
The European regulatory framework on artificial intelligence continues to evolve. Months ago, when we analyzed the AI Act and its implications for companies in another article, some questions about timelines, compliance methods, and coordination with other regulations were still awaiting definition. Today the European Commission intervenes with the Digital Omnibus: a regulatory package that touches on the AI Act, GDPR and security all at once.
In this article we analyze the main points of the package, with a focus on news related to the AI Act and the operational impacts for those managing content, data, and digital processes.
The Digital Omnibus is a European regulatory package that aims to simplify and coordinate rules on artificial intelligence, data, and security. The logic is to reduce friction between different rules and clarify how requirements, controls, and responsibilities fit together between AI, data, and privacy.
For companies, the impact is measured in three very concrete aspects: compliance timelines, evidence to be retained and consistency between regulations (especially when AI uses data or produces content that ends up on different channels). Agenda Digitale describes the challenge in these terms: helping companies without weakening rights, with a balance that remains at the center of public debate.

On a practical level, the topic concerns anyone managing content, data, and processes because artificial intelligence is becoming an intermediation layer increasingly present between brand and users. In that context, the difference between “being present” and “being reliable” depends on how much a company manages to keep the information published structured, consistent, and traceable.
The process for the Digital Omnibus package is still ongoing: publications, proposals, discussions, and partial approvals follow one another. Unioncamere describes it with an approach oriented toward simplifying the digital framework, useful for contextualizing the topic without getting lost in technical details.
For a company, the useful part of the process is not chasing every headline, but understanding which points are already clear enough to start internal activities and which still depend on the final regulation.
The connection with the AI Act is direct: the Digital Omnibus is often read as an attempt to make the compliance phase required by the new rules on artificial intelligence more manageable for businesses, taking into account costs, complexity, and interactions with privacy and security.
The Digital Omnibus intervenes on multiple fronts, some of which directly concern those operating with AI systems, managing data, or publishing content across multiple channels. The changes touch on compliance timelines, transparency requirements for generated content, simplifications for medium-sized enterprises, and updates on cyber security and privacy.

The main changes concern:
Let’s see what they involve in practice.
One of the points discussed is the extension of up to 16 months to comply with obligations related to high-risk systems. The original deadline was set for August 2, 2026: with the proposed extension, it would be pushed to December 2027. In operational terms, this does not reduce the commitment, but shifts the focus to the ability to transform requirements into verifiable processes: roles, controls, audits, supplier management, and ready documentation.
In this framework, a proposal to simplify and revise the AI Act is also mentioned; it addresses obligations for high-risk systems and strengthens governance elements and coordination with privacy, linking the AI Act and GDPR more closely. The substantial point for companies is that compliance stops being “just legal” and becomes a demonstrable capability over time.
Another update discussed concerns generative artificial intelligence and watermarking requirements, that is, the marking that identifies content as generated by artificial intelligence. The obligation comes into force on August 2, 2026, but the Digital Omnibus provides a 6-month transitional period (until February 2027) for providers already on the market by that date. In practice, content generated or modified by AI will need to be recognizable as such: for companies this means equipping themselves with processes that allow them to know what was produced with generative AI tools, what was manually adapted, who approved it, and on which channels it was distributed.
When content production accelerates, transparency becomes a supply chain issue: knowing what was generated, what was adapted, who approved it, and where it was published. It’s the same type of logic that, in the AI Act, emerged through labels and logs: not as a “formality,” but as tools to reconstruct responsibilities and decisions.

The package introduces a new category of enterprises, the SMCs (small mid-cap enterprises), alongside SMEs. The idea is to extend to these entities some simplifications provided for SMEs, recognizing that there is an “intermediate” tier with real complexity but resources not comparable to those of large groups.
This point shifts the discussion from “one-size-fits-all compliance” to a more proportionate compliance. For those working in companies of this tier, it means that requirements and timelines could be addressed with greater gradualness and with a burden more consistent with structure and size.
The Digital Omnibus is not limited to updating the AI Act: it also touches on cyber security, digital identity, and privacy. Among the proposals are a single EU portal for reporting cyber security incidents and data breaches, and the development of a corporate digital wallet toward a more integrated “single identity”.
On the GDPR front, the issue of cookie banners and a possible reduction of their intrusiveness remains highly debated. Wired Italia frames it explicitly in the debate between simplification and risk of deregulation, highlighting how delicate it is to intervene on consent and tracking. But for companies the “banner” is never the only element: what matters is the complete chain of collection, preference management, and proof of consent.

The Digital Omnibus aims to make compliance more realistic for companies, especially at a time when AI enters daily processes and intertwines with data, security, and responsibility. The debate remains open on where useful simplification ends and where a derogation that weakens protections begins: balance, here, is the substance.
While awaiting the next steps in the process, the most robust approach is not chasing individual news items, but building organizational habits that always remain valid: clarity on where AI is used, traceability of content and the data that feed its processes, explicit responsibilities for approvals and controls. It’s work that reduces surprises and makes it easier to demonstrate “what was done” when needed.
Beyond compliance, it’s also important to monitor how AI is redesigning the relationship between brand and users. Protocols and agents are becoming a new level of intermediation: those who manage to keep their content and product information structured, consistent, and easily readable by these systems will have a concrete advantage in terms of visibility and conversion.
In this scenario, data consistency is increasingly a condition for not being penalized in the search and recommendation logic that these systems adopt. It’s the type of work that platforms like THRON, designed to integrate asset management and product information in a single environment, allow you to address without multiplying tools and complexity.

What is the Digital Omnibus?
It is a package of EU proposals that aims to make the digital regulatory framework more coherent and simplified, addressing topics that include artificial intelligence, GDPR and security.
What does the Digital Omnibus propose in relation to the AI Act?
It introduces or discusses updates that mainly impact timelines and compliance methods for companies, with attention to governance and coordination with other regulations.
What changes for companies and “high-risk systems” regarding Artificial Intelligence?
Among the points discussed is an extension (up to 16 months) for compliance of high-risk systems, with growing attention to the ability to demonstrate controls, responsibilities, and documentation.
What does the Digital Omnibus mean for companies and SMEs?
The introduction of an intermediate category (SMCs) is mentioned, along with the extension of some simplifications provided for SMEs, with the aim of making obligations more proportionate.
When will the Digital Omnibus come into force?
The AI Act sets the entry into force of transparency obligations (watermarking) on August 2, 2026, with high-risk system requirements on the same date. If approved, the Digital Omnibus would introduce extensions: 6 additional months for watermarking (February 2027) and up to 16 months for high-risk systems (December 2027). In the meantime, it makes sense to prepare with internal processes and responsibilities that remain valid even in case of regulatory adjustments.
How to prepare for the compliance required by the Digital Omnibus?
Regardless of final timelines, it makes sense to ensure that digital assets and product information are managed in a structured, consistent, and traceable manner. Platforms like THRON, which integrate DAM and PIM in a single environment, allow you to maintain control over what is published, where, and with which approvals.