What Is Europe Trying to Achieve With Its Omnibus and Sovereignty Push?
Ramsha Jahangir / Nov 23, 2025
Audio of this conversation is available via your favorite podcast service.
This week, the European Commission unveiled a sweeping plan to overhaul how the EU enforces its digital and privacy rules as part of a ‘Digital Omnibus,’ aiming to ease compliance burdens and speed up implementation of the bloc’s landmark laws. Branded as a “simplification” initiative, the omnibus proposal touches core areas of EU tech regulation — notably the AI Act and the General Data Protection Regulation (GDPR).
The Commission argues that this update is necessary to ensure practical implementation of the laws, but civil society organizations see the proposed reform as the “biggest rollback of digital fundamental rights in EU history.”
I spoke to two experts to understand what the EU is trying to achieve:
- Leevi Saari, EU Policy Fellow at AI Now Institute
- Julia Smakman, Senior Researcher at the Ada Lovelace Institute
Below is a lightly edited transcript of the discussion.
Ramsha Jahangir:
In today's episode, we look at whether Europe's push to simplify its digital rules alongside a drive for digital sovereignty represents a clear strategy or a policy pulling in two directions. For years, the EU positioned itself as a global standard setter on AI and privacy. Yet at a moment when European leaders are calling for independence from US tech, the digital omnibus appears to weaken key protections and shift power to major tech firms. Two experts join me to help us understand what exactly is the EU trying to do. Let's start with introductions.
Julia Smakman:
Hi, I'm Julia Smakman. I'm a senior researcher in the law and policy team of the Ada Lovelace Institute, and I work on issues related to AI regulation and policy in both the EU and the UK.
Leevi Saari:
Hi all, Leevi Saari. I'm the EU policy fellow at AI Now Institute and a PhD researcher at the University of Amsterdam, working on regulation and political economy of AI in Europe.
Ramsha Jahangir:
Thanks so much for joining you two. I'm really looking forward to this discussion. A lot has happened this week. Perhaps the biggest story that has come up is obviously the digital omnibus and the Commission has repeatedly promised that its proposals would not lower the level of protection for fundamental rights, stating that its changes are fundamental for boosting innovation and supporting compliance. But civil society groups are calling it the most severe rollback of digital rights in EU history.
So Julia, maybe we can start off with you, in practical terms, what does this digital omnibus change in how the EU enforces its laws?
Julia Smakman:
I would say that this digital omnibus definitely tips the scales in favor of commercial interests at the expense of people's rights and protections. So unfortunately, I don't think the Commission is really delivering on their promise of not lowering protections in favor of protecting company interests. So in practical terms, what these changes actually mean, the digital omnibus consists of both the data omnibus and AI omnibus. So there's some changes there both for the GDPR and for the AI Act and some other acts as well. So within the GDPR, the data omnibus, we are most concerned about changes to the definition of personal data, moving it from an objective standard that would push companies to really strive to state-of-the-art anonymization techniques to a more subjective standard, which means that they will only have to consider data, personal data if they themselves can identify people out of a data set, would tie that information back to a natural person. So in practice, that would mean that less data is considered to be personal data. So less data has these protections and rights for the data subject attached to them.
Also in the data omnibus there's changes to the prohibition of automated decision-making. This is currently framed as a prohibition and will be changed to be framed as a permission. So that is definitely a big change.
And also something we're concerned about in the data omnibus is the introduction of the development operation of AI as a legitimate interest, the processing of data. This is framed as quite a vague, legitimate interest operation of AI. What does that mean? So yeah, we are also definitely keeping a close eye on what that would mean in terms of people's data being used to train and use AI systems and models.
Within the AI omnibus, there's two key things I think we're most concerned about. One is the delay in the application of the high-risk provisions in the AI Act. They were supposed to go into force at the latest through August, 2026, but now some of those provisions will be delayed until the end of 2027. So that basically means that high-risk systems can continue to be used and developed, but with less protections being enforced to keep people safe from the kind of AI harms that might come from the use of these systems in contexts like insurance, recruitment, critical infrastructure, those kind of situations.
