For the better part of a decade, doing business under EU digital law has been challenging, with the GDPR, ePrivacy updates, the NIS2 Directive, the AI Act, the Data Act, and others arriving in rapid succession. For organizations already investing heavily in compliance frameworks like CMMC, the prospect of layering on yet another set of requirements has been a frustrating additional burden.
The Digital Omnibus, formally proposed by the European Commission in November 2025 and now working its way through the European Parliament and Council, is a sweeping effort to align overlapping definitions, consolidate reporting obligations, and bring coherence to what the Commission itself has acknowledged is regulatory “clutter.”
For companies that have already built compliance architectures, this Omnibus can help make cross-regulation compliance that much easier.
What Is the 2026 Digital Omnibus?
The EU Digital Omnibus is a legislative package introduced by the European Commission on November 19, 2025, aimed at simplifying and streamlining Europe’s growing stack of digital regulations. Here’s what it’s about:
The Commission frames it as a means of reducing duplication and regulatory friction while formally maintaining the existing rights and enforcement frameworks. In practice, the package proposes technical amendments across a broad set of digital laws. It comes in two main parts: one covering the broader digital and data framework (including GDPR and ePrivacy changes), and a second focused on the AI Act and related timelines, compliance for SMEs, and the AI Office’s powers.
What Is Included in the 2026 Digital Omnibus?
There are several areas where this Omnibus is changing how organizations interact with regulations in the EU:
A Single Entry Point for Inquiries
Non-EU companies have long struggled with the fragmented nature of EU regulatory engagement: different directives for different authorities, all working through different portals. The Digital Omnibus introduces a Single Entry Point as a unified channel for regulatory inquiries and incident notifications. Instead of coordinating with data protection authorities, Cybersecurity Incident Response Teams (CSIRTs), and sector-specific regulators, organizations will be able to engage through a single, consolidated interface.
The AI Literacy Mandate
Under the current AI Act, providers and vendors of AI systems must ensure their staff have a sufficient level of AI literacy as defined by law. The Digital Omnibus proposes reframing this as an obligation on the Commission and member states to encourage such measures rather than mandate them directly.
Business leaders remain legally accountable for the AI tools their teams deploy. The risk of shadow AI is real, growing, and carries enforcement consequences, and leaders in a given organization aren’t excused from governing their AI systems and protecting data regulated under GDPR and related regulations.
The End of the 72-Hour Notification Requirement
Under the existing GDPR, organizations have 72 hours to notify the authorities of a personal data breach. The Digital Omnibus proposes extending this window to 96 hours for high-risk incidents.
This expansion gives technical teams the time to complete forensic triage before the legal clock expires. It reduces the frequency of premature or incomplete notifications and aligns the breach notification threshold for supervisory authorities with that already used to notify affected individuals.
Centralizing Reporting
The Single Entry Point is a massive shift in how organizations interact with regulators. To add to that, the proposed Omnibus also states that a single incident report would satisfy the notification requirements under the GDPR, NIS2 (cybersecurity), and DORA (financial services). The portal, to be established under the NIS2 Directive and operated by ENISA, will automatically route notifications to the appropriate authorities.
For SOCs and incident response teams, this eliminates the need to prepare and submit different reports to different regulators.
- A single-submission workflow replaces multiple parallel notification processes under GDPR, NIS2, DORA, and sector-specific regulations.
- Automated routing ensures the right authorities receive the right information without manual coordination.
- Harmonized content requirements reduce the risk of inconsistencies between reports filed with different regulators.
- Unified timelines eliminate the need to track and manage different notification deadlines for the same incident.
- Reduced coordination overhead frees incident response teams to focus on containment and remediation rather than paperwork.

Redefining Personal Data for AI
The Digital Omnibus introduces a new technical standard for pseudonymization that could fundamentally alter how organizations approach data classification for AI development. Under the proposed framework, if an organization can demonstrate that re-identification of pseudonymized data is “practically unfeasible” using current technology, that data may fall outside the scope of GDPR for certain purposes, including AI model training.
This is one of the most politically sensitive proposals in the entire package. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have both criticized the drafting, warning that it risks significantly narrowing the concept of personal data. Council compromise texts suggest this provision may be substantially revised or removed entirely.
Training Data and “Legitimate Interest”
AI model development has been a contentious discussion under GDPR. The Omnibus settles this conversation by stating that AI model development and operation are legitimate interests under the GDPR. This provides the legal clarity that organizations have been seeking since the AI training data debate intensified in 2023 and 2024.
A new Article (88c) in GDPR would confirm that processing personal data for AI development may generally be pursued on the basis of legitimate interest, where appropriate. Additionally, a new condition under Article 9 would allow limited processing of residual special category data (such as health or biometric data) during AI development, provided that the organization implements appropriate measures to prevent such data from being included.
Organizations relying on the legitimate interest framework for AI training must implement robust technical and organizational measures. The requirements are substantive:
- Enhanced transparency obligations that clearly communicate to data subjects how their data contributes to model training, including the specific purposes, the categories of data used, and the intended outcomes of the AI system
- Functional “Right to Object” mechanisms that operate at the dataset level as a technically-implemented capability that can identify, isolate, and remove an individual’s data from training datasets upon request
- Documented balancing tests that weigh the organization’s legitimate interest against the rights and freedoms of data subjects, with particular attention to the scale of data processing and the sensitivity of the data involved
- Ongoing monitoring and audit processes that ensure compliance is maintained throughout the model lifecycle, not just at the point of initial data collection
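The "Right to Object" bullet above calls for a dataset-level capability that can identify, isolate, and remove one individual's records from training data. The following is an added illustration of one way to build that capability, not code from Lazarus Alliance or from the Omnibus text: training examples are indexed under a keyed pseudonym (HMAC-SHA256 of the subject identifier under a controller-held secret), so the dataset itself never stores the raw identifier, an objection can still be honoured by recomputing the pseudonym, and every removal is written to an audit record. The key value, the subject identifiers and the example records are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo secret. In production this key is held by the controller in a
# KMS/HSM and never shipped with the dataset; destroying it severs the link back
# to real identities, which is what makes re-identification "practically unfeasible"
# for anyone holding only the dataset.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(subject_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: deterministic within one key, not reversible without it."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class TrainingDataset:
    # pseudonym -> list of training examples attributed to that subject
    records: dict = field(default_factory=dict)
    # append-only log of objections handled; stores the pseudonym, never the raw id
    audit_log: list = field(default_factory=list)

    def add(self, subject_id: str, example: str) -> None:
        self.records.setdefault(pseudonymise(subject_id), []).append(example)

    def identify(self, subject_id: str) -> list:
        """Locate everything attributed to a subject (the 'identify' step)."""
        return list(self.records.get(pseudonymise(subject_id), []))

    def remove(self, subject_id: str, reason: str = "Art. 21 objection") -> int:
        """Isolate and drop a subject's records; returns how many were removed."""
        pid = pseudonymise(subject_id)
        removed = self.records.pop(pid, [])
        self.audit_log.append({"pseudonym": pid, "removed": len(removed), "reason": reason})
        return len(removed)

    def size(self) -> int:
        return sum(len(v) for v in self.records.values())


def build_demo_dataset() -> TrainingDataset:
    """Constructed sample data: two subjects, three examples."""
    ds = TrainingDataset()
    ds.add("subject-a@example.com", "support ticket text (constructed)")
    ds.add("subject-a@example.com", "product review text (constructed)")
    ds.add("subject-b@example.com", "forum post text (constructed)")
    return ds


if __name__ == "__main__":
    ds = build_demo_dataset()
    print("before:", ds.size(), "examples")
    print("removed:", ds.remove("subject-a@example.com"))
    print("after:", ds.size(), "examples;", len(ds.audit_log), "audit entries")
```

Two caveats worth noting. The pseudonym protects only the index: if the example text itself carries names or other identifiers, removing the index entry does not make the remaining content non-personal, so content-level redaction is a separate control. And an objection honoured against the dataset does not by itself remove the subject's influence from a model already trained on it; whether retraining or unlearning is required is a question the balancing test in the list above has to answer.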
Delay in High-Risk Obligations
The AI Act has special classifications for high-risk systems, which include a set of rules scheduled to take effect in August 2027. Organizations preparing for the AI Act’s high-risk system obligations received an unexpected reprieve. The Digital Omnibus introduces a “Stop the Clock” mechanism: a conditional grace period that delays the application of high-risk AI rules until the Commission confirms that key implementation measures, such as harmonized standards and guidance, are available.
Comparing Pre- and Post-Omnibus Regulations
| Feature | Pre-2026 | 2026 Omnibus |
| --- | --- | --- |
| Breach Window | 72 Hours | 96 Hours |
| Reporting | Multiple portals (DPA, CSIRT, etc.) | Single Entry Point |
| AI Data Use | Legal grey area | Legitimate Interest recognized |
| Data Definition | Broad and often ambiguous | Case-law aligned |
| SME Support | One size fits all | Proportional exemptions for SMCs |
| Cookie Consent | Fragmented national rules under ePrivacy | Browser-level signals and simplified consent flows under GDPR |
| AI Act Timelines | Fixed, August 2026 deadline | Conditional grace period through late 2027/2028 |
Count on Lazarus Alliance to Stay Ahead of GDPR and EU Regulations
The proposals in the Digital Omnibus remain subject to amendment as they move through the European Parliament and Council. Negotiations are expected to be contentious, particularly on provisions touching fundamental rights and the scope of simplification measures. But the direction seems to be significant for how data privacy and AI are managed in the EU, and AI-forward companies in the US would do well to pay attention.
To learn more about how Lazarus Alliance can help, contact us.