BRUSSELS (CN) — As European startups flee to the U.S., the EU loosened artificial intelligence and privacy regulations Wednesday, delaying restrictions on high-risk AI systems by up to 15 months while promising the changes won’t weaken data protection.
The package — a catch-all set of rule changes known as an omnibus — also narrows what counts as personal data to free up AI training, consolidates four data laws into one and creates a single portal for cybersecurity incident reports.
The move marks a deliberate pivot for Brussels, which has spent years building a reputation as the world’s toughest tech regulator. Officials are now responding to mounting pressure that European regulations have hampered the continent’s ability to compete with the U.S. and China in technology.
“Regulation alone is not enough,” said Henna Virkkunen, the EU’s top official overseeing tech policy, at a digital sovereignty summit in Berlin on Tuesday. “We must move from rulemaking to innovation building.”
Virkkunen noted that European startups are leaving to the U.S. to grow. “In many years, more startups are established in the European Union than in U.S.,” she said. “But 60% of the scale-ups are in the U.S. and only 8% in the European Union.”
Still, some experts warn the changes could advantage U.S. tech giants like Google and Meta more than European companies.
High-risk AI rules postponed
The proposal delays rules for AI systems that screen job applicants, assess criminal risk or diagnose medical conditions — systems the law deems “high-risk.”
Companies would need to conduct risk assessments, maintain technical documentation and ensure human oversight before deploying such systems — but Brussels hasn’t finalized the technical standards showing them how.
In July, executives from more than 40 major European companies — including chipmaker ASML, aerospace giant Airbus and AI startup Mistral — called for a two-year pause on key parts of the AI Act, arguing that this regulatory limbo puts them at a disadvantage against Silicon Valley competitors who can deploy AI systems immediately.
Now the EU has agreed to a delay that stretches up to 15 months for employment and law enforcement systems, and 12 months for AI embedded in medical products.
But industry groups warn the flexible timeline creates its own uncertainty. Alexandre Roure, head of policy at tech industry association CCIA Europe, noted that if the European Commission deems technical specifications ready sooner than expected, companies could face compliance deadlines with less than a year’s notice.
Andrea Renda, a senior research fellow at the Brussels-based think tank CEPS, suggested Brussels should adopt “a sunrise clause: If the private sector fails to present a good proposal in the next year, then the commission will step in with own decisions setting standards.”
France and Germany, the EU’s two largest economies, pushed for the AI enforcement delay at Tuesday’s Berlin summit. Their backing gives the package significant political weight in negotiations.
The changes extend compliance relief to more small and medium-sized companies, potentially saving them at least 225 million euros per year through lighter documentation requirements, said the commission Wednesday.
The package expands Brussels’ AI Office powers, giving it supervision over AI systems based on general-purpose models like ChatGPT. That marks a notable centralization of power in Brussels, moving oversight from national governments to the EU’s main executive body.
Privacy law changes under fire
The package makes targeted amendments to Europe’s General Data Protection Regulation (GDPR), the bloc’s strict 2018 privacy law. The changes let companies use more data for AI training without it counting as “personal data” if individuals can’t be reidentified.
Companies could also train AI models on personal data without explicit consent under “legitimate interest” provisions. For instance, anonymized health records that were once protected might no longer be if patients can’t be identified.
A fierce legislative battle looms. The commission insists the changes aim “to maintain the effectiveness and integrity of this landmark regulation while also addressing stakeholder calls to clarify, simplify and harmonize the GDPR.” Privacy campaigners aren’t convinced: A group of 127 civil rights organizations last week called the package “the biggest rollback of digital rights in EU history.”
“The EU cannot undermine essential human rights protections just to facilitate product development,” Daniel Leufer, senior policy analyst at Access Now, a digital rights group, told Courthouse News. “With the changes it’s proposing, it’s only going to create legal uncertainty and make it easy for unscrupulous actors to dodge rules, cut corners and violate people’s rights.”
Mario Mariniello, a senior fellow at Bruegel, a Brussels-based economic think tank, questioned whether the GDPR changes will even help European companies. “The omnibus does not give a comparative advantage to EU companies — because non-EU companies would [also] benefit from more data access in Europe,” he told Courthouse News.
He suggested the changes could actually advantage U.S. tech giants that already dominate European markets — such as Google or Meta.
Cookie consent is also getting a facelift. The amendments would cut back the barrage of pop-up banners and let users save their preferences through browser or operating system settings with a single click. Websites would need to honor those choices for at least six months. Brussels estimates this alone could save businesses more than 800 million euros annually.
The fight ahead
Right now, a company hit by a cyberattack might have to file separate reports to data protection authorities, financial regulators, and cybersecurity agencies. The new system would let them report once to a single portal.
Brussels is also merging four separate pieces of legislation into the Data Act, attempting to reduce legal complexity. Small and mid-sized companies get exemptions from some cloud-switching rules, worth about 1.5 billion euros in one-off savings. The package restricts business-to-government data sharing requirements to actual emergencies like floods or pandemics, rather than routine government requests.
A new Data Union Strategy would make more datasets available for AI development, while a “European Business Wallet” would give companies a digital tool to communicate with authorities across all 27 EU member states.
Overall, the EU estimates the package could save businesses up to 5 billion euros in administrative costs by 2029. The digital wallets could unlock another 150 billion euros annually if widely adopted.
Whether the changes will help Europe compete remains an open question. Industry groups say Brussels hasn’t gone far enough.
Roure called the package “a promising first step” but said “its narrow scope leaves much of the EU’s patchwork untouched. Unprecedented regulatory complexity and legal uncertainty act as a direct tax on Europe’s competitiveness and innovation.”
Victoria de Posson, secretary general of industry group European Tech Alliance, called the package “a long-overdue reset for Europe’s digital rulebook” but cautioned that “key details still need work to ensure European tech companies feel real relief.”
The package is Brussels’ attempt to show it heard the message. Officials are calling it the first in a series of simplification efforts, with a broader digital fitness check launching next year to stress-test the entire rulebook.
The proposals now head to the European Parliament and European Council — the bloc’s two main legislative bodies — where the political dynamics could mirror an earlier omnibus package approved last week exempting most businesses from supply chain regulations. That earlier effort saw the center-right European People’s Party ally with far-right groups to push changes through over fierce objections from progressives who have mobilized against what they see as a threat to data protection.
“We have all the ingredients in the EU to succeed,” Virkkunen said in a statement. “But our companies, especially our startups and small businesses, are often held back by layers of rigid rules.”
Even as Brussels pushes simplification, enforcement activity continues. On Tuesday, the commission launched market investigations into whether Amazon Web Services and Microsoft’s Azure cloud platform should be designated as gatekeepers under Europe’s Digital Markets Act, which imposes special obligations on dominant tech platforms. On Wednesday, the EU’s General Court rejected Amazon’s appeal against its designation as a very large online platform under the Digital Services Act, Europe’s content moderation law.
It’s the seventh omnibus package from the commission, which has set a target of cutting administrative burdens by at least 25% — and 35% for small and midsized companies — by the end of 2029.
Courthouse News correspondent Yuval Molina is based in Brussels, Belgium.
Our weekly newsletter Closing Arguments offers the latest about ongoing
trials, major litigation and rulings in courthouses around the U.S. and the world,
while the monthly Under the Lights dishes the legal dirt from Hollywood,
sports, Big Tech and the arts.
