On November 19, 2025, the European Commission published a package of legislative proposals known as the "Digital Omnibus." Designed to introduce flexibility into the EU’s digital regulatory framework, the proposal aims to simplify the General Data Protection Regulation (GDPR), the AI Act, and the Data Act to encourage innovation and reduce administrative burdens. 

While the proposal introduces several changes, the most immediate operational impact for businesses is a significant restructuring of the compliance timeline for high-risk AI systems and new clarity regarding data processing for AI models. 

Recalibrating the High-Risk AI Timeline

The Digital Omnibus proposes delaying the application of rules for high-risk AI systems. Under the current AI Act, obligations for high-risk systems listed in Annex III were set to apply from August 2, 2026. The proposal replaces this fixed date with a conditional timeline dependent on the availability of harmonized technical standards. The high-risk obligations would apply six months after the Commission formally confirms that the relevant compliance standards are available. To prevent indefinite delays, the proposal sets a deadline of December 2, 2027, at the latest. 

This effectively potentially grants companies an extension to align product roadmaps with finalized technical specifications, though the Commission retains the power to set an earlier date if standards are ready sooner. 

GDPR Amendments: Legitimate Interest and AI Training

The Digital Omnibus proposes amendments to the GDPR to facilitate the processing of personal data for AI model training. The proposal introduces a new article confirming that "legitimate interest" is a valid legal ground for processing personal data in the context of developing and operating AI systems, provided specific safeguards (such as data minimization and opt-outs) are met. The proposal further aims to provide a legal basis for processing special categories of data (e.g., ethnicity or health data) for AI model training. This includes an exemption allowing the processing of such data for bias detection and correction, provided attempts are first made to use synthetic or anonymized data. 

Targeted Relief for Generative AI and SMCs

The Omnibus would introduce specific relief measures for providers of General Purpose AI (GPAI) and expands the definition of businesses eligible for simplified compliance. The deadline for providers of AI systems generating synthetic content to comply with machine-readable marking requirements under Article 50 would be extended from August 2, 2026, to February 2, 2027. The proposal also extends the simplified compliance regime—previously reserved for Small and Medium-sized Enterprises (SMEs)—to "Small Mid-Cap" enterprises (SMCs). SMCs are defined as entities with fewer than 750 employees and less than €150 million in revenue. Furthermore, the proposal seeks to remove the mandatory "AI literacy" obligation for providers and deployers, aiming to reduce administrative overhead. 

Next Steps

It is important to note that the Digital Omnibus is currently a legislative proposal. It must be reviewed and adopted by the European Parliament and the Council of the European Union to become law. Given that the original start date for high-risk AI rules is August 2, 2026, EU lawmakers face a tight timeline to adopt these changes to ensure the extension takes effect before the original deadline passes. Companies are advised to track the progress of the Omnibus closely, as the final text may evolve during negotiations.