Imperfect AI Omnibus arrives - all eyes turn to Digital Omnibus

At 4 a.m. on Thursday, the European Parliament and Council reached a provisional agreement on the AI Omnibus, an EU effort to simplify AI rules.

The simplification process was anything but simple. Discussions were marked by heated debates over a lack of ambition, last-minute proposals for machinery exemptions, legal challenges to the simplification efforts themselves, and fears from some that the AI Omnibus would undermine the original AI Act.

While negotiations were difficult and key negotiators are naturally celebrating the outcome, some doubts remain. Some say that EU lawmakers could have done more to help European businesses navigate complex rules that few seem ready for, despite the EU’s investments in AI service desks, ambitious statements about simplification, or plans for AI regulatory sandboxes.

AI Omnibus agreements: not great, not terrible

The hottest topic in the EU over the past weeks was proposed exemptions for medical devices, toys, lifts, machinery, and watercraft - with some Member States claiming that Germany failed to collaborate in a timely manner, resulting in an imperfect outcome. The outcome of yesterday’s all-night negotiation is that AI Act provisions that overlap with sectoral rules will only be removed for machinery products. This is a far more modest outcome than expected, while overlaps for medical devices, toys, lifts, and watercraft will be attempted to be resolved through implementing acts, which often arrive long after the problems they are meant to fix. 

Additionally, negotiators agreed to narrow down the definition of “safety component” and allow personal data processing to detect and correct biases in both high and non-high-risk systems.

A welcome development is the agreement to extend small and medium enterprise (SME) exemptions to small and mid-caps (companies with up to €200 million euro turnover), a move that can practically support the EU’s tech scale-ups.

Thanks to recent incidents on AI-generated nudification content, stricter rules will apply to AI systems that can be used to create child sexual abuse material or non-consensual deepfake nudity and sexually explicit content. These systems will have until December 2 2026, to comply. 

Deadline-wise, the application of high-risk rules was pushed to 2 December 2027 (for stand-alone high-risk AI systems) and 2 August 2028 (for high-risk AI systems embedded in products).  The grace period for watermarking AI-generated content was actually shortened, moving from 2 February 2027 to  2 December.

A telling postponement is the delay of AI regulatory sandboxes, which is likely to receive little attention but illustrates the lack of capacity among EU Member States to help companies navigate the AI Act. Originally planned for August 2 2026, the new deadline is now 2 August 2027. 

Focus shifts to the Digital Omnibus: reversing a watered-down course

While the EU Council and the European Parliament must still formally approve the AI Omnibus, focus now shifts to the second leg of the EU’s simplification efforts - the Digital Omnibus package centered on AI development and data. 

The Central European AI Chamber, alongside 15 other associations (including our parent organisation Consumer Choice Center Europe), shared an open letter urging EU Member States to correct course on watered-down Digital Omnibus proposals. The letter calls for a better balance between data protection and the EU’s broader strategic goals, such as innovation and economic growth, seeing the compromise texts moving in the opposite direction.  

Among the main pain points in the Digital Omnibus will be defining how and in what way data can be used for AI development and scientific research. The EU’s political spectrum is split: while industry and scale-ups argue that without access to data, the EU’s AI competitiveness plans are pointless, others defend the status quo, fearing even modest proposals would threaten the very concept of the European data protection framework. So far, it looks like the status quo is winning - we’ve written before that the Commission's initial proposal to balance the two worlds - data protection and economic growth & innovation - was significantly watered down in the Council. 

We suspect that the key debates in the coming months will focus on: a) definition of personal data (or the definition of what does not constitute personal data after it has been sufficiently pseudonymized); b) AI-related processing exemptions under legitimate interest basis (Article 88c); c) the incidental processing of sensitive data (Article 9(5)). 

The signatories of the AI Chamber’s letter stress that the Commission’s initial proposals on pseudonymization and AI-related exemptions and legitimate interest were pragmatic, whereas the current draft reverses the process and returns it to the status quo. Without clear distinctions, companies and researchers remain exposed to fragmented interpretations across Member States, forced to rely on the European Data Protection Board’s (EDPB’s) guidelines, which focus on data protection but, by design, are not built to promote economic growth and innovation. 

Current proposals for the scope of scientific data for AI development suggest the definition is being narrowed, which, in essence, contradicts the EU’s ambition to bridge the gap between its strong research and weak commercialization muscle. The letter calls for a broad, clear, and binding definition to ensure predictable rules for both public- and private-sector R&D.

Lastly, under the Digital Omnibus proposals, the notorious “cookie fatigue” may be replaced by a new mechanism (Article 88b) that risks creating further consent chaos, worsening the consumer experience, and failing to meet GDPR requirements for specific and informed consent.