May 12, 2026

EU Digital Omnibus: Opportunities and Risks from Regulatory Convergence

Published in November 2025, the EU Digital Omnibus Bill is a proposed regulation that aims to simplify and consolidate existing EU digital legislation across AI, data, privacy and cybersecurity, reducing overlapping controls and reporting obligations. The European Commission (EC) anticipates that the simplified rules could save businesses up to €5 billion in administrative costs by 2029.

A public consultation on the proposals closed in February 2026, with the legislative process expected to conclude by early 2027.

Among the bill’s most significant changes are targeted adjustments to GDPR and the AI Act, as well as a streamlined approach to cybersecurity incident reporting.

The changes to the GDPR rules address concerns, raised particularly by small and medium businesses, about the definition of personal data, breach notification and cookie consent. The changes to the AI Act focus on high-risk AI requirements and general obligations, and simplify the application of the rules on processing data for AI training and development, among other measures.

Single reporting

With regards to cybersecurity, the bill aims to establish a single reporting mechanism to consolidate incident reporting obligations across the various EU digital regulations. The European Network and Information Security Agency (ENISA) will be responsible for defining a single entry-point platform for cyber incident reporting.

Through this system, rather than filing separate notifications under GDPR, NIS2, DORA and other regulatory frameworks, organisations would respond to the different legal requirements through a single platform, leading to optimised workflows and better use of resources.

So far, EU digital regulation has been managed in silos, treating data protection and privacy, cybersecurity and AI compliance as separate pillars, each with its own obligations and reporting requirements. In practice, this creates complexity and inefficiencies such as:

  • Fragmented incident reporting: A single event can trigger simultaneous communications to different entities at different times, which are then managed by different teams or business units with no shared context or coordination. For example, NIS2 requires cyber incident notifications to national Computer Security Incident Response Teams (CSIRTs) within 24 hours; GDPR mandates personal data breach notification to regulators within 72 hours, while the AI Act calls for serious-incident reporting within 15 days. Different report formats can also produce inconsistent or incomplete pictures of the same incident.
  • Contradictory communications: When different teams report independently, there is a risk of conflicting or partial findings reaching regulators. This lack of harmonisation can lead to different perceptions of the organisation’s cybersecurity posture and resilience, increasing the risk of non-compliance.
  • Unclear ownership: Fragmentation makes ownership and accountability difficult to assign, particularly at the top management and board levels. In a crisis, it becomes unclear who is responsible for making decisions and coordinating the response.
  • Cross-border complexity: Differing timeframes, formats and regulatory regimes across jurisdictions create additional compliance risk, particularly for organisations operating across multiple EU member states or with third-party supply chain dependencies.
  • Increased audit burdens: Audit demands can also increase because the overlapping frameworks generate multiple duplicative requests and a higher administrative workload.

An integrated governance approach – with unified registers, frameworks, controls and clear accountability at the senior and board level – can help reduce this complexity and better manage overlaps across different regulations. As a result, the level of cyber resilience of a company can be better understood, managed and improved.

“Joined-up” digital risk governance means a single framework and operating model for risk evaluation and management, evidence, and reporting across privacy, cyber, and AI:

  • One single, live incident entry-point and platform which maps all the reporting requirements (e.g. NIS2, GDPR, the AI Act)
  • A single control framework integrating standards such as ISO 27001, ISO 42001 and the NIST CSF, and harmonising reporting templates
  • A unified EU portal for cyber incidents
  • A clear and comprehensive RACI matrix with the related processes and business assets, including third-party involvement and risk management.

An important aspect to consider relates to multi-jurisdictional organisations. While the regulatory convergence proposed by the EU Digital Omnibus can create opportunities – through reduced duplication of audits, cross-agency collaboration and greater consistency across global platforms – it also poses risks. For example, in a new, unified system, a single notification could simultaneously trigger enforcement action from several agencies, increasing operational risk for companies.

Governance best practices

Organisations should start to think about how to evolve their governance approach in response to the new EU Digital requirements. Some practical steps include:

  • A review of their current organisation and operating model for managing privacy, cybersecurity and AI regulations. The review should focus on roles and responsibilities, process integration and harmonisation, collaboration and reporting standardisation
  • Understanding the overlaps between the various digital regulations (e.g. NIS2 and DORA) and considering an overall management framework
  • An evaluation of the company's ability to respond efficiently and effectively to a crisis through resilience simulations, covering all privacy, cybersecurity and AI aspects and analysing possible gaps in integrated governance, unified reporting and third-party risk management
  • An overall evaluation of digital risk, as a function of business impact and threat likelihood, including the critical scenarios of a data privacy breach, a cybersecurity event and an AI incident
  • A clear plan of short- and medium-term initiatives (with the related investments) to mitigate digital risk, aligned with the new bill.

* This report was first published in Mealey's Litigation Report: Artificial Intelligence.
