Digital Omnibus: An Overview of GDPR and AI Changes for SMEs

Last updated:
17.06.2026
Ihr ISO 27001-Audit steht bevor, die NIS2-Umsetzung ist beschlossen, Ihr VVT ist auf dem aktuellen Stand – und jetzt das: Mit dem „Digitalen Omnibus“ hat die EU-Kommission ein Gesetzespaket vorgelegt, das zentrale Säulen des Datenschutz- und Compliance-Managements von KMU verändern könnte und auch KI-Regeln betrifft.
Digital Omnibus: An Overview of GDPR and AI Changes for SMEs
Key Takeaways
  • The EU Commission's Digital Omnibus aims to simplify current digital legislation in Europe.
  • Potential consequences of the reform project include longer deadlines for reporting data breaches, lower barriers to the use of personal data, and greater freedom for companies in the deployment of AI.
  • Under the "Digital Omnibus on AI," initial changes affecting the AI Act were provisionally agreed upon in May 2026.
  • Data protection advocates fear disadvantages for affected individuals and increased liability risks for companies.
  • SMEs should keep an eye on developments surrounding the Digital Omnibus and seek expert advice on necessary steps.

Background: What is the Digital Omnibus?

In recent years, various laws and regulations have come into force aimed at strengthening data protection and cybersecurity within the EU. In practice, however, these requirements have primarily led to increasing complexity in procedures, deadlines, and obligations.  

The "Digital Omnibus" is the European Commission's attempt to simplify European digital law: On November 19, 2025, the EU Commission presented two legislative packages designed to adapt and streamline several existing legal acts. These include the General Data Protection Regulation (GDPR), the Data Act and the AI Act.

But while Brussels talks about cutting red tape, over 130 organizations are warning of the "greatest setback for digital fundamental rights in EU history to date." For compliance officers, the planned reform could primarily mean legal uncertainty , and at a time when predictability is essential.  

What does the reform entail, and what has already been implemented? Key changes for your compliance management

The planned changes include, among other things, adjusted reporting deadlines, simplified reporting procedures, and adjustments to the definition of personal data and AI regulation. For example, they would have a direct impact on the Record of Processing Activities (ROPA), technical and organizational measures (TOMs) and ongoing certifications such as the ISO 27001 certification.

GDPR notification requirements

In the event of data breaches , the draft reform proposes a notification period of 96 hours instead of the current 72 hours. Furthermore, the obligation is intended to apply only to data breaches involving a "high risk." In addition, a single entry point is planned, i.e., a central reporting office. Currently, different supervisory authorities may be responsible depending on the branch location.

Potential consequences: The current 72-hour deadline forces companies to have clear processes and respond quickly. Extending the deadline to 96 hours makes it easier for companies to meet their reporting obligations, especially in complex situations such as cyberattacks. However, in certain situations, the extended notification period could also lead to increased risks for those affected, as supervisory authorities may be unable to take action in the interest of the affected parties until later.

Personal data

Another change concerns the definition of personal data. The draft clarifies that data will only be considered personal in the future if companies can identify the person behind it. Whether third parties, such as data providers, could do so is intended to be irrelevant.  

Potential consequences: For data processors, the commercial use of data for analytics or AI training could become easier. However, data providers must continue to comply with data protection requirements. In addition, processing companies must assess and document this themselves, regardless of whether they can identify an individual or not. In the event of a misjudgment, all GDPR obligations would still apply, and SMEs would need to revise their records of processing activities accordingly.

AI Regulation

To simplify AI regulations, the European Parliament and the EU Council reached an agreement in May 2026 on the "Digital Omnibus on AI," thereby establishing a clear timeline for the implementation of high-risk AI regulations .  

What is changing:  

Deadlines for high-risk AI systems: Regulations for AI systems used in high-risk areas such as biometrics or critical infrastructure will now apply not from summer 2026, but only from December 2, 2027. For AI systems used as safety components in elevators or toys, the regulation will not come into effect until August 2, 2028 .  

New ban: AI systems that generate intimate or sexually explicit content without consent are prohibited. Providers of affected systems have until December 2, 2026, to bring their systems into compliance.

