A comprehensive analysis of the Digital Omnibus on AI proposal: changes, criticism, the Dutch position, and practical guidance for compliance professionals
Status as of December 2025: The Digital Omnibus on AI proposal was published by the European Commission on 19 November 2025. It is now going through the ordinary legislative procedure. The EDPB and EDPS published their Joint Opinion on 21 January 2026. Existing AI Act obligations β including the ban on unacceptable AI practices (since 2 February 2025) and GPAI rules (since 2 August 2025) β remain fully in force. The Omnibus proposal is NOT law and may still be substantially amended.
Why this proposal exists
On 19 November 2025, the European Commission published the Digital Omnibus on AI proposal as part of a broader Digital Package, alongside the Data Union Strategy and European Business Wallets (European Commission). Less than fifteen months after the AI Act entered into force, the Commission wants to amend the law on multiple points.
The immediate trigger is a combination of three factors.
1. The Draghi report and the competitiveness agenda
In September 2024, Mario Draghi presented his report on European competitiveness. The core message: the EU is falling increasingly behind the US and China in advanced technologies. Regulation was seen as an obstacle to investment by more than 60% of European businesses (Liberties.eu). The report became the intellectual foundation for a broader deregulation agenda within the Commission.
2. Implementation problems with the AI Act itself
The designation of national competent authorities was slow. The development of harmonised standards by CEN-CENELEC lagged behind schedule. Businesses had to comply with rules for which the practical tools β standards, guidelines, specifications β were not yet available (Gleiss Lutz). This was a real problem: the AI Act sets high requirements, but the instruments to meet those requirements were missing.
3. Political and geopolitical pressure
Major tech companies ran an intensive lobbying campaign. The Trump administration pressured the EU through the American AI Action Plan to relax digital rules (Liberties.eu). The Commission presented the proposal promising to reduce administrative burdens by at least 25% for all businesses and 35% for SMEs, with expected savings of six billion euros (IAPP).
Two omnibuses, one package: The Digital Omnibus package consists of two legislative proposals: a general Digital Omnibus (amending the GDPR, ePrivacy Directive, NIS2, and Data Act) and a specific Digital Omnibus on AI amending the AI Act. This article focuses on the AI Act amendments. For the broader GDPR changes, see our earlier article on the Digital Omnibus and digital rights.
The key changes to the AI Act
The proposal contains eight concrete amendments. Below is a systematic analysis of each component.
1. Deferred deadlines for high-risk AI systems (Article 113)
This is the most far-reaching change. Obligations for high-risk AI systems are linked to the availability of harmonised standards and other compliance instruments.
The mechanism: the Commission issues a decision when the necessary support measures (standards, specifications, guidelines) are available. The clock only starts ticking after that decision (Bird & Bird).
| High-risk AI type | Current deadline | After Omnibus | Latest date |
|---|---|---|---|
| Annex III systems | 2 August 2026 | 6 months after availability confirmation | 2 December 2027 at latest (+16 mo) |
| Annex I systems (regulated products) | 2 August 2027 | 12 months after availability confirmation | 2 August 2028 at latest (+12 mo) |
| AI content transparency (Art. 50(2)) | 2 August 2026 | Deferral for pre-Aug-2026 systems | 2 February 2027 (+6 mo) |
Assessment: Linking deadlines to standards availability is defensible on its own. CEN-CENELEC's Joint Technical Committee 21 has indicated that complete standards may not be available before December 2026 (Morrison & Foerster). But Morrison & Foerster points to a fundamental problem: the strict backstop date remains problematic if standards development faces further delays. Businesses consistently report needing at least 12 months to achieve compliance with even a single standard (Morrison & Foerster).
Note: Article 111 also changes. High-risk AI systems placed on the market before the new deadline are exempt from AI Act obligations β unless the system undergoes a significant change. This means Annex III systems on the market before 2 December 2027 are provisionally exempt (Bird & Bird).
2. AI literacy: from obligation to encouragement (Article 4)
The current AI Act requires all providers and deployers to ensure their staff has sufficient AI literacy. This obligation has been in force since 2 February 2025.
What changes: the obligation on providers and deployers is scrapped. Instead, the Commission and Member States must "encourage" providers and deployers to take measures. This could consist of offering training opportunities, informational resources, and exchange of good practices (Morrison & Foerster, Gleiss Lutz).
What remains: deployers of high-risk AI systems retain the obligation to provide training.
Assessment: This is not a technical simplification but a fundamental policy shift. A hard, enforceable duty becomes a policy recommendation. The EDPB and EDPS are "strongly against" this (see below).