And the second change in the AI omnibus that we are quite concerned about is the removing of the registration requirement for low-risk AI systems. Because basically under this requirement, companies can self-score their AI system as being low-risk. So not being covered by the high-risk provisions in the AI Act. But now also because of this change, companies will no longer need to register these self-assessments. So companies can basically mark their own homework, they can say that their system is low-risk, but then also don't need to publish that homework anywhere so you can't check it anymore if that system is indeed low-risk. So those are some of the big changes that we've been looking at the past week since the digital omnibus has come out.
Ramsha Jahangir:
Why is the commission pushing for simplification now and who is asking for this?
Julia Smakman:
Yeah, it's a really good question and I think to answer it, we need to zoom out a little bit because we've seen the EU been talking about cutting red tape and deregulation basically since the Draghi report and really pushing this false narrative that regulation stands in opposition to innovation. This is a narrative we've not just seen in the EU. We've also seen in the UK and the US and this claim that regulation stops economies from thriving and stops innovation from happening. We've also seen over the past year, the Trump administration putting a lot of pressure on the EU about its digital regulations. This was something that also came up in the context of the tariff discussions earlier this year. So this is kind of the broader context in which we should see this pressure from the US and also concerns of the Commission themselves about the EU economy and growth and innovation.
So the Commission claims that these changes in the digital omnibus are necessary to make processes simpler, particularly for SMEs and that this will help boost Europe's economy. However, the changes how we see them, we don't think that the Commission is being fully transparent about the fact that the overwhelming beneficiaries of these changes will be large non-EU tech companies. We're mostly concerned with, for instance, the training of big AI models. And also we haven't really seen that SMEs have really been asking for the changing of these kind of key definitions within the GDPR. But we do see these changes being very much in the interest of big AI companies for whom data protection laws have honestly become a hindrance in getting their hands on more data to train their models with. So I would probably put it in the context of these economic concerns, but also geopolitical pressures.
Ramsha Jahangir:
It's actually very interesting because this digital omnibus was published the same week there was a digital sovereignty summit in Berlin where the tone was super clear from the French and German, but also Henna Virkkunen, the EU Commissioner, was present. So the tone was really to deregulate and invest. There were a bunch of announcements including support for simplification. As you pointed out, Julia, in the name of speeding up innovation. So there were a lot of promises about unlocking more capital for European tech and a growing push by European clauses in public procurement. So Leevi, coming to you, when you look at the Berlin Summit and these developments, the deregulation push, the European buy clauses and the promise of a sovereign AI stack, do you see genuine sovereignty building? And I guess the same question for you. Who is asking for sovereignty and who does it serve?
Leevi Saari:
Thank you. It's a good question. I think first of all, at this moment we are still talking in terms of announcements and publications. I am personally of the opinion that where the rubber hits the road is when capital gets deployed. It's also looking at the concrete actions of private market operators, whether these grant announcements will actually be [inaudible 00:08:54] in some form. At this moment, I take this to be a symbolic political moment. To your question, who this is for, I think there is a very real public, like state level imperative on this, which has been sparked by questions of weaponizability, the threat of the deteriorating transatlantic relationship, that has activated the discussion on sovereignty that has been going on since the Snowden days.
I do think that then who are the actors? Who is this going to benefit? This is at this moment undecided. Of course, a lot of the hyperscalers are willing to neutralize this moment and capture this sovereign technology moment in order to expand their markets and resist this threat to their market share. But there are also European operators that are now actively moving to this space. So maybe one to point out was the new European sovereign tech alliance headed by Deutsche Telekom and Orange and so on. So you have markets emerging for these kind of alternatives.
Ramsha Jahangir:
It's an interesting contradiction, which actually makes me think about to what you were saying, is it even possible, is reliance on, for instance, UN's infrastructure fundamentally incompatible with EU's sovereignty claims?