Transparency obligations: The transition period for transparency obligations regarding AI-generated content has been set for December 2, 2026. This applies to generative AI systems already on the market before August 2, 2026. Deepfake labeling and transparency for texts in the public interest remain mandatory as of August 2, 2026, without changes.

AI literacy obligation remains in place: The obligation to promote AI literacy remains unchanged.  

Relief for SMEs and Small Mid-Cap Enterprises (SMCs): In addition to SMEs, SMCs—companies that have grown beyond the SME threshold but are not yet large enterprises—now also receive targeted relief. This includes simplified technical documentation, flexible quality management requirements, and reduced maximum fines.

Potential consequences: On one hand, companies gain more flexibility and can better plan internal AI projects. The EU Commission has also published drafts for classification guidelines that provide practical examples for high-risk classification and support SMEs in their self-assessment. On the other hand, companies bear the full liability risk if they incorrectly classify an AI application as not high-risk.

Special relevance of the AI Omnibus for mechanical engineering

For companies in the mechanical engineering sector, the Digital Omnibus on AI brings a special feature: The Machinery Regulation (EU) 2023/1230 is explicitly excluded from the direct applicability of the AI Act. This eliminates the previously looming double regulation for AI systems integrated into machinery.

Anyone integrating AI systems into machines, for example for control tasks or predictive maintenance, no longer has to automatically comply with both sets of regulations in parallel. Instead, only the limited provisions according to Art. 2 Para. 2 of the AI Act apply. The full high-risk requirements of the AI Act no longer apply to these systems by default.

However, this exception is not blanket: If an AI system in a machine poses a risk that is not covered by the Machinery Regulation, individual requirements of the AI Act may still apply. Furthermore, general obligations such as transparency, documentation, and the AI literacy requirement remain binding for mechanical engineers as well.

What does the Digital Omnibus mean in concrete terms for the work of SMEs?

With the planned adjustments to AI regulations and potential GDPR simplifications, compliance officers in companies in Germany will face numerous tasks .

How would the Digital Omnibus affect existing certifications?

Anyone operating an ISMS according to ISO 27001 has established the associated measures based on certain assumptions regarding reporting obligations, fine risks, and data subject rights. If these parameters were to change, companies with an ISMS would have to adjust their risk assessment.  

The situation is similar for TISAX®: The VDA ISA catalog contains an independent data protection module with four control questions that explicitly check for GDPR compliance. If the GDPR definition of personal data or the reporting obligations change, companies would have to update their ROPA documentation. The TISAX® assessor would then verify whether the updated processes still meet the catalog requirements.

What does the reassessment of personal data status mean for SMEs?

A central point is the new, addressee-oriented assessment of personal data. In the future, companies would have to systematically document,

  • what data they process, for example, pseudonymized analytical data, cloud logs, or usage statistics,
  • what means of identification they possess themselves, such as key databases or access to real names, and
  • whether re-identification is realistically possible using their own resources.

This assessment requires structured documentation similar to a data protection impact assessment and the updating of the record of processing activities.

Overview: What specifically changes with the Digital Omnibus

| Aspect | Current | Planned | Tasks and Obligations for SMEs | | :--- | :--- | :--- | :--- | | **Data Breach Notification Deadline** | 72 hours | 96 hours (only in case of high risk) | Review incident response process | | **Reporting Authority** | different authorities depending on establishment | Single-entry-point (centralized) | Simplified communication, unified processes | | **Personal Data** | clear definition under Art. 4 GDPR | softening of the definition planned | Records of processing activities (ROPA) and legal bases need revision | | **AI High-Risk System** | conformity assessment from summer 2026 | postponed to December 2027 or August 2028, exceptions for mechanical engineering | Classify AI systems, adjust compliance roadmap |

What SMEs can do now

The reform of EU digital laws has not yet been passed. The AI adjustments also still need to be formally adopted. You can therefore wait and only react once the Digital Omnibus gains momentum. Or you can start processes now that prepare you for new legislation – because the GDPR, NIS2, and the AI Act have shown that companies are repeatedly confronted with new and adjusted requirements.

  • Establish responsibilities: Define who on your team will monitor developments regarding data protection and information security.  
  • Stay informed: Use reliable sources of information such as your data protection officer, the Stiftung Datenschutz, or the Proliance newsletter so you don't miss any updates.
  • Review compliance-relevant processes: Which processing activities are based on legal grounds that could change? Which technical and organizational measures are related to reporting obligations or data definitions? Which AI applications in the company would need to be re-evaluated as high-risk?

