European Commission proposes extending AI Act deadlines for high-risk systems
6 days ago • ai-governance
The European Commission unveiled the Digital Omnibus package on November 19, 2025, with targeted amendments to the EU Artificial Intelligence (AI) Act and the General Data Protection Regulation (GDPR) to reduce administrative burdens.
High-risk AI systems listed in Annex III would have application deadlines tied to standards availability: 6 or 12 months after the Commission confirms support tools, but no later than December 2, 2027. Systems in Annex I would face a cap of August 2, 2028. The proposals remove mandatory staff AI literacy requirements, allow processing of special category personal data for bias detection and correction under safeguards, and extend SME simplifications to small mid-caps, with estimated savings of €225 million annually.
GDPR changes clarify identifiability using a "reasonably likely" standard, permit limited residual special category data for AI development, and modernize cookie consent via one-click options and browser settings. The package also creates a single-entry point for cybersecurity incident reporting across NIS2, GDPR, and DORA, projecting €5 billion in savings by 2029.
On January 20, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) endorsed streamlining in Joint Opinion 1/2026 but recommended keeping literacy obligations and tighter data-processing limits to protect fundamental rights. The European Parliament's LIBE Committee hearing on January 26 expressed skepticism about Big Tech influence and urged caution on premature revisions.
Why It Matters
- IT and compliance teams gain up to 16 months extra for high-risk AI compliance by aligning deadlines with standards rollout, reducing immediate penalty risk.
- Permitting controlled use of special category data for bias detection accelerates model auditing and remediation while keeping safeguards in place.
- A unified incident-reporting entry point reduces duplicate filings across GDPR, NIS2, and DORA, simplifying security operations and lowering administrative overhead.
- Clarified rules on pseudonymized and residual data reduce friction when assembling AI training datasets and help teams plan data governance controls.
Trust & Verification
Source List (4)
Sources
- IAPPOtherJan 27, 2026
- Kennedys LawOtherJan 28, 2026
- Reed SmithOtherJan 28, 2026
- FieldfisherOtherJan 29, 2026
Fact Checks (5)
Digital Omnibus proposed November 19, 2025, amends AI Act and GDPR (VERIFIED)
High-risk AI deadlines: up to Dec 2, 2027 for Annex III (VERIFIED)
EDPB-EDPS Joint Opinion adopted January 20, 2026, supports streamlining with safeguards (VERIFIED)
GDPR amendments include special category data for AI bias detection (VERIFIED)
LIBE hearing January 26, 2026, on Digital Omnibus skepticism (VERIFIED)