EU DIGITAL LAW: Will there be an extension of the deadline for the implementation of the AI Act, the Data Act, and the Cyber Resilience Act (Digital Omnibus)?
Update Data Protection No. 219
The large number of new European digital regulations, from the AI Act to the Data Act and the Cyber Resilience Act, presents companies with considerable organizational and legal challenges. Numerous obligations take effect at different times, overlap in terms of content and lead to considerable implementation effort in practice. Against this backdrop, the European Commission is currently examining how the existing regulations can be simplified and better coordinated. The focus here is on the idea of a "digital omnibus", which is intended to harmonize deadlines, reduce duplicate requirements and make the application of European digital law more practicable for business and administration. The consultation, which is open until October 14, now forms the basis for further political decisions. The following article provides an overview of the current status of the discussion and the potential impact on companies.
I. Status quo
Many of the most important regulations are already in force and partially applicable, but their obligations vary considerably in terms of scope, depth and timing. Here is an excerpt:
The AI Regulation, for example, has been in force since August 2024 and forms the uniform Europe-wide legal framework for the safe and trustworthy use of artificial intelligence. The obligations follow a risk-based approach and are staggered: While obligations to ensure general AI competence in accordance with Art. 4 must already be implemented (we reported), the transparency requirements in accordance with Art. 50 (we reported) and the comprehensive obligations for high-risk AI systems will not take effect until August 2026.
The Data Act has been applicable since September 12, 2025 (we reported in Data Protection Updates No. 214, No. 200, No. 148). The regulation governs access to and use of data generated by networked products and connected services and obliges, among other things, manufacturers and data owners to provide product and service data under fair, reasonable and non-discriminatory conditions. Central technical requirements, for example for the automated provision of data via interfaces (Art. 3 Data Act), will not become mandatory until September 2026.
The Cyber Resilience Act (CRA) sets out binding cyber security requirements for products with digital elements and obliges manufacturers, importers and retailers to ensure IT security throughout the entire product life cycle (we reported). Application is planned from the end of 2027, so the focus is currently on technical and organizational preparation. Core obligations include "security by design", regular security updates, vulnerability management and the creation of technical documentation and EU declarations of conformity.
The NIS 2 Directive is already in force at European level; national implementation in Germany will take place through the amended BSI Act (BSIG-E, we reported), which is currently in the legislative process (we reported). Compared with the NIS 1 Directive, the directive significantly expands the group of affected organizations and introduces comprehensive obligations for risk management, security incident reporting and supply chain security. In future, management boards will be explicitly made responsible: they must approve and monitor cyber security measures and undergo regular training on them.
The DORA regulation has been applicable since January 2025 and obliges financial companies and their critical IT service providers to manage ICT risks in a uniform manner (we reported). The legal framework applies directly and includes obligations to establish robust ICT risk management, to report serious incidents and to carry out regular resilience tests. The direct supervision of European financial supervisory authorities over critical ICT service providers such as cloud services is particularly far-reaching.
The Accessibility Reinforcement Act, which implements the European Accessibility Act, has been mandatory since June 28, 2025 (we reported). It obliges manufacturers, importers, retailers and service providers to design their digital products and services to be accessible and to label them in accordance with harmonized European standards. An exception applies to micro-enterprises in the service sector, while manufacturers of products are fully obliged, regardless of their size.
II. Upcoming implementation phases
Even though most of the European digital legal acts have already been adopted and are partially applicable, many of their core obligations will only take effect in the coming years. Numerous provisions provide for staggered transition periods to allow for technical standardization, the establishment of supervisory structures, and the development of practical guidelines. This is particularly evident in the AI Regulation, whose far-reaching requirements for high-risk systems and the transparency requirements under Article 50 will only become binding in August 2026. Even in the Data Act, which has been in force since September 2025, further key access and interface obligations under Article 3 will only come into effect a year later.
