⚠ NCSC: Week 18: Parcel phishing with a devious twist – The "double phishing" scam 🔴 CVE: CVE-2026-40393 (CVSS 8.1) — In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can o… 📰 New article: The CISO Game in Chiasso: What a Simulated Cyber Crisis Teaches That No Presentation Ever Could ⚠ NCSC: Week 18: Parcel phishing with a devious twist – The "double phishing" scam 🔴 CVE: CVE-2026-40393 (CVSS 8.1) — In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can o… 📰 New article: The CISO Game in Chiasso: What a Simulated Cyber Crisis Teaches That No Presentation Ever Could
← Back to articles
Regulation 23 March 2026 10 min read

The EU Digital Omnibus: What Swiss Organisations Must Understand Now

A proposed delay of AI Act high-risk obligations to December 2027 and significant GDPR amendments.

MS

Marco Scarito

23 March 2026

10 min read

On 19 November 2025, the European Commission published what it described as a regulatory simplification package for the EU's digital framework. The Digital Omnibus — comprising two separate legislative proposals, one targeting the AI Act and one covering the GDPR and related instruments — represents the Commission's most significant intervention in EU digital regulation since the GDPR entered into force in 2018. For Swiss organisations operating in or with the EU market, the proposals create both short-term uncertainty and medium-term strategic opportunity.

AI Act: High-Risk Obligations Delayed — But Not Removed

The most operationally significant proposal for technology and compliance teams is the proposed delay of EU AI Act obligations for high-risk AI systems. Under current law, these requirements — covering Annex III use cases including credit scoring, biometric identification, employment screening, and critical infrastructure management — are due to apply from 2 August 2026. The Digital Omnibus proposes extending this deadline by up to 16 months, to a maximum of 2 December 2027.

The delay does not reduce compliance obligations — it shifts the timeline. Organisations that treat it as an invitation to pause their AI governance work will find themselves facing a compressed compliance sprint in 2027.

GDPR: The Most Controversial Amendments

The GDPR proposals are generating significant controversy, with the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issuing a Joint Opinion on 11 February 2026 that strongly opposes several of the Commission's proposed changes.

◆ Key Takeaway

The Digital Omnibus does not reduce the compliance obligation — it restructures it. Swiss organisations with EU exposure should treat the proposed changes as an opportunity to modernise their compliance architecture: unifying AI governance, data protection, and incident reporting into a single, auditable framework rather than managing them as separate workstreams.

  • Do not pause AI Act compliance work on the assumption the delay will be adopted. If the AI Omnibus is not enacted before 2 August 2026, current obligations apply on that date. Build compliance programmes to the August 2026 deadline and treat any extension as a bonus.
  • Revisit your breach notification procedures in light of the proposed threshold change and deadline extension — but do not implement changes until the final text is confirmed. Prepare two versions: one for current law, one for the proposed amendments.
  • Map your DORA and GDPR reporting obligations now, so you can integrate the ENISA single entry point cleanly once adopted.
  • Monitor the trilogue process closely — the Parliament is expected to take a materially different position from the Commission on several GDPR amendments.
  • Engage your DPO and legal counsel to assess whether the proposed GDPR changes — particularly the raised breach notification threshold — would alter any current reporting obligations or documentation requirements in your organisation.