EU Digital Omnibus proposes delay of AI compliance deadlines

In response to pressure from within the EU and abroad, the proposal seeks to simplify the digital rule book

November 20, 2025

The European Commission has released two major proposals that could reshape how organizations operating in the EU handle AI governance, data protection, cybersecurity incident reporting, and cookie consent. Together, these updates — known as the Digital Omnibus Regulation proposal and the Digital Omnibus on AI Regulation proposal — aim to simplify Europe’s digital rulebook while still tightening protections for users and strengthening market trust.

These proposals introduce real changes worth watching. Here’s a breakdown of what happened, what’s coming next, and what it means for your business and your customers.

 

What changes did the European Commission’s Digital Omnibus propose?

The European Commission proposed sweeping legislative updates in five key areas:

  • AI Act high-risk requirements
  • Data subject rights
  • Data protection impact assessments (DPIAs)
  • Cyber incident reporting
  • Cookie consent rules

The EU is officially proposing to delay enforcement of high-risk AI requirements, shifting major deadlines out of 2026 and deeper into 2027.

For deeper analysis on the full scope of the EU AI Act Omnibus, visit DataGuidance.

This change is not about weakening the AI Act. Instead, the Commission is restructuring the rollout to align with the actual readiness of the ecosystem, which includes standards, authorities, guidance, and tools, so that organizations can realistically comply.

 

Why is the EU proposing to extend the AI Act timeline? 

When the AI Act was adopted, its high-risk obligations were planned to phase in by August 2, 2026, with full enforcement by August 2, 2027. But the infrastructure needed to support compliance hasn’t arrived on time.

Key gaps include:

  • No harmonized technical standards
  • No common specifications or conformity tools
  • Many EU member states still lack operational supervisory authorities
  • Businesses reported no practical way to meet 2026 obligations
  • AI Pact early adopters confirmed guidance and assessment pathways were insufficient

The EU’s AI compliance ecosystem wasn’t ready, so enforcing 2026 deadlines wasn’t feasible. The Digital Omnibus proposes extended transition periods and conditional enforcement tied to the availability of standards and official guidance.

 

Will delayed deadlines weaken the AI Act? 

Instead of sweeping postponements, the Commission is introducing structured, legally defined extensions. These mechanisms collectively push most high-risk enforcement into 2027, while maintaining the AI Act’s core protections.

 

1. Enforcement linked to standards and guidance

High-risk obligations will not kick in until essential compliance tools like harmonized standards and Commission guidelines are available. This prevents organizations from having to comply based on guesswork.

 

2. Extra time for complex high-risk categories

High-risk systems defined in Article 6(1) and Annex I get longer transition windows, recognizing their dependence on delayed standards.

 

3. A six-month extension for generative AI watermarking

Machine-readable detection of AI-generated content (Article 50(2)) is now pushed to February 2027 for systems already on the market.

 

4. Simplified obligations for SMEs and small mid-caps

Documentation, quality management systems, post-market monitoring, and human-oversight expectations are being scaled appropriately, giving smaller companies runway to comply.

The breakdown of those company sizes includes:

  • Small: Fewer than 50 employees, and up to €10M
  • Medium: Fewer than 250 employees, and up to €50M
  • Small midcap: Fewer than 750 employees, and up to €150M

The EU also proposes removing the requirement for providers and deployers to ensure staff AI literacy, placing that responsibility on the Commission and member states instead. A new GDPR amendment would allow legitimate interest as a legal basis for training AI models, under specific conditions. Combined, these extensions amount to a de facto one-year delay in high-risk enforcement.

 

Impact across other areas

Incident reporting

On the topic of incident reporting, rules across NIS2, DORA, eIDAS, CRA, and GDPR create complexity. The Digital Omnibus proposes a major simplification:

  • A single entry point for incident reporting across core digital laws
  • GDPR breach notification required only when high risk is likely
  • Notification deadline extended from 72 to 96 hours
  • A single, EU-wide standard template for breach notifications

Organizations would also be required to use the same single entry point for GDPR notifications.

 

Cookie consent rules

To combat cookie banner “fatigue,” cookie rules move from the ePrivacy Directive into the GDPR.

Key updates include:

  • A whitelist of scenarios where no consent is needed
  • A single-click option for rejecting cookies
  • No repeated consent prompts for at least six months after refusal
  • Framework for browser-level, machine-readable privacy signals that websites must honor once standards exist

This will materially change how vendors collect analytics, measure engagement, and design consent UX.

 

Data subject rights

Controllers may now refuse or charge fees for requests that are:

  • Manifestly unfounded
  • Excessive
  • Repetitive
  • Abusive
  • Misused for non–data-protection purposes (e.g., weaponized access requests)

This should reduce administrative load and abuse of access rights.

 

Data Protection Impact Assessments (DPIAs)

The Omnibus proposes replacing 27 different national DPIA lists with a single EU-wide list. This unifies criteria and reduces cross-border compliance complexity.

 

How the Commission came to this proposal

Pulling together all concerns, three major themes emerged:

 

1. Uncertainty became a barrier to entry

Without standards or national authorities, organizations couldn’t plan realistically.

 

2. Businesses preferred targeted delays — not reopening the Act

Reopening the AI Act risked undermining legal stability. A narrow extension is considered safer.

 

3. Fragmentation became a serious concern

Different readiness levels across EU member states threatened to create uneven enforcement — contradicting the AI Act’s goal of a unified single market.

 

The road ahead

The proposal(s) must be approved by the European Council, Parliament, and Commission, which means the final agreed-upon changes could look materially different from what is currently being sought. The shift, as it stands now, introduces a more flexible enforcement strategy:

  • High-risk AI will not be enforced in 2026
  • Most obligations now shift into 2027, tied to readiness milestones
  • Enforcement may follow conditions like:
    • 6 months after relevant Annex III standards are approved
    • 12 months after Annex I standards are approved
  • If milestones slip, fixed deadlines apply:
    • December 2, 2027 for Annex III systems
    • August 2, 2028 for Annex I systems

Acting on calls from inside the EU and abroad, the Commission is acknowledging the uncertainty and unreadiness brought about by the current legislation. The regulations can only be enforced when the ecosystem can realistically support compliance. The proposal is not a watering-down but rather a structural recalibration.

