Digital Omnibus: An Overview of GDPR and AI Changes for SMEs

- The EU Commission's Digital Omnibus aims to simplify current digital legislation in Europe.
- Potential consequences of the reform project include longer deadlines for reporting data breaches, lower barriers to the use of personal data, and greater freedom for companies in the deployment of AI.
- Under the "Digital Omnibus on AI," initial changes affecting the AI Act were provisionally agreed upon in May 2026.
- Data protection advocates fear disadvantages for affected individuals and increased liability risks for companies.
- SMEs should keep an eye on developments surrounding the Digital Omnibus and seek expert advice on necessary steps.
Background: What is the Digital Omnibus?
In recent years, various laws and regulations have come into force aimed at strengthening data protection and cybersecurity within the EU. In practice, however, these requirements have primarily led to increasing complexity in procedures, deadlines, and obligations.
The "Digital Omnibus" is the European Commission's attempt to simplify European digital law: On November 19, 2025, the EU Commission presented two legislative packages designed to adapt and streamline several existing legal acts. These include the General Data Protection Regulation (GDPR), the Data Act and the AI Act.
But while Brussels talks about cutting red tape, over 130 organizations are warning of the "greatest setback for digital fundamental rights in EU history to date." For compliance officers, the planned reform could primarily mean legal uncertainty , and at a time when predictability is essential.
What does the reform entail, and what has already been implemented? Key changes for your compliance management
The planned changes include, among other things, adjusted reporting deadlines, simplified reporting procedures, and adjustments to the definition of personal data and AI regulation. For example, they would have a direct impact on the Record of Processing Activities (ROPA), technical and organizational measures (TOMs) and ongoing certifications such as the ISO 27001 certification.
GDPR notification requirements
In the event of data breaches , the draft reform proposes a notification period of 96 hours instead of the current 72 hours. Furthermore, the obligation is intended to apply only to data breaches involving a "high risk." In addition, a single entry point is planned, i.e., a central reporting office. Currently, different supervisory authorities may be responsible depending on the branch location.
Potential consequences: The current 72-hour deadline forces companies to have clear processes and respond quickly. Extending the deadline to 96 hours makes it easier for companies to meet their reporting obligations, especially in complex situations such as cyberattacks. However, in certain situations, the extended notification period could also lead to increased risks for those affected, as supervisory authorities may be unable to take action in the interest of the affected parties until later.
Personal data
Another change concerns the definition of personal data. The draft clarifies that data will only be considered personal in the future if companies can identify the person behind it. Whether third parties, such as data providers, could do so is intended to be irrelevant.
Potential consequences: For data processors, the commercial use of data for analytics or AI training could become easier. However, data providers must continue to comply with data protection requirements. In addition, processing companies must assess and document this themselves, regardless of whether they can identify an individual or not. In the event of a misjudgment, all GDPR obligations would still apply, and SMEs would need to revise their records of processing activities accordingly.
AI Regulation
To simplify AI regulations, the European Parliament and the EU Council reached an agreement in May 2026 on the "Digital Omnibus on AI," thereby establishing a clear timeline for the implementation of high-risk AI regulations .
What is changing:
Deadlines for high-risk AI systems: Regulations for AI systems used in high-risk areas such as biometrics or critical infrastructure will now apply not from summer 2026, but only from December 2, 2027. For AI systems used as safety components in elevators or toys, the regulation will not come into effect until August 2, 2028 .
New ban: AI systems that generate intimate or sexually explicit content without consent are prohibited. Providers of affected systems have until December 2, 2026, to bring their systems into compliance.
Transparency obligations: The transition period for transparency obligations regarding AI-generated content has been set for December 2, 2026. This applies to generative AI systems already on the market before August 2, 2026. Deepfake labeling and transparency for texts in the public interest remain mandatory as of August 2, 2026, without changes.
AI literacy obligation remains in place: The obligation to promote AI literacy remains unchanged.
Relief for SMEs and Small Mid-Cap Enterprises (SMCs): In addition to SMEs, SMCs—companies that have grown beyond the SME threshold but are not yet large enterprises—now also receive targeted relief. This includes simplified technical documentation, flexible quality management requirements, and reduced maximum fines.
Potential consequences: On one hand, companies gain more flexibility and can better plan internal AI projects. The EU Commission has also published drafts for classification guidelines that provide practical examples for high-risk classification and support SMEs in their self-assessment. On the other hand, companies bear the full liability risk if they incorrectly classify an AI application as not high-risk.
Special relevance of the AI Omnibus for mechanical engineering
For companies in the mechanical engineering sector, the Digital Omnibus on AI brings a special feature: The Machinery Regulation (EU) 2023/1230 is explicitly excluded from the direct applicability of the AI Act. This eliminates the previously looming double regulation for AI systems integrated into machinery.