Other legal acts are also still in the transition phase. The amended BSI Act to implement the NIS 2 Directive is expected to apply in 2026. In addition, the eIDAS 2.0 Regulation and the European Digital Identity Wallet will add another central component of EU digital law by 2026 (we reported). The regulation requires member states to provide a standardized digital identity infrastructure across Europe and obliges companies in regulated sectors to accept the wallet as a means of identification.
This heralds a phase of intensive implementation over the next one to two years, in which the previously separate sets of rules will merge in practice and form a largely harmonized European digital legal framework.
III. Omnibus procedure of the Commission
Against the backdrop of a weak economy, high financing costs and a persistent shortage of skilled workers, the European Commission is currently examining the possibility of using a so-called "digital omnibus" to extend the deadlines for those parts of the central digital regulations that are not yet applicable and, at the same time, to eliminate overlaps between individual regulatory areas. The aim is to reduce the number of complex obligations that will take effect in parallel in the coming years and to create legal coherence between existing acts such as the AI Act, the Cyber Resilience Act, the Data Act, the NIS 2 Directive, the eIDAS 2.0 Regulation and accompanying data protection regulations. The intention is not to lower material protection goals, but to introduce a "stop-the-clock" regulation for individual obligations, to harmonize divergent transition periods and to provide more precise clarifications where overlaps and double burdens have built up. In particular, extended transitional periods for the high-risk obligations in the AI Regulation are being discussed with the argument that essential standards and test bases are only available with a delay. Additional buffers for the implementation of the CRA under product law are also being discussed in order to avoid parallel regulatory introduction waves and to dovetail supply chain compliance in an orderly manner.
The initiative is based on a consultation opened by the Commission, which ran until October 14, 2025 and served to collect research results and best practices for simplifying European digital legislation. A total of 419 responses were received, 37% of which came from trade associations and 25% from companies. The feedback shows a clear sentiment: industry, technology and financial companies are emphatically calling for "standards before obligations", i.e. linking the application deadlines to the actual availability of harmonized standards in order to ensure predictability and investment security. Several statements, including from the BDI, ZVEI, Siemens, IBM, DATEV and the American Chamber of Commerce to the EU, are in favor of extending the implementation deadlines in the AI Act by at least 24 months, i.e. until August 2028 or 2029. At the same time, a postponement of two to three years is also being called for with regard to the CRA, as downstream technical standards and guidelines are still lacking and the simultaneous implementation of various digital acts would overstretch the capacities of many companies.
In addition to the call for a delay, the consultation also calls for administrative and procedural simplifications. These include the consolidation of notification and reporting obligations across legal acts, the standardization of thresholds and reporting procedures as well as the possibility of recording incidents via a central European reporting channel in future. Mutual recognition of reports between national authorities and regimes such as NIS-2, DORA or the GDPR is also suggested in order to avoid double reporting. For data protection and communication law, the reduction of excessive consent dialogs ("consent fatigue") is on the agenda, with the aim of creating clear, technology-neutral requirements that are based on the system of the GDPR.
The planned Digital Omnibus is also intended to promote a more uniform implementation of the EUDI Wallet Regulation. In future, this is to be more closely interlinked with existing data and security regulations in order to avoid multiple certifications and redundant security checks. Here, too, the Commission is aiming to ease the burden and harmonize, not to relax the content.
Regardless of this debate, it should be noted that the omnibus procedure, should it be adopted at the end of 2025 as planned, will postpone, but not abolish, obligations. Even within a stretched timetable, each legal act remains binding in itself; a group-wide general exemption is not envisaged. The benchmark remains consistent, coherent enforcement across the EU, which maintains a balance between the protection of fundamental rights, cybersecurity, innovation and competitiveness. Although this gives companies time for technical and organizational implementation, the material requirements will still have to be complied with as soon as the respective application deadlines are reached.
