Contact
Sven Engelmann, Head of Strategic Partnerships, Kevla GmbH
IT Security
November 24, 2025

Europe in an AI Dilemma: Digital Omnibus Introduces Changes to EU AI Act, GDPR & Co.

Delays and relaxations receive both praise and criticism, but above all, they show that companies must act proactively

The European Commission aims to establish a global benchmark for trustworthy and regulated artificial intelligence with the EU AI Act. However, the recently presented changes through the “Digital Omnibus” package indicate a significant course shift: Following resistance, particularly from major tech corporations and the US government, key high-risk AI rules are to be relaxed and postponed. At the same time, French President Macron and German Chancellor Merz have emphasized the need for Europe to achieve greater “digital sovereignty” (only in German) to avoid becoming a pawn of the US and China.

The extraordinarily complex global supply chains of many corporations and SMEs in Germany illustrate the dangers of such dependence. This vulnerability became apparent in recent months, for example, through the International Criminal Court: Following pressure from the US government, Chief Prosecutor Karim Khan’s access to his official emails was simply blocked by Microsoft. Remarkably, the entire court is now switching from Microsoft to a German office software provider. The message is clear: Those who want to act sovereignly may not be able to rely on digital solutions from US tech giants.

All these developments raise the question: Can companies afford to wait for the EU’s final regulations? Or must they already take proactive measures to protect themselves from risks associated with AI, Big Tech dependency, and more?

To approach this question, we will first take a closer look at the relevant laws, the announced changes, and the criticism – and what this means for your company.

Overview of the EU AI Act

The EU AI Act came into force in August 2024, aiming to establish strict rules for high-risk AI systems. Among other things, it includes:

  • Requirements for transparency, data quality, and auditability of such AI systems
  • Particular focus on sensitive areas such as healthcare, employment, or law enforcement

For companies, this entails significant obligations regarding documentation, governance, and risk monitoring. Depending on the risk level, AI systems are subject to different legal requirements and compliance obligations according to the EU AI Act. Many companies have again discovered the limits of manual evidence management or exchanging trust documents via insecure systems like email.

November 2025: New Developments for EU AI Act through Digital Omnibus

On 19 November 2025, the European Commission proposed postponing key high-risk AI rules of the EU AI Act from August 2026 to December 2027.

At the same time, the “Digital Omnibus” package aims to ease several areas of digital regulation, for example by reducing bureaucracy. A stronger synchronization of rules is also planned, ensuring that regulations do not contradict each other or create duplicative bureaucratic burdens. Official voices from the Commission emphasize that this postponement is not deregulation, but a “critical review” to better align the legal framework with technical realities.

This affects not only the EU AI Act, but also other draft digital laws covered by the “Digital Omnibus.”

What is the EU Digital Omnibus – and why does it change so much for citizens and businesses?

The Digital Omnibus is a central element of European digital and AI regulation. As a comprehensive framework, it establishes the legal basis and structure for the classification and regulation of AI systems in Europe. Companies of all sizes must engage with these new requirements to remain compliant.

Digital Omnibus – Definition & Objectives

The EU Commission’s extensive reform package aims to streamline and simplify regulations in the areas of AI, cyber security, and data.

According to the Commission, a key goal is to reduce administrative burdens for companies and create more room for innovation, without compromising high standards of safety and fundamental rights.


Which laws are included in the Digital Omnibus?

The EU Commission’s “Digital Omnibus” package includes regulations for the EU AI Act, EU Cyber Resilience Act (CRA), EU Data Act, EU Data Governance Act (DGA), GDPR, and ePrivacy.

These laws shape the development and implementation of AI technologies, as well as cyber security, data protection, and citizens’ data rights in the European Union.

Overview of Laws in the EU Digital Omnibus

Here we briefly outline the objectives of the respective legislative packages, the areas of life and business they focus on, and when each EU law comes into effect.

