← May 10, 2026
tech power

The EU Spent Three Years Writing the World's Toughest AI Law. Then It Rewrote It.

The EU Spent Three Years Writing the World's Toughest AI Law. Then It Rewrote It.
AI2People

What happened

After a nine-hour all-night negotiation, the European Parliament and Council reached a provisional agreement on the AI Act Omnibus in the early hours of May 10. The deal delays the application of high-risk AI rules for stand-alone systems from August 2026 to December 2027, and for AI embedded in regulated products to August 2028. The original sectoral exemptions sought by Germany, which wanted to remove AI Act requirements that overlap with existing rules for medical devices, toys, and other machinery, were mostly rejected; only machinery products received the carve-out. Germany was criticized by other member states for what they described as a failure to collaborate in the negotiations. Attention now shifts to the Digital Omnibus, a separate legislative package that will determine how personal data can be used for AI development and scientific research, a fight that analysts describe as more consequential than the AI Act itself.

Europe delayed its hard AI rules by two years and called it simplification. The real fight is over the Digital Omnibus, where the question is whether European companies can train AI on personal data at all. If the data protection framework holds, Europe will continue to train less competitive AI on less data. If it yields, Europe will lose the only structural distinction that made its approach different.

The Hidden Bet

1

Delaying enforcement creates breathing room for companies to comply

The AI Sandbox framework, pushed back from August 2026 to August 2027, is already criticized for allowing only soft measures. The grace period is being used to slow the rollout of enforcement infrastructure, not to accelerate company readiness. Delays benefit the largest companies with the most lobbying capacity, not the startups that need clarity.

2

The AI Act and the Digital Omnibus are separate issues

You cannot build compliant high-risk AI systems without clear rules for what data you can train them on. The AI Act sets deployment rules; the Digital Omnibus sets training rules. If the Digital Omnibus weakens GDPR's data processing constraints for AI, the two-year AI Act delay is irrelevant because the underlying constraint disappears.

3

Europe is the global template for AI regulation

The US is moving toward voluntary frameworks and security partnerships with AI companies rather than mandatory compliance. China has its own national AI governance framework with different rules. The EU's claim to set global standards depends on companies choosing to comply, which depends on the EU remaining a market worth serving. Two delays in three years test that assumption.

The Real Disagreement

The live tension is between two things both the EU wants: competitive AI development and strong data protection. They cannot both be maximized simultaneously. Training competitive AI requires large-scale personal data processing. GDPR imposes consent and minimization requirements that make large-scale personal data processing expensive and legally risky. The Digital Omnibus is where this tension breaks. Industry and scale-ups argue the EU's AI ambitions are pointless without data access. Privacy advocates say loosening GDPR creates a precedent that hollows out the entire framework. The Commission's original compromise was watered down in Council, suggesting the status quo is winning, meaning Europe may preserve GDPR and accept second-tier AI competitiveness.

What No One Is Saying

Germany is in an impossible position. It wanted carve-outs for its industrial machinery sector to avoid AI Act compliance costs. Other member states called Germany obstructionist for not collaborating earlier. But Germany's machinery sector is the most exposed to AI-enabled competition from China and the US, and Germany is correct that the AI Act's overlap with sectoral rules creates genuine compliance confusion. The political cost of Germany arguing for its industrial interest is that it looks like it is undermining the regulation it publicly supports.

Who Pays

European AI startups

Ongoing, compounding with each delay

Regulatory uncertainty persists; compliance timelines have changed twice; venture capital prefers jurisdictions with clearer rules; the sandbox framework is delayed another year, removing the low-risk testing environment they were promised

EU citizens whose data is used in AI training

From the date the Digital Omnibus enters into force, if adopted

If the Digital Omnibus loosens GDPR's protections for AI development, personal data processed under existing GDPR consents could be repurposed for AI training without new consent; the 'incidental processing of sensitive data' exemption being discussed would mean health and biometric data could be used for AI development under a broad research exception

Medical device and toy manufacturers

When high-risk rules apply in December 2027

They sought sectoral exemptions from duplicate AI Act requirements but received only implementing acts, which come long after the problems they are meant to fix; they now face both existing sectoral regulations and AI Act requirements without the clarity the Omnibus was supposed to provide

Scenarios

Digital Omnibus preserves GDPR

The status quo wins in the Digital Omnibus debate; personal data processing for AI development remains tightly restricted; European companies continue training on smaller, consent-compliant datasets; the competitiveness gap with US and Chinese AI widens

Signal Digital Omnibus proposal published without an Article 88c legitimate interest exemption for AI processing

Data access loosened

Industry lobbying succeeds; GDPR's definition of personal data is narrowed or a broad AI research exemption passes; European companies gain data access comparable to US competitors; privacy groups challenge the law in the European Court of Justice

Signal Commission publishes a Digital Omnibus draft that includes a broad AI research exemption covering pseudonymized data

Neither resolves, enforcement fragments

AI Omnibus delays continue beyond 2027; Digital Omnibus stalls in Council; national regulators interpret existing GDPR and AI Act rules differently; large companies establish compliance strategies by member state rather than for the EU as a whole

Signal France, Germany, and Netherlands issue conflicting national AI Act guidance before the December 2027 deadline

What Would Change This

If the European Court of Justice issues a ruling that definitively clarifies what AI training data processing is permissible under GDPR, the Digital Omnibus debate resolves by litigation rather than legislation. That has happened before in EU digital regulation. It would be faster and more binding than the current legislative path, but it would remove democratic deliberation from a decision that affects hundreds of millions of people.

Sources

Euronews — Reports the overnight negotiation outcome and immediately pivots to the Digital Omnibus as the higher-stakes fight; industry calls the AI Omnibus too modest, rights groups call it a sellout
AI2People — Describes the delay of high-risk AI obligations and the political backlash beginning from consumer and civil society groups
AI Business Review — Industry perspective: the simplified framework is welcome but the deadlines remain unclear and the definition narrowing creates compliance uncertainty

Topics

EU AI Act regulation Digital Omnibus GDPR data protection

Related

power

Meta Is Giving Rival AI Chatbots Free WhatsApp Access for One Month to Avoid a Fine It Cannot Afford Politically

 power

The EU AI Act Open-Source Exemption Exempts Almost Nothing

 power

The EU Just Rewrote Its AI Law Before It Took Effect. OpenAI Is Cooperating. Anthropic Is Not.

 power

Europe Blinks on AI