DPO, AI Act, and Digital Omnibus: compliance strategies for 2026
The role of the DPO is changing following the gradual entry into force of the Digital Omnibus (DSA, DMA, Data Act) and the AI Act. These texts require organizations to move from traditional GDPR compliance to a global data and AI governance strategy. The DPO is becoming a strategic player that must guarantee algorithmic transparency, data interoperability and the classification of AI systems according to their level of risk. The challenge for 2026 is the integration of compliance by design to prevent sanctions and transform these regulatory challenges into competitive advantage.
The DPO at the heart of the regulatory revolution
In 2025, the European regulatory landscape is undergoing an unprecedented change. Between the gradual entry into force of Digital Omnibus (DSA, DMA, Data Act, Data Governance Act) and the imminent adoption ofAI Act, the DPO (Data Protection Delegates) are seeing their role evolve towards a dimension that is both more strategic and more complex.
This article explores the new responsibilities of the DPO, the concrete impacts on organizations, and the strategies to adopt to transform these challenges into opportunities.
The new missions imposed by the Digital Omnibus
The Digital Omnibus, a set of European regulations aimed at framing the digital economy, requires DPO to rethink their approach to compliance and data governance.
Impacts of the DSA, DMA, Data Act and Data Governance Act
For the DPO : It's no longer just about protecting data (RGPD), but to guarantee their accessibility, portability and fair use, while avoiding the risk of sanctions (up to 6% of the global turnover for DMA).
Practical case: The application of the Data Act
Scenario : An industrial company uses sensors IoT to optimize its production chain. The Data Act now requires sharing this data with subcontractors or end customers on request.
Role of the DPO :
- Map data flows and identify shareable data
- Negotiate contractual clauses to regulate sharing (rights of use, duration, security)
- Train technical teams in the anonymization and pseudonymization of sensitive data
Risk : Poor management exposes the company to sanctions and a loss of trust from partners.
AI Act: The DPO, architect of ethical AI compliance
THEAI Act, the first global legal framework onAI, classifies the systems ofAI in 4 risk levels (minimal, limited, high, unacceptable)
Key requirements of the AI Act and risk classification
Les DPO must now:
- Identify the systems ofAI used in their organism and their level of risk
- Documenting compliance processes (transparency, traceability, risk assessment)
- Collaborate with technical teams to audit algorithms (bias, discrimination, security)
example : A hospital using a medical diagnostic algorithm (AI at high risk) must:
- Register the system in a European database
- Guarantee the quality of training data (diversity, absence of bias)
- Provide a recourse mechanism for patients in case of error
Interface between legal and technical teams
Problem : The technical teams (Data scientists, engineers) and lawyers often speak different languages.
Solution :
- Create a committee AI Bringing together DPO, lawyers, Data scientists and jobs
- Use tools like AI registers or compliance checklists (Adequacy for example)
- Train technical teams to the challenges RGPD and AI Act
Objective : Integrate compliance by design (Privacy by design) and avoid correction costs a posteriori.
{{newsletter}}
Organizational disruptions: From compliance to data strategy
The DPO is no longer a simple “controller”: it is becoming a key player in strategy Data of the organism.
The DPO as a strategic data player
Concrete actions :
- Participate in management committees to align strategy Data on business goals
- Manage data valorization projects (e.g.: creation of Data Spaces sectoral)
- Anticipating the risks associated with new technologies (Blockchain, metaverse, AI generative)
example : A bank uses theAI to personalize its offers. The DPO must:
- Validate the legality of the treatment (consent, legitimate interest)
- Evaluate the risks of discrimination (e.g. exclusion of certain customer profiles)
- Communicate transparently on the use ofAI (obligation ofAI Act)
Integrated risk management (GDPR, AI Act, Digital Omnibus)
With the multiplication of regulations, the risks of non-compliance, cyber attacks, and reputation loss are increasing.
Recommendations :
- Implement an integrated risk management system RGPD, AI Act and Digital Omnibus
- Simulate crisis scenarios (e.g. data leak, complaint for algorithmic bias)
- Collaborate with RSSI (Information System Security Managers) for a global approach
Tools : Use risk mapping software and automated treatment records, such as the solution SaaS Adequacy.
2026 Perspectives: Future Challenges
The emergence of specialized DPOs
The role of DPO will specialize in:
- DPO sectoral (health, finance, energy) to master business challenges
- DPO IA to oversee artificial intelligence systems
- DPO international to manage the data transfers outside the EU
The challenge of digital sovereignty
With the Cloud Act American and extraterritorial laws, the DPO must:
- Assess the risks associated with data storage outside the EU
- Favour European solutions (e.g. hosting with OVH, Scaleway)
- Negotiate strict contractual terms with non-European service providers
The DPO, a pillar of responsible transformation
In the era of Digital Omnibus And of theAI Act, the DPO is no longer a simple guarantor of compliance: it is the architect of digital trust within organizations. His role is evolving towards a strategic dimension, where he must combine legal expertise, technical expertise and business vision.
To make this transition a success :
- Continuously learn about new regulations
- Collaborate with business lines and technical teams
- Anticipate the risks and opportunities associated withAI And at the Data
And you, how does your body prepare for these upheavals?
FAQ - DPO, AI Act, and Digital Omnibus
What is the main role of the DPO in the era of the AI Act and the Digital Omnibus?
The role of DPO evolves from a guarantor of compliance RGPD to a strategic player who must oversee the governance of all data and systems ofAI. It guarantees transparency and data portability (Data Act) and the absence of algorithmic bias (AI Act).
What are the main regulations grouped under the term “Digital Omnibus”?
The Digital Omnibus brings together several key texts that frame the digital economy: the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Act And the Data Governance Act, thus completing the RGPD and the future directive NIS 2.
What should the DPO do in the face of high-risk AI systems according to the AI Act?
The DPO must identify, classify, and document these systems. He must ensure that the organization registers them in the European database, guarantees the quality of training data and sets up traceability and supervision mechanisms.
How does Adequacy SaaS software help DPOs with these new requirements?
The solutions SaaS suchlike Adequacy allow the DPO to automate risk mapping, to maintain treatment records orAI update and integrate compliance By design. This facilitates collaboration with technical teams to meet the requirements of RGPD, of theAI Act And of Digital Omnibus.
{{newsletter}}
