On 19 November 2025, the European Commission published its proposals for a Digital Omnibus (amending several pieces of EU legislation, such as the Data Act, GDPR, NIS 2 Directive, DORA, Directive on the Resilience of Critical Entities, and Cyber Resilience Act) and the Digital Omnibus on AI Proposal. As the Digital Omnibus has already been discussed in relation to the GDPR, we will now focus on the Digital Omnibus on the AI Act, as it proposes several amendments to it.
What: Legislative proposal
Impact score: 1
For whom: All professional actors in the AI supply chain in the EU
URL: https://ec.europa.eu/newsroom/dae/redirection/document/121744
The proposed changes are intended to achieve, if adopted, a “simplification” and a reduction of the regulatory burden for the providers of AI systems on the EU market. These proposed changes are the following:
The Digital Omnibus on AI Proposal proposes to replace the current obligation of providers and deployers of AI systems to achieve AI literacy into an obligation of Member States and the Commission to “encourage” sufficient AI literacy. This thus reduces this provision to one of soft law, where the Commission and Member States are free to choose to what extent and how they intend to “encourage” AI literacy.
The Digital Omnibus on AI Proposal proposed a major delay to the application of the requirements for high-risk AI systems, i.e. those systems that will require certification prior to being placed on the market. Normally, the deadline for application would be 2 August 2026 for the high-risk AI system use cases in Annex III and 2 August 2027 for safety components of already regulated products, which are high-risk AI systems under the AI Act. The practical implementation of these deadlines is, however, delayed substantially as the standardisation organisations enlisted to draft harmonized standards for the AI Act, i.e. CEN and CENELEC, have not been able to complete the work and are not expected to do so before the end of 2027. Without harmonized standards to trigger the “presumption of conformity”, certification under the essential high-risk AI system requirements is not possible.
Therefore, the Commission has decided to propose the following change:
The above requirements, if adopted, could give time for implementation. However, they also make the deadline for compliance trajectories more complicated, as the proposal indicates a future change, the exact contours of which are not known.
What does create an additional “grace period”, is that the time of application for high-risk AI systems is clarified to only apply to providers of high-risk AI systems that marketed their system before the date these requirements become applicable if and insofar these systems have been subject to “significant changes in their designs”. The above makes it possible to, for at least a few years, avoid application of the requirements by simply releasing them shortly – up to one day – before the date of application once the Commission decision is published or once the abovementioned cut-off dates approach.
Under the current text of Article 6(2) AI Act, providers of high-risk AI systems listed in Annex III can declare that their AI system does not really create a high risk, by claiming that the system does not pose a high risk. This provision also lists examples of such cases, which fundamentally relate to the decision by an AI system having limited impact.
The Digital Omnibus on AI does not change this exception. It does, however, simplify its implementation. Under the current text, providers using this exemption are still required to register the AI system in a database created for this purpose by the European Commission. If the Digital Omnibus on AI is adopted without changes, this obligation will be reduced to requiring to document that choice and being able to provide that documentation at the competent authority’s request. Thus, providers that release a high-risk AI system without certifying it do not have to make themselves known to the Commission.
Under the current text of the AI Act, one of the requirements is that the provider of a high-risk AI system has to draw up technical documentation that is meant to inform authorities and other economic actors about the technical design of the AI system they release. The AI Act provides the option for small enterprises to have a simplified reporting format, to be determined by the Commission. To clarify: small enterprises, in EU law, are organizations that have less than 50 staff and an annual turnover or balance sheet total not exceeding 10 million EUR.
The Digital Omnibus on AI Proposal extends the same simplified reporting format to all small and medium-sized enterprises (SMEs) and to small mid-cap enterprises. ‘Small mid-cap enterprises’ are defined as enterprises that have less than 750 employees and have an annual turnover not exceeding 150 million EUR or an annual balance sheet total not exceeding 129 million.
Thus, the amount of entities that provide high-risk AI systems that need to write extensive technical documentation would be reduced. However, by how much the cost of reporting would be reduced, depends in large part on the simplified reporting format the Commission will work out.
For high-risk AI systems that are safety components of already regulated products under the New Legislative Framework, the Digital Omnibus on AI Proposal includes a provision that would require conformity assessment bodies applying for the license to certify such products must organize the conformity assessment procedure in such a way that the provider can file a single application for both the AI Act’s requirements and the procedure under the regulation applicable to the composite product the AI system is integrated into.
The Digital Omnibus on AI Proposal contains a provision allowing the AI Office to set up its own regulatory sandbox, next to the authorities of the Member States of the EU. The same proposal also attempts to avoid large disparities between the practices of regulatory sandboxes in the EU by giving the Commission the power to adopt implementing acts regulating their functioning.
Under the current text of the AI Act, the enforcement of the AI Act is mostly left to market surveillance authorities or other authorities designated by the Member States. The Digital Omnibus on AI Proposal intends to grant the AI Office – currently a mainly advisory body, analogous to the European Data Protection Board vis-à-vis the GDPR – enforcement powers in certain cases. One such case is for each and every AI system that is based on a GPAI model and is made by the same provider, except if it is already a regulated product. The AI Office would also become exclusively competent for any obligations regarding a high-risk AI system that is integrated into a very large online platform, as defined under the Digital Services Act.
The AI Office will act as a market surveillance authority. Further details regarding the power would, if the Digital Omnibus on AI is adopted, be worked out by the Commission.
The Digital Omnibus on AI Proposal contains a provision granting to the Commission the power to organize its own pre-market conformity assessment procedures regarding high-risk AI systems that are based on a general-purpose AI model.
Koen Vranckaert
