By Marcus Venn | Digital Rule Book | March 2026
The name 'omnibus' is accurate. This is not a targeted amendment to one law. It is a comprehensive attempt to rationalise six years of EU digital regulation into something businesses can actually implement. Understanding it matters — not because it removes your obligations, but because it changes the timeline and structure of those obligations in ways that directly affect your planning.
Why the Digital Omnibus Exists
The EU passed an extraordinary volume of digital legislation between 2019 and 2024: GDPR, the Digital Services Act, the Digital Markets Act, the AI Act, the Data Act, NIS2, the Cyber Resilience Act, DORA, eIDAS 2.0, the Data Governance Act. These laws overlap in scope, use different definitions, impose duplicate reporting obligations, and have staggered compliance deadlines that create constant administrative burden.
The Draghi Report — published in September 2024 — concluded explicitly that complex and overlapping EU regulations are contributing to the EU's lagging competitiveness. The Digital Omnibus is the Commission's response to that conclusion. Its primary purpose is simplification, not deregulation.
The Changes That Matter Most for Small and Medium Businesses
1. The AI Act High-Risk Delay
The most discussed Omnibus proposal is the delay to the AI Act's high-risk AI obligations. The current deadline is 2 August 2026. The Omnibus proposes to extend it through a 'stop-the-clock' period that ties the deadline to the availability of harmonised standards.
In practice, this means:
For Annex III high-risk AI systems (hiring, credit, education, healthcare): the deadline would be 6 months after the Commission confirms harmonised standards are available, with a backstop of 2 December 2027.
For Annex I high-risk AI systems (safety components of physical products): 12 months after standards are confirmed, with a backstop of 2 August 2028.
The reason for this delay is straightforward: the harmonised standards needed to implement the AI Act's technical requirements have not been completed on time. Enforcing compliance with requirements that lack the supporting technical infrastructure is not practical.
2. GDPR Simplification
The Omnibus proposes several changes to GDPR that will directly affect most businesses:
Extended breach notification deadline: from 72 hours to 96 hours. This is a practical improvement — 72 hours is extremely tight for large or complex incidents.
Narrowed breach notification threshold: notification will only be required when a breach is likely to result in high risk to data subjects' rights and freedoms.
Clarified definition of personal data: the Omnibus proposes clarifying that information an entity cannot reasonably link to an individual does not qualify as personal data.
Cookie rule modernisation: cookie rules are proposed to move from the ePrivacy Directive into GDPR, with browser-level preference signals that websites must honour.
3. Single Entry Point for Incident Reporting
One of the most practically valuable proposals in the Omnibus is the creation of a single entry point for cybersecurity incident reporting. Currently, a business that experiences a significant cyber incident may need to report it separately under GDPR, NIS2, DORA, the Cyber Resilience Act, the eIDAS Regulation, and the Critical Entities Resilience Directive — often to different authorities with different deadlines and formats.
The Omnibus proposes a single reporting portal managed by ENISA where businesses can file one notification that satisfies all parallel obligations. This alone will save significant administrative time and reduce the risk of compliance gaps in the chaos of an actual incident.
4. AI Literacy Obligation Shift
The AI Act's Article 4 currently requires organisations deploying AI to ensure their staff have sufficient AI literacy. The Omnibus proposes shifting responsibility for general AI literacy promotion to the Commission and member states through non-binding measures. Deployers retain their specific training obligations for high-risk AI systems.
5. Reduced Registration Burden
The Omnibus proposes removing the mandatory registration requirement for AI systems that the provider does not consider high-risk, where those systems perform only minor, procedural, or narrowly constrained tasks.
6. Small Mid-Cap Relief
A new category — Small Mid-Caps (SMCs), defined as businesses with up to 750 employees and 150 million euros in turnover — will benefit from reduced technical documentation requirements for high-risk AI systems.
What Is NOT Changing
It is important to be clear about what the Omnibus does not change:
GDPR's fundamental rights framework — the principles of lawfulness, fairness, and transparency, data minimisation, purpose limitation, and data subjects' rights — remains unchanged.
The EU AI Act's ban on unacceptable risk AI applications — social scoring, covert manipulation, real-time facial recognition in public spaces — remains in force with its current February 2025 application date.
NIS2's core cybersecurity obligations for critical sector entities remain. The Omnibus simplifies reporting but does not reduce security requirements.
The DSA's obligations for Very Large Online Platforms remain unchanged. The Omnibus does not touch VLOP obligations.
The Legislative Timeline: When Will This Take Effect?
The Digital Omnibus Package was proposed by the Commission in November 2025. It has now entered the ordinary legislative procedure, where it must be reviewed by the European Parliament and Council before it can become law.
The Commission is under significant time pressure: if the Omnibus amendments to the AI Act are not passed before 2 August 2026, the original high-risk deadlines apply. The practical implications for businesses:
Do not stop AI Act compliance work based on the Omnibus proposal. The delay is not guaranteed.
Do plan your GDPR processes assuming the 96-hour notification window and narrowed threshold may take effect in 2026 or 2027.
Do prepare for the single incident reporting portal — even though it is not yet operational, the direction of travel is clear.
Do monitor the results of the Digital Fitness Check consultation (closed March 11, 2026). The Commission's findings will shape further regulatory amendments in 2027.
Frequently Asked Questions
Q: Is the Digital Omnibus good or bad for businesses?
A: For most small and medium businesses, it is net positive — it reduces administrative burden, extends compliance timelines where technical standards are not available, and removes duplicate reporting requirements. It does not reduce the core protections that underpin your legal obligations.
Q: When will I know if the August 2026 AI Act deadline has been officially changed?
A: You will know when the Digital Omnibus Package completes the EU legislative process and is published in the Official Journal of the European Union. Monitor the European Parliament's legislative observatory (oeil.secure.europarl.europa.eu) for progress updates.
Q: Do the Omnibus cookie changes mean I can remove my cookie banner?
A: Not yet. Cookie changes are proposed to move into GDPR and be managed through browser-level preference signals, but this requires both legislative passage and technical infrastructure that does not yet exist. Your current cookie consent implementation remains legally required.
Q: How does the Digital Fitness Check relate to the Digital Omnibus?
A: They are parallel initiatives. The Omnibus makes specific, targeted amendments to existing laws. The Digital Fitness Check is a broader assessment of the cumulative impact of all EU digital legislation, with findings expected in Q1 2027. The Fitness Check may inform further legislative reforms beyond the Omnibus.
The Digital Omnibus Package is the most important EU regulatory development since the AI Act itself. It will reshape how EU digital law is implemented in practice for every business that operates online. Understanding it now — before it is finalised — puts you ahead of the compliance curve.
Digital Rule Book will continue covering the Digital Omnibus Package as it moves through the legislative process. The next analysis examines the Cyber Resilience Act's September 2026 obligations.
