Digital Omnibus on AI: What EU companies must do now to align with GDPR, NIS2, and the AI Act
In today’s Brussels briefing, lawmakers and regulators converged on one message: the Digital Omnibus on AI will not dilute the EU’s fundamental rights or cybersecurity expectations—it’s meant to streamline them. With the European Parliament’s LIBE and IMCO committees advancing the Digital Omnibus on AI and the EDPS hosting a high-level debate on “From Omnibus to Opportunity,” the timing matters. If you operate AI systems in the EU, the Digital Omnibus on AI intersects directly with GDPR, NIS2, and your day-to-day cybersecurity compliance, from personal data protection to security audits and incident reporting.

Why the Digital Omnibus on AI matters now
- It clarifies and simplifies how harmonised AI rules are implemented across the single market, aiming to reduce administrative friction while preserving core data protection standards.
- It sits alongside GDPR and NIS2—not instead of them—so data protection and cybersecurity controls remain mandatory.
- Regulators want practical, auditable safeguards: privacy by design, risk management, and secure engineering—including secure document uploads and anonymization before AI processing.
As one CISO I interviewed put it this week: “If your AI pipeline can’t show data minimisation, access control, and breach-ready logging, it won’t fly in 2026 audits—Omnibus or not.”
What is the Digital Omnibus on AI?
The Digital Omnibus on AI is an EU legislative package that amends existing regulations—reported by Parliament as updates to Regulation (EU) 2024/1689 (the AI Act) and Regulation (EU) 2018/1139 (the civil aviation safety regulation)—to simplify the implementation of harmonised AI rules. In practice, it is the “plumbing” that helps the AI Act’s obligations become operational across sectors, authorities, and jurisdictions.
Three points I heard repeatedly in Brussels corridors:
- Streamlining is not a rollback. Authorities stressed that data protection, safety, and cybersecurity remain non-negotiable.
- Documentation will drive trust. Expect emphasis on technical files, risk assessments, and traceability for AI systems.
- Cross-regulatory alignment matters. Your AI governance should dovetail with GDPR lawful bases, DPIAs, and NIS2 risk management and incident response.
How the Digital Omnibus on AI fits with GDPR and NIS2
The Omnibus aims to reduce fragmentation, but your obligations under GDPR and NIS2 stay intact. Think of it as making the “how” of AI compliance more predictable while the “what” of data protection and cybersecurity stays stringent.
Data protection under GDPR
- Lawful basis and purpose limitation remain essential for AI training, testing, and deployment—especially when personal data is involved.
- Data minimisation and pseudonymisation/anonymization are central, reinforced by AI system documentation and privacy-by-design expectations.
- Fines remain serious: up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements (Art. 83(5)).
Cybersecurity risk under NIS2
- NIS2 raises the bar for risk management, supply chain security, and incident reporting for essential and important entities.
- Expect tighter proof of secure development, vulnerability management, and business continuity in AI-enabled services.
- Administrative fines under NIS2 can reach up to €10 million or 2% of global annual turnover for essential entities and €7 million or 1.4% for important entities, whichever is higher (Art. 34).

GDPR vs NIS2: what auditors will ask you to prove
| Dimension | GDPR (Data Protection) | NIS2 (Cybersecurity) |
|---|---|---|
| Scope | Processing of personal data by controllers/processors | Security and resilience of network and information systems for essential/important entities |
| Primary Objective | Rights and freedoms of data subjects; lawful, fair, and transparent processing | Risk management, service continuity, and incident reporting to protect critical services |
| Core Duties | Lawful basis, DPIA, data minimisation, storage limitation, security of processing | Security policies, vulnerability management, supply chain risk, incident response/testing |
| Proof of Compliance | Records of processing (RoPA), DPIAs, technical and organisational measures, DPA communications | Risk assessments, policies, logs, incident reports, audit evidence, regulator communications |
| Breach Reporting | Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk; inform affected individuals where the risk is high (Arts. 33 and 34) | Significant incidents: early warning to the CSIRT/competent authority within 24 hours, incident notification within 72 hours, final report within one month (Art. 23) |
| Sanctions | Up to €20M or 4% of global annual turnover, whichever is higher | Up to €10M or 2% of global annual turnover for essential entities; €7M or 1.4% for important entities |
Real-world pressure: attacks and enforcement aren’t slowing
Recent headlines—from a record multi-terabit DDoS campaign driven by a multi-million-device IoT botnet to exploit kits targeting older iPhones—show that the stakes are rising. Under NIS2, regulators will expect evidence that you’ve addressed dependency and supply chain risk, while GDPR enforcers will continue to scrutinise unlawful processing and poor security of personal data. The Digital Omnibus on AI doesn’t relax these expectations; it makes alignment more enforceable.
Compliance checklist: AI, GDPR, NIS2 in one operational plan
- Map AI systems and data flows: identify personal data, model inputs/outputs, vendors, and jurisdictions.
- Select lawful bases and complete DPIAs where risks are likely high; embed privacy by design and default.
- Minimise and anonymize: remove direct and indirect identifiers before model ingestion or testing whenever feasible.
- Harden your pipeline: access controls, encryption, key management, code signing, and model artifact integrity checks.
- Implement secure document uploads with content scanning, malware checks, and strict role-based access.
- Supply chain assurance: vet AI providers, data brokers, and integrators; contract for security, audit rights, and incident cooperation.
- Logging and traceability: maintain technical files, dataset lineage, prompts/outputs where necessary, and audit-ready records.
- Incident readiness: align breach playbooks to GDPR’s 72-hour notification and NIS2’s tiers (24-hour early warning, 72-hour incident notification, one-month final report); rehearse tabletop exercises.
- Continuous testing: red-team high-risk AI features, monitor drift, and patch model dependencies and libraries.
- Training and governance: appoint accountable owners, brief the board, and align KPIs with regulator expectations.
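For the “model artifact integrity checks” item in the checklist above, an added example that is not code from this article or from any vendor it mentions: a stdlib-only Python check a serving host can run before loading a model directory. The release pipeline records a SHA-256 per file in a manifest and authenticates the manifest with an HMAC key; the host rejects a modified, missing or unexpected file and refuses to trust a manifest whose MAC fails. The directory contents, file names and key are constructed for the demo. The shared-secret MAC is an assumption made to keep the example dependency-free; a real pipeline would sign the manifest with an asymmetric key (for example Sigstore/cosign) so the serving host holds no secret that could forge a release.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):   # stream: weight files are large
            h.update(chunk)
    return h.hexdigest()


def _tree(root: Path) -> dict[str, str]:
    """relative path -> digest for every regular file under root, in deterministic order."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(files: dict[str, str]) -> bytes:
    # Fixed key order and separators: the MAC must not depend on dict order or whitespace.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Release-pipeline side: digest every file and authenticate the list."""
    files = _tree(root)
    return {"files": files, "mac": hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> list[str]:
    """Serving side: return the list of problems; only an empty list means 'load it'."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC invalid: do not trust file list"]   # stop: the list itself is untrusted
    actual = _tree(root)
    problems = []
    for name, digest in manifest["files"].items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(actual[name], digest):
            problems.append(f"modified: {name}")
    for extra in sorted(actual.keys() - manifest["files"].keys()):
        problems.append(f"unexpected file: {extra}")   # a dropped-in custom op or pickle is a classic miss
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a tiny model directory, then tampering and a forged manifest."""
    key = b"release-pipeline-key-example-only"   # assumption: held by the pipeline, read-only on the host
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.safetensors").write_bytes(b"\x00" * 1024)   # stand-in for weights
        (root / "config.json").write_text('{"hidden_size": 64}')
        (root / "tokenizer.json").write_text('{"version": "1.0"}')
        manifest = build_manifest(root, key)
        results["clean"] = verify_manifest(root, manifest, key)

        # Tamper: edited config, a code file dropped in, tokenizer removed.
        (root / "config.json").write_text('{"hidden_size": 64, "trust_remote_code": true}')
        (root / "custom_op.py").write_text("import os  # would execute at load time\n")
        (root / "tokenizer.json").unlink()
        results["tampered"] = verify_manifest(root, manifest, key)

        # Forge: an attacker without the key adds the dropped-in file to the manifest.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["custom_op.py"] = file_sha256(root / "custom_op.py")
        results["forged_manifest"] = verify_manifest(root, forged, key)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The check that most teams forget is the last loop: a manifest that only confirms listed files lets an attacker add a loader hook or pickle next to the weights without tripping anything, so “unexpected file” must be a hard failure, and the manifest must be authenticated before its contents are used to drive any comparison.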
Practical moves you can take this week
1) Anonymize aggressively, earlier in the pipeline
Before sending any document or dataset to an AI system, strip direct identifiers (names, e-mail addresses, phone numbers, account and ID numbers) and sensitive attributes, and keep any re-identification key or mapping in a separate, access-controlled store. Be precise about what you have achieved: pseudonymised data is still personal data under GDPR, so the processing still needs a lawful basis and security measures; only data that can no longer reasonably be attributed to a person is anonymous and out of scope. Tools such as Cyrolo’s anonymizer at www.cyrolo.eu automate the minimisation step while keeping the analytical utility of the text; whatever tool you use, sample its output for residual identifiers (names and indirect identifiers are the usual misses) and record each run as audit evidence.
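The minimisation step described above, as an added example that is not part of this article or of Cyrolo’s product: a stdlib-only Python filter that replaces e-mail addresses, phone numbers and IBANs with HMAC-derived tokens before text is sent to an LLM, keeps the token-to-value mapping and key separately (this is pseudonymisation in the GDPR sense, not anonymisation), checks its own output for leaks, and emits an audit record. The three regexes, the sample claim text and the key are constructed for illustration; a production filter needs a far broader detector, and the sample deliberately contains a person’s name that these patterns do not catch.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Illustrative detectors only (constructed for this example): IBAN, e-mail, E.164-style phone.
# Names, addresses and national IDs need an NER or dictionary step on top of this.
# IBAN runs first so its digit blocks are not partially eaten by the phone rule.
PATTERNS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\w)\+\d{1,3}(?:[ -]?\d){6,12}(?!\w)")),
]


def canonical(kind: str, value: str) -> str:
    """One form per identifier so 'DE89 3704 ...' and 'DE893704...' share a token."""
    if kind == "EMAIL":
        return value.lower()
    return re.sub(r"[\s-]", "", value).upper()


class Pseudonymiser:
    """Replaces identifiers with keyed tokens. The key and the mapping are the
    'additional information' GDPR Art. 4(5) requires to be held separately."""

    def __init__(self, key: bytes, key_id: str):
        self._key = key                      # controller's secret store, never in the LLM request
        self.key_id = key_id
        self.mapping: dict[str, str] = {}    # token -> canonical value, controller-only re-identification

    def token(self, kind: str, value: str) -> str:
        canon = canonical(kind, value)
        mac = hmac.new(self._key, f"{kind}:{canon}".encode(), hashlib.sha256).hexdigest()
        tok = f"[{kind}_{mac[:12]}]"         # lowercase hex: a token can never re-match PATTERNS
        self.mapping[tok] = canon
        return tok

    def redact(self, text: str) -> tuple[str, dict[str, int]]:
        counts: dict[str, int] = {}
        for kind, pattern in PATTERNS:
            def replace(m: re.Match, kind: str = kind) -> str:
                counts[kind] = counts.get(kind, 0) + 1
                return self.token(kind, m.group(0))
            text = pattern.sub(replace, text)
        return text, counts

    def leaks(self, redacted: str) -> list[str]:
        """Known values still present in the output (separator- and case-insensitive);
        a non-empty list must block the LLM call."""
        flat = re.sub(r"[\s-]", "", redacted).upper()
        return [v for v in self.mapping.values() if v.upper() in flat]

    def audit_record(self, original: str, redacted: str, counts: dict[str, int]) -> dict:
        """Evidence for the RoPA/risk register: proves minimisation ran on this exact
        input without storing the personal data itself."""
        return {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "key_id": self.key_id,
            "input_sha256": hashlib.sha256(original.encode()).hexdigest(),
            "output_sha256": hashlib.sha256(redacted.encode()).hexdigest(),
            "identifiers_replaced": counts,
            "leaks": len(self.leaks(redacted)),
        }


# Constructed sample claim note (fictional person, example.org address, published test IBAN).
SAMPLE = ("Claim 4471: contact Anna Beispiel at anna.beispiel@example.org or +49 30 1234567. "
          "Refund to DE89 3704 0044 0532 0130 00. Second e-mail from Anna.Beispiel@example.org "
          "confirms the IBAN DE89370400440532013000.")


def minimise_for_llm(text: str, key: bytes, key_id: str) -> tuple[str, dict]:
    """Returns (text safe to send, audit record), or raises if an identifier leaked through."""
    p = Pseudonymiser(key, key_id)
    redacted, counts = p.redact(text)
    if p.leaks(redacted):
        raise ValueError("identifier leaked through minimisation; refusing to send")
    return redacted, p.audit_record(text, redacted, counts)


if __name__ == "__main__":
    out, record = minimise_for_llm(SAMPLE, b"example-key-keep-me-in-a-vault", "anon-key-2026-03")
    print(out)
    print(json.dumps(record, indent=2))
```

Run it and compare the counts: the two spellings of the e-mail address and the two IBAN formats each collapse to a single token, which is what preserves analytical utility across a document, while “Anna Beispiel” survives untouched. That residual is the reason regex-only minimisation has to be paired with an NER or curated-dictionary pass and a sampling check before anything leaves the organisation.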
2) Lock down uploads and sharing
Implement a secure intake for case files, claims, medical records, and HR packets: authenticated uploads over TLS, file-type and malware scanning, strict role-based access, and an audit trail that records who uploaded, accessed and exported each document. Cyrolo’s secure document upload at www.cyrolo.eu is one such intake; a sanctioned, easy path is also what removes the incentive for shadow-IT file swaps.
3) Evidence everything
Auditors increasingly ask: “Show me.” Keep DPIAs, technical files, training data provenance notes, and vendor attestations in one place. Link data minimisation (e.g., anonymization runs) to your RoPA and risk register so GDPR and NIS2 reviewers can trace decisions.
4) Prepare for cross-regulator questions
Expect cross-checks: data protection authorities may query your security controls; NIS2 competent authorities may explore your data governance for critical services. Your story should be consistent across regulators and geographies, including US branches where state privacy laws may also apply.
Reminder: when uploading documents to public LLM services such as ChatGPT, never include confidential or sensitive data in prompts or attachments unless it has been minimised first and the provider’s terms, retention and data residency have been reviewed. Cyrolo (www.cyrolo.eu) offers a platform where PDF, DOC, JPG and other files can be uploaded and anonymised before use.
Sector scenarios: where the Omnibus meets reality
Banks and fintech
- Use cases: fraud analytics, customer service chat, credit scoring.
- Risks: profiling and automated decision-making under GDPR (Art. 22), model bias, and overlapping incident reporting under NIS2 and DORA (DORA, as the sector-specific act, takes precedence over NIS2 for financial entities’ ICT risk management and incident reporting).
- Action: anonymize training data, restrict PII in prompts, and maintain traceability for model decisions that affect individuals.
Hospitals and healthtech
- Use cases: triage assistants, diagnostics support, scheduling.
- Risks: special category data, supply chain attacks on imaging and lab systems, strict breach notification.
- Action: robust pseudonymisation/anonymization, vetted medical AI vendors, and downtime playbooks aligned with NIS2.
Law firms and corporate legal
- Use cases: e-discovery triage, contract analysis, research assistants.
- Risks: confidentiality breaches, inadvertent disclosure via LLMs, retention conflicts.
- Action: controlled, secure document uploads; on-prem or EU-based processing where possible; strict access logs; anonymise party names and matter details in drafts before they go to any external model.
Governance signals from Brussels
From the EDPS debate to committee reports, a consistent refrain emerged: the Digital Omnibus on AI is meant to turn administrative overlap into operational clarity. But a senior regulator told me plainly: “Simplification is not simplism.” Expect more guidance on documentation formats, templates for risk assessment, and how to show “effective” human oversight in high-impact AI use cases. Enforcement will hinge on whether your safeguards work in practice—can you prevent privacy breaches, detect misuse, and recover swiftly after an incident?

Timelines and coordination: what to watch in 2026
- AI Act obligations are phasing in in stages: prohibited practices since February 2025, general-purpose AI duties since August 2025, and most remaining obligations from August 2026; the Omnibus is designed to make the interfaces with sectoral regimes workable.
- NIS2 has applied since 18 October 2024 through national transpositions (several member states were late); enforcement is maturing, with focus on supply chain and incident reporting discipline.
- GDPR remains the backbone for personal data; DPAs are increasing scrutiny of AI-driven processing, lawful bases, and DPIAs.
If you’re late to implement, prioritise quick wins that cut the most risk per euro: anonymize upstream, restrict access, organise your documentation, and rehearse your incident processes.
FAQ: Digital Omnibus on AI, GDPR, and NIS2
What is the Digital Omnibus on AI in simple terms?
It’s an EU legislative effort to streamline how harmonised AI rules are implemented across sectors and authorities, aligning documentation, oversight, and enforcement with the AI Act—without weakening GDPR or NIS2 expectations.
Does the Digital Omnibus on AI replace GDPR or NIS2?
No. It complements them. You still need lawful processing under GDPR and strong cybersecurity under NIS2. The Omnibus helps make compliance more consistent across the single market.
How should we handle personal data in AI pipelines?
Practice data minimisation: anonymize or pseudonymize early, limit access, and log processing. Tools such as www.cyrolo.eu offer anonymization and secure document upload, which reduces exposure and produces the audit evidence reviewers ask for.
What fines are we exposed to?
GDPR: up to €20 million or 4% of global annual turnover, whichever is higher. NIS2: up to €10 million or 2% of global annual turnover for essential entities and €7 million or 1.4% for important entities. The AI Act adds its own tiers (up to €35 million or 7% for prohibited practices) plus corrective orders from market surveillance authorities.
Do we need new teams or tools?
You’ll likely adapt existing GDPR/NIS2 teams with AI-specific roles (model risk, data governance, security engineering). Tools that enforce anonymization, secure intake, logging, and technical file assembly will accelerate readiness.
Conclusion: Turn the Digital Omnibus on AI into a competitive advantage
The Digital Omnibus on AI can help EU organisations reduce red tape—but it won’t reduce accountability. Companies that align AI governance with GDPR data protection and NIS2 cybersecurity now will pass audits faster, ship features with confidence, and avoid costly privacy breaches. Start with practical steps that matter most to regulators: data minimisation and traceability. Use www.cyrolo.eu to anonymize sensitive inputs and enforce secure document uploads before your models ever see personal data. Then build the evidence pack to show your controls work—because in 2026, proof beats promises.
Sources & References
- High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation” (EDPS, 2026-03-19)
- ERRATUM on the proposal for a regulation of the European Parliament and of the Council establishing a common system for the return of third-country nationals staying illegally in the Union, and repealing Directive 2008/115/EC of the European Parliament and the Council, Council Directive 2001/40/EC and Council Decision 2004/191/EC (COM(2025)0101; C10-0047/2025; 2025/0059(COD)), A10-0048/2026(ERR01) (EU Parliament LIBE, 2026-03-20)
- REPORT on the proposal for a regulation of the European Parliament and of the Council amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI), A10-0073/2026 (EU Parliament LIBE, 2026-03-20)
- REPORT on the proposal for a regulation of the European Parliament and of the Council amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI), A10-0073/2026 (EU Parliament IMCO, 2026-03-20)
- DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks (The Hacker News, 2026-03-20)
- Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks (The Hacker News, 2026-03-20)
- Native Launches With Security Control Plane for Multicloud (Dark Reading, 2026-03-19)
- Post-Quantum Web Could be Safer, Faster (Dark Reading, 2026-03-19)