The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion pushing back on parts of the European Commission's "Digital Omnibus on AI." The package, proposed on November 19, 2025, aims to simplify how the AI Act and other digital rules are implemented. The watchdogs' message is simple: streamline paperwork, yes - but do not water down rights.
They wrote that "Administrative simplification must not... lower the protection of fundamental rights" and called for tight coordination between Data Protection Authorities (DPAs), the EU AI Office, and Market Surveillance Authorities (MSAs). For the full opinion, see the EDPS/EDPB joint opinion.
What's changing - and why they care:
Special-category data for bias fixes: The Omnibus would allow providers and deployers to process sensitive personal data (for example, ethnicity or health) to detect and correct bias across more AI systems. The watchdogs want this strictly limited and allowed only where the risk to people is serious. See the EDPS press release.
High-risk AI timelines: The Commission floated delaying some core obligations for high-risk systems and postponing certain transparency and watermarking requirements. The EDPB and EDPS say any delays should be minimized and transparency measures should stay on schedule. See the Commission announcement.
Registration carve-outs: The proposal would exempt some systems that are "not really high risk" from being listed in the EU AI database. The watchdogs argue that removing registry obligations would undercut accountability and want the registry requirement to remain. See the EDPS press release.
AI literacy and sandboxes: The opinion says duties to improve AI literacy should stay on providers and deployers, not only on authorities. It also asks for Data Protection Authorities to be involved directly in EU-level sandboxes and for a clearer role for the EU AI Office so it does not overlap with independent supervision. See the EDPS press release.
FRIA vs. DPIA, the fast version:
DPIA (Data Protection Impact Assessment): Required under GDPR Article 35 when processing personal data poses likely high risks to people's rights and freedoms. Many products already need a DPIA. For background, see GDPR Article 35 (DPIA).
FRIA (Fundamental Rights Impact Assessment): Required under Article 27 of the AI Act for certain deployers of high-risk systems. FRIAs look beyond personal data to assess broader impacts on fundamental rights. Typical covered cases include public bodies, private entities providing public services, and certain uses in credit and insurance. You may need both a DPIA and a FRIA, depending on your system. See AI Act Article 27 (FRIA).
In plain language: DPIAs focus on data-protection risks. FRIAs look at a wider set of harms to people's rights. If your product handles EU users' personal data, plan for DPIAs. If you deploy high-risk models in public services, credit, or insurance, plan for FRIAs too.
Why founders should care:
Expect DPIAs to remain table stakes if you touch EU users' data. If you deploy high-risk systems for public services, credit scoring, or insurance, expect to need a FRIA too.
Build documentation now: logging, clear human oversight, risk management, and impact assessments are core pillars of the AI Act and GDPR and will matter regardless of Omnibus tweaks.
Enforcement will likely involve multiple regulators. The opinion pushes for clear lines between DPAs, MSAs, and the EU AI Office to avoid gaps. Prepare for multi-regulator scrutiny in different member states.
For more detail on the legal distinctions, see AI Act Article 27 (FRIA) and GDPR Article 35 (DPIA).
Process and timing:
The Commission proposed the Digital Omnibus on November 19, 2025. Parliament and the Council now handle the file.
The file was presented to the European Parliament's LIBE committee on January 26, 2026. Beyond that, the timeline depends on political negotiations.
See the Commission announcement for the original proposal.
Links for the nerds:
Joint Opinion (Jan 20, 2026): EDPS/EDPB joint opinion
Commission proposal (Nov 19, 2025): Digital Omnibus AI regulation proposal
EDPS press release summarizing the joint position: EDPS press release
Bottom line: The EDPB and EDPS support making rules workable and cutting unnecessary paperwork. They are clear, though: simplification must not come at the expense of transparency, accountability, or the rights protected by the AI Act and the GDPR.