Digital Omnibus unpacked

Managing Director Ksenia Duxfield-Karyakina outlines how the Digital Omnibus reshapes GDPR, AI regulation, data governance and cyber reporting, and what these EU reforms mean for business readiness heading into 2026.

Key Takeaways

The European Commission has effectively abandoned its ambition to rationalise the chaotic patchwork of EU cyber-incident reporting. Originally envisaged as a cyber rules streamlining exercise, the Digital Omnibus delivers only a single reporting portal – not a single reporting rulebook. Substantive obligations will remain fragmented across NIS2, DORA, CRA, and GDPR, meaning businesses still face conflicting thresholds, definitions, and timelines. This is a procedural tidy-up, not a structural fix. 

The ‘stop-the-clock’ on the AI Act is a clear win for industry. This will be billed by commentators as surrender to US Big Tech pressures, but the reality is that delays to high-risk rules first and foremost benefit European deployers. And more importantly, compliance standards are not ready.  

Proposed GDPR amendments will support AI development in Europe – without reopening the Regulation – and introduce a biometric verification carve-out and simplified DPIAs and breach reporting. While this goes further than the European Commission had anticipated when omnibus discussions got underway, it should not be seen as a comprehensive review of the GDPR. Still, privacy activists will contest the proposed changes.   

The 18-month Digital Fitness Check is now running in parallel with the omnibus process, with a mandate to examine further overlaps, cumulative burdens, competitiveness impacts, and cross-sectoral inconsistencies. The European Commission acknowledges that the Digital Omnibus is just the first step, and more reforms are likely in 2026.  

1) The Digital Omnibuses are here 

The European Commission has finally delivered its long-trailed Digital Package which attempts to simplify the patchwork of digital rules.  

The package is sprawling: two Omnibus Regulations (one focused solely on the AI Act; the other bundling GDPR, Data Act, cyber and cookies reforms), a proposed Business Wallet Regulation, and a broad Data Union Strategy.  

In parallel, the Commission has kicked off an 18-month Digital Fitness Check to look at cumulative regulatory impact, overlaps, and competitiveness effects of digital rules across sectors. 

This is not deregulation as it preserves the foundational rulebooks, but whether the package will achieve the desired simplification objectives remains to be seen.  

2) GDPR: a tactical, pro-AI simplification 

The Commission insists this is not a reopening of the GDPR – and we agree.  

The Omnibus proposes targeted changes to facilitate AI development in Europe, and simplify certain processes (e.g., DPIAs) for the industry. 

Other long-standing friction points in scope of the Omnibus include clarifying definitions – especially around pseudonymisation, carveouts for biometrics, and streamlining reporting of breaches. 

Three shifts matter most. The revised definition of personal data introduces an entity-specific identifiability test. In simple terms: if you cannot reasonably identify the person, the data is not ‘personal’ for you, regardless of what others might do with it. 

A biometric carve-out for identity verification is attempted as a pragmatic exemption to enable processing of biometric data when verifying identity and when the verification means remain under the data subject’s control. This is a push towards decentralised, wallet-based identity solutions. 

An explicit legal basis for AI training and inference will probably be debated most with privacy activists. Legitimate interest becomes a viable ground for AI training and inference, subject to safeguards (data minimisation, transparency, opt-out rights, and leakage prevention). Importantly, even special category data (Article 9 of GDPR) can be processed under additional protections. 

This is perhaps the most consequential GDPR change since 2018 as it is designed to create a workable legal basis for European AI developers without reopening the GDPR’s core principles. This is largely consistent with the EDPB Opinion from last December and will provide industry with more legal certainty. 

Other clean-up measures include harmonised DPIAs and a high-risk standard for breach reporting. 

3) Data Act 

On the data acquis, the Commission is executing a significant consolidation exercise: the Free Flow of Data Regulation, the Data Governance Act, and the Open Data Directive are being folded into the Data Act. Conceptually, this creates a single, integrated rulebook for both personal-adjacent and non-personal data flows, public-sector re-use, and sensitive data sharing.

Substantively, nothing changes on the Data Act itself – except the approach to trade secrets which has been a major pain point for the industry from day one.  

The original Data Act exposed businesses to potential leakage of industrial secrets through mandatory data access provisions. The Omnibus introduces a high-risk test allowing holders to refuse disclosure where downstream exposure to foreign jurisdictions would present meaningful leakage risk. 

Cloud-switching rules largely remain unchanged, but SMEs and custom-built cloud services get a lighter regime.  

The prohibition on data localisation from the Free Flow of Data Regulation remains as well and will be transitioned into the Data Act, though Member States are no longer required to publish their data localisation requirements.