3. Registration requirement scrapped (Article 49)
Under the current law, providers of AI systems falling under Annex III must register in the EU database, even if they conclude their system is not high-risk (via the Article 6(3) mechanism).
What changes: Article 49(2) is deleted entirely. Providers need only document their self-assessment and keep it available for regulators (Morrison & Foerster, Gleiss Lutz).
Assessment: Public registration disappears, and with it public verifiability. Providers who conclude their system is not high-risk no longer need to make that transparent. The documentation duty remains, but without a public database, external verification is virtually impossible.
4. Processing of special category personal data expanded (new Article 4a)
The current AI Act allows the use of special category personal data (such as ethnicity, health data, sexual orientation) for bias detection in high-risk AI systems, provided it is "strictly necessary."
Two changes:
- The possibility is extended to all AI systems, not just high-risk (Morrison & Foerster, IAPP)
- The threshold is lowered from "strictly necessary" to "necessary"
This comes with strict safeguards: state-of-the-art security, no transfer to third parties, deletion after detection or expiry of the retention period (Bird & Bird).
Assessment: Bias detection is essential for fair AI. But the extension to all AI systems combined with the lowered threshold opens a broader door than strictly needed for that purpose.
5. Conformity assessment: sectoral legislation takes priority (Article 43)
For products falling under both sectoral legislation (medical devices, machinery) and the AI Act, providers must follow the conformity assessment procedure under the sectoral legislation. AI Act requirements are integrated into that assessment (Morrison & Foerster).
New "once-only" principle: providers submit one application and undergo one assessment for both the AI Act and the sectoral law. Notified bodies under sectoral legislation must apply for designation under the AI Act within 18 months (Morrison & Foerster).
6. Centralisation of oversight at the AI Office (Article 75)
Oversight of two categories of AI systems is centralised at the Commission's AI Office (Morrison & Foerster, Gleiss Lutz):
- AI systems built on GPAI models where the same provider develops both model and system
- AI systems integrated in VLOPs/VLOSEs (very large online platforms/search engines under the DSA)
The AI Office gains authority for pre-market conformity assessments. The provider bears the costs.
7. Extension of SME and SMC provisions (Article 63)
Simplified compliance procedures previously available only to micro-enterprises are extended to all SMEs and small mid-cap enterprises (SMCs). This includes simplified technical documentation and proportionate sanctions (Gleiss Lutz).
The Commission introduces binding definitions of SMEs and SMCs in Article 3 of the AI Act.
8. More flexibility in post-market monitoring (Article 72)
The Commission's power to adopt a harmonised template for monitoring plans is removed. Providers get more room to set up monitoring systems specifically tailored to their organisations. The Commission will publish guidance instead (Gleiss Lutz).
Regulatory sandboxes: expansion at EU level
The proposal broadens the use of AI regulatory sandboxes and real-world testing. A new possibility is the establishment of an EU-wide sandbox under AI Office supervision, specifically for AI systems built on GPAI models and systems in VLOPs/VLOSEs (Morrison & Foerster). The real value depends on whether sandbox results create a presumption of conformity β something the current proposal does NOT establish.
What does NOT change
It is equally important to know what the proposal leaves untouched.
Prohibited AI practices (Article 5): The list of banned AI systems β including social scoring, untargeted facial recognition, and manipulative AI β remains fully intact. These obligations have been in force since 2 February 2025 and are not affected by the Omnibus.
Fundamental rights impact assessment (Article 27): The obligation for deployers of high-risk AI systems to conduct an FRIA remains, although Morrison & Foerster notes that its deletion was a missed opportunity given overlap with the DPIA under the GDPR (Morrison & Foerster).
GPAI obligations: The obligations for general-purpose AI models (Articles 51-56) in force since 2 August 2025 remain unchanged. The Commission centralises oversight but does not weaken the rules substantively.
Transparency obligations (Article 50, partly): The obligation to inform users they are interacting with an AI system remains applicable from 2 August 2026. Only the machine-readable marking (watermarks) gets a deferral for existing systems.
Criticism of the proposal
EDPB and EDPS: support with strong caveats
On 21 January 2026, the EDPB and EDPS published their Joint Opinion 1/2026 (EDPB press release, Joint Opinion PDF). The tone is diplomatic but firm. Reed Smith summarises the position as a tension between "promoting innovation" and "effective oversight and the protection of affected individuals" (Reed Smith).
On AI literacy: the EDPB and EDPS are "strongly against" converting the obligation into mere encouragement. AI literacy is in their view crucial for understanding AI concepts, ethical awareness, and the protection of fundamental rights. New obligations for the Commission should supplement existing obligations, not replace them (EDPB, Reed Smith).
