At a Glance
- The rules relating to high-risk AI systems set out in the AI Act would only come into effect once the relevant standards, support tools and guidance have been published to support companies with the necessary resources for compliance, provided the proposed legislation is passed in time.
- The Omnibus proposes to make it easier for businesses to justify an appropriate legal basis for processing personal data for training AI.
- There will be greater responsibility on the European Commission and EU member states to foster AI literacy, rather than somewhat vague obligations on those providing and deploying AI systems.
- The legislative package enters trilogue negotiation with the European Parliament and Council, with potential for amendments as it goes through the process of debate and review. This process is likely to take several months.
On 19 November 2025, the European Commission published its much-anticipated “Digital Omnibus” of legal reforms with respect to artificial intelligence (AI), cybersecurity and data, alongside a Data Union Strategy covering data use in AI, and the new European Business Wallets, which will streamline data into a single digital identity.
The proposed legislative reforms have broad impact, and we set out below key points for developers and users of AI.
Background to the Changes
An “omnibus” reform is a fast-track legislative tool used by the European Commission, usually to make a few minor adjustments to a number of laws in a noncontentious way for the purpose of streamlining or simplifying the law as it stands.
The proposals in the Digital Omnibus cover some significant legal changes to a wide range of legislation covering AI, data privacy and cybersecurity, including the General Data Protection Regulation (GDPR), Network and Information Systems Directive 2 (NIS2), the Data Act, and the EU AI Act.
We highlight some of the more significant changes with respect to AI below.
Timing for Entry Into Force of High-Risk AI Elements of the AI Act
The rules relating to high-risk AI systems set out in the AI Act were due to come into force on 2 August 2026. The rules are complex and subject to competing interpretations, and many businesses are struggling to determine whether their uses of AI fall within the high-risk categories and their much heavier compliance obligations. So far, there has been very limited guidance from the European Commission or national regulatory authorities (which, in many member states, have yet to be set up). The Omnibus’ changes mean that these rules would only come into effect once the relevant standards, support tools and guidance have been published to support companies with the necessary resources for compliance, provided the proposed legislation is passed in time.
Once the European Commission has formally confirmed completion of such standards and guidance through adoption of a decision, there will be a six-month transition period for compliance for all AI systems listed in Annex III (e.g., certain types of biometrics, AI systems used to recruit and manage workers) and 12 months for Annex I systems (e.g., products that are subject to existing EU safety legislation like medical devices). Failing the adoption of any decision by the European Commission, there will be an ultimate back-stop, such that the Annex III rules shall apply from 2 December 2027 and Annex I rules from 2 August 2028.
Lawful Basis for Processing Data for AI Training
The Omnibus proposes to make it easier for businesses to justify an appropriate legal basis for processing personal data for training AI. It introduces a new legitimate-interest lawful basis under the GDPR, specifically allowing companies to use personal data, including some sensitive information, for developing or operating AI systems, provided unspecified safeguards are in place. This will still require the usual balancing of interests and be subject to the right to object by data subjects. However, it represents a step towards effectively legitimising large-scale dataset collection and processing for training AI models, provided developers can demonstrate appropriate risk mitigation is in place.
Use of Special Category Data
The treatment of special category (i.e., sensitive) personal data is also set to change, and it will be permitted to be used for AI training provided certain security and post-use removal and anonymisation requirements are met.
AI operators will also be permitted to process special category data for ensuring bias detection and correction (again, with appropriate safeguards). This bias-mitigation permission builds on an existing right which applies exclusively to high-risk AI systems, recognising that fairness testing can require testing sensitive personal data irrespective of the risk level of the AI system in question.
Rules on AI Literacy and Governance
There will be greater responsibility on the European Commission and EU member states to foster AI literacy, rather than (somewhat vague) obligations being placed on those providing and deploying AI systems. The Commission has also committed to providing additional guidance across a range of areas where concerns have been raised, including research exemptions. The European AI Office will have reinforced powers to ensure centralised oversight of AI systems built on general-purpose AI models, or those embedded in very large online platforms and search engines, rather than a more fragmented approach. Combined, this should lighten some of the burden on AI providers and simplify the approach to regulatory compliance.
Sandboxes and Real-World Testing
The proposals introduce expanded opportunities for real-world testing and regulatory sandboxes, with an EU-level AI regulatory sandbox to be set up by the AI Office and made available from 2028. This will help AI system developers to test against compliance standards in a meaningful way.
Simplification of Compliance for SMEs/SMCs
The regulatory privileges already set out for small and medium-sized enterprises (SMEs) in the AI Act, such as special consideration in relation to the size of penalties and simplified documentation requirements, will also apply to small mid-cap companies (SMCs). This is likely to be welcomed by SMCs, although critics still argue that it will not outweigh the inherent advantages of the bigger, established tech companies.
Interplay With Other Laws
The Omnibus package introduces changes across a range of legislation, and much of this seeks to simplify and clarify how the rules and regulations interrelate. It is hoped that this will simplify the regulatory landscape once implemented.
Registration Changes
Providers of AI systems used in high-risk areas, but which are only deployed for narrow procedural tasks and therefore considered by the provider not to be high-risk, will benefit from reduced registration requirements.
Benefits and Concerns
The European Commission is seeking to accommodate concerns that its over-aggressive and all-encompassing approach to regulation is hampering EU businesses’ ability to develop AI in a fiercely competitive global market. Equally, there has been criticism from civil liberties activists that the proposals risk watering down the existing protections under the GDPR — in particular, due to the easier access to personal data for use in AI systems. Similarly, there are concerns that the changes giving expanded exemptions and data access will disproportionately favour Big Tech, even with the targeted simplifications and exemptions drawn up to benefit SMEs and SMCs. It is the largest platforms and AI companies that already have the data scale and internal compliance teams to make use of the advantages these developments would bring quickly and at scale.
However, the Commission has highlighted that the fundamentals of data privacy in Europe remain, and that such changes are necessary to ensure the benefits of AI can be fully exploited, particularly with the provision of high-quality data.
Next Steps
The legislative package enters trilogue negotiation with the European Parliament and Council, with potential for amendments as it goes through the process of debate and review. This process is likely to take several months. The Commission will also conduct a Digital Fitness Check to assess cumulative regulatory impact. The AI reforms have been submitted in a stand-alone package separate from the larger Digital Omnibus in an effort to accelerate the timeline for adoption. However, there is still much overlap with reforms across multiple legal frameworks and much scope for pushback in many quarters as the negotiations progress.
We shall provide further analysis of these changes and a summary of proposed amendments set out in the Digital Omnibus relating to the GDPR, ePrivacy Directive, NIS2 Directive and Data Act in a subsequent client alert.