What's next for EU AI Act “simplification"?

Previewing the EU's Digital Omnibus announcemnt | #32

Nov 17, 2025

Hey 👋

I’m Oliver Patel, author and creator of Enterprise AI Governance and author of the forthcoming book, Fundamentals of AI Governance (2026).

On Wednesday 19 November 2025, the European Commission will publish its Digital Omnibus Package—a sweeping proposal to reform the EU’s digital legislative framework. The EU AI Act is in sharp focus, alongside the GDPR and a host of other flagship EU laws. This article explains how we got here, what’s at stake, and the potential changes being discussed in Brussels. It will be followed by in-depth analysis of the proposed changes, once they are published.

How did we get here?

The EU has consistently sought to shape global regulatory standards on digital technology, data, and AI. The EU has been open about its policy objectives of protecting citizens and promoting global regulatory convergence towards its high standards, in domains like data protection and privacy. And in some ways, it has succeeded.

With GDPR, for example, there has been a demonstrable “Brussels effect”. Many countries worldwide have enacted data protection laws of a similar flavour and corporations have prioritised aligning their internal frameworks accordingly. Despite the lack of U.S. federal privacy law (which renders the U.S. a global outlier), almost all major American enterprises are significantly impacted by the GDPR and have implemented dedicated privacy compliance programmes.

However, as EU laws covering digital governance have proliferated, the picture has become increasingly complex and convoluted. Keeping track of the EU’s regulations and directives covering the digital sphere is no mean feat.

CEPS and Kai Zenner’s dataset of EU digital sector legislation, updated in July 2025, lists 101 different laws, including the EU AI Act and the GDPR. The authors remark that there has been an “absolute explosion” of EU digital laws and that “even the best experts struggle to keep up with this torrent of legal and policy instruments”. To complement the 101 laws, there exists a far greater number of regulatory bodies covering digital issues.

Enterprises require large teams of people to make sense of these developments and determine how to be compliant, not least because obtaining deep expertise in just one legislative area takes years. In response, enterprises have also established a range of somewhat separate yet overlapping digital governance capabilities to address key legal obligations and requirements. This includes implementing enterprise AI governance, which has become a core priority in recent years due to both the EU AI Act and the surge in AI adoption. But you didn’t need me to tell you that…

For AI governance professionals, this regulatory complexity is especially acute, as AI systems frequently trigger multiple regulatory requirements simultaneously—from GDPR’s rules on automated decision-making and use of sensitive personal data, to the AI Act’s requirements for high-risk and transparency-requiring AI systems, cybersecurity mandates, copyright and intellectual property, and existing sectoral laws.

In recent months, discussion regarding simplification of the EU’s digital rulebook has intensified—both within the EU and externally. It is widely reported that EU officials and member states have faced sustained lobbying from U.S. industry and the Trump administration. There are even reports of President Trump considering imposing tariffs and sanctions on the EU and its officials, due to the perceived impact of EU digital laws on U.S. companies and citizens.

This pressure has been accompanied by increasingly vocal calls from segments of European industry that EU digital regulations need to be reformed, streamlined, simplified, to reduce compliance burdens. For example, in July 2025, dozens of companies—including industry heavyweights like Mercedes Benz, Deutsche Bank, and L’Oreal—signed an open letter to the EU urging for a two-year delay to the EU AI Act’s key provisions on general-purpose AI (GPAI) models and high-risk AI systems.

This is coming to a head on Wednesday 19 November, as the European Commission is set to publish its “Digital Omnibus Package” proposal. This will outline, for the first time, the comprehensive set of legislative amendments the Commission proposes, to simplify the EU’s digital rulebook.

What was the Draghi report?

Although this situation has evolved over several years, the September 2024 publication of the “Draghi report” on The Future of European Competitiveness was an important milestone in this story. Mario Draghi is the former president of the European Central Bank and former prime minister of Italy. This independent report, commissioned by the EU, is shaping aspects of the European Commission’s policy agenda.

