The 2026 Digital Omnibus

The EU’s digital regulatory landscape has become a maze of overlapping directives, from the GDPR to the AI Act and the NIS2 cybersecurity framework. Companies that have invested heavily in compliance architectures, such as CMMC or ISO‑27001, now face the prospect of navigating yet another layer of rules. The Digital Omnibus, proposed by the European Commission in late 2025, is designed to cut through this clutter by harmonising definitions, consolidating reporting mechanisms, and reducing duplication across statutes. By offering a single, ENISA‑run portal for breach notifications and regulator inquiries, the package promises to simplify the day‑to‑day workload of data‑protection officers and security teams.

Among the most consequential provisions are the extension of the GDPR breach‑notification window from 72 to 96 hours and the formal recognition that AI model training can be pursued under the GDPR’s legitimate‑interest basis. This legal certainty removes a long‑standing gray area that has hampered AI development in Europe. The Omnibus also proposes a new pseudonymisation benchmark, allowing data deemed “practically unfeasible” to re‑identify to fall outside GDPR’s strictest controls—a move that could reshape data‑classification strategies for AI firms. Additionally, the “Stop the Clock” mechanism postpones high‑risk AI obligations until the Commission certifies that harmonised standards and guidance are in place, giving companies extra time to adapt.

For U.S. and other non‑EU multinationals, the Digital Omnibus signals a shift toward more predictable, streamlined compliance, potentially lowering legal spend and accelerating product roll‑outs. However, the proposals remain contentious, especially the pseudonymisation clause, and will undergo rigorous parliamentary scrutiny. Firms should begin mapping their current reporting workflows to the upcoming single‑entry architecture and reassess AI data‑processing practices to align with the anticipated legitimate‑interest framework, ensuring they are ready for the post‑Omnibus regulatory environment.