
May 8, 2026: EU Data Governance and Infrastructure Update

Subscotia Data Governance

The European regulatory landscape for data privacy, cybersecurity, and digital infrastructure has introduced critical compliance requirements as of May 2026. This update details the operational impacts of the AI Omnibus, the Cyber Resilience Act, and the Digital Networks Act for data governance professionals.
GDPR Enforcement and the AI Omnibus
EU legislators have finalised a political agreement on the AI Omnibus, amending the EU AI Act. The agreement expands the authorisation to process sensitive personal data, such as ethnicity or race, for bias detection and correction across all AI systems, subject to strict safeguards. Additionally, a late-stage provision introduces a comprehensive ban on AI systems designed to generate non-consensual sexualised deepfakes.
Concurrently, the European Data Protection Board (EDPB) is executing the active audit phase of its 2026 Coordinated Enforcement Framework (CEF). The Dutch Autoriteit Persoonsgegevens (AP) and 24 other national authorities are utilising standardised questionnaires to audit compliance with the transparency obligations under Articles 12, 13, and 14 of the GDPR. Regulators are assessing both the completeness of privacy notices and their comprehensibility, with a specific focus on the disclosure of Automated Decision-Making (ADM) and AI logic. Organisations must ensure that the explanation of data pipelines feeding into AI models is clear to end users.
Legislative friction remains regarding the broader Digital Omnibus proposal. This draft contains measures that would narrow the definition of personal data and explicitly recognise AI training data ingestion as a legitimate interest, raising concerns about deviations from established CJEU case law.
Cybersecurity Policy: CSA2.0 and CRA Deadlines
The proposed Cybersecurity Act 2.0 (CSA2.0) is advancing a revised supply chain framework. The European Commission is seeking the authority to designate specific third-country vendors as high-risk. For essential and important entities governed by NIS2, the use of components from these designated vendors will trigger a mandatory phase-out period of 36 months.
CSA2.0 also introduces posture certification. Organisations will have the capability to certify their overall cybersecurity maturity and readiness. Achieving this certification grants a presumption of conformity with NIS2, streamlining cross-border compliance audits.
Product security teams face an imminent deadline under the Cyber Resilience Act (CRA). Mandatory reporting of actively exploited vulnerabilities commences on September 11, 2026. Manufacturers are required to submit a preliminary early warning within 24 hours of discovery, followed by a full notification within 72 hours, utilising the ENISA Single Reporting Platform.
Infrastructure Digitalisation and the DNA
The Digital Networks Act (DNA) is standardising the telecommunications and cloud infrastructure market by merging four legacy acts into a single, directly applicable Regulation. A primary feature is the Single Passport Authorisation. This mechanism allows operators, including satellite and cloud service providers, to file a notification in one Member State, such as the Netherlands, and gain authorisation to operate across all 27 Member States.
The DNA mandates the creation of National Transition Plans to manage the decommissioning of legacy copper networks. Member States must facilitate the transition to full fibre and 5G/6G infrastructure ahead of a hard 2035 deadline.
To secure this modernising infrastructure, targeted amendments to NIS2 have expanded the directive’s scope. Submarine infrastructure operators, digital wallet providers, and dual-use infrastructure operators are now classified as essential entities, regardless of their organisational size.
Operational Actions for Data and IT Professionals
Privacy Documentation: Reconcile your Record of Processing Activities (ROPA) with public privacy notices to ensure all AI-driven logic and data retention schedules meet the 2026 CEF transparency standards.
Incident Response Testing: Verify that internal computer security incident response teams (CSIRTs) are capable of meeting the CRA 24-hour early warning window prior to the September deadline.
Supply Chain Audits: Map existing hardware and software dependencies to identify potential exposure to high-risk third-country vendors subject to upcoming CSA2.0 phase-out mandates.
Network Expansion: Evaluate internal infrastructure scaling strategies to leverage the DNA Single Passport system for reduced administrative overhead in cross-border deployments.

More to come…
Drew Campbell
