The European Commission's announcement on 19 November 2025 that the EU delays high-risk AI rules has reverberated across industry, civil society and political circles. Under a so-called "Digital Omnibus" package, Brussels proposes targeted amendments to several major tech laws , including the AI Act, GDPR, e‑Privacy and the Data Act , framed as measures to simplify obligations and reduce administrative burdens for businesses.
The package says companies will "only have to apply the rules for high‑risk AI systems once the necessary support tools and standards are in place," effectively providing some providers with up to 16 months to comply for certain obligations. The move is presented as pragmatic alignment of rules with implementation capacity, but it has also intensified debate about regulatory ambition and safeguards for rights and safety.
What the Digital Omnibus proposes
The Commission's Digital Omnibus, published on 19 November 2025, packages a series of focused amendments intended to streamline compliance across overlapping digital rules. Officials say the changes will make it easier for businesses to adopt common processes, reduce administrative burdens and accelerate rollout of digital services across the bloc.
Among the concrete measures, the Commission estimates administrative savings of up to €5 billion by 2029. It also highlights potential efficiency gains from European Business Wallets, which the Commission claims could unlock as much as €150 billion in savings per year by simplifying identity and data handling for firms and citizens.
Crucially for AI providers, the package signals a postponement of certain high‑risk obligations until harmonised standards, guidance and conformity assessment infrastructures are ready. That is meant to avoid enforcement gaps and costly legal uncertainty for companies rushing to comply without practical tools in place.
Scope and timing of the delay
Reuters reporting and Commission material indicate the omnibus would delay the EU's stricter rules for "high‑risk" AI uses , such as biometric identification, CV and exam scoring, health services, creditworthiness assessments, law enforcement, road traffic management and utilities , from August 2026 to December 2027. The effect is to pause the original timetable set out in the AI Act's phased application schedule.
The Commission framed this as a targeted, temporary reprieve: companies would have additional time to meet obligations while standardisation bodies and notified conformity assessment bodies finish technical work. Officials insisted the intent is simplification, not a weakening of rules, with the mantra communicated to journalists: "Simplification is not deregulation."
Nevertheless, the delay raises practical questions about enforcement readiness at national level. Member states still need to set up or bolster enforcement structures, and the formalisation of harmonised standards by bodies such as CEN‑CENELEC remains a key dependency for on‑time application of the strictest obligations.
Changes to data rules and training uses
The omnibus also proposes targeted tweaks to the GDPR to clarify lawful bases for AI training data. Reporting from late 2025 indicated the Commission would allow certain AI training uses under a "legitimate interest" legal basis , a change long requested by industry actors seeking clearer grounds for large‑scale model training.
Proponents argue that refining GDPR language will reduce legal uncertainty for developers who currently navigate a patchwork of interpretations across member states. The Commission frames the amendments as technical clarifications to help AI projects comply with data protection rules without lowering privacy standards.
Opponents, however, warn that expanding legitimate interest exceptions could undercut core privacy protections and make it easier to use personal data for model development without explicit consent. This tension between usability for innovative services and individual rights protections is at the heart of much of the debate.
Industry pressure and political context
The delay follows months of intense lobbying by big technology firms, industry coalitions and dozens of major European corporate CEOs who warned the original timelines risked harming competitiveness. Coalitions such as the EU AI Champions Initiative and trade groups like the Computer & Communications Industry Association publicly urged a pause while standards and guidance matured.
Letters, public campaigns and business statements in mid‑2025 argued implementation uncertainty, coupled with the potential for severe fines, could stifle innovation and investment in Europe. Under the AI Act as written, placing prohibited AI systems on the market can carry fines of up to €35 million or 7% of total worldwide annual turnover, a stick that magnified industry calls for clearer rules and smoother enforcement pathways.
Observers also note geopolitical and transatlantic pressures: U.S. government and Big Tech lobbying, combined with a desire to preserve European industrial competitiveness, have pushed Brussels toward a more "innovation‑friendly" or lighter touch stance. Some commentators see this as a strategic shift that risks ceding regulatory leadership on AI safety, while others call it a pragmatic move to ensure enforceability.
Civil society reaction and rights concerns
Civil‑society and consumer groups reacted strongly against the omnibus. European digital rights networks and consumer associations (including EDRi and BEUC among many NGOs) warned the changes would amount to a rollback of key protections and cautioned that clarifying GDPR lawful bases or delaying obligations could erode privacy and accountability.
Some organisations described the proposed package as the "biggest rollback" of digital protections in EU history, arguing that extended timelines and expanded legitimate interest allowances would reduce immediate safeguards for individuals subjected to high‑risk AI systems, especially in areas like biometrics, employment screening and law enforcement.
The clash between business-friendly reform and defenders of robust digital rights sets a politically charged scene. Lawmakers in the European Parliament and member states will now have to balance competitiveness arguments against civil‑liberties concerns as the omnibus proceeds to formal adoption discussions.
Standards, reporting and practical bottlenecks
A central technical rationale for the delay has been the absence of ready‑to‑use standards and conformity assessment capacity. The Commission had published draft guidance on reporting "serious AI incidents" (Article 73) in September 2025 and opened consultations, but harmonised technical standards and notified bodies remain works in progress.
Standardisation organisations, national authorities and the EU Ombudsman have been involved in preparing the ecosystem needed to enforce high‑risk rules. Until those pieces , guidance, testing standards, and accredited conformity assessors , are in place, enforcing the strictest obligations risks inconsistency, legal disputes and divergent national practices.
For businesses, the promise of "up to 16 months to comply" for certain obligations buys breathing room to adapt processes, but it also prolongs regulatory uncertainty. For regulators and rights advocates, the delay underscores the challenge of marrying ambitious legislation with operational readiness on a technical and administrative level.
As the Digital Omnibus advances to the European Parliament and Council, political negotiations will determine whether the package becomes law as proposed or is amended. Lawmakers will weigh the Commission's economic savings claims and industry appeals against civil society objections and the risk that perceived loosening of rules could weaken trust in EU digital governance.
The EU delays high-risk AI rules represents a consequential moment for Europe's AI strategy: it could either be a practical recalibration that ensures robust enforcement when standards exist, or a retreat that delays critical protections. The subsequent debates in Brussels will therefore shape both the regulatory landscape and Europe's influence in global AI governance.
