Parts of the AI Act to be delayed
On 20 November 2025, the European Commission unveiled a long-anticipated package aimed at simplifying digital regulation, commonly referred to as the Digital Omnibus. Its purpose is to streamline the growing body of EU rules in the digital and data domain, reduce duplication and strengthen Europe’s competitiveness. For IT decision-makers, CTOs, CISOs and security leaders, this is far from a theoretical Brussels exercise; it represents a tangible shift in the regulatory environment that will directly affect roadmaps, budgets and compliance processes.
At its core, the package touches several major regulatory frameworks simultaneously: the EU AI Act, the GDPR, the NIS2 Directive and DORA. It also includes adjustments to cookie rules and a consolidation of data-related regimes linked to the Data Act. In parallel, the Commission is launching a Data Union Strategy and further initiatives designed to improve access to high-quality data for AI.
This raises key questions: What is driving these changes, what will actually change in practice, and how should companies respond?
Why the Commission is simplifying now
The EU’s digital regulatory landscape has expanded rapidly in recent years. New laws and regulations aim to make innovation safer, protect fundamental rights and strengthen cyber resilience. At the same time, businesses are faced with overlapping requirements, inconsistent definitions and parallel reporting obligations. The Commission is responding to a widely voiced concern that complex and partly redundant regulation is hampering investment and weakening Europe’s competitive position. This view was expressed prominently in the Draghi Report on EU competitiveness and is a key driver behind the simplification agenda.
The Digital Omnibus is one of several initiatives reviewing different regulatory areas for potential streamlining. In the digital sphere, the debate is particularly sensitive because the tension between protection and innovation is more pronounced than in many other sectors.
In practice, the EU is not rolling back digital rules but making them more compatible, more consistent and, in some cases, more realistic in terms of timelines. This will ease pressure for many organisations, but it also requires adjustments to internal governance and compliance structures.
What the Digital Omnibus contains
The Commission highlights several far-reaching changes, including:
- A delay in the high-risk AI provisions of the AI Act
- A unified reporting channel for cybersecurity incidents
- A reform of the GDPR to create a more innovation-friendly framework
- Modernised cookie rules
- Consolidation of multiple data regimes under the Data Act
These measures are interconnected and impact the entire chain from data processing and security management to AI development and operational workflows.
AI Act: Delay of high-risk provisions and implications for AI programmes
The most visible step is the planned postponement of the AI Act’s high-risk system requirements—by up to 16 months. The Commission argues that harmonised standards, guidelines and support tools needed for implementation are not yet sufficiently available.
For many organisations, this offers short-term relief—particularly in areas such as identity processes, fraud detection, HR screening, OT monitoring or medical and financial applications. The extra time helps companies evaluate models more thoroughly, stabilise data pipelines, build documentation and audit supply chains for AI compliance.
However, this is not an invitation to pause. Companies scaling AI should use the buffer period to prepare for high-risk obligations, including:
- Clear system classification
- Risk and impact assessments
- Training data governance
- Logging and monitoring
- Human oversight processes
Those who put these foundations in place now will face significantly less friction once the obligations fully apply.
Strategically, the delay also shows that the EU is ambitious but pragmatic. It is willing to adjust timelines if the ecosystem and standards are not ready. This makes regulatory planning more flexible, but also increases the need for scenario-based planning rather than rigid deadline-driven approaches.
GDPR, NIS2 and DORA: Less friction in data protection and reporting
GDPR reform for more innovation flexibility
The Commission plans to update the GDPR to create a more innovation-friendly data protection environment. This includes adjusting thresholds and deadlines in the data-breach notification regime, clarifying definitions such as “personal data”, and introducing new exceptions and clarifications to support the development and operation of AI systems.
For privacy and security teams, this offers more operational flexibility. Reporting obligations would become less mechanical and more risk-based, allowing resources to be focused on incidents with real impact. However, companies will need to document breach criteria and internal decisions carefully to ensure transparency and accountability.
For AI projects, clearer definitions on lawful AI-relevant data processing would provide the legal certainty needed to prevent use cases from stalling or remaining stuck in pilot stages due to unclear interpretations.
Unified incident reporting
A single entry point for cybersecurity incident reporting is also planned. Instead of submitting separate notifications under NIS2, GDPR and DORA, organisations will use a unified mechanism—potentially built on the platform developed for the Cyber Resilience Act.
This could significantly increase efficiency. Anyone who has dealt with incident reporting under time pressure knows the challenge of managing multiple deadlines and formats. A single reporting channel reduces complexity and can improve data quality through standardised fields and taxonomies.
However, this requires organisations to redesign their reporting workflows. Many have separated NIS2, GDPR and DORA into distinct compliance streams. The Omnibus will require an integrated model with centralised registers, harmonised severity criteria and coordinated communication processes.
Data law, cookies and the Data Union Strategy
Consolidation under the Data Act
The EU intends to merge several data regimes into the Data Act, including the Free Flow of Data Regulation, the Data Governance Act and the Open Data Directive. Once combined, these rules will be better aligned and streamlined.
For companies, this primarily affects governance. Today, different legal sources must be consulted depending on data type, sector and purpose. Consolidation simplifies the development of data strategies, especially for organisations using cross-border data for AI, analytics or platform models.
Modernised cookie rules
The Commission also plans to reduce the number of cookie banners and shift preference management more strongly to the browser level.
This is a practical step for digital teams: fewer banners improve user experience, raise conversion rates and reduce the operational burden of consent management. The responsibility for proper tracking and purpose limitation, however, remains unchanged.
Data Union Strategy: More high-quality data for AI
Alongside simplification, the Commission is launching a Data Union Strategy to make more high-quality data available for AI. This includes a Data Act Legal Helpdesk and measures to strengthen European data sovereignty, for example, protecting sensitive non-personal data and establishing fair-use rules for EU data abroad.
This signals a clear commitment to building a strong European AI ecosystem. Not only should regulation be safe, but data should also be readily usable. For industry, critical infrastructure and SMEs, better access to data spaces may be decisive in moving AI projects from pilots into production.
What companies should do now
Although the package still requires consultation and approval by Parliament and Council, early preparation is advisable.
- Conduct a cross-regulatory gap analysis. Review AI Act, GDPR, NIS2 and DORA together, not in isolation. Identify definitional inconsistencies, duplicate evidence requirements and processes that may later converge.
- Integrate incident reporting. If a single entry point emerges, integration will be essential. Build a central incident register, harmonise severity scales and define responsibilities for consolidated reporting.
- Accelerate AI governance. The AI Act delay creates time but is not a suspension. Develop model inventories, classification methods, monitoring frameworks and documentation practices now.
- Adapt your data strategy. As data regimes converge, re-map data flows, data types and access rights. This can reduce long-term compliance costs, particularly in hybrid multi-cloud and edge environments.
- Prepare marketing and product teams for new cookie rules. Review your consent tools, assess readiness for browser-based preference models and ensure compliant tracking practices.
Conclusion
The Digital Omnibus package and the delayed AI Act provisions mark a clear policy shift: fewer parallel rules, greater consistency and more realistic implementation timelines. This does not eliminate requirements; it brings them closer together and makes them more risk-based. That creates room for innovation, especially in AI and data-driven applications, while simultaneously demanding adjustments to governance, integrated reporting, AI risk management and data strategy.
Damovo can support organisations throughout this transition: from assessing the affected regulations to integrating existing compliance programmes, building unified incident reporting processes and implementing AI governance and data protection measures. This helps companies achieve legal certainty and accelerate their digital and AI initiatives, without unnecessary bureaucracy, but with solid compliance.