Outlook: Between pragmatism and adherence to principles

Some refer to the Digital Omnibus as a dilution of data protection standards, while others see the planned reform as a chance to cut red tape and increase competitiveness for European companies.

For compliance officers, the Omnibus discussion primarily means uncertainty. That is exactly why it is important neither to fall into panic-driven action nor to put the issue on the back burner. Instead, the rule is: observe, evaluate, and prepare.

Focus on the requirements that are already in effect and work with experts such as your data protection officer or Proliance to ensure that you do not lose any timewhen making necessary changes to your data protection processes. Proliance supports you, for example, with AI consulting or with data protection software for centralized compliance.

Frequently Asked Questions

Still have questions? We have the answers.

What is the EU Digital Omnibus and which laws are affected?

The Digital Omnibus is an EU reform package aimed at simplifying European digital law, presented by the EU Commission in November 2025. Two legislative packages adapt key legal acts: the General Data Protection Regulation (GDPR) with amended reporting obligations and data definitions, the Data Act for commercial data use, and the AI Act with postponed high-risk rules. The goal is to reduce bureaucracy and enhance competitiveness. However, over 130 organizations warn of the biggest setback for digital fundamental rights. For SMEs, the reform means legal uncertainty for ongoing compliance projects such as ISO 27001, TISAX®, or NIS2. Proliance provides information on current developments.

What changes for GDPR reporting obligations with the Digital Omnibus?

The Digital Omnibus plans to extend the reporting deadline for data breaches from 72 to 96 hours. In the future, the reporting obligation will only apply to high-risk data breaches, instead of all incidents. Also planned: a single entry point as a central reporting office, replacing various supervisory authorities depending on the establishment. Advantage: Simplified reporting for complex cyberattacks due to an increased time buffer. Disadvantage: Increased risks for affected individuals due to a delayed response from supervisory authorities. SMEs must review their incident response processes and adapt their documentation. Proliance Data-Breach-Management documents data breaches in a timely, traceable, and legally compliant manner.

How does the Digital Omnibus affect ISO 27001 and TISAX® certifications?

ISO 27001 ISMS controls are based on assumptions about reporting obligations, fine risks, and data subject rights. If these parameters change due to the Digital Omnibus, companies must adjust their risk assessment. The TISAX® VDA ISA catalog includes a data protection module with four control questions on GDPR compliance. A changed GDPR definition of personal data or new reporting obligations require the revision of the VVT documentation. The TISAX® assessor checks whether the updated processes comply with the catalog requirements. Recertification might become necessary. SMEs should proactively review compliance-relevant processes: Which processing activities, TOMs, and AI applications are affected? Proliance supports with adaptation and certification preparation.

Do you have further questions on this topic? Our experts will be happy to advise you free of charge.

If you're looking for a partner to support you on your journey to data protection and information security, feel free to contact our team of experienced experts.
60+ Expertinnen und Experten
Book a consultation
Topics
Editorial
Sabrina Schaub
Freelance Editor
Leveraging her content expertise, Sabrina supports the Proliance team in communicating complex topics clearly. As a freelance writer, she understands the data privacy requirements across different sectors and translates even complex information into content tailored to specific target audiences.
Zum Autorenprofil
Zum Expertenprofil
Stefan Rühl
Information Security Lead
In his role as Head of InfoSec and as an ISO27001 Lead Auditor, Stefan supports our clients with the implementation and optimization of ISMS systems. His specialized area includes establishing BCM environments, emergency and crisis management teams, and developing and testing emergency processes for both SMEs and large corporate structures. Additionally, he advises managing directors and board members on decision-making related to cyber resilience and the optimization of IT organizations.
Zum Autorenprofil
Zum Expertenprofil
About Proliance
Proliance stands for Professional Compliance for businesses. We are a digitally driven Legal Tech company based in Munich, established in 2017 and now with over 90 privacy enthusiasts. Our more than 2,500 clients include start-ups, medium-sized businesses, and corporate groups from almost all industries.
About us
Latest Articles

Topics you might be interested in