Kingsley Napley LLP | Christopher Perrin, Andy Norris and Oliver Astbury

United Kingdom

At our recent Tech Briefing, ‘What Tech businesses need to know in 2026’, we explored how the EU’s Digital Omnibus package and the UK’s Employment Rights Act will reshape compliance for UK tech SMEs.

The Digital Omnibus: what’s changing?

From speaking with founders, CTOs and COOs across SaaS, cybersecurity and applied‑AI companies, the common theme is compliance fatigue: duplicated reporting, unclear risk thresholds, and different timelines across overlapping EU laws.

The Digital Omnibus package won’t remove obligations but aims to make them more manageable if you prepare early. Rather than deregulation, think of it as a simplification drive aimed at removing duplicated reporting, conflicting timelines and unclear thresholds for businesses.

Broadly, the proposals aim to reduce administrative burden by at least 25% overall and 35% specifically for SMEs, which could generate up to 5 billion euros in compliance savings by 2029.

In terms of timing, the proposals have now entered the EU’s ordinary legislative process, which involves discussion and negotiation by both the EU Parliament and the EU Council. The text will change, but the direction is clear.

In terms of AI specifically, time is tight. If the AI proposals are not agreed soon and in force before 2 August 2026, the AI Act’s original compliance requirements for high‑risk AI will apply for AI systems that are not subject to sectoral product regulation. The Digital Omnibus on AI seeks to postpone this deadline and implement other amendments to facilitate compliance for high-risk AI systems.

The package has two tracks:

  • Track 1 focuses on GDPR, cookies, cybersecurity and incident reporting.
  • Track 2 amends the EU AI Act, adjusting timelines, documentation, transparency and SME obligations.

Track 1: data, cookies, cybersecurity and incident reporting

  1. Personal data definition becomes more practical: pseudonymised data that cannot realistically be re-identified may fall outside GDPR for your business, reducing DPIAs and speeding up experimentation. The test is entity‑specific and based on whether that controller has “means reasonably likely to be used” to re‑identify, not a generic impossibility of re‑identification.
  2. Breach reporting shifts to high-risk focus: expect more realistic timelines, fewer filings and tools to curb abusive DSAR campaigns.
  3. Cookie reform: one-click refusal, a six-month pause after a user says no, and future browser-level consent controls. Cleaner UX, fewer intrusive banners.
  4. One EU reporting entry point: ENISA will manage a single submission covering GDPR, NIS2 and DORA, removing duplicated notifications.

Track 2: AI Act adjustments

  1. Timelines linked to standards: high-risk AI obligations begin only when technical standards are available, easing immediate pressure.
  2. SME reliefs: lighter documentation, simplified registration and easier access to sandboxes.
  3. Controlled use of special category data: very limited use of sensitive data will be allowed solely to detect and correct bias, with strict safeguards.
  4. Transparency duties will become sharper: this sits alongside the Act’s Article 50 obligations around AI‑generated and manipulated content, which are due to come into force in August this year, and a draft Code of Practice which has already been published to guide labelling, watermarking and detection approaches.

What SME founders should do now

  1. Map your data and AI use cases.
     • Maintain an internal AI register with model cards: what the system does, its data sources, risk level and owners.
     • For SaaS teams, include your analytics, experimentation platforms and support bots.
     • For cybersecurity teams, include detection models and automated decisioning.
  2. Prepare for August 2026 transparency and high‑risk obligations by building an evidence engine. This should include:
     • versioned documentation;
     • evaluation results;
     • decision logs; and
     • an incident reporting pathway.

     Design your deepfake and content‑labelling approach now so it’s deployable at scale.

  3. Update your incident‑response playbook to the single entry point.
     • Define who pushes the button, what gets reported, and how you articulate risk.
     • Build standard artefact packs: affected systems, categories of data, encryption status and mitigation actions.
  4. Refresh your consent experience.
     • Implement one‑click refusal, stop re‑prompting within six months and be ready to integrate browser‑level controls.
     • If analytics becomes exempt from consent, simplify banners but maintain clear transparency and an easy opt‑out.
  5. Revisit your legitimate‑interests assessments for AI development.
     • Document necessity, balancing tests, minimisation, retention and safeguards.
     • Favour strong pseudonymisation that decouples identity from experimentation.
  6. Finally, key ownership and accountability should be set. This should include:
     • appointing a senior owner for all AI governance, if you don’t already have one;
     • aligning legal and engineering teams on the artefacts required before releases; and
     • running internal drills to test that everyone knows what they are supposed to be doing and, crucially, what to do if things don’t go to plan.

Treat compliance as an operational capability that reduces friction over time.

If you act now, you can start to simplify your compliance stack, speed up your product delivery and be ready when the revised standards and enforcement arrive.

Employment Law Changes

A significant number of employment law reforms are coming into effect in 2026 and 2027 following the introduction of the Employment Rights Act 2025 at the end of last year. We set out below some of the key changes businesses should be aware of in the next 12 months.

April 2026

  1. The maximum potential protective award that may be made against employers for failing to collectively consult in redundancy situations involving 20 or more employees at a “single establishment” will double from 90 to 180 days’ pay per affected employee.
  2. Paternity leave and unpaid parental leave will become day‑one rights for employees, though the position on pay during such leave remains the same, with parental leave continuing to be unpaid, and paternity leave remaining subject to a requirement to have 26 weeks’ continuous service.
  3. The current “waiting period” for Statutory Sick Pay (SSP) is being removed and SSP will instead become payable from day one of sickness absence. The rate of SSP will be the lower of 80% of average weekly earnings or the applicable annual fixed rate of SSP.
  4. In respect of whistleblowing, sexual harassment will become one of the specific heads of wrongdoing about which a disclosure may be a protected disclosure for the purposes of whistleblowing legislation.

What employers should do now

Review and update, where necessary, your sickness absence, parental leave, paternity leave, whistleblowing and anti‑harassment policies. Check your reporting and payroll processes to ensure they are ready for the change to SSP. If you do not have whistleblowing or anti-harassment policies in place, we would recommend introducing these.

October 2026

  1. Employers will be placed under an enhanced duty to take all reasonable steps to prevent sexual harassment of their employees in the course of employment. Unhelpfully, regulations covering “reasonable steps” are not currently expected to come into force until some point in 2027 or 2028.
  2. Employers will also be required to take all reasonable steps to prevent third-party harassment of their staff. This is not just limited to sexual harassment.
  3. The time limit for bringing Employment Tribunal claims will be increased from three to six months. This was expected to come into effect in October 2026, but the Government’s implementation timetable has recently been updated to specify that this change will take effect “no earlier than October 2026”.

What employers should do now

Review and update harassment policies in advance, to reflect the enhanced duties and the wider remit covering third parties. If you do not currently have an anti-harassment policy in place, we would recommend that one is introduced. Because of the enhanced harassment duties, it will be even more important for employers to take steps to prevent harassment from occurring, including through the provision of appropriate training for employees, carrying out appropriate risk assessments, having clear policies and ensuring that staff know how to report concerns and the potential consequences of inappropriate behaviour.

January 2027

  1. “Fire and rehire”, the practice of dismissing and re-engaging employees on new terms, will be further restricted. Dismissals linked to an employee’s refusal to agree to “restricted variations” (including changes to pay, hours and time off) will become automatically unfair. This will be the case unless the business can demonstrate that it faces serious “financial difficulties”. This is a very high bar. In essence, a business will need to demonstrate that the changes were unavoidable and without them the business would not be able to continue operating as a going concern.
  2. The qualifying period of service required for employees to be able to bring an unfair dismissal claim will reduce from two years to six months. This is forward-looking and any employee who has six months’ service as at 1 January 2027 will meet the qualifying service requirement and be able to bring such a claim. Additionally, the current cap on compensation for unfair dismissal claims will be removed entirely.

What employers should do now

If you need to make changes to employees’ terms and conditions which would constitute a “restricted variation”, we would suggest that this is done in advance of the further restrictions on “fire and rehire” coming into force. Whilst dismissing an employee for refusing to agree to a change in terms is very much considered a last resort and subject to compliance with a code of practice and existing unfair dismissal protection, it will almost certainly be more difficult to dismiss and re-engage on new terms with effect from January next year.

In preparation for the reduction in the qualifying period for unfair dismissal, employers should look to tighten up recruitment procedures and introduce clear probation management, which addresses underperformers in good time before they reach the six-month qualifying period. If you have new staff who are underperforming or who are not at the level required, we recommend taking steps to deal with underperformance now and considering dismissal in advance of 1 January next year.

Let us know if we have missed any key takeaways or considerations!

This article first appeared on Lexology.