Skip to main content
AI omnibusdigital omnibusEU AI Act simplificationGDPR reformAI regulationEU digital policy

What Is the EU AI Omnibus (Digital Omnibus)?

The Digital Omnibus --- often referred to as the "AI Omnibus" --- is a package of simplification proposals presented by the European Commission in November 2025 to streamline the EU's digital rulebook. Rather than introducing new obligations, an "omnibus" amends several existing laws at once. This one targets the interaction between the EU AI Act, the GDPR, the Data Act, ePrivacy rules, and the cybersecurity incident-reporting regimes, with the stated goal of cutting administrative burden --- especially for SMEs --- and making compliance more coherent across overlapping laws.

The Digital Omnibus matters because it signals a shift in the EU's posture --- from rapid digital rule-making toward consolidation --- and because it is no longer hypothetical. In practice the package split into two tracks. The AI-focused part (the "AI Omnibus") moved fast: on 7 May 2026 the European Parliament and the Council reached a provisional political agreement to amend the AI Act, postponing key high-risk deadlines and easing some obligations, with formal adoption expected by mid-2026. The broader part --- proposed amendments to the GDPR and ePrivacy --- remains a separate package that has not yet reached agreement, and is the most contested, with privacy and digital-rights groups warning it could weaken hard-won protections. So the right reading in mid-2026 is: the AI timeline changes are all but settled; the data-protection changes are still very much in play.

TL;DR

The Digital Omnibus ("AI Omnibus") is a simplification package the European Commission proposed on 19 November 2025, amending several digital laws at once. It has split into two tracks. The AI Act amendments reached a provisional Parliament---Council agreement on 7 May 2026: high-risk obligations are postponed --- standalone (Annex III) to 2 December 2027 and product-embedded (Annex I) to 2 August 2028 --- partly because the harmonised standards needed to comply are not ready, plus SME-style relief extended to small mid-caps and stronger AI Act enforcement. The GDPR/ePrivacy amendments are a separate package, not yet agreed and the most contested. For data teams, postponed deadlines are breathing room, not a reprieve --- the obligations remain, and one governed source of truth is what makes meeting them tractable under any timeline.

Digital Omnibus Defined

In EU legislative practice, an "omnibus" is a single instrument that amends multiple existing laws together --- used when changes cut across several regulations that interact. The Digital Omnibus is the digital-policy counterpart to earlier 2025 simplification packages (such as the sustainability omnibus), part of a broader Commission drive to reduce reporting burden and improve EU competitiveness.

Its defining characteristics:

  • Simplification, not new rights or bans --- Its purpose is to streamline and align, not to create new categories of obligation.
  • Cross-cutting --- It touches the AI Act, GDPR, Data Act, ePrivacy, and cyber-incident reporting in one package, precisely because their requirements overlap.
  • A proposal in progress --- As of its 2025 presentation it is a Commission proposal entering the ordinary legislative procedure; its final shape depends on Parliament and Council.
  • Contested --- Industry groups broadly welcome it; privacy and civil-society organizations warn it could dilute GDPR and AI Act safeguards.

What It Proposes

The package bundles measures to reduce friction across the digital rulebook. The AI side now has an agreed shape after the 7 May 2026 deal; the data-protection side is still in negotiation. The main thrusts:

The Digital Omnibus --- One Package, Several Laws THE DIGITAL OMNIBUS --- ONE PACKAGE, SEVERAL LAWS DIGITAL OMNIBUS amends several at once EU AI ACT deadlines postponed GDPR easing duties --- not yet agreed DATA ACT · ePRIVACY alignment INCIDENT REPORTING NIS2 · DORA · GDPR · CRA GOALS Reduce burden · align overlapping duties · ease requirements for SMEs · single reporting entry points STATUS --- TWO TRACKS (as of June 2026) AI Act part: provisional Parliament---Council deal 7 May 2026 · GDPR/ePrivacy part: separate, not yet agreed
Click to enlarge

Changes to the AI Act

The most consequential part of the Omnibus is its treatment of the AI Act, where the provisional agreement of 7 May 2026 turned proposals into near-final terms. It responds to a recurring complaint: high-risk obligations were due to apply before the harmonised technical standards needed to comply with them existed. The agreed changes include:

  • Postponed high-risk deadlines. Obligations for standalone high-risk systems (Annex III) move from 2 August 2026 to 2 December 2027, and for high-risk AI embedded in regulated products (Annex I) to 2 August 2028 --- explicitly tied to the readiness of standards and guidance.
  • Eased transparency timing. Article 50 transparency duties broadly hold at 2 August 2026, but the watermarking requirement gets a grace period --- to 2 December 2026 for systems already on the market.
  • Lighter burden for smaller players. Compliance reliefs previously reserved for SMEs are extended to small mid-cap companies.
  • Stronger central oversight. The AI Office's enforcement powers over general-purpose AI are reinforced.

Formal adoption by Parliament and Council is expected by mid-2026, before the original 2 August 2026 milestone. The strategic signal is clear: the obligations are not going away --- their timing is being recalibrated to when compliance is actually feasible. Until the final votes, treat the dates as provisional.

GDPR & Reporting

Beyond the AI Act, the original November 2025 proposal reaches into data protection and incident reporting --- but this part travels as a separate package that, as of mid-2026, has not reached political agreement and remains the most contested:

  • GDPR simplification. Measures aimed at easing specific requirements --- for example, clarifying definitions, lightening record-keeping for smaller organizations, and addressing the use of personal data in AI training. These are the most disputed elements, with critics warning against eroding core data privacy protections.
  • Consolidated incident reporting. Today an organization may have to report a single incident under NIS2, DORA, the GDPR, and the Cyber Resilience Act, each with its own form and deadline. The Omnibus aims to consolidate these toward single entry points, reducing duplicate notifications.

Because this track is unsettled, organizations should plan for today's GDPR obligations to remain fully in force. If eventually enacted, these changes would not lower the bar for protecting personal data so much as reduce the number of times and ways organizations must demonstrate that protection.

What It Means for Data Teams

It would be a mistake to read "simplification" as "less governance." Whatever the final text, three things hold:

  • The substance survives. Simplifying paperwork does not remove the underlying duties --- to know your data, document your AI, protect personal information, and report incidents. It changes how often and in what form you prove it.
  • Coherence rewards a single source of truth. The whole premise of the Omnibus --- one incident, one report; aligned obligations across laws --- is far easier to meet when an organization has one governed inventory of its data and AI systems rather than separate spreadsheets per regulation.
  • Uncertainty raises the value of being ready. While timelines shift, the organizations best positioned are those whose data governance is already in order --- they can comply under either the original or the simplified regime without scrambling.

This is the consistent thread across the AI Act, DORA, NIS2, and the GDPR: the paperwork differs, but the foundation is the same --- a governed catalog, clear ownership, and traceable lineage. Dawiso's AI governance approach is to maintain that foundation once, so that whichever way the Omnibus lands, the evidence is already there.

Conclusion

The Digital Omnibus is the EU recalibrating, not retreating: a bid to make a dense digital rulebook workable without abandoning its goals. For organizations, the worst response would be to wait for the dust to settle and do nothing --- because the underlying obligations remain, and the proposal's own logic favors those who govern their data in one coherent place. Simplification is a reason to consolidate, not to relax. For a strategic take on what actually changed and what to adjust in your AI strategy, see our deep dive: The AI Omnibus --- What Changed in the EU AI Act.

See it in action

AI Governance

Trust and transparency in your AI use cases.

Table of contents

Digital Omnibus DefinedWhat It ProposesChanges to the AI ActGDPR & ReportingWhat It Means for Data Teams

Related Terms

What Is the EU AI Act?

The EU AI Act is the world's first comprehensive AI law, regulating AI by risk tier. Learn the four risk levels, the compliance timeline, and what it requires.

Read more →

What is context understanding in AI

Explore context understanding in AI, how systems comprehend situations, and why it's crucial for intelligence

Read more →

What is RAG in AI

Understand RAG (Retrieval-Augmented Generation) in AI, how it works, and why it's essential for accuracy

Read more →

Why is C AI asking my age

Learn why AI systems request age information for legal compliance, safety, and personalization

Read more →

Why is context important in AI

Learn why context is crucial in AI for accurate decisions, natural interactions, and robust systems

Read more →