⚠ NCSC: Week 18: Parcel phishing with a devious twist – The "double phishing" scam 🔴 CVE: CVE-2026-40393 (CVSS 8.1) — In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can o… 📰 New article: The CISO Game in Chiasso: What a Simulated Cyber Crisis Teaches That No Presentation Ever Could ⚠ NCSC: Week 18: Parcel phishing with a devious twist – The "double phishing" scam 🔴 CVE: CVE-2026-40393 (CVSS 8.1) — In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can o… 📰 New article: The CISO Game in Chiasso: What a Simulated Cyber Crisis Teaches That No Presentation Ever Could
← Back to articles
Regulation 23 March 2026 10 min read

Digital Omnibus Enters Trilogue: What Swiss Compliance Teams Must Do Before the Final Text Lands

The EU Digital Fitness Check consultation closed on 11 March. Trilogue negotiations are expected to begin in spring 2026. Swiss organisations that wait for the final text before acting are making a strategic mistake.

MS

Marco Scarito

23 March 2026

10 min read

The European Commission published its Digital Omnibus package on 19 November 2025. Since then, the legislative process has moved steadily forward: the Digital Fitness Check consultation closed on 11 March 2026, the IMCO and LIBE parliamentary committees voted on 18 March, and trilogue negotiations between the Commission, Parliament, and Council are now expected to begin in spring 2026. Final adoption is anticipated by mid-2026 — though that timeline is under significant pressure from the August 2026 AI Act deadline. For Swiss organisations with EU market exposure, the Omnibus is not a future consideration. It is an active legislative development that is reshaping the compliance landscape in real time.

What the Omnibus Proposes — and What Has Already Changed

At its core, the Digital Omnibus is a regulatory simplification exercise — but simplification in this context means structural changes to existing obligations, not the removal of compliance requirements. The package touches five major legislative instruments: the GDPR, the EU AI Act, NIS2, DORA, and the Data Act. The headline measures that are most relevant to Swiss organisations operating in or with the EU are as follows.

AI Act: Conditional Delay to December 2027 — but August 2026 Still Applies Until Adopted

The AI Act's obligations for high-risk AI systems — covering use cases including credit scoring, biometric identification, employment screening, and critical infrastructure management — were originally due to apply from 2 August 2026. The Omnibus proposes a conditional extension: once the European Commission confirms that sufficient compliance support (primarily harmonised standards from CEN-CENELEC) is available, organisations will have six months to comply (for Annex III systems) or twelve months (for Annex I systems). The hard backstop is 2 December 2027, regardless of when standards are confirmed.

The critical legal point that every Swiss compliance officer must internalise: the August 2026 deadline remains the law today. The Omnibus is a proposal. If trilogue negotiations run long and the text is not formally adopted before 2 August 2026, the original obligations apply by default. Parliament co-rapporteurs, in their March draft report, have proposed making December 2027 the fixed deadline rather than a conditional backstop — removing the ambiguity. But that position still needs to survive trilogue. Political groups within the Parliament are divided: the EPP and Renew broadly support the proposal, while the S&D and Greens have raised concerns about both substance and geopolitical optics, increasing the risk of extended negotiations.

GDPR: Four Structural Changes with Direct Compliance Impact

The Omnibus proposes significant amendments to the GDPR that have generated controversy within the European Data Protection Board and European Data Protection Supervisor, who issued a Joint Opinion in February 2026 opposing several of the Commission's proposals.

The most consequential proposals are: first, a clarification of the personal data definition, particularly for pseudonymised data — potentially narrowing GDPR scope in ways the EDPB argues contradict CJEU case law; second, an explicit legitimate interest basis for AI model training using personal data, with additional provisions for processing special category data for bias detection; third, a raised breach notification threshold requiring supervisory authority notification only for breaches likely to result in high risk of harm rather than any risk; and fourth, an extension of the notification deadline from 72 to 96 hours, combined with a single entry point for incident reporting across GDPR, NIS2, DORA, and eIDAS — operated by ENISA.

