The EU has introduced a new Digital Omnibus Bill designed to streamline data protection, cybersecurity and AI regulation. How can organisations ensure their own compliance strategies are adaptable and joined-up to remain resilient as digital regulation evolves?
By Kate O’Flaherty
Navigating the multitude of digital laws across numerous jurisdictions is a minefield for most organisations. And the ongoing struggle to comply with them all individually makes little sense, when so many of the regulations’ requirements overlap.
It is with this in mind that the EU has proposed a Digital Omnibus Bill designed to streamline and align data protection, cybersecurity and AI regulation.
First announced in November 2025, the Bill is currently under consultation and targeted for implementation in early 2027. It is expected to deliver up to 5 billion euros in savings by 2029.
As digital regulation covering data protection, cybersecurity and AI converges, it is reshaping expectations around governance, accountability and risk management. Organisations now need adaptable and joined-up compliance strategies to remain resilient as digital regulation evolves.
Perfect Moment for a Bill
The Bill has arrived at the perfect moment. Over time, the accumulation of new rules on digital security, data integrity and privacy has increased complexity and driven up compliance costs for organisations operating in the EU, says Ben Lipczynski, director of security services at Origina.
Regulations such as the EU General Data Protection Regulation (GDPR), the NIS2 Directive on network and information security, the Cyber Resilience Act (CRA) and the EU AI Act were each introduced with clear objectives.
Yet their overlap has “created unnecessary administrative burden and reduced competitiveness”, says Lipczynski. With the proposed Digital Omnibus Bill, the EU has recognised that “fragmented and duplicative digital regulation” is undermining the effectiveness of the single market, he tells IO.
The Digital Omnibus is not just another law. It should be seen as the EU admitting that the old model of treating multiple regulations as separate silos no longer works, says Tracey Hannan-Jones, consulting director, information security and GRC and group DPO at UBDS Digital. “It is the EU’s first attempt to partially unify the digital rulebook, with optimisation across data, AI and cyber, by amending existing instruments — rather than layering new ones on top.”
In reality, this means it is “a horizontal clean-up”. It amends the GDPR, NIS2, the EU AI Act, the Data Governance Act and others through “one coordinated package”, Hannan-Jones explains.
Law Overlaps
Current digital laws overlap across multiple areas. For example, NIS2, the Cyber Resilience Act and the EU AI Act overlap in relation to incident reporting and resilience requirements. These overlaps are expected to be addressed through the proposed Single-Entry Point, which aims to simplify and consolidate reporting obligations across frameworks, says Origina’s Lipczynski.
This will be a major shift away from often siloed regulatory frameworks, which can result in “increased complexity and competing requirements”, says Lipczynski. Currently, when reporting cyber incidents, organisations may be required to report to multiple independent agencies — each prioritising different datasets within the incident report. “This can create significant administrative burden at a critical time.”
Similarly, tracking and responding to changes across numerous regulations — often communicated through independent and dispersed channels — adds further complexity. “This fragmentation makes it harder to align response plans and governance structures, increasing both compliance effort and operational risk,” says Lipczynski.
Alignment could allow organisations to streamline and standardise their compliance frameworks and realise operational efficiencies — and therefore savings, says Lipczynski. “Resource can then be directed to efforts which may further develop the capabilities and competitiveness of the business.”
However, organisations should note that while regulatory convergence creates opportunities, it may also create some challenges, says David Dumont, partner, Hunton Andrews Kurth. “A harmonised and clear set of digital rules may require organisations to adopt a more comprehensive and consistent approach to their data practices and related obligations, leaving less room to hide behind the complexities and inconsistencies of the current patchwork of regulations.”
Joined-up Digital Risk Governance in Practice
The Digital Omnibus Bill is a clear sign that companies need to shake up siloed approaches to data protection, cybersecurity and AI compliance.
Firms should strive for “joined-up” digital risk governance, which means that “internal multidisciplinary stakeholders must work together and speak the same language”, says Hunton Andrews Kurth’s Dumont.
To achieve this, privacy, legal and compliance teams should try to translate legal requirements into technical terms. “This will help IT and data governance teams to identify relevant existing measures within the organisation and fully leverage them for compliance with the framework of new digital laws,” he advises.
In practice, joined-up digital risk governance means establishing a single governance layer through which all sensitive data communications — whether email, file sharing, managed file transfer, or web forms — are routed, monitored, and controlled under one consistent set of policies, says Dario Perfettibile, general manager, EMEA GTM and customer operations at Kiteworks. “It means that the same encryption standards, access controls, and audit logs that satisfy GDPR’s data protection requirements also serve as evidence for NIS2 incident reporting and Cyber Resilience Act vulnerability management.”
It also means that when an employee shares data with a third-party AI vendor, the exchange is automatically governed by the same controls that protect patient records or financial transactions. “You’ll need a complete chain of custody visible to auditors across every applicable framework,” adds Perfettibile.
Future-Proof Compliance
With the Digital Omnibus Bill targeted for early 2027, it makes sense to start future-proofing your compliance strategy now. Aligning with governance frameworks and ISO standards such as ISO/IEC 27001 (information security), ISO/IEC 42001 (AI management) and ISO/IEC 27701 (privacy information management) is crucial for navigating the changes.
To ensure joined-up compliance going forward, UBDS Digital’s Hannan-Jones advises firms to consolidate their governance bodies. As part of this, she suggests the creation of a single digital risk committee to own data protection strategy (GDPR), cybersecurity posture (NIS2/CRA), AI governance (AI Act) and product compliance (CRA/sectoral rules).
At the same time, if you’re operating across multiple jurisdictions, the strategic move is to look at all laws and frameworks and map the overlap, not just the obligations, says Hannan-Jones.
She advises building a matrix that shows where regulations such as the GDPR, NIS2 and the AI Act each require risk assessments, governance roles, technical and organisational measures, incident reporting, and documentation and record-keeping. “Then design shared processes where the overlaps are strongest.”
Organisations can standardise their assessments and documentation by developing one core risk assessment methodology with modules for privacy, AI, and security. “Ensure that unified baselines are captured including access control, logging and monitoring, testing and encryption,” she adds.
As digital regulations converge, this should tie back to a unified incident response programme that classifies breaches across privacy, security and AI. “And, where appropriate, automatically map them to the relevant legal reporting duties and timelines,” says Hannan-Jones. “This will enable you to create one evidence trail that can be reused for multiple regulators.”