On registration: the supervisory authorities advise against scrapping the registration requirement. The change would "significantly undermine" the accountability of providers and create an undesirable incentive to avoid high-risk classification (EDPB).
On special category personal data: they acknowledge the importance of bias detection but insist on restoring the "strictly necessary" threshold and limiting use to situations where the risk of adverse effects is "sufficiently serious" (Reed Smith).
On deferral: "genuine concerns" about the delay, given rapid AI developments. The co-legislators are called upon to maintain the original timeline for transparency requirements (EDPB).
EDPB Chair Anu Talus: "Innovation and efficiency are crucial and can coexist with maintaining accountability of AI providers." (EDPB)
Civil society: "historic rollback"
133 civil society organisations and trade unions signed a joint statement calling on the Commission to halt the proposal (EDRi).
- EDRi called it "a fundamental rollback of EU digital protection" and "a point of no return" for digital rights (EDRi)
- Civil Liberties Union for Europe stated that the Omnibus "gives Big Tech exactly what it wanted" and that the Commission skipped the impact assessment during drafting β while claiming the changes had "no impact on fundamental rights" (Liberties.eu)
Missing impact assessment: A notable procedural point: the Commission did not conduct an impact assessment on fundamental rights consequences when drafting the proposal. This while several proposed changes directly affect fundamental rights protections. Both civil society organisations and the Dutch government have flagged this as problematic.
What critical lawyers say
Morrison & Foerster concludes that the proposal "offers only limited substantive reductions in regulatory requirements" and "fails to address pressing needs articulated by the industry." Their key question: "If even the Commission and standardisation organisations fail to meet their own clarification goals and deadlines, how can businesses be expected to comply with often complex and unclear requirements?" (Morrison & Foerster)
Gleiss Lutz positions the changes as "not deregulation, but concessions at a practical level" (Gleiss Lutz). Bird & Bird warns that accelerated treatment via Rule 170 (urgency procedure) would significantly limit opportunities for amendments and stakeholder engagement (Bird & Bird).
Dutch position: the BNC assessment
On 12 December 2025, the Dutch government published its BNC assessment on the Omnibus AI and Omnibus Digital (Rijksoverheid). The position: supportive of the goal, critical of the execution.
The Netherlands acknowledges that reduced regulatory burden benefits businesses, particularly SMEs. But the government states that several changes "materially reduce" the level of data protection. Specific concerns:
- Personal data for AI training: the expanded use of sensitive personal data conflicts with fundamental rights and goes beyond what is needed for burden reduction
- GDPR amendments in the broader Omnibus: relaxation of the "legitimate interest" processing ground and data breach notification weakens citizen protection
- Centralisation of cyber reporting: the Netherlands fears national reporting systems will be bypassed
- Missing impact assessment: unclear what the proposals concretely deliver and what the consequences are
The government wants the omnibuses to "simplify, clarify, and streamline" without undermining the legislative objectives β protection of fundamental rights, safety, and privacy (Rijksoverheid).
The Dutch position in one sentence
Simplification yes, weakening no β but the government wants more clarity from the Commission before rendering a definitive judgement.
Timeline: where does the process stand?
The proposal goes through the ordinary legislative procedure. This is the expected timeline based on Bird & Bird (Bird & Bird):
| Phase | Period | Status |
|---|---|---|
| Publication of proposal | 19 November 2025 | β Completed |
| EP committee assignment (IMCO, ITRE, LIBE) | December 2025 | β Completed |
| EDPB/EDPS Joint Opinion | January 2026 | β Published (21 Jan 2026) |
| EP amendments and committee report | Q1 2026 | π In progress |
| Council position (general approach) | Q1 2026 | π Technical discussions |
| Trilogue negotiations | Springβsummer 2026 | β³ Planned |
| Expected adoption | MidβQ3 2026 | β³ Subject to change |
Possible fast-track: the EP may apply Rule 170 (urgency procedure), allowing the proposal to bypass the full committee stage and go directly to a plenary vote. This could enable adoption as early as Q1 2026 but significantly limits amendments and stakeholder engagement (Bird & Bird).
Digital Fitness Check: in parallel, the Commission is working on a second phase β a comprehensive "stress test" of the entire Digital Rulebook. Stakeholders can provide input until 11 March 2026 (Morrison & Foerster).
What to do now as a compliance professional
The Omnibus proposal is a proposal, not law. But it creates uncertainty that must be actively managed. Below are three scenarios and a concrete action plan.
Scenarios
Scenario 1 β Omnibus largely adopted (Q2/Q3 2026): up to 16 extra months for Annex III systems, AI literacy becomes soft law, registration for self-assessed systems drops away.
