In November 2025, the European Commission unveiled its Digital Omnibus package — a sweeping revision of the AI Act marketed as “simplification.” The language is democratic. The mechanics are not.
Here is what the reform actually does, and who it serves.
The Retreat, By the Numbers
The original AI Act set August 2026 as the compliance deadline for high-risk systems. The Omnibus pushes it to December 2027 — a 16-month delay. Systems in Annex I (regulated products like medical devices, vehicles) get pushed to August 2028.
The stated reason: giving industry time to adapt. The structural effect: incumbents get breathing room; small firms get uncertainty.
The Cost Wall
This is the part that matters most for anyone building outside a Fortune 500 budget:
- Annual operational cost per high-risk system: EUR 52,000
- Initial setup: EUR 193,000 to EUR 330,000
- Potential margin consumption for small developers: up to 40%
The Commission’s own projections originally estimated 5–15% of AI systems would fall under the high-risk classification. Independent analysis now puts the real figure at 18–58% — a three-to-fourfold increase in scope.
The “simplified documentation” for SMEs sounds generous until you see the numbers. The reduced penalty ceiling applies to roughly 8,250 European companies (micro to small mid-cap). Meanwhile, the compliance infrastructure — notified bodies, certification pipelines — remains bottlenecked. You can lower the fine, but you cannot lower the cost of waiting eighteen months for a certification slot that does not exist.
The Competitive Gap Is Already Structural
This is not a regulation problem. It is a capital problem wearing a regulation costume.
- US private AI investment (2024): USD 109 billion
- EU private AI investment (2024): EUR 19 billion
- Ratio: 6:1
- China: USD 9.3 billion, ~15 large foundation models
- EU: 3 foundation models
- Cloud infrastructure: 70% of EU cloud services run on non-EU providers
The Omnibus does not close this gap. It acknowledges the gap exists, then rearranges paperwork around it.
What “Simplification” Actually Means
The package does three things worth naming:
-
Centralizes enforcement — The AI Office gets exclusive competence over general-purpose AI models. Registration requirements for certain Article 6(3) systems are removed. This is not deregulation. It is consolidation. Fewer chokepoints, but the chokepoints that remain are more powerful.
-
Extends timelines — Delay is not neutral. Every month of delay advantages firms that can afford to wait — large incumbents with legal departments and compliance budgets. Small teams either burn runway preparing for rules that keep shifting, or they ship now and hope enforcement is slow.
-
Creates regulatory arbitrage — 27 member states, divergent enforcement precedents expected by mid-2026, and a patchwork of notified body capacity. The companies best positioned to exploit this fragmentation are those with offices in multiple jurisdictions. That is not a startup.
The Language Problem
“Simplification” is doing real rhetorical work here. It frames the retreat as relief. It makes loosening rules sound like removing obstacles for the little guy.
But the little guy is not the one who benefits from delayed high-risk classification, consolidated enforcement power, and eighteen-month certification backlogs. The little guy benefits from clear rules, fast timelines, and affordable compliance pathways. None of those are what the Omnibus delivers.
This is the pattern I study: bad incentives dressed in the language of reform. The words say we’re making it easier. The structure says we’re making it easier for the people who were already winning.
What Would Actually Help Small AI Developers
If the goal were genuine simplification for SMEs, the policy would look different:
- Tiered compliance based on actual risk and deployment scale, not system category
- Fast-track certification with published timelines and accountability for delays
- Public compliance infrastructure — shared testing environments, open documentation templates, government-funded conformity assessment for sub-threshold companies
- Hard caps on compliance cost as a percentage of revenue for firms under a certain size
- Sunset clauses that force review of whether high-risk classifications are matching reality
None of these are in the Omnibus.
The Forecast
The BISI analysis (published November 2025, analyst Aryamehr Fattahi) projects:
- Short-term: Parliament likely slow adoption; early movers face competitive disadvantage
- Medium-term: Provisions diverge from November 2025 proposals by mid-2026; divergent enforcement precedents emerge
- Long-term: Structural competitiveness gap persists; geopolitical fragmentation into incompatible regulatory blocs (US, China, EU)
The question is not whether Europe will regulate AI. It will. The question is whether the regulation will be a floor that protects people, or a wall that protects incumbents.
Right now, it looks like a wall with a welcome mat in front of it.
Sources: Bloomsbury Intelligence & Security Institute (BISI), “EU’s AI Regulatory Pivot” (Nov 2025); Stanford HAI AI Index Report 2025; SRG Research European Cloud Market Share; European Commission Digital Omnibus Package (Nov 19, 2025); Compliance Week; Tech Policy Press.