◆ Key Takeaway

The ENISA single reporting point for incidents is the most operationally significant GDPR change for Swiss organisations with EU operations. Mapping your current DORA and GDPR reporting obligations now — before the final text — allows you to design a reporting architecture that accommodates both current law and the proposed unified channel.

The Parliamentary Committee Vote: What Happened on 18 March

The IMCO and LIBE committee votes on 18 March marked the formal beginning of the Parliament's position-building process. Key proposed amendments from the co-rapporteurs include reinstating AI literacy obligations for providers and deployers — which the Commission had proposed removing — and pushing to set December 2027 as a definitive rather than conditional backstop for high-risk AI obligations. Several member states in the Council are also reportedly pushing to add new prohibited AI practices, including a ban on AI-generated non-consensual intimate imagery. These amendments increase the likelihood that the final text will differ meaningfully from the Commission's original proposal.

The Swiss Dimension: What Changes and What Stays the Same

Switzerland is not a member of the EU and is not directly subject to EU law. However, three dynamics make the Omnibus directly relevant to Swiss compliance strategy.

First, the Brussels effect: any Swiss organisation that processes personal data of EU residents, offers products or services to EU customers, or has subsidiaries or operations within the EU is already subject to GDPR and increasingly subject to AI Act obligations. The Omnibus amendments apply directly to those activities. Second, the nDSG alignment: Switzerland's revised Federal Act on Data Protection was modelled closely on the GDPR and Swiss adequacy status with the EU depends on maintaining regulatory convergence. GDPR amendments — particularly the proposed changes to the personal data definition and the legitimate interest basis for AI training — are likely to prompt corresponding discussions within Switzerland's own regulatory update cycle. Third, DORA: Swiss financial institutions with EU subsidiaries, EU-based counterparties, or EU-clearing relationships are already managing DORA obligations. The proposed single entry point for incident reporting under DORA and GDPR would materially simplify the reporting architecture for these institutions.

Concrete Actions for Swiss Compliance and Legal Teams — Now

  • Do not pause AI Act compliance work. Classify your AI systems against the Annex III and Annex I risk categories now, regardless of whether the Omnibus delay is adopted. If August 2026 applies as written, organisations that have not started classification have no credible path to compliance. The Omnibus, if adopted, buys time — it does not eliminate the work.
  • Prepare two breach notification procedures. One aligned to current law (72-hour window, 'any risk' threshold) and one aligned to the proposed amendments (96-hour window, 'high risk' threshold). Do not implement the amended version until the final text is confirmed, but have it ready.
  • Map your DORA and GDPR reporting channels. Identify every reporting obligation your organisation currently has under GDPR, NIS2, DORA, FINMA, and the Swiss ISA. Document the current processes, deadlines, and responsible owners. When the ENISA single entry point is adopted, you will be able to integrate it cleanly rather than rebuilding from scratch.
  • Monitor the trilogue process with legal counsel. The Parliament's March amendments and the Council's parallel position will determine the final text. The gap between the Commission's proposal and Parliament's amendments is already significant on several points. Organisations that track this process will have weeks of advance notice to prepare; those that wait for official adoption will have days.
  • Assess the personal data definition change against your data architecture. If the Omnibus narrows the scope of what constitutes personal data for pseudonymised datasets, you need to know in advance which of your processing activities may be affected — and whether your legal basis strategy will need to be revised.
  • Engage your DPO and board. The Omnibus is not a technical compliance matter. The proposed change to the AI training legitimate interest basis, the narrowing of the personal data definition, and the restructuring of incident reporting all have strategic governance implications. Boards should understand that the regulatory environment is actively shifting, not stabilising.

A Note on the Geopolitical Context

The Omnibus was explicitly shaped by the Draghi report's warning about European economic stagnation relative to the United States and China. The Commission's stated goal is to reduce administrative burdens by 25% for all businesses and 35% for SMEs by 2029. This framing — regulatory simplification as competitiveness strategy — is coming under pressure within the Parliament from groups that view some of the proposed changes, particularly on the personal data definition and AI training, as substantive deregulation rather than administrative simplification. The final text will reflect this political tension. Swiss organisations should plan for a range of outcomes rather than assuming the Commission's original proposal will survive trilogue intact.