Scenario 2 β Omnibus significantly amended (most likely): the EP and Council add stronger safeguards but retain deferred deadlines. Expect at least retention of the registration requirement and a compromise on AI literacy.
Scenario 3 β Omnibus stalls: political disagreements delay the process such that original deadlines remain in force. Unlikely but not impossible.
Concrete action plan
Rule of thumb: plan for the current law, monitor the Omnibus.
The obligations around prohibited AI practices (since February 2025) and GPAI models (since August 2025) remain fully in force. The expected deferral for high-risk is NOT a reason to pause compliance efforts β but it is a reason to phase them pragmatically.
1. AI literacy: keep investing
Regardless of the Omnibus. The EDPB and EDPS support enforcement. The Dutch Data Protection Authority has published concrete guidance. And it is simply good risk management. Organisations investing in AI literacy now are better prepared for any outcome.
2. Registration: register proactively
If the registration requirement disappears, you have lost nothing. If it stays, you are prepared. Registration also forces a structured inventory of AI systems that is needed regardless.
3. High-risk compliance: start gap analyses now
Even with 16 months of deferral, the implementation time is tight. Begin with risk assessments and gap analyses. Actively follow the development of standards.
4. Documentation and governance: build the foundation
The documentation duty for self-assessed systems remains in all scenarios. Ensure a governance structure that does not depend on the Omnibus outcome.
5. Monitor actively
Follow the parliamentary proceedings, the Council position, and the trilogue negotiations. Assign an internal team or external advisor to adjust the compliance strategy based on developments.
Immediate (Q4 2025)
Inventory all AI systems. Classify by risk category. Start AI literacy plan.
Short term (Q1-Q2 2026)
Conduct gap analyses for high-risk systems. Begin FRIAs. Track standards development.
Ongoing (2026-2027)
Monitor Omnibus progress. Adjust compliance timeline upon adoption. Document all decisions.
Analysis: where is the line between simplification and erosion?
The AI Act had real implementation problems. Missing standards, undesignated supervisory authorities, delayed guidelines β these are legitimate obstacles. Linking deadlines to standards availability is a defensible choice.
But the proposal goes beyond pragmatic adjustment. The distinction is crucial:
Implementation support (more time, better standards, practical guidelines) is welcome and needed. Nobody benefits from enforcing rules for which the instruments are missing.
Regulatory relief (fewer obligations, lower thresholds, less transparency) is a political choice packaged as technical simplification. Scrapping the AI literacy obligation, removing the registration requirement, and lowering the threshold for special category personal data fall into this category.
The Commission conflates these two goals. And that is precisely why the EP, the Council, the EDPB, the EDPS, and 133 civil society organisations are responding so critically.
The most likely outcome is an amended proposal that retains the deadline deferrals but partially reverses the substantive weakenings. That would be the pragmatic solution the political centre can support.
Conclusion
The Digital Omnibus proposal addresses real implementation problems but simultaneously packages substantial policy changes as "simplification." In the coming months, the European Parliament and the Council will determine whether the core of the AI Act β transparency, accountability, protection of fundamental rights β remains intact.
For compliance professionals, the message is clear: don't wait for the Omnibus. The current AI Act is the law. The prohibitions are in force, the GPAI rules apply, and the high-risk deadlines are approaching. Use any potential deferral not as a reason to lean back, but as extra time to get it right.
Digital Omnibus & AI Act Quiz
Test your knowledge of the Digital Omnibus proposal. Do you know which changes are coming and what stays the same?
Sources
- Digital Omnibus on AI Regulation Proposal β European Commission
- EU Digital Omnibus on AI: What Is in It and What Is Not? β Morrison & Foerster LLP
- EDPB and EDPS support streamlining AI Act implementation but call for stronger safeguards β EDPB
- EDPB-EDPS Joint Opinion 1/2026 β EDPB/EDPS (PDF)
- Commission's digital omnibus proposal to simplify the Artificial Intelligence Act β Gleiss Lutz
- AI Act 2.0 β The Commission's regulatory remix proposal β Bird & Bird
- EU Digital Omnibus: Analysis of key changes β IAPP
- Forthcoming Digital Omnibus would mark point of no return β EDRi
- The Digital Omnibus: What It Means for AI Regulation β Civil Liberties Union for Europe
- Fiche 2 - Omnibus AI en Omnibus Digitaal β Dutch Government (BNC assessment)
- Fiche 2 - Omnibus AI en Omnibus Digitaal β Dutch Government
- EDPB & EDPS issue Joint Opinion on the EU Digital Omnibus on AI β Reed Smith LLP