EU Delays AI Rules: Digital Omnibus Impact
Brussels softens AI regulations amid global pressures
Model Diplomat7 min readEurope

EU Digital Rulebook in Motion: Brussels Blinks on AI Rules
How the June 29, 2026 Digital Omnibus delayed high-risk AI enforcement, softened GDPR, and reshaped global tech compliance — and who really wins.
The Council of the European Union formally adopted the Digital Omnibus on AI on June 29, 2026, pushing the enforcement of the bloc's strictest rules on high-risk artificial intelligence back by up to 24 months and rewriting core provisions of the world's first comprehensive AI law before most of them ever took effect. The European Parliament's briefing service confirms the deal freezes Annex III obligations until December 2, 2027 and Annex I embedded-AI rules until August 2, 2028. The story worth telling is different: Brussels has voluntarily suspended the Brussels effect at the exact moment other jurisdictions started copying it. Under twin pressure from the Trump administration's tariff threats and a Big Tech lobbying campaign led by Meta, the Commission has converted its digital rulebook from a global export product into a domestic competitiveness instrument. The primary short-term beneficiaries are the US hyperscalers the law was built to constrain.
What the Omnibus actually changed
The Digital Omnibus is not one law but a package. On November 19, 2025, the Commission tabled two parallel regulations — COM(2025) 836 amending the AI Act, and
COM(2025) 837 amending the GDPR, the Data Act, ePrivacy, NIS2 and the Critical Entities Resilience Directive — alongside a Digital Fitness Check that will "stress-test" the entire acquis through 2029.
On the AI file, co-legislators agreed on May 7, 2026 in trilogue and the Parliament ratified on June 16. According to the European Parliament press release, obligations on high-risk AI systems — biometrics, hiring, credit scoring, education, law enforcement, border management — now apply from December 2, 2027 rather than August 2, 2026. Embedded high-risk systems in machinery, medical devices and vehicles slip to August 2, 2028. Watermarking of AI-generated content is delayed to December 2, 2026. Machinery products with AI functions are removed from the AI Act's direct high-risk regime and redirected to the sectoral Machinery Regulation.
The August 2, 2026 date still matters. Transparency obligations — user notices, deepfake disclosures, chatbot labelling — become enforceable on that date. So does the AI Office's new supervisory architecture. But the substantive product-safety regime — conformity assessments, risk management systems, technical documentation, fundamental rights impact assessments — is on ice.
The data track is more consequential and less discussed. A European Parliament study published in 2026 notes that the Omnibus redefines "personal data" through an entity-specific identifiability test, adds a new Article 41a empowering the Commission to declare pseudonymised data non-personal for specific controllers, and — critically — codifies "legitimate interest" as a lawful basis for processing personal data to train and operate AI systems. It lowers the threshold for special-category processing from "strictly necessary" to "necessary" for bias-detection use cases, and folds the ePrivacy Directive's cookie rules into the GDPR with a machine-readable consent-signal regime meant to end "cookie fatigue."
Who pushed, who benefits
The official rationale is competitiveness. In remarks on November 19, 2025, Executive Vice-President Henna Virkkunen framed the package as "the EU's answer to calls to reduce burdens on our businesses," with Commissioner Valdis Dombrovskis projecting €5 billion in administrative savings by 2029 and casting the Omnibus as delivery on the Draghi and Letta reports. The Commission's own
staff working document puts the number at "at least EUR 5 billion in administrative cost savings for businesses by the end of the Commission mandate."
That story is incomplete. Two exogenous pressures accelerated the retreat. The first is the Trump administration. According to a CSIS analysis published in early 2026, the State Department in January 2026 imposed visa restrictions on five European officials involved in drafting the Digital Markets Act and Digital Services Act, and the administration has embedded anti-digital-regulation clauses in bilateral trade deals with Malaysia, Indonesia, Cambodia, Argentina, Guatemala and El Salvador. In August 2025, President Trump publicly threatened "additional tariffs" on countries with "digital taxes, legislation or regulations." The signal to Brussels was unambiguous: enforce the rulebook as written and pay in goods tariffs.
The second pressure is an intra-industry lobbying push. Brookings scholar Tom Wheeler documented how Meta's Mark Zuckerberg openly framed the fight as one where "the U.S. government should be defending its companies" against EU regulation, and how the Trump memo on "Defending American Companies and Innovators from Overseas Extortion" mapped almost directly onto that ask.
Bruegel put the industrial logic plainly: "The main beneficiaries of [the Omnibus] are large US tech firms, which already exercise a dominant position and whose gap with European AI may widen."
Civil society reads the same map. Amnesty International called the package "a stripping of our rights to serve the interests of Big Tech," pointing in particular to the removal of the requirement that providers publish self-assessments concluding a system is not high-risk. The European consumer group BEUC, cited in the
Parliament's think-tank briefing, warned the package "goes far beyond targeted modification."