EU AI Act

  • Effective: 01.08.2024
  • EU-wide applicability: Prohibitions from 02/2025, GPAI from 08/2025, High-risk AI from 08/2026, Full application August 2027 (previous schedule)
  • Objective: Ensure transparent, trustworthy, and safe use of AI applications in Europe
  • Focus: AI systems of all types, especially high-risk AI in healthcare, law enforcement, employment, critical infrastructure

Cyber Resilience Act (CRA)

  • Effective: 11.12.2024
  • EU-wide applicability: Phased until December 2027

Data Act

  • Effective: 11.01.2024
  • EU-wide applicability: From 12.09.2025

Data Governance Act (DGA)

  • Effective: 24.06.2022
  • EU-wide applicability: 24.09.2023
  • Focus: Public sector or sensitive data, e.g., health, energy, mobility

ePrivacy

  • Focus: Access to and storage of information on end devices, e.g., cookies and tracking

GDPR (DSGVO)

  • Effective: 25.05.2018
  • EU-wide applicability: Since 25.05.2018
  • Objective: Strengthen personal data protection, harmonize citizens’ rights, create a unified European data protection framework
  • Focus: Processing of personal data by companies and public authorities, including transparency, purpose limitation, data security, rights of individuals, breach notification, and accountability

How do the new proposals affect the EU AI Act & other Omnibus laws?

To stimulate the economy, and likely influenced by pressure from the US government and tech giants, the EU Commission has now announced changes, such as introducing stricter high-risk AI rules at a later date. Instead of August next year, these rules would take effect in December 2027.


The Commission is also proposing changes to the legal packages themselves. The focus is on simplification and de-bureaucratization, aiming to promote the EU economy and save five billion euros in administrative costs by 2029 alone. A closer look at the individual laws in the Digital Omnibus also reveals content relaxations. Critics even speak of a dilution of the initiative, at the expense of EU citizens and consumers.

Key changes proposed by the EU Commission for EU AI Act, GDPR & Co.

Here are some of the key changes that are expected to come with the Digital Omnibus:

EU AI Act

  • Reduction of documentation obligations for smaller companies
  • Expansion of compliance measures: New rules affect not only processes but also various applications of AI systems, regulated differently depending on risk class (e.g., law enforcement, online content personalization, critical infrastructures)
  • Expansion of powers for the EU AI Office for unified governance
  • Adjustments for high-risk AI (including deadline postponement)

General Data Protection Regulation (GDPR / DSGVO)

  • Simplification of reporting and documentation obligations
  • Objective: Promote innovation and economic growth
  • The core of GDPR, providing the highest level of personal data protection, remains unchanged

Cyber Resilience Act (CRA)

  • Introduction of a centralized reporting system for cyber incidents (“single-entry”), including attacks such as DDoS

ePrivacy / Cookie Rules

  • Proposal for simplified user consent, e.g., fewer cookie banners
Cookies everywhere? Great in the kitchen, but annoying while browsing the web.

Why the Digital Omnibus changes delight many citizens

The proposed redesign of cookie consent aims to eliminate intrusive banners on every website. Users could set preferences once per browser and browse without interruption – a clear benefit for consumers.

Why EU AI Act & Co. changes are controversial

»This Digital Omnibus package is not sufficient to cut through Europe’s regulatory jungle. While the announced changes provide some relief for companies, the proposal does not go far enough to make Europe digitally competitive and sovereign. Cosmetic corrections are not enough. The EU needs to drastically reduce bureaucracy and overregulation, and consistently remove contradictory rules.«
Bitkom-President Dr. Ralf Wintergerst

Critics see the adjustments introduced by the Digital Omnibus as a drastic intervention. Representing many of these voices, we give the floor here to the Federation of German Consumer Organizations. They warn that simplification could weaken fundamental rights, especially in data protection and AI oversight. Any weakening of privacy and rights poses significant risks for consumers.

»Simplifying digital laws must not become deregulation at the expense of our core values. […] If the EU loosens these rules, it provides companies with loopholes on a silver platter while simultaneously weakening consumer rights.«
Ramona Pop, Board Member, Federation of German Consumer Organisations

The demand is clear: unambiguous rules and maintaining current protection levels.

Necessary Deregulation or a Free Pass for Big Tech?

Is the EU Commission going too far in accommodating the demands of business? Or is it holding back growth in the European Union with excessive regulation? The issue is highly complex and the subject of intense debate among politicians, lobby groups, and NGOs. Here, we briefly outline only the most important points.

