Digital Omnibus: Why the EU Proposal Is Not a Signal to Wait and See

The market demands speed; regulation has so far demanded patience. With the “Digital Omnibus” presented on November 19, 2025, the European Commission is addressing criticism of excessive bureaucracy. The goal of the initiative is simplification: requirements under the GDPR and the AI Act will be made simpler, clearer, and more practical. But anyone who misinterprets the promised relief as a signal to wait and see is making a strategic mistake.

For many companies, the news from Brussels sounds tempting: deadlines are being pushed back, reporting requirements are being eliminated. Does this mean the pressure to act is gone? No—the following points illustrate why hesitation is a mistake. While the draft does give companies more time, it does not change the core task of integrating trustworthy AI into their own processes. On the contrary: where the legislature removes formal hurdles, companies’ own responsibility increases. The strict requirements for high-risk AI, in particular, demand comprehensive adaptation processes that take a great deal of time. Those who wait and see now, instead of actively using the preparation time, are not only squandering a valuable head start. Should the deadlines ultimately not be postponed, there is also the threat of an organizational challenge that will be nearly impossible to manage.

Finally Solvable: The Conflict Between Data Protection and Fairness

Until now, banks and insurers in particular have faced a practical dilemma: The AI Act requires non-discriminatory AI models, yet the General Data Protection Regulation (GDPR) made it extremely difficult to use sensitive data to test for and correct precisely this discrimination.

The Omnibus draft now specifically resolves this conflict. The processing of such sensitive data is permitted—though strictly limited to the purpose of identifying and correcting bias. This creates the urgently needed legal certainty for regulated industries. Instead of operating in a gray area, you will be able to verify in the future, on a clear legal basis, whether your AI makes fair decisions. It is important to note: This permission applies only under strict safeguards, such as pseudonymization and the obligation to delete the data immediately after correction. The recommendation is: You should already be assessing which datasets are needed for such fairness tests. If this has not already been done, establishing structured data governance provides the necessary foundation to be ready to go as soon as the regulation takes effect.

Use New Deadlines as Preparation Time

Since the harmonized technical standards have not yet been finalized, the Commission proposes adjusting the implementation deadlines. For high-risk AI systems, the EU Commission is now targeting December 2, 2027. However, it should be noted that the outcome of the deadline regulation remains uncertain in the wake of the trilogue negotiations launched in spring 2026, and the original deadline of August 2, 2026, could still apply. A delaying tactic is therefore risky.

Industry observers warn that this new timeline creates dangerous regulatory chaos. On the one hand, the draft legislation leaves companies in legal limbo: as long as the Digital Omnibus has not been finally adopted, the original, much tighter deadline of August 2, 2026, formally remains in effect. Should the legislative process in the European Parliament be delayed, companies face acute uncertainty regarding which deadline actually applies. On the other hand, the new deadlines are not guaranteed safety nets, but rather flexible targets. The draft stipulates that the rules will take effect as soon as the Commission confirms the availability of the technical standards. If this happens sooner than expected, compliance obligations could take effect well before December 2027—with lead times of just a few months. So, anyone who rigidly aligns their roadmap with the latest possible date risks jeopardizing their operations. Instead, the time should be used to set up processes properly now. Those who implement “governance by design” today—and tailor it optimally to their own organization and corporate culture—are immune to the back-and-forth of deadlines and ready to go, no matter when the starting gun is fired.

Competence remains indispensable - even without legal compulsion

The draft proposes to remove the legal training requirement for companies (“Article 4 – AI Competence”) and instead hold member states accountable for promoting educational opportunities.

We strongly advise against interpreting this as an invitation to cut corners on employee training. Even if the legal obligation is removed, the operational risk remains with you. An employee who fails to recognize manipulation or blindly trusts AI errors endangers the entire company—regardless of what the law says. Companies should therefore voluntarily invest in the competence of their teams. After all, security is guaranteed by knowledgeable users, not legal provisions.

Less bureaucracy, more personal responsibility

The draft proposes significant simplifications: The definition of eligible companies is to be expanded. Additionally, the requirement to register AI systems in the EU database is to be waived if the provider itself classifies them as non-high-risk.

However, this reverses the burden of proof. Without external registration, the company’s own documentation serves as the decisive evidence. In the event of an audit, it must be possible to provide complete documentation of why a system was classified as such. Organizations should therefore verify whether they fall under the expanded definitions of eligible companies and ensure that their internal documentation is audit-proof.

Conclusion: Quality Prevails

The Digital Omnibus is a positive sign of greater practicality. Upon closer inspection, however, the existence of this initiative is a double-edged sword: While simplifications such as data processing or relief for SMEs make sense, they also harbor new risks for citizens and call into question the protection of fundamental rights. The deletion of Article 4 is particularly critical, as it sends a dangerous signal in our view.

The promised leeway should not tempt you to wait and see, but rather motivate you to strengthen your own governance structure. Whether it involves establishing structured data governance for fairness testing, audit-proof documentation, or fostering AI skills within your team: the new leeway is a call to take the initiative.

This is exactly where adesso is the right partner at your side. We support you in actively leveraging this transition period and making your AI initiatives future-proof. Our team of experts provides comprehensive support—from strategy development and risk management to skills development—so that you are prepared for any regulatory scenario.