The Brussels-effect paradox
Here is the second-order effect that reframes the story. The classical "Brussels effect" thesis holds that EU market size forces global convergence on European standards — a theory that relied on two conditions: the EU actually enforces, and no bigger market credibly threatens retaliation. The Digital Omnibus concedes the first condition. Trump has neutralised the second.
Yet the model is spreading anyway. CSIS reports that Brazil introduced comprehensive digital-markets legislation in September 2025; South Korea advanced platform-fairness rules; India, Japan and the United Kingdom are all considering DMA-style frameworks. The Centre for European Reform
counts only eight non-European jurisdictions with GDPR adequacy decisions, which suggests the export was always narrower than Brussels advertised. What is diffusing globally is not the EU text — it is the EU template. The paradox: the more Brussels softens its own rules, the more it hands the political room to São Paulo, Seoul and Delhi to write stricter ones, because the US pressure campaign cannot deploy tariffs against every mid-sized economy at once.
For compliance teams, this is the operational reality. Global multinationals must now maintain two regulatory clocks: an EU clock that is running slower and is more permissive on training data, and an ex-EU clock — Brazil, Korea, potentially India by 2027 — that is running faster and, in some cases, stricter. The "one policy, run globally" model that GDPR unlocked is fracturing.
Cyber: the quieter half of the package
The cybersecurity track has drawn less attention and matters more operationally. The Cyber Resilience Act's reporting regime for actively exploited vulnerabilities and severe incidents begins to bite on September 11, 2026 — a 24-hour notification duty to ENISA for manufacturers of connected products, as documented by CSIS's incident-reporting inventory. The Digital Omnibus creates a single reporting entry point across NIS2, CER, DORA and GDPR breach obligations — genuine simplification that industry actually asked for.
That matters beyond compliance. State-attributed cyber operations against EU targets will now flow through one funnel to ENISA, giving the agency a real-time picture of coordinated activity across sectors for the first time. The IMF's 2025 France Financial Sector Assessment already flagged DORA overlap with NIS2 as a supervisory friction point; the single entry-point resolves much of it.
The unintended consequence: consolidated reporting also consolidates attribution. If ENISA can correlate incidents faster, the EU can name state actors faster — a capability the bloc has historically been slower than the US or UK to exercise.
What to watch
Three catalysts will define whether the Omnibus is a tactical delay or a strategic retreat.
- July 2026 — Official Journal publication. The AI Omnibus enters into force three days after publication, expected mid-to-late July. That is the legal starting gun for the revised timeline and for the Commission's power to declare when harmonised standards are "available" — the trigger that starts the six- and twelve-month countdown to high-risk enforcement.
- September 11, 2026 — CRA reporting live. First real-world test of ENISA's capacity to process 24-hour vulnerability notifications at scale. Watch whether the single-entry-point machinery functions or splinters along national lines.
- Q4 2026 to 2027 — Digital Fitness Check output. The
Commission's own schedule sets DMA, Chips Act and Digital Decade reviews for 2026, and NIS2 and DSA reviews for 2027. If any of these get folded into a second Omnibus, the "targeted simplification" framing collapses and this becomes a full-scale rulebook rewrite.
Diplomat View
The Digital Omnibus is not a technical adjustment. It is Brussels' first substantive concession in the transatlantic tech war — a €5 billion cost-savings story wrapped around a strategic retreat forced by Trump's tariff leverage and Meta-led lobbying. The forecast: high-risk AI enforcement will slip further, not sooner, because the Commission has now linked application to "availability of harmonised standards" it does not control, and CEN-CENELEC standards work on AI is running years behind schedule. Expect the December 2, 2027 backstop to hold only nominally; expect a second AI Omnibus by 2028 that either extends the deadline or narrows the Annex III scope further. What would revise this call: a Court of Justice ruling striking down the redefinition of personal data (a real risk that CEPR and EDRi have flagged), a Schrems-style challenge collapsing EU-US data flows, or a European AI incident severe enough — a fatal autonomous-vehicle case, a large-scale biometric misidentification — to reverse the political momentum. Absent one of those, the Brussels effect is now something the EU exports through Brasília and Seoul, not from Brussels.
The Bottom Line
The EU's Digital Omnibus, adopted June 29, 2026, delays the world's toughest AI rules by up to two years and rewrites the GDPR to give AI developers freer access to training data — a strategic retreat under US tariff pressure and Big Tech lobbying. The immediate winners are American hyperscalers who gained another compliance-free window; the longer-term winners may be Brazil, South Korea and India, whose stricter, home-grown platform rules now define the global frontier of tech regulation. The Brussels effect did not die — it emigrated.
Discover more

India
Congress Accuses Modi of Stalling Women's Law
Congress accuses Modi of stalling women's reservation law by linking it to delimitation, revealing a deeper electoral strategy.

US Politics
SNAP Food Assistance Faces Legal Challenges
In 2026, SNAP faces stricter eligibility rules and mounting legal challenges, threatening food assistance for the millions of Americans who rely on the program.

India
Delhi CM Rekha Gupta Blasts Opposition's Delm
Delhi CM Rekha Gupta's remarks on women's quota defeat reveal BJP's strategy for the 2029 Lok Sabha elections, focusing on delimitation.

Global
Why Figuera, not Machado
Why the US backs Figuera over Machado in Venezuela's transition, how oil revenue shapes incentives, and what the August 1 working group means for elections.