What next for the EU Omnibus? What now for European AI?

In summary

• European regulators have raised concerns about proposals in the EU Digital Omnibus aimed at simplifying data protection rules and keeping European busiensses competitive 
• The package of proposals risks undermining data protection laws, they argue 
• Proposed amendments to the AI Act have also come in for criticism 
• How legislatures react will be key to determining the future of AI governance and data protection in Europe 

Earlier this month, the European Data Protection Board and European Data Protection Supervisor delivered their verdict on the EU Digital Omnibus – shortly before Valentine’s Day. Unfortunately, the joint opinion showed there was little love for the proposals.  

“Some proposed changes raise significant concerns as they can adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply,” they warned.  

The organisations urged the European Parliament and Council not to adopt the EU Commission’s changes, which they said “go far beyond a targeted or technical amendment of the GDPR”. The changes also failed to reflect case law from the Court of Justice of the European Union, they added.  

Much depends on whether members of the European Parliament and Council agree.

Introduced in November 2025, the Omnibus aims to simplify, clarify and streamline the EU’s digital and data regulations – and bolster the bloc’s competitiveness in an age of AI. The complete package includes proposals for both a Digital Omnibus Regulation and Digital Omnibus on AI Regulation, with the latter specifically seeking adjustments to the implementation of the AI Act.  

The former proposes amendments to a wide range of existing EU regulations, including the GDPR, ePrivacy Directive, NIS2 Directive and the Data Act, “selected to bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness”, as an explanatory memo at the start of the proposal explains. 

“The immediate objective is to ensure that compliance with the rules comes at a lower cost, delivers on the same objectives, and brings in itself a competitive advantage to responsible businesses.” 

Key proposals include: 

• Confirming that information won’t be considered “personal data” under GDPR, where the recipient can’t identify the person the information relates to (even if someone else potentially could). It reflects the UK’s Information Commissioner’s Office guidance on anonymisation, focusing on the “means reasonably likely to be used to enable identification” 
• Establishing that processing personal data to train AI models may be considered a “legitimate interest” within Article 6 of GDPR  
• Expanding the exemption to provide information to data subjects on the processing of their personal data beyond situations where the subject already has the information. The Commission proposes including situations where processing is not likely to result in a high risk, there are reasonable grounds to assume the data subject already has the information, and the controller’s activity is not data intensive. It mentions the employment context as an example, as well as associations and sports clubs where the processing of personal data is confined to the management of membership 
• Empowering data controllers to refuse data subject requests or demand a reasonable fee where they are “manifestly unfounded or excessive” such that the request “abuses the rights conferred”  
• Limiting and simplifying breach reporting, with the duty to report restricted to high-risk breaches and the establishment of a “single-entry point” for incident notifications 

The Digital Omnibus on AI Regulation Proposal is also not without its critics. It outlines specific amendments to the AI Act. Among them are pushing back deadlines for compliance with obligations on high-risk AI systems until certification standards and tools are available, and simplifying obligations for smaller businesses.  

It also suggests bolstering the European AI Office so it can act as a central enforcement agency for key AI systems, general-purpose AI models and AI systems integrated into very large online platforms or search engines. The office would also operate an EUI-level regulatory sandbox – another new proposal.  

Earlier this month, DigitalEurope, a trade association representing “digitally transforming industries in Europe” called on the European Parliament and Council not to rush the legislation. It welcomed the proposal to delay implementation of the AI Act, but said the Omnibus risked, “locking unresolved flaws into its most digital law for years”. 

“A delay to the AI Act’s high-risk obligations is urgent. Standards will not be ready. Enforcement structures are incomplete. Businesses cannot comply without the missing pieces. But using urgency to force through an only lightly amended text would be a historic mistake,” it warned.  

Instead, it wants a more fundamental review of the AI Act as currently designed and whether it would strengthen or constrain the EU economy.  

Whether EU institutions will agree is yet to be seen.  

The Digital Omnibus proposals now move into the legislative negotiation phase and will be debated and potentially reshaped by the European Parliament and the Council. While the EDPB and EDPS joint opinion will be influential, it does not predetermine the outcome of those discussions. Instead, it highlights where regulators see clear red lines, and where simplification may be politically acceptable. 

For organisations, this means a period of heightened uncertainty rather than immediate change. While some proposals point towards a reduced administrative burden, regulators have made clear their concern about unintended dilution of core protections. Narrowing the scope of GDPR controls or governance prematurely would be risky. 

Instead, organisations could use this time to stress‑test existing compliance assumptions, monitor areas of potential divergence across the EU member states, and consider whether early policy engagement could help shape workable outcomes. We are supporting clients by tracking developments, translating emerging positions into practical risk scenarios, and helping leadership teams make proportionate decisions while the legislative direction remains fluid.