The report presents the EU’s economic challenges, focusing on diminished competitiveness, weakening productivity, and slowing growth. Draghi frames the economic outlook as an “existential challenge” for the EU, arguing that it will be unable to finance its social model, achieve its environmental ambitions, and deliver the prosperous and fair society that represents its raison d’être if it fails to make radical changes.

The Draghi report outlines three action areas to “reignite growth”. These are:

Closing the innovation gap with the U.S. and China, especially in advanced technologies.
Forging a joint plan for decarbonisation and competitiveness.
Increasing security and reducing dependencies.

It is the first action area which is most relevant for our focus—EU AI Act simplification. The Draghi report argues that the EU’s complex digital regulatory environment impedes innovation and growth. It elevates “reducing the regulatory burden” as a core priority for transforming the EU’s economic prospects.

Examining the “innovation gap” between the U.S. and China on the one hand and the EU on the other, the report claims that innovative European companies attempting to scale up are “hindered at every stage by inconsistent and restrictive regulations”. This is why, the report argues, European tech entrepreneurs routinely seek to grow their businesses in the U.S. The report also cites that 55% of SMEs flag “regulatory obstacles and administrative burden” as their greatest challenge, arguing that these “regulatory burdens” are particularly damaging for digital sector SMEs.

The report criticises the “precautionary approach” taken by EU digital laws, including the EU AI Act. It specifically calls out the compute threshold for determining whether a general-purpose AI (GPAI) model poses “systemic risk”, noting that various frontier AI models already exceed the threshold, despite the EU AI Act’s nascency. It also highlights the increasing difficulty that companies face in navigating the various overlapping laws relevant for AI and the hundreds of regulatory bodies across the EU responsible for digital governance.

It is important to note that a vast array of other impediments and challenges are highlighted—from inadequate research talent pipelines to low investment in innovation commercialisation—as contributing factors to the EU’s competitiveness challenge. Therefore, my intention is not to claim that the Draghi report is all about digital “regulatory burdens”, as that would be misleading. It would be equally misleading to claim the Digital Omnibus Package results solely from the Draghi report. However, the complexity of the EU’s digital legislative framework has undeniably become a totemic issue, which the Draghi report shone a very bright light on.

Next, we turn our attention to the European Commission’s Digital Omnibus Package. Will it deliver the changes that Draghi seeks? And what could this mean for the EU AI Act?

What is the EU’s Digital Omnibus Package?

The Digital Omnibus Package is the European Commission’s much anticipated proposal to reform the EU’s digital legislative framework. It is due to be announced and published on Wednesday 19 November. This follows public consultations earlier in the year.

The proposal will feature meaningful amendments to some of the EU’s flagship laws and perhaps even the repeal of specific instruments. The Digital Omnibus Package is expected to focus on the EU AI Act, the GDPR, the ePrivacy Directive, the Data Act, and the NIS2 Directive—horizontally cutting across the core digital governance domains of AI, data protection and privacy, and cyber security.

The purpose of the Digital Omnibus Package is to simplify and streamline the EU’s digital legislative framework, to ease compliance burdens and cut costs for organisations (particularly startups and SMEs), promote the growth and competitiveness of European companies, and boost innovation. It is inevitable that the core threads from the Draghi report will be woven into the European Commission’s proposal.

Before engaging in any further analysis of the imminent proposal, several caveats are required.

First, the current discussion, including this article, is based on leaked documents, media reporting, speculation, and rumours. Brussels is a famously leaky city, so this is nothing new. However, until the European Commission officially publishes its proposal, we do not know exactly what the proposal consists of. At the time of writing, nothing official has been published.

Second, the Digital Omnibus Package that will be published later this week merely represents the European Commission’s initial proposal on this controversial set of issues. Therefore, even when we have the proposal, all we will have is the official starting position of one of the EU’s institutions. To amend EU laws in this way will require extensive trilogue negotiations and approval from the European Parliament and EU member states via the Council of the EU (the Council).

Third, the aforementioned trilogue negotiations—and the process of amending and repealing a suite of EU laws in this way—are bound to be lengthy, complex, and fraught with drama. Although the precise legislative instrument to operationalise the Digital Omnibus Package is yet to be confirmed, it is most likely to be an EU regulation (which is the same legal instrument as laws like the GDPR and the EU AI Act).

To amend existing EU laws via a new regulation, the EU’s “ordinary legislative procedure” must be followed. This necessitates dual approval from both the European Parliament and the Council, following trilogue negotiations where both institutions have several opportunities to amend and update the legislative proposal. On average, it takes the EU 19 months to agree new laws, from the initial Commission proposal to formal adoption.

Plainly speaking, what all this means is that:

We don’t yet have an official proposal from the European Commission, merely leaks and media speculation.
When we do, it will be subject to lengthy and fraught trilogue negotiations, the outcome of which is impossible to predict.
- However, what can be predicted with a degree of certainty is that there will be a substantial difference between the European Commission’s initial legislative proposal and the final text that is voted on.
Following this, formal approval will be required from both the European Parliament and the Council to pass any regulation that meaningfully amends existing EU laws.
It is impossible to predict what the final legislative text will consist of and how long the negotiation and approval process will take.
Finally, there is no guarantee that any legislative changes will be approved—although this does seem unlikely given the various points made above.

How could the EU AI Act change?

Caveats aside, the final part of this article will highlight some of the potential changes that are reported to be on the cards for the EU AI Act.

Although based primarily on leaks and tip-offs, recent media reporting nonetheless shines a light on what is being discussed in the EU’s corridors of power. Below is a list of the various potential EU AI Act changes that have been reported. A special shout out for the reporting from MLex’s Luca Bertuzzi (who is a must follow for AI governance practitioners), which this list is largely based on:

Delaying the applicable date for the obligations for providers and deployers of transparency-requiring AI systems.
Delaying the applicable date for the obligations for providers and deployers of high-risk AI systems.
- These obligations apply from 2 August 2026, but this enforcement could reportedly be delayed for one year. This is partly due to delays in finalising technical standards that organisations can use to comply with these provisions.
Scrapping the AI literacy obligation for organisations and shifting it to governments, regulators, and EU institutions.
Centralising enforcement powers with the European Commission’s AI Office.
- This could be done by designating the AI Office as the regulatory authority responsible for supervising AI systems based on GPAI models. This is partly driven by concerns regarding readiness and capacity of EU member state regulators (some of which have not yet been designated), as well as the complexity firms could face in engaging with many different regulatory bodies.
Introducing smaller and more proportionate compliance penalties for ‘small mid-caps’ (defined as companies that employ up to 750 people and have an annual turnover of under €150 million).
- This would complement and expand the scope of the existing proportionality for compliance penalties for SMEs.
Removing the obligation for providers to register, in the EU’s public database, AI systems that are used in a high-risk domain which they have deemed and demonstrated are not high-risk due to the nature of the use.

It will be interesting to see which (if any) of these potential changes survive in the Digital Omnibus Package that the European Commission publishes on Wednesday. Given the speculative nature of this, I will not provide any further analysis on these potential changes in this article.

One final point to note is that the European Commission does have powers to amend or change aspects of the EU AI Act, via instruments called delegated acts and implementing acts. For example, the European Commission can modify the compute threshold for GPAI models with systemic risk via a delegated act.

Where these powers exist, the European Commission is able to drive changes without the need for the ordinary legislative procedure and formal approval from the European Parliament and Council. Although, there is always a degree of oversight from these institutions, who retain veto powers. However, the EU AI Act “simplification” changes discussed above extend far beyond the scope of the Commission’s powers to drive changes via delegated and implementing acts.