Leevi Saari:
Well here I think it's important to be a bit more specific, what do we mean by digital sovereignty? So there are a lot of different efforts going on at the moment that try to nail that concept and define it. At this moment, I'm more inclined to treat it as a tool. So I think it's more illuminating to ask what do we need digital sovereignty for? And I do think there are many overlapping things going on. I do think I would separate these into three options. I think first is the regulatory sovereignty, this idea that we have rules and regulations and we want to be able to enforce them.
I think the second is the political sovereignty, this idea that we need our own sovereign stack because if not, we are constantly in threat of being cut off. So for instance, in the case of International Criminal Court, I think the example where Mr. Trump did order Microsoft to cut off the email services to the prosecutor who had been placing a warrant for President Netanyahu of Israel. I think that is the kind of risk that is more in the political realm.
But then there is a third one, which is the economic sovereignty argument, which is that these infrastructures are also siphoning a lot of value created on top of them. So this idea of extracting rents on the operations that happen on top of the infrastructure.
So we think about this, we think about this regulatory political economic sovereignty. If we are only concerned about regulatory autonomy, there is an amazing sovereign cloud offering by all the hyperscalers that they're very willing to sell to you. These have extra data protection measures, legal, technical and operational practices that try to make sure that for instance, GDPR will not be violated. This also goes into the question of data localization. So infrastructure build out of different European member states by hyperscalers I think is at least partly motivated by this idea to assure customers that the data will not leave Europe. If we are worried about political sovereignty, that is still ... Hyperscalers are still more or less compatible. This idea that especially right now what we are seeing is this emergence of partner cloud arrangements where European operators will make continuation agreements with hyperscalers. So if for example, SAP just recently announced that in case Microsoft will be forced to shut down operations in Europe, SAP will take over the service provision. However, whether that is actually feasible is still up for debate.
But the third question, which is about the economic value, then that one is quite difficult to see how this could be combined with the current architecture of cloud infrastructure markets where these are highly concentrated markets and there is a lot of pricing power inherent in that infrastructural control. So this is how I think about it, that whether hyperscalers are compatible with the European sovereignty aspirations very much depends on why do we care. And there is a very active discussion right now and debate in Europe on where different parties try to shape that narrative to their advantage. And you can imagine that for a lot of these hyperscalers, the focus on rules, regulations and compliance is the most easy way to slice the pie.
Ramsha Jahangir:
It actually somehow brings me back to the omnibus discussion that we started with. We are still talking about stronger market concentration with the sovereignty claims, but also at the same time simplify rules to push innovation. This is a question for both of you, whoever wants to jump in, but I'm curious, even if you replace let's say in an ideal world US firms, do European alternates still abide by those rules? And there's a lot of talk of European values as well. What does this look like, this new landscape that the EU is moving towards where there are weaker rules, there's a lot of market concentration still, and even if we have alternates, we're not sure if they will abide?
Julia Smakman:
I think it very much depends on the kind of outcome you're looking for because I can see from an international security perspective it might be helpful to switch to more European providers for certain services and decrease dependency on foreign companies.
At the same time, at Ada, we very much take the perspective of centering the outcomes for people. You can ask questions about whether simply replacing foreign companies with European companies, but then at the same time reducing the protections that also those European companies are bound by will actually lead to better outcomes. So you could say there's not that big a difference of having your data rights exploited by a foreign company versus a European company.
Also if we do move towards more European alternatives, it is very important that we continue to hold those European companies to a high standard of data protection and making sure that changing what providers we go to actually also still improves the outcomes or the kind of services that people here have access to and the way they can exercise their data rights. I think it's very much about looking at the outcomes and not just about on paper, do we have more European companies here and more foreign companies because that's not the only thing that really matters.
Leevi Saari:
Yeah, maybe. Yes, I think I agree with Julia here. I think what I would add on that is to also say that the environment defines incentives. So indeed the nationality per se is not the key lever that determines outcomes. But the idea that we need to create constraints inside which creativity and innovation can develop, that we always need those constraints. I do find it slightly unserious the kind of discussion where we say innovation is opposite to regulation because there is no such thing as unregulated market. They are only differently regulated and there is different kind of rules by different kinds of actors. So if there are not public rules, there will be private rules. And the idea that there's only one direction of innovation goes against everything we know about how innovation develops. And I do think that especially on the question of GDPR and privacy for instance, I think just as an idea, the degeneration of a lot of the contemporary digital technology to ad-based business models was something that was facilitated by the lack of privacy legislation in the United States in the federal level.
So I do think that there is a counterfactual to think what kind of tech could we have if we would have different kinds of constraints and different kinds of incentives that build on those constraints. And henceforth, I do think that the whole question about regulation versus innovation is slightly weird and there is some kind of European self-doubt, I'd say. This idea that there's a discourse in Europe where we look at the US then with envy and think like, "Oh, if we were more like them, only if we didn't have these pesky regulations, maybe we could compete." But I see no reason why that is a game we should keep on playing on those terms. Also, just for the very practical fact that we don't ... Right now, we are not going to win that kind of race. So maybe we should flip the table and think about instead of seeing our regulations as constraints to see them as a framework for creativity that could develop, that we could have some alternative pathway for technology.
Julia Smakman:
And I think also if I can make a quick point to add to that is that I definitely agree with Leevi that regulation also is a way of expressing the kind of innovation you'd want to have. But also regulation I think is also in a way a key driver of adoption of technologies because regulation can really create trust. So at Ada, we do a lot of public engagement work and that very consistently shows that people are more willing and more excited to use technologies that they feel have a sufficient amount of guardrails and safeguards around them. That's the reason why we trust medicine, the financial system, airplanes with our lives, our money, our health. The reason for that is that we have these systems in place that guarantee the quality.
And I think if you take those quality safeguards away, there's also a question of how much people are willing to adopt new technologies like AI systems if they don't feel that they can trust them. I think also just to add another nuance to this narrative of regulation and innovation standing in opposition to each other, that regulation can actually be a very key driver for adoption and fostering trust in new technologies. And like Leevi said, it's also been, I think companies complying with higher standards for safety can also be selling points. You see that European companies have been promoting their products as being more privacy-protective than foreign alternatives and really being competitive from that aspect. So this is again showing that it's not a simple story.
Ramsha Jahangir:
It sounds like things are not moving in the right direction regardless of this and that we are lacking nuance in the public debate on some of these issues. So again, a question to you both, where can pressure still be applied to change course?
Julia Smakman:
So just speaking in the context of the omnibus procedure itself is a strange way to push for these changes in the EU because omnibus procedure is meant to push for more technical narrow changes to regulation, not to promote very sweeping policy reforms. And instead of using that as a means to sort of tidy up maybe technical definitions in regulation, it is being used as, well, frankly, a deregulation exercise. So this omnibus process bypasses some of the safeguards that are built into the ordinary legislative process, including some public consultations, impact assessments. So that means that this omnibus procedure has less checks built in.
Still the European Parliament and the council will need to agree to the omnibus to pass, which means that there is still a period coming up over the next few months. I don't know how long it will take. Probably at least 8, 9, 10 months considering the changes that are being proposed here in which there will be discussion and potentially scope for changes. So we will be applying pressure and speaking to stakeholders, speaking with members of the European Parliament and other actors in the EU to really push to not adopt these changes and to really consider trade-off in people's fundamental rights here. So we're hoping to make a lot of noise and we're hoping to really convene different voices in this space to push together for protection of people's rights in upcoming months.
Leevi Saari:
To complement what Julia said, I think in general right now where the zeitgeist is that I think there is an increasing interest and emphasis also not only on the negative side of regulation which is by sticks, so regulations and positive. And I don't mean this normatively, but like positive as