There is little room to push for more scope on the Data Act changes – especially on data sharing aspects across industries (e.g. automotive and in-vehicle access to data), but businesses might still use this as an opportunity to reopen the familiar debates. 

4) The cyber failure 

The cyber chapter is the weakest part of the package. The original ambition – remove contradictory reporting obligations across NIS2, DORA, CRA, eIDAS, ePrivacy and GDPR – has been largely abandoned by the Commission. 

Instead, we get a single reporting gateway (to be developed by ENISA), without rationalising the underlying duties. 

The single-entry reporting obligations will apply to GDPR breaches, NIS2 notifications, DORA incident reports and CER alerts – with other sectoral rules potentially to follow (e.g. electricity and aviation). 

CRA, which has been a major source of friction since inception, is not included in this exercise so far.

This creates the impression of a fix for fragmentation but leaves the underlying challenges of duplicative and inconsistent obligations unchanged.

The biggest problems will probably be in the financial services sector: are financial supervisors ready to accept this centralisation?  

5) Cookies and the end of the ePrivacy split 

The Omnibus finally tackles the dysfunctional dual regime of the ePrivacy Directive and GDPR for cookies. The ePrivacy cookie rules are subsumed into the GDPR, creating a single legal framework for device-level access. 

This means fewer consent banners.  

Low-risk or operationally essential access to device information will not require repeated consent prompts.  

Media providers get an exemption – a nod to the political sensitivity of the advertising-funded press. 

6) AI Omnibus: the EU hits pause on the AI Act 

Here we have a formal ‘stop-the-clock’ for high-risk rules. High-risk obligations for Annex III systems are pushed to December 2027; Annex I product-linked systems to August 2028. This resets the political clock and buys time for conformity assessments, standards, and market readiness. 

The AI Office will see an expanded mandate with exclusive supervision and enforcement powers over AI systems based on general-purpose AI models provided by the same provider. This is a major enlargement of its powers, centralising supervision that otherwise would have belonged to national market surveillance authorities. It will gain the full toolkit of an EU market surveillance authority – including investigative powers, corrective measures, and the ability to impose fines – and may also conduct pre-market conformity assessments for certain high-risk systems.

National authorities will see their direct enforcement responsibilities narrowed on GEN AI – but will retain a supervisory role over high-risk AI systems, including those in sectoral products (Annex III and Annex I). The challenge will be to differentiate between high-risk AI and high-risk systems built on general-purpose AI models.

Supervision and enforcement of compliance for AI systems embedded in VLOPs under the DSA will also fall under the competence of the AI Office. 

Simplified documentation, proportionate QMS requirements and reduced penalties are introduced for both SMEs and small mid-caps, which will benefit European model developers, especially Mistral AI. This aligns with the EU’s industrial policy goals to nurture a domestic AI field.

Member States must strengthen cross-border sandbox cooperation, and the AI Office gets its own EU-level sandbox.  

Meanwhile, the contested ‘AI literacy’ duties shift from industry to public authorities – an implicit admission that the initial framing was unworkable. 

7) Business Wallets: infrastructure for cross-border commerce 

The Business Wallet proposal builds on the eIDAS2 digital identity framework to give companies a secure, interoperable way to store, exchange and sign certificates, applications, attestations and contractual documents across the EU. 

This is the Commission’s attempt to reduce friction in cross-border commerce and regulatory compliance. The Wallet is essentially a trust infrastructure play: one that could eventually underpin procurement, licensing, certification and B2B interactions. 

8) Data Union Strategy – with a sovereignty twist 

The accompanying Data Strategy supplements the vision of the AI Continent: more high-quality data for AI, supplemented with an idea for trusted spaces for pooling of AI-ready datasets. 

All this needs to be built on top of reduced dependence on foreign cloud and compute – if and when. 

Key pillars of the Strategy include Data Labs – as trusted environments for secure pooling and federated learning; expansion of Common European Data Spaces (including new high-value datasets); and development of synthetic data standards to increase availability of training data. 

9) Conclusion 

The AI Omnibus will move first in Parliament and Council. IMCO, LIBE and ITRE will fight for lead roles. If the proposal is not adopted before August 2026 (when the high-risk rules come into force), the Parliament may need to trigger the urgent procedure – a politically contentious manoeuvre. 

The Digital Omnibus on data and cyber will follow a regular legislative process.

Next year we will likely see more digital simplification efforts – including an attempt at a broader GDPR review.

Author:

ksenia.duxfield-karyakina@forefrontadvisers.com