IV. Scope for action and recommended implementation steps
Even if the planned omnibus procedure could provide some relief in the short term, the direction of European digital policy remains unchanged. The requirements will not be lifted, but merely extended in time. For companies, the question is therefore not so much whether, but when and to what extent the respective obligations will apply. In a phase in which numerous deadlines and implementing acts are still in flux, it is advisable to adopt a step-by-step, resource-saving approach with a clear prioritization of the requirements that already apply today or are highly likely to become applicable in the near future.
A compliance approach that is limited in terms of content and maps the essential elements of a legally compliant basic structure without tying up unnecessary resources makes sense at present. The aim is to establish those procedures and documentation that are already subject to existing auditing obligations and at the same time serve as a foundation for future requirements. These include, in particular, current obligations from the GDPR, the transparency and governance requirements of the AI Regulation as well as evidence of IT and product security, which will later become mandatory under the CRA. These building blocks can be designed in such a way that they can both withstand an official audit and be expanded in the future without structural disruption.
The trick is to do as little as possible but as much as necessary. Those who set up central processes such as risk management, documentation, training and assignment of responsibilities in a consistent and auditable manner today already meet a significant proportion of the requirements that will arise from the digital acts in the coming years. Such a basis allows new requirements to be added on a modular basis as soon as they become binding, thus avoiding expensive conversions or duplication of work.
Our consulting practice is currently focused on implementing this content-limited compliance structure in a legally compliant and future-proof manner for our clients. The consulting packages we have developed bundle the currently relevant requirements from data protection, AI, IT security and data law and also take into account the content of the outstanding implementing acts.
In times of unclear deadlines and still open guidelines, this is a popular but also pragmatic way to achieve the greatest possible degree of legal certainty with the minimum amount of effort. Nevertheless, this should always be only a first step in order to create sufficient leeway for the complete implementation of the new legal requirements.
V. Consequences of non-compliance
Similar to the GDPR, the European digital regulations provide for fines, some of which are considerable. Depending on the legal act, infringements can be penalized with fines of up to several million euros or a significant percentage of annual global turnover. For example, a fine of up to EUR 35 million is possible for the use of prohibited AI systems.
Nevertheless, it is unlikely that sanctions will be imposed across the board in practice. Many supervisory authorities are still in the process of setting up the relevant departments or have yet to precisely delineate their responsibilities. As long as central implementing acts, technical standards and reporting platforms are still being developed, the initial focus is likely to be on advice and supervision through guidelines. In a second step, however, much more consistent enforcement can be expected as soon as staff, procedures and IT systems have been established at the authorities.
In practical terms, the most serious consequences are currently those on the market. Large clients, especially (listed) corporations and the public sector, are already demanding robust proof of compliance (e.g. on InfoSec risk management, AI governance, GDPR implementation or accessible digital offerings). Our current experience is that those who cannot provide this evidence will increasingly be unable to succeed in tendering procedures and pitches.
The consequences are just as clear in the transaction environment. Financial investors and strategic buyers now check digital compliance as standard as part of due diligence and provide comprehensive guarantees. If gaps are identified, purchase prices are adjusted or earn-outs are tightened. If a sale is made despite outstanding issues, buyers often demand indemnities in the purchase agreement for pre-contractual compliance violations and thus for subsequently imposed fines, with the result that a significant portion of the purchase price may subsequently flow away again. In borderline cases, the buyer backs out or postpones the process until viable digital compliance has been established.
VI. Conclusion
It was only reported this morning that Digital Minister Karsten Wildberger (CDU) will be in Brussels today to discuss the above digital omnibus with the EU Commission. The initial focus is likely to be on the AI Act, Data Act and Cyber Resilience Act. The good news is therefore that there is currently a good chance that the implementation deadlines will be extended (probably by one or two years). However, there is no discussion of withdrawing the new EU digital requirements. Companies should therefore not sit back and wait and see, but should use the possible extension of the deadline to take a compliance approach that is initially limited in terms of content. We at HEUKING have prepared ourselves for this and will be happy to show you how you can already achieve a high level of compliance with reduced effort.
This article was created in collaboration with our student employee Emily Bernklau.