Anyone integrating AI systems into machines, for example for control tasks or predictive maintenance, no longer has to automatically comply with both sets of regulations in parallel. Instead, only the limited provisions according to Art. 2 Para. 2 of the AI Act apply. The full high-risk requirements of the AI Act no longer apply to these systems by default.
However, this exception is not blanket: If an AI system in a machine poses a risk that is not covered by the Machinery Regulation, individual requirements of the AI Act may still apply. Furthermore, general obligations such as transparency, documentation, and the AI literacy requirement remain binding for mechanical engineers as well.
What does the Digital Omnibus mean in concrete terms for the work of SMEs?
With the planned adjustments to AI regulations and potential GDPR simplifications, compliance officers in companies in Germany will face numerous tasks .
How would the Digital Omnibus affect existing certifications?
Anyone operating an ISMS according to ISO 27001 has established the associated measures based on certain assumptions regarding reporting obligations, fine risks, and data subject rights. If these parameters were to change, companies with an ISMS would have to adjust their risk assessment.
The situation is similar for TISAX®: The VDA ISA catalog contains an independent data protection module with four control questions that explicitly check for GDPR compliance. If the GDPR definition of personal data or the reporting obligations change, companies would have to update their ROPA documentation. The TISAX® assessor would then verify whether the updated processes still meet the catalog requirements.
What does the reassessment of personal data status mean for SMEs?
A central point is the new, addressee-oriented assessment of personal data. In the future, companies would have to systematically document,
- what data they process, for example, pseudonymized analytical data, cloud logs, or usage statistics,
- what means of identification they possess themselves, such as key databases or access to real names, and
- whether re-identification is realistically possible using their own resources.
This assessment requires structured documentation similar to a data protection impact assessment and the updating of the record of processing activities.
Overview: What specifically changes with the Digital Omnibus
What SMEs can do now
The reform of EU digital laws has not yet been passed. The AI adjustments also still need to be formally adopted. You can therefore wait and only react once the Digital Omnibus gains momentum. Or you can start processes now that prepare you for new legislation – because the GDPR, NIS2, and the AI Act have shown that companies are repeatedly confronted with new and adjusted requirements.
- Establish responsibilities: Define who on your team will monitor developments regarding data protection and information security.
- Stay informed: Use reliable sources of information such as your data protection officer, the Stiftung Datenschutz, or the Proliance newsletter so you don't miss any updates.
- Review compliance-relevant processes: Which processing activities are based on legal grounds that could change? Which technical and organizational measures are related to reporting obligations or data definitions? Which AI applications in the company would need to be re-evaluated as high-risk?
Outlook: Between pragmatism and adherence to principles
Some refer to the Digital Omnibus as a dilution of data protection standards, while others see the planned reform as a chance to cut red tape and increase competitiveness for European companies.
For compliance officers, the Omnibus discussion primarily means uncertainty. That is exactly why it is important neither to fall into panic-driven action nor to put the issue on the back burner. Instead, the rule is: observe, evaluate, and prepare.
Focus on the requirements that are already in effect and work with experts such as your data protection officer or Proliance to ensure that you do not lose any timewhen making necessary changes to your data protection processes. Proliance supports you, for example, with AI consulting or with data protection software for centralized compliance.
Still have questions? We have the answers.
The Digital Omnibus is an EU reform package aimed at simplifying European digital law, presented by the EU Commission in November 2025. Two legislative packages adapt key legal acts: the General Data Protection Regulation (GDPR) with amended reporting obligations and data definitions, the Data Act for commercial data use, and the AI Act with postponed high-risk rules. The goal is to reduce bureaucracy and enhance competitiveness. However, over 130 organizations warn of the biggest setback for digital fundamental rights. For SMEs, the reform means legal uncertainty for ongoing compliance projects such as ISO 27001, TISAX®, or NIS2. Proliance provides information on current developments.
The Digital Omnibus plans to extend the reporting deadline for data breaches from 72 to 96 hours. In the future, the reporting obligation will only apply to high-risk data breaches, instead of all incidents. Also planned: a single entry point as a central reporting office, replacing various supervisory authorities depending on the establishment. Advantage: Simplified reporting for complex cyberattacks due to an increased time buffer. Disadvantage: Increased risks for affected individuals due to a delayed response from supervisory authorities. SMEs must review their incident response processes and adapt their documentation. Proliance Data-Breach-Management documents data breaches in a timely, traceable, and legally compliant manner.
ISO 27001 ISMS controls are based on assumptions about reporting obligations, fine risks, and data subject rights. If these parameters change due to the Digital Omnibus, companies must adjust their risk assessment. The TISAX® VDA ISA catalog includes a data protection module with four control questions on GDPR compliance. A changed GDPR definition of personal data or new reporting obligations require the revision of the VVT documentation. The TISAX® assessor checks whether the updated processes comply with the catalog requirements. Recertification might become necessary. SMEs should proactively review compliance-relevant processes: Which processing activities, TOMs, and AI applications are affected? Proliance supports with adaptation and certification preparation.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.














