Search
Choose a style
Dark
Light
Time to read: 6 min

​​Europe views no simple path on its AI Omnibus  

image credit: Alexandra Lande/Shutterstock.com

The European Commission (EC) appears at a crossroads over whether member states and the business community will accept its proposed changes to facilitate AI adoption.

Yesterday (November 19), the Commission published a new package of measures intended to support AI enablement by simplifying existing rules on data and cybersecurity, with the goal of boosting business activity and economic growth.

The measures form part of what the EU describes as a wider digital omnibus of reforms aimed at streamlining existing legislation to accelerate AI uptake and broader economic development.

The direction of these AI rules carries significant implications for EU member states, individual rights, regulatory determinations and the governance of all tech platforms (European and international). 

Furthermore, the mandate is the first attempt by a multinational organisation to harmonise its legal framework for AI amongst its membership. 

The concerns raised

Sensitivities and conflicts are immediately visible in the initial proposals endorsed by the EC. Though member states recognise the significance of AI applications to improve business transactions, the proposed changes collide with mounting concerns over digital rights, personal autonomy and the potential dilution of Europe’s hard-won data-protection standards.

Concerns have been directly raised by digital advocacy agencies, such as European Digital Rights (EDRi), across all changes and determinations sought by the Commission. 

A breakdown of measures lays out a Digital and AI Omnibus fraught with challenges – in what is becoming the next battleground for the European Union and its digital future, especially as the EU has one eye on the significant investment US-based AI entities have poured into their capital market. 

On cybersecurity reporting, the Commission proposes to streamline overlapping obligations by creating a single-entry reporting system to replace Europe’s current regime of NIS2, GDPR and sector-specific requirements. Changes are deemed as a “practical fix to reduce duplication”, yet critics warn that “consolidation will weaken incident transparency by reducing touchpoints between regulators and companies”. 

They argue that simplification may prioritise administrative ease over the depth and quality of reporting, potentially leaving serious security breaches under-examined.

The most heated pushback centres on the Commission’s decision to reopen parts of the GDPR and modernise cookie rules. The Commission insists the changes will harmonise interpretations without lowering data-protection standards.

image credit: 3rdtimeluckystudio/Shutterstock.com

Yet concerns are raised over hard-fought privacy rights gained for EU audiences. Changes to accommodate AI simplifications are viewed as a watering down of the EU’s flagship privacy regime under the existing GDPR framework.

Liabilities that a narrower definition of personal data could allow companies to decide unilaterally what counts as “non-personal”, enabling expanded device tracking and data processing with fewer safeguards. New cookie exemptions are feared to permit data access without meaningful consent, especially across media and advertising environments. EDRi and others describe this shift as effectively moving protections from the ePrivacy Directive into the GDPR – and weakening both frameworks in the process.

On data access, the Commission aims to consolidate rules under the Data Act, lighten cloud-switching obligations for SMEs, and provide fresh guidance to help firms understand compliance. A broader “data union” strategy seeks to unlock high-quality datasets for AI, expand the use of data labs, strengthen European data sovereignty, and introduce a Data Act legal helpdesk.

Civil-society organisations argue that these moves dramatically expand access to sensitive datasets without adequate guardrails, particularly for AI training. They warn that the proposals give both corporations and public authorities greater room to collect and exploit data with reduced transparency and oversight. Many believe the economic gains will largely accrue to Big Tech and Europe’s biggest corporate players, rather than the SMEs the package claims to support.

The launch of a European Business Wallet is one of the less controversial measures. Designed to allow firms to sign, store and exchange verified documents digitally across the EU, it is intended to cut red tape and reduce in-person bureaucracy. However, even this initiative is not immune from criticism.  

Yet opponents mention that, taken alongside the other measures, the wallet risks becoming another vector for expanding data access without proportionate oversight.

image credit: Vitor Miranda/Shutterstock.com

Does Europe need to appease to Big Tech needs?

The political context surrounding these reforms has become equally significant. Across the bloc, ministers and lawmakers are increasingly anxious about the pace of AI deployment and the degree to which its underlying systems remain controlled by a small cluster of US-based Big Tech platforms. 

Member states warn that without firm guardrails, Europe risks importing not only AI technologies but also the corporate governance cultures that shape them. Their concerns range from the spread of misinformation during election cycles to IP breaches, data harvesting and a new wave of AI-driven scams that threaten consumer trust.

These anxieties intersect with a deeper geopolitical theme: Europe’s insistence that any company operating across its digital market must accept and uphold EU rules. 

Governments argue that accountability is non-negotiable, and that the bloc cannot afford to loosen protections at the very moment AI systems are becoming embedded in financial services, media, public administration and national security infrastructures. 

Yet, US tech giants are applying sustained pressure for a softer regulatory landing, urging Brussels to prioritise business transactions, rapid deployment and the removal of perceived friction for AI adoption.

MEPs have made their concerns explicit in a letter addressed to the EU’s Digital Chief, Henna Virkkunen, warning of the democratic risks posed by unchecked platform power and opaque AI systems. As the signatories cautioned:

“If providers of the most impactful general-purpose AI models were to adopt more extreme political positions, implement policies that undermine model reliability, facilitate foreign interference or election manipulation, contribute to discrimination, restrict the freedom of information or disseminate illegal content, the consequences could deeply disrupt Europe’s economy and democracy.”

The letter is co-signed by a cross-party group of MEPs including Brando Benifei, Kim van Sparrentak, Paul Tang, Patrick Breyer and Alexandra Geese — underscores the mounting political pressure on the Commission to prioritise rights-based safeguards and enforceable accountability in its approach to AI governance.

Europe now confronts a defining question: can it uphold its long-established model of rights-driven digital governance while building a truly global AI economy?

The “omnibus” label feels most fitting as the EU embarks on one of its most consequential technological judgments, one that will reshape regulatory doctrine, market dynamics and its relationship with global technology platforms.

Subscribe to our newsletter