On 19 November 2025 the European Commission published its “Digital Omnibus Package”, meaning its proposals to reform data and cyber laws (the GDPR, ePrivacy Directive, Data Act, Data Governance Act and the NIS2 Directive) and the EU AI Act, which are made within a broader context of simplification and with the aim of enhancing the competitiveness of EU companies. See our previous article about the proposals.
On 21 January 2026 the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) published a Joint Opinion on the Digital Omnibus Proposal on AI (“Opinion”). The EDPB is made up of representatives of EU national data protection authorities (DPAs) and the EDPS, and the EDPS is the authority that oversees the use of personal data by EU institutions. The Opinion states that, while the EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the EU AI Act, this must not lower the protection of fundamental rights, in particular the right to the protection of personal data.
Proposed amendments to the EU AI Act and the EDPB/EDPS concerns
The key concerns raised in the Opinion relate to:
Use of special category data for bias detection and correction
The Digital Omnibus proposes extending, in certain circumstances, the right to process special category data for the purpose of ensuring bias detection and correction (which is currently limited to providers of high-risk AI systems where it is strictly necessary) to deployers of high-risk systems and models and providers and deployers of other types of AI systems.
In the Opinion, the EDPB and the EDPS recommend specifying that the use of special category data for bias detection and correction should be clearly circumscribed and limited to situations where it is strictly necessary and the risk of adverse effects from bias is sufficiently serious. The Opinion also recommends other changes to clarify the relationship between these provisions and the GDPR.
High-risk AI systems - delay to deadline for compliance with core provisions
The Digital Omnibus proposes delaying the deadline for compliance with some key obligations that are due to come into force in August 2026:
- the core obligations on providers and deployers of high-risk AI systems; and
- the transparency, or “watermarking” obligation for AI systems.
The EDPB and the EDPS express concerns regarding this proposed postponement. Given the rapid evolution of the AI landscape, they encourage the European Commission and the other institutions to consider whether the original timeline can be maintained for certain obligations, such as the transparency requirements, and to minimise delays to the extent possible.
AI literacy
The Digital Omnibus proposes that the duty for AI providers and deployers to ensure AI literacy among their staff (which became applicable in February 2025) should move from the organisation itself to the EU and national authorities.
The EDPB and the EDPS recommend maintaining this duty for providers and deployers, and emphasise that any new obligation to foster AI literacy placed on the European Commission or member states should complement, not replace, the responsibilities of the organisations actually developing and using these systems.
Expanded exemptions for small mid-cap entities
The Digital Omnibus proposes expanded exemptions from the AI Act’s obligations for small mid-cap entities. The Opinion expresses concerns about this, stating that, in light of AI’s scalability and autonomy, company size may not be a decisive factor to assess the possible risks of AI systems such enterprises place on the market.
Registration in the EU database for high-risk AI systems
The Digital Omnibus proposes providing an exemption from the obligation for providers to register AI systems in the database for high-risk AI systems where the system does not pose a significant risk of harm to health, safety or fundamental rights. The Opinion argues that this would significantly decrease the accountability of AI system providers and provide an undesirable incentive for providers to unduly invoke this exemption.
EU-level AI regulatory sandboxes
The Digital Omnibus proposes the introduction of EU-level AI regulatory sandboxes. The Opinion supports the creation of these sandboxes, but suggests improvements, including increased involvement of the EDPB and national DPAs.
Supervision and enforcement by the EU AI Office
The Digital Omnibus proposes changes to the supervisory and enforcement role of the EU AI Office. The Opinion welcomes the introduction of a requirement for active cooperation between the AI Office and national AI authorities, but emphasises the need for a clear role for the national DPAs and (where relevant) the EDPS.
Cooperation between authorities protecting fundamental rights and market surveillance authorities
The Digital Omnibus proposes streamlining cooperation between authorities that protect fundamental rights, including the right to non-discrimination, and market surveillance authorities. The Opinion supports this goal, but makes suggestions to clarify the authorities’ respective roles.
The Digital Omnibus proposals need to go through the EU legislative process before any of the proposed changes can become law. Due to the European Commission’s intention to delay deadlines that are currently due in August 2026 - including, notably, the proposed “stopping the clock” mechanism which concerns some of the key deadlines for the EU AI Act - this process may be more rapid that usual. In addition, the EDPB and the EDPS are finalising their work on a joint opinion on the Digital Omnibus on data and cyber laws, which is likely to be published in February. Separately, the EDPB and European Commission are due to issue joint guidelines on the interplay between the GDPR and the AI Act later this year.