Pros (for simplification and postponement)

  • Relief for SMEs from overbearing compliance burdens
  • France and Germany support postponement to strengthen innovation and enable realistic implementation
  • Opportunity to establish technical standards, guidelines, and infrastructure (e.g., for audits) before widespread application

Cons (criticism and risks)

  • Consumer protection and data privacy may be endangered
  • Risk of weakening important safeguards, especially regarding AI transparency
  • Fundamental rights could be undermined, increasing dependence on powerful corporations
»Simplification, yes – but not as a cover for deregulation that strips citizens of their rights. Europe urgently needs to ensure that capital is invested in European companies and digital innovation that truly benefits people. But hollowing out fundamental rights, such as using personal data for AI training against people’s will, does not create innovation – it only creates more dependency on powerful corporations that work closely with an increasingly authoritarian government.«
Alexandra Geese, MEP

Applications of AI and regulation in Europe

AI is already integral to numerous sectors: healthcare, transportation, industrial production, energy. AI drives innovation, efficiency, and new business models. At the same time, risks increase: data breaches, manipulation, and unclear accountability for automated decisions.

The EU regulatory framework, anchored by the EU AI Act, ensures AI innovation does not come at the expense of data security, transparency, or consumer protection. Companies must adapt processes, applications, and services to comply and reduce risks of leaks, misuse, or legal consequences. High-risk AI requires extensive documentation, risk assessment, and evidence – tasks nearly impossible without digital solutions like Kevla TrustDocS and automated workflows.

What the EU AI Act changes mean for companies today

Even if key AI regulations from the European Union are set to be postponed again, this does not change the reality for many companies: investors, business partners, and auditors already expect proof of risk management, documentation, and governance for AI systems. Compliance with the new rules can be crucial for strengthening credibility and competitiveness in the digital environment.

As part of a “Call for Evidence” consultation, the EU Commission explicitly invited companies, research institutions, and other stakeholders to share their best practices and experiences in implementing data laws, cybersecurity measures, and AI regulations. This clearly shows that the Commission expects companies to start establishing structures for AI risk management, governance, and compliance today.

In addition, the new changes introduced by the Digital Omnibus may offer short-term relief or a grace period for businesses. At the same time, however, new uncertainties arise, as rules could be adjusted again.

Critical point: Security measures are already a corporate duty

Regardless of the final form of the EU AI Act and other laws, European companies – from startups to large enterprises – cannot wait. They must protect data, trade secrets, supply chains, compliance, and reputation. Structured organization is essential for effective cyber security and integrating processes, people, and technology.

Key risks include:

  • Faulty or insecure AI-generated information
  • Unclear legality of AI training data in the EU
  • Inadequate documentation, causing reputational damage or audit issues
  • Cybersecurity gaps from unclear certificates
  • Leakage of sensitive data to AI solution providers

These risks multiply with complex supply chains. Expectations from partners and customers rise regardless of postponed AI Act deadlines. Companies must demonstrate the reliability, documentation, and security of third-party AI modules.


Digital Omnibus & EU AI Act: How companies can act now

Companies can take measures to prepare for future legal changes, additional stages of the EU AI Act, and potential crises. This includes auditing supply chains for weaknesses, making the organization audit-ready, and implementing tools to ensure compliance with laws like the EU AI Act. Kevla TrustDocS can help automate document management and secure exchanges of trust documents.

Conclusion: Waiting for the EU and EU AI Act is not a viable strategy

The Digital Omnibus shows that bureaucracy may be reduced, but risks from unsafe AI use and cyber threats remain. Companies must act now to ensure transparency, security, and compliance across the supply chain. Proactive measures lay the foundation for AI and cyber security at service providers, suppliers, and manufacturers. With smart IT solutions like Kevla TrustDocS, businesses of all sizes can minimize risks today and strengthen processes and supply chains.

Kevla supports your company in implementing this efficiently and reliably: automated certificate management, tamper protection, and ad-hoc audit readiness – a secure solution for today and a foundation for tomorrow’s requirements.

Our experts are happy to advise you!