The AI Omnibus should not have happened. The AI Act was adopted after years of negotiation and compromise, yet some of its most important safeguards have not even started to apply.

Instead of supporting implementation through guidance, resources and strong enforcement, and timely work on crucial implementation tools such as standards, the European Commission reopened the law under the banner of ‘simplification.’ In reality, as with much of the wider Digital Omnibus agenda, this process has become a vehicle for deregulation. The final deal goes far beyond technical changes.

Amongst other changes, it delays obligations for high-risk AI systems, weakens public transparency, changes how the AI Act applies to industrial AI, and adds new prohibited practices at the last minute. These are political choices with real consequences for fundamental rights and accountability.

Furthermore, this process sets a dangerous precedent. If newly adopted digital rights laws can be reopened before they apply, powerful actors can treat implementation as a second chance to weaken rules they dislike. For rules that already apply but urgently need stronger enforcement, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, the message is equally dangerous: under the banner of ‘competitiveness’, fundamental rights can be pushed further into the background. Globally, due to its shift to a regressive trajectory in relation to digital rights, the EU risks reinforcing race to the bottom in digital (de)regulation.

This is made worse by a process marked by weak evidence, no proper impact assessment, insufficient public-interest consultation, and a rushed timeline for legally and politically complex changes.

The deal weakens key AI Act safeguards

One of the worst Commission proposals was stopped. This specific proposal was also a clear example of what is wrong with the current deregulatory wave. The final deal does not fully delete the obligation to register AI systems in the EU database when providers rely on Article 6(3) to classify systems as ‘not high-risk’.

This matters because Article 6(3) already gives providers discretion to decide that some systems used in high-risk areas should not be treated as high-risk. Without public registration, companies could have avoided key AI Act obligations with almost no public trace.

But the deal still weakens public transparency. Providers will have to upload less information to the public database. This means regulators, researchers, civil society and affected people will have less information to assess whether providers are classifying their systems correctly, consequently less ability to fight back when AI harms occur.

The deal also moves the Machinery Regulation from Section A to Section B of Annex I. In practice, this pushes AI systems embedded in machinery towards sectoral machinery rules, rather than the AI Act’s horizontal high-risk framework.

This is a serious change. The AI Act was designed as a horizontal law because AI-related harms do not fit neatly into product safety boxes. Machinery law may address physical safety, but it was not designed to cover the full range of AI-specific and fundamental rights risks.

AI systems embedded in machinery can affect workers’ safety, work pace, task allocation, monitoring, autonomy and ability to challenge decisions. If these systems are framed as optimisation, automation, efficiency or quality control, their rights impact may become harder to capture.

Delayed safeguards mean delayed accountability

The final deal delays key obligations for high-risk AI systems. For many high-risk systems, safeguards are delayed until 2 December 2027. For AI systems covered through Annex I, the timeline is pushed further, to 2 August 2028.

This means that potentially harmful AI systems can be placed on the market or deployed for longer without the full AI Act safeguards. These safeguards include rules on risk management, documentation, human oversight, transparency, accuracy, robustness and monitoring.

This is especially concerning because AI systems are already being deployed in sensitive areas such as workplaces, public services, health, education, policing, migration and the justice system.

Delaying safeguards is not a neutral administrative step. It delays accountability and extends the period in which people affected by AI systems lack the protections the AI Act was supposed to provide.

Sensitive data and headline bans should not distract from the wider rollback

The AI Omnibus also introduces a worrying derogation for processing special categories of personal data for bias detection and correction. Bias detection matters, of course, but it should not be used to normalise the presence of highly sensitive data in AI pipelines. Data revealing health, political opinions, sexual orientation or ethnicity requires strict protection under EU data protection law.

This is especially worrying in the context of the so-called ‘Data Omnibus’, the other pillar of the Digital Omnibus, which risks creating further derogations for the use of special categories of personal data in AI development. Together, these files risk shifting sensitive data processing from exceptional to normal.

The final deal also adds new prohibitions on AI systems generating or manipulating non-consensual intimate material and child sexual abuse material. The harms addressed here are real and severe. But these prohibitions were inserted into an Omnibus file presented as technical simplification, despite the AI Act already having a review mechanism for prohibited practices, and while rights-abusive emotion recognition against people on the move and EU-made surveillance technologies affecting people outside of the EU continue to be permitted.

A headline ban should not distract from the wider reality: the same deal delays safeguards, weakens transparency and creates new loopholes.

You can read and download the full analysis of the AI Omnibus here - a joint paper by European Digital Rights (EDRi), ARTICLE19, Access Now, AlgorithmWatch, Amnesty International, Danes je nov dan, the European Center for Not-for-profit Law (ECNL), Lafede - justícia global and Politiscope.