remain on the market without interruption and at the same time gives companies the necessary time to integrate mandatory safety features like AI content watermarking.
Strategic Impact
The Digital and AI Omnibus packages are intended to give companies a more predictable market by harmonising conflicting rules and reducing legal uncertainty. By simplifying the registration of low-risk systems, the EU is attempting to lower the entry barrier for SMEs and small mid-caps. This transition represents a shift from a top-down regulatory approach, which focused primarily on prohibitions and penalties, toward a model that prioritises simplifying business operations for compliant companies. At the same time, it aims to maintain strict security and sovereignty standards. In this new framework, the European Union is expected to act less as a distant enforcer and more as a strategic partner that removes administrative burden for those who align with the Union’s security and industrial goals.
Companies that proactively align their supply chains and data management with these standards will gain a competitive edge – they will be shielded by EU regulations that restrict market access for high-risk foreign rivals, while simultaneously benefiting from the expedited administrative processes that allow for faster expansion across the entire European market.
Read the full Regulatory Horizon Report by B&K Agency:
