In June 2024, the EU passed the AI Act — the world's first comprehensive AI regulation. Fifteen months later, they started taking it apart.
On November 19, 2025, the European Commission unveiled its "Digital Omnibus Package," a set of proposals officially designed to "simplify" and "boost competitiveness." In practice, it's an unprecedented rollback of the very protections that made the AI Act a landmark piece of legislation. The EU Council agreed its position in March 2026. The European Parliament's committees voted overwhelmingly in favour. And civil society is sounding the alarm.
This isn't simplification. It's capitulation.
What's Actually Happening
The Digital Omnibus on AI proposes targeted amendments to the AI Act that, taken together, represent a fundamental weakening of its core protections:
- High-risk AI deadlines pushed back by 16 months — from August 2026 to December 2027. These are the rules governing AI in healthcare, hiring, welfare, border control, and the justice system. The systems that can literally decide your life opportunities will operate without adequate safeguards for another year and a half.
- Transparency requirements gutted — Under the current AI Act, if a company decides its AI system isn't high-risk, it must publicly register that assessment so it can be scrutinised. The Omnibus deletes this requirement entirely. Companies get to self-assess their own risk levels in the dark.
- Deepfake labelling delayed — Rules requiring AI-generated content to be labelled are pushed back, even as deepfakes become increasingly indistinguishable from reality. The implications for elections and public discourse are obvious.
- Grandfathering loophole — High-risk AI systems deployed before the (now delayed) deadline remain exempt from many obligations. Rush your AI system to market before the rules kick in, and you're largely off the hook.
The Commission even skipped its own impact assessment for these changes, claiming they have "no impact on fundamental rights" — while directly weakening fundamental rights safeguards.
The Lobbying Fingerprints
In January 2026, Corporate Europe Observatory and LobbyControl published a detailed analysis tracing Big Tech's fingerprints on the Digital Omnibus proposals. The findings are damning.
The digital industry's annual lobby spending in Brussels has grown from €113 million in 2023 to €151 million — a 33.6% increase in just two years. Amazon alone spent €7 million on EU lobbying in a single year. Companies like Google, Meta, Microsoft, and their industry associations have been pushing a consistent message: the AI Act "threatens innovation" and is "too expensive" to comply with.
When you compare Big Tech's lobbying positions with the Commission's proposed text changes, the overlap is striking. As Amnesty International's Damini Satija put it: "The EU's ongoing deregulatory push will lead to a weakening of people's rights and expose them to digital oppression."
The Trump administration's AI Action Plan added external pressure, pushing for the removal of what it called "red tape" and directly pressuring the EU to relax its digital regulations. The European far right has amplified this narrative domestically. As Politico wrote, "Washington is now setting the pace on deregulation in Europe."
The GDPR Is Next
The AI Omnibus doesn't exist in isolation. It's part of a broader Digital Omnibus that also targets the GDPR — Europe's flagship data protection law. Proposed changes include:
- Redefining personal data — Pseudonymised data would no longer count as personal data if the company holding it claims it "cannot identify" the individual. This creates a massive loophole: a company can strip names, claim the data is anonymous, sell it to brokers who can re-identify people, and wash its hands of GDPR obligations.
- Special AI carveouts — Companies would only need to delete personal data from AI training sets if it doesn't require "disproportionate efforts." A conveniently vague standard that large language model operators will drive a truck through.
- Restricting data access rights — Your right to see what data companies hold about you? The Omnibus would let companies refuse requests if they decide you're asking for "purposes other than the protection of your data."
What This Means for Mittelstand Companies
Here's the bitter irony: while the Omnibus is sold as helping European businesses compete, it primarily benefits the US tech giants that dominate the AI market. Small and mid-sized European companies — the Mittelstand — get caught in the worst of both worlds.
Many German companies have spent the last two years investing in AI Act compliance. They've hired consultants, built governance frameworks, trained teams, and redesigned processes. They took the regulation seriously because they believed the EU was serious about it.
Now the rules are shifting under their feet. Deadlines are moving. Requirements are disappearing. And the companies that lobbied hardest against the AI Act — the ones with €151 million in annual lobbying budgets — are the ones benefiting from the rollback.
For a German Mittelstand company that invested €200,000 in compliance, the message is clear: you played by the rules while the big players rewrote them.
At Cierra, we work with mid-sized companies implementing AI responsibly. Our advice hasn't changed: don't let political uncertainty become an excuse to abandon good governance. The companies that build trustworthy AI systems — with proper risk assessments, transparency, and human oversight — will be better positioned regardless of where the regulatory pendulum swings. Compliance isn't just about avoiding fines. It's about building AI that your customers, employees, and partners can actually trust.
The Bigger Picture
What's happening with the AI Act is part of a pattern. The EU is systematically weakening its own digital regulatory framework under the banner of "competitiveness" — a framework that took years to build and was once considered a global model.
A "digital fitness check" is already planned, evaluating the Digital Services Act and Digital Markets Act for their impact on competitiveness. More "simplification" proposals are in the pipeline. The direction of travel is clear.
Amnesty International, the Civil Liberties Union for Europe, EDRi, noyb, and dozens of other organisations have raised the alarm. But in the face of €151 million in annual tech lobbying, record corporate access to EU institutions, and geopolitical pressure from Washington, civil society voices are being drowned out.
Europe's AI Act was supposed to prove that you can regulate technology without killing innovation. Instead, we're watching a real-time demonstration of how corporate lobbying can dismantle regulation from the inside — not by fighting it head-on, but by "simplifying" it into irrelevance.
The trap isn't in the complexity. It's in the simplification.
Sources: Amnesty International (April 2026), Corporate Europe Observatory / LobbyControl (January 2026), Amnesty International (November 2025), Civil Liberties Union for Europe, Reuters, EU Council (March 2026), European Parliament
