EU’s Digital Omnibus Offers AI Regulatory Relief, But Questions Remain
The European Commission (EC) recently published its “Digital Omnibus” on November 19, 2025, a comprehensive three-part proposal aimed at amending and streamlining EU laws that govern data, cybersecurity, privacy, and artificial intelligence. This proposal is a direct response to a 2024 report on EU competitiveness, which highlighted the fragmented and burdensome nature of existing legal frameworks.
The Purpose of the Digital Omnibus
The focus of this article is the segment concerning artificial intelligence, particularly the regulatory relief it proposes from key provisions of the EU’s AI Act. The amendments aim to:
- Extend compliance timelines for critical requirements.
- Eliminate certain obligations.
- Simplify compliance procedures for smaller enterprises.
However, as this proposal is still in draft form, its final shape may evolve as it undergoes discussions in the EU Council and Parliament.
Key Proposals and Their Potential Impact
The Digital Omnibus encompasses several crucial proposals, particularly concerning high-risk AI systems (HRAIS) and generative AI (GenAI):
1. HRAIS Timelines
The compliance deadlines for HRAIS will depend on the EC’s decision regarding the availability of compliance support tools, such as technical standards. For high-risk contexts, obligations may apply six months after the EC’s decision. If standards are delayed, the latest deadline could extend to December 2, 2027.
2. GenAI Watermarking
A transitional period of six months will be granted to providers of GenAI systems for implementing watermarking requirements, with an extended deadline until February 2, 2027, for systems available before August 2, 2026.
3. Processing of Personal Data
The proposal allows for the processing of personal data based on “legitimate interests,” except where national law mandates consent. This broad language significantly impacts AI development, creating new formal bases for data processing.
4. Definition of Personal Data
The definition of “personal data” will be amended to reflect a recent EU Court of Justice ruling, implying that data is not considered personal if the entity cannot reasonably identify the individual associated with it.
5. Processing of Sensitive Data
Special categories of data can be processed provided that certain conditions are met, including the necessity of minimizing data collection and ensuring robust documentation of legal rationale.
6. Smaller Enterprises
The proposal introduces a new category, “small mid-cap enterprises” (SMCs), and offers simplified compliance pathways for them, allowing for proportionate quality management system obligations.
7. Regulatory Sandbox and Testing
The establishment of a centralized EU-level regulatory sandbox for AI systems will facilitate cooperation among member states, enhancing cross-border collaboration.
8. AI Literacy
While AI literacy was previously mandated, the Omnibus proposes to shift this requirement to a recommendation, potentially resulting in a patchwork of standards across member states.
9. AI System Registration
Providers will be exempt from registering AI systems in the EU database if they demonstrate the system isn’t high-risk, necessitating clear compliance criteria.
10. Post-Market Monitoring
Guidance on post-market monitoring will be provided, allowing organizations flexibility in designing monitoring plans tailored to their risk profiles.
Your Next Move
While the proposals may evolve, organizations should not delay compliance efforts. Here are strategies to prepare:
- Build a regulation-agnostic governance framework that focuses on core principles and can adapt to future changes.
- Operationalize AI governance at scale by integrating workflows related to privacy, AI, and risk assessments.
- Strengthen documentation and controls, especially regarding AI training data, to prepare for increased scrutiny.
- Monitor regulatory developments closely to stay ahead of changes and ensure compliance.
The Digital Omnibus has the potential to reshape the regulatory landscape for AI in the EU, but organizations must remain vigilant and adaptable to navigate this evolving environment.
