In this article (4)
EU AI Omnibus Makes Key Changes, but Compliance Still Needs Version Control
Key Takeaways
- Keep AI Act trackers versioned, with owners for each Omnibus dependent assumption.
- Treat proposed relief as provisional until final text and guidance confirm it.
- Document classification decisions even when administrative obligations appear to shrink.
Simplification may trim admin work, but AI Act plans still need owners, assumptions, and audit trails.
Omnibus sounds like someone tidied the filing cabinet. Compliance teams should distrust that sound, politely. The EU AI Omnibus may reduce some administrative friction, but it also creates the oldest problem in governance: the rule in your tracker may not be the rule that survives negotiation. A compliance calendar is not a policy position; it is a change log with deadlines attached.
The package is broad, and that is
the first complication PwC says the European Commission published the Digital Omnibus on November 19, 2025, presenting it as AI regulatory relief while leaving questions unresolved. Morrison Foerster describes the package as an effort to reduce administrative burdens by at least 25% for all businesses and at least 35% for small and medium enterprises by 2029, across the AI Act, Data Act, GDPR, ePrivacy Directive, and cybersecurity laws. Bruegel similarly describes two draft laws issued on 19 November that would amend several EU laws, with simplification and streamlining as the stated goal. That is useful context, but it is not a substitute for knowing which AI systems you run, which legal bucket each one sits in, and which evidence file proves the point. The breadth matters because simplification across multiple laws can move obligations sideways rather than remove them. A definition aligned in one file may still require a product team to update a data map, a procurement clause, or a model classification record. The builder lesson is dry but practical: do not convert a policy objective into a product requirement until the operative text supports it. Put another way, fewer forms is not the same thing as fewer duties.
Proposed relief belongs in
an assumptions column Morrison Foerster's December 2025 client alert is a useful example of why implementation plans need version control. It described a proposed removal of the EU database registration requirement for providers of AI systems exempted from high risk classification under Article 6(3) of the AI Act, including systems used only for preparatory tasks. That is exactly the kind of sentence that tempts teams to delete a workflow too early. It belongs in an assumptions log until final text, guidance, and the organization's legal reading all point the same way. CCIA's May 2026 account of the sealed AI Omnibus deal framed the outcome as one where EU negotiators missed opportunities, which is a warning against treating every proposal as delivered relief. The plain operating rule is simple: keep the classification memo, keep the use case description, and keep the trigger that tells legal when a preparatory tool has become something more consequential. If the registration duty changes, the evidence file still explains why the system was assessed the way it was. Regulators tend to prefer records over vibes, a habit worth planning around.
Version control is
the compliance plan, not paperwork theater Tech Policy Press reports that EU legislators reached agreement on the AI Omnibus at 4:30 a.m. on May 7, 2026, concluding the most arduous phase of a six month negotiation process conducted under a tight schedule. The same report says the process was aimed at finishing before the original August 2, 2026 deadline. That timing explains the operational risk: teams have enough signal to update plans, but not enough finality to freeze them. The correct response is not a wait and see pause; it is a managed branch. For product and governance teams, that means each AI Act obligation should carry a status, a source, a date, and an owner. One column should mark obligations that are stable under the AI Act as currently implemented. A second should mark Omnibus dependent assumptions, with a link to the source and the condition that would change the answer. A third should identify the business control affected, such as inventory, classification, registration, transparency notice, vendor review, or audit evidence.
The remaining uncertainty is where builders get stuck Bruegel argues that
the Commission's digital and AI omnibus proposals respond to pressure to accelerate EU productivity growth by reducing regulatory compliance costs, but also says the plans introduce new inconsistencies and fall short of transformative reform. That is the part builders experience first. A startup does not comply with a political ambition; it complies with text, guidance, supervisory practice, and customer due diligence questionnaires. When those layers disagree, the safest system is one that records why yesterday's answer changed. PwC's framing, regulatory relief with questions remaining, is therefore less a headline than an implementation instruction. AI Act teams should update inventories now, mark assumptions clearly, and avoid deleting controls solely because a proposal once suggested relief. Watch the final text, supervisory guidance, and sector specific interpretations, especially where AI governance overlaps with privacy, cybersecurity, and data access rules. Simplification may still help, but only the version you can evidence will help during an audit.
