Digital Omnibus on AI: European Commission Proposes Simplifications to the AI Act

Introduction

November 19, 2025, marks an important date for the regulation of artificial intelligence in Europe. The European Commission published the proposal COM(2025) 836, known as “Digital Omnibus on AI”, which amends Regulation (EU) 2024/1689 (AI Act) and Regulation (EU) 2018/1139 (EASA regulation on civil aviation).

This legislative initiative responds to a concrete need that emerged during the first months of AI Act implementation: balancing the ambition of rigorous regulation with operational feasibility for businesses and public administrations.

Please note: This analysis is based on the proposal text published on November 19, 2025. The text may undergo modifications during the ordinary legislative process.

Context and Motivations

The AI Act, which entered into full force on August 1, 2024, established an ambitious yet complex regulatory framework. Early implementations highlighted several critical issues:

High administrative burdens for AI system providers and deployers
Stringent timelines are not always aligned with the availability of technical standards
Bureaucratic complexities are particularly onerous for small and medium-sized enterprises
Fragmented governance among national authorities with risk of divergent interpretations

The Digital Omnibus proposal aims to address these critical nodes while maintaining unchanged the objectives of protecting health, safety, and fundamental rights.

Main Proposed Amendments

1. Flexible Implementation Timelines

One of the most significant changes concerns the application deadlines for high-risk AI systems.

Current situation:

The AI Act provides for the application of rules for high-risk systems starting from August 2, 2027

Proposed novelty:

Application is linked to the availability of harmonized standards, common specifications, or Commission guidelines
New deadline dates:
- Annex III systems (high-risk by definition): maximum December 2, 2027 (6 months after Commission decision)
- Annex I systems (regulated products): maximum August 2, 2028 (12 months after decision)

Practical implications:

This amendment acknowledges that effective implementation requires clear operational tools. Companies will have more time to comply, but only if necessary to allow the development of technical standards. It’s a pragmatic approach that avoids formal but ineffective compliance.

2. Extension of Privileges to Small Mid-Caps (SMC)

The AI Act already provides simplifications for SMEs. The Digital Omnibus extends these benefits to small mid-caps (enterprises with fewer than 1,000 employees).

Provided simplifications:

Proportionate technical documentation
Quality management system adapted to company size
Consideration of economic capacity in the application of penalties

Definition of Small Mid-Cap:
Enterprises that meet both conditions:

Fewer than 1,000 employees
Do not meet the criteria to be considered SMEs

This extension is particularly relevant for the European tech ecosystem, where many scale-ups fall within this size range.

3. AI Literacy: From Individual Obligation to Institutional Responsibility

Radical change in the approach to AI training.

Current regime (Art. 4 AI Act):

Obligation for providers and deployers to ensure a sufficient level of AI literacy for their staff

New proposed approach:

Elimination of direct obligation on operators
Institutional responsibility: Commission and Member States must promote and facilitate AI literacy
Focus on public training and awareness programs

Rationale for change:

The Commission recognized that the individual obligation was:

Difficult to verify and enforce
Excessively burdensome for companies
Ineffective without a public support framework

The new approach focuses on systemic initiatives rather than widespread and uncontrollable obligations.

4. Processing of Sensitive Data for Bias Mitigation

That is perhaps the most relevant amendment from a privacy perspective. A new Article 4a is introduced, providing a specific legal basis for processing special categories of personal data (ex art. 9 GDPR).

Permitted purposes:

Detection, correction, and monitoring of bias in AI systems
Applicable both in development and deployment phases

Required safeguards:

Appropriate technical and organizational measures
Limitation to a specific purpose
Application of minimization and proportionality principles
Compliance with GDPR

Authorized subjects:

Providers of all AI systems (not just high-risk)
Deployers of high-risk AI systems

Critical analysis:

This amendment represents an interesting balance point between two needs:

The technical necessity to use sensitive data to identify and mitigate algorithmic bias
The enhanced protection provided by art. 9 GDPR for particularly delicate data

The current formulation requires “appropriate safeguards,” but it will be crucial that implementing guidelines specify in detail which measures are considered sufficient. The risk is that an overly general rule leads to divergent interpretations and possible abuses.

5. Reduction of Registration Burdens

Proposed amendment:
Elimination of the obligation to register in the EU database for AI systems referred to in Article 6(3) - systems that, while falling within high-risk categories, are intended for narrow and procedural tasks with limited actual risk.

The obligation remains to:

Document the assessment that led to the classification
Make documentation available to authorities upon request

Operational impact:

This simplification significantly reduces bureaucratic burdens for a broad category of AI systems (e.g., customer service chatbots, scheduling systems, virtual assistants for specific tasks), without compromising traceability and supervision.

6. Centralization of Governance at the AI Office

One of the most structural amendments concerns the strengthening of the role of the European Commission’s AI Office.

New competencies:

Direct supervision of providers of general-purpose AI models (GPAI)
Coordination of national authorities
Development of binding guidelines and common specifications
Management of the EU database of high-risk systems
Direct sanctioning power for GPAIs

Implications for governance:

This centralization responds to the need to:

Avoid interpretative fragmentation among Member States
Ensure uniformity in rule application
Guarantee specialized technical expertise

However, it also raises questions about the distribution of regulatory power and the AI Office’s actual capacity to handle such a large workload.

7. Amendments to EASA Regulation

The Digital Omnibus also amends Regulation (EU) 2018/1139 on civil aviation, to ensure consistency with the AI Act.

Main amendments:

AI systems in aeronautical products are subject to EASA sectoral rules, not the general AI Act
EASA maintains exclusive competence for certification
Enhanced cooperation between EASA and AI Office
Alignment of conformity assessment procedures

Rationale:

The aeronautical sector already has rigorous and consolidated safety standards. The amendment avoids regulatory overlaps and competence conflicts, ensuring a single certification framework managed by EASA.

8. Legislative Timeline

Expected ordinary procedure:

Current phase: Commission proposal (November 19, 2025)
First reading: European Parliament and Council of the EU
Trilateral negotiations: If necessary, trilogue between Commission, Parliament, and Council
Final adoption: Presumably during 2026
Entry into force: 20 days after publication in the Official Journal
Application: Immediate for timeline amendments; gradual for other provisions

Estimated timeline:

Q2 2026: Possible final adoption
Summer 2026: Entry into force
August 2027 - August 2028: Gradual application for high-risk systems

9. Practical Implications for Businesses

For AI System Providers

Immediate actions:

Assess classifications of AI systems in portfolio, verifying if they fall under Art. 6(3)
Plan documentation for bias management, if processing sensitive data
Monitor the development of harmonized standards for high-risk systems

Medium-term actions:

Adapt quality management systems if falling within SMCs
Prepare procedures for bias detection compliant with the new Art. 4a
Implement simplified registration processes when available

For Deployers

Immediate actions:

Map AI systems used, identifying high-risk ones
Verify conformity assessments of providers
Document purposes of use to demonstrate compliance with Art. 6(3) conditions

Medium-term actions:

Implement bias monitoring procedures if using high-risk systems
Prepare contractual agreements with providers specifying responsibilities and guarantees
Train staff on new compliance procedures

For National Authorities

Operational challenges:

Coordination with AI Office: clearly define division of competencies
Inspection capacity: develop technical expertise to assess compliance
Uniform interpretation: participate in AI Board work for shared guidelines

10. Open Questions and Critical Issues

1. Ambiguity on Bias Mitigation

The formulation “appropriate safeguards” in Art. 4a leaves wide room for interpretation. It is necessary that the Commission rapidly publish detailed guidelines specifying:

Which technical measures are considered appropriate
How to balance the need to use sensitive data with minimization
How to document the necessity and proportionality of processing

2. Operational Capacity of the AI Office

The centralization of competencies at the AI Office raises questions about its operational capacity:

Will it have sufficient human and technical resources?
How will it manage the workload of direct supervision of GPAIs?
What accountability mechanisms will be provided?

The new Art. 4a creates a specific legal basis for processing sensitive data, but:

How does it coordinate with other legal bases of Art. 9 GDPR?
Is a GDPR impact assessment necessary in addition to AI Act compliance?
How to handle situations where national legislation is more restrictive?

11. Future Perspectives

Expected Evolution

It is likely that during the legislative process, there will be:

Technical adjustments to definitions and timelines
Clarifications on AI Office responsibilities
More detailed specifications on requirements for sensitive data processing

Impact on the European AI Ecosystem

The proposed simplifications could:

Reduce the competitive gap between Europe and other jurisdictions (USA, China)
Facilitate innovation in SMEs and scale-ups
Improve regulatory clarity and reduce legal uncertainty

However, much will depend on the effectiveness of implementing guidelines and on the authorities’ ability to provide proactive support, rather than just ex post controls.

Conclusions

The Digital Omnibus on AI represents a pragmatic evolution of the European regulatory framework on artificial intelligence. The Commission demonstrates listening and adaptation capacity regarding the critical issues that emerged during the initial implementation phase.

Strengths:

Greater flexibility in timelines without compromising protection objectives
Concrete administrative simplifications for companies of different sizes
Centralization of governance at the AI Office for greater coherence
Pragmatic approach to AI literacy

Open questions:

Need for detailed guidelines on bias mitigation and sensitive data processing
AI Office’s operational capacity to manage new competencies
Coordination with GDPR and national regulations

For businesses, the message is clear: the regulatory framework is stabilizing, but requires preparation, accurate documentation, and continuous monitoring. It is no longer time to wait; it is time to implement compliant processes grounded in the principles of ethics, transparency, and accountability.

References

Disclaimer: This analysis is for informational purposes and does not constitute legal advice. For specific assessments of your organization’s compliance, it is advisable to consult specialized professionals.

Related Hashtag

#AIAct #DigitalOmnibus #ArtificialIntelligence #EURegulation #AICompliance #PrivacyByDesign #GDPR #BiasMitigation #AIOffice #LegalTech #AIRegulation #EULaw #TechCompliance #AIGovernance #DataProtection

Introduction#

Context and Motivations#

Main Proposed Amendments#

1. Flexible Implementation Timelines#

2. Extension of Privileges to Small Mid-Caps (SMC)#

3. AI Literacy: From Individual Obligation to Institutional Responsibility#

4. Processing of Sensitive Data for Bias Mitigation#

5. Reduction of Registration Burdens#

6. Centralization of Governance at the AI Office#

7. Amendments to EASA Regulation#

8. Legislative Timeline#

9. Practical Implications for Businesses#

For AI System Providers#

For Deployers#

For National Authorities#

10. Open Questions and Critical Issues#

1. Ambiguity on Bias Mitigation#

2. Operational Capacity of the AI Office#

3. Coordination with GDPR#

11. Future Perspectives#

Expected Evolution#

Impact on the European AI Ecosystem#

Conclusions#

References#