Europe Rewrites Its AI Rules: Easier for Businesses, Tougher on Digital Abuse

2026-06-05 data

Brussels, Friday, 5 June 2026.
The EU has agreed to simplify its landmark AI Act, giving businesses more breathing room while banning apps that generate non-consensual intimate imagery. High-risk AI rules are now pushed to December 2027.

A Political Deal Five Months in the Making

The political agreement between the European Parliament and the Council of the EU did not emerge overnight. The European Commission had proposed the Digital Omnibus on AI just five months prior, as part of a broader EU simplification agenda designed to sharpen Europe’s competitive edge [1]. That proposal — formally designated COM(2025)836 — was published on 19 November 2025 and aimed squarely at reducing the regulatory friction that had been building since the AI Act entered into force in the summer of 2024 [2][8]. On 7 May 2026, the Council of the EU and the European Parliament reached a political accord on the so-called ‘AI Omnibus’ package [4][8]. The agreement was subsequently approved by Coreper — the Committee of Permanent Representatives — on 13 May 2026, though formal ratification by both EU institutions is still pending before the regulation can be published in the Official Journal of the European Union [8].

What Changes — and When

The revised framework introduces a carefully sequenced implementation timeline that gives businesses significantly more runway to prepare. Under the new agreement, rules governing high-risk AI systems used in areas such as biometrics, critical infrastructure, education, employment, migration, asylum, and border control will now apply from 2 December 2027 [1][4]. This marks a substantial delay from the original deadline of 2 August 2026, which had been looming for organisations using such systems [3][4]. For AI systems integrated into regulated products — such as lifts or toys — the compliance deadline has been pushed further still, to 2 August 2028 [1][2]. The European Commission explained that this sequencing is designed to ensure that technical standards and other support tools are fully in place before the rules begin to apply [1]. In a parallel relief for smaller companies, the definition of a ‘medium-sized enterprise’ has been expanded to encompass companies with up to 750 employees and annual revenues of up to €150 million — a threshold change that unlocks access to simplified documentation requirements, reduced penalties, and regulatory test sandboxes [4].

The Nudification Ban: Europe Draws a Hard Line

Alongside the business-friendly simplifications, the agreement introduces one of its most socially significant measures: a categorical ban on so-called ‘nudification’ apps — AI tools that generate non-consensual intimate imagery by digitally removing clothing from images of real individuals [1]. The European Commission has framed this prohibition as a critical step in protecting citizens from AI-enabled harm, and it sits alongside the AI Act’s existing list of banned AI practices, which have been in force since February 2025 [2][GPT]. The ban reflects growing alarm across EU member states about the proliferation of such tools, particularly their use to target women and minors. This is not a regulatory grey area: the deal treats nudification apps as a hard prohibition, not a risk category to be managed or monitored [1].

The Broader Simplification Drive Behind the Deal

The AI Omnibus agreement does not exist in isolation — it is one piece of a much larger EU simplification push that took shape following the Strategic Agenda 2024–2029 and the Budapest Declaration in November 2024, both of which called for a ‘simplification revolution’ to streamline EU rules and boost long-term competitiveness [5]. By 2030, the EU has set a target of reducing administrative costs and reporting obligations by at least 25% for all businesses — equivalent to savings of €37.5 billion — and by at least 35% for small and medium-sized enterprises [5]. The Digital Omnibus is the AI-specific expression of that ambition. Under the revised rules, the obligation on organisations to promote AI literacy has been shifted away from individual companies and redirected toward member states and the European Commission [8]. Registration and compliance obligations for high-risk AI systems that carry no significant risk have also been scrapped outright [8].

Dutch Businesses and the Compliance Countdown

For businesses operating in the Netherlands, the revised timeline delivers immediate relief — but also underscores the urgency of preparation. A survey by European HR services provider SD Worx, conducted among 5,936 HR managers and 16,500 employees across sixteen European countries including the Netherlands, found that only four in ten Dutch employers currently have an ethical AI policy in place for HR [3]. At the same time, 58% of Dutch HR professionals are now actively exploring how AI can support the workplace, up from 41% in 2025 — a sign that adoption is accelerating even as governance frameworks lag behind [3]. Nearly half of Dutch employers — 44% — report that AI is already reducing the need for certain roles or tasks [3]. Yet 32% of European organisations admit they lack sufficient internal knowledge and expertise to deploy AI effectively, and 30% cite the absence of a clear AI strategy as a key reason their AI projects are underperforming [3]. With the new high-risk AI deadline now set for 2 December 2027, Dutch companies — particularly those in HR, logistics, manufacturing, and quality control — have more time to build that internal capacity, but the clock is running [3][4].

Innovation Relief, Privacy Caution

Not all observers are celebrating the deal. Privacy lawyers and digital rights organisations have raised concerns that some of the proposed simplifications — particularly those touching on the use of personal data and pseudonymised data for AI training — risk weakening the protections enshrined in the GDPR [2]. Critics warn that pseudonymisation, as proposed by AI companies, offers insufficient protection because individuals can still be identified through the combination of different data points, such as daily travel patterns [2]. The Dutch cabinet had itself flagged concerns as early as 12 December 2025, cautioning that proposed changes to the GDPR definition of personal data and the broadening of the ‘legitimate interest’ legal basis for AI training do not effectively reduce regulatory burden and may undermine fundamental rights [8]. On 22 May 2026, the Dutch Senate’s committees on Digitalisation and Economic Affairs sent further questions to the State Secretary for Justice and Security regarding a non-paper on fundamental GDPR amendments dated 8 April 2026 [8]. A formal opportunity for written parliamentary input has been scheduled for 30 June 2026 [8]. The tension at the heart of the agreement — between innovation acceleration and privacy protection — is one that Brussels, The Hague, and capitals across Europe will continue to navigate long after the formal ratification of the AI Omnibus is complete [2][5].

Bronnen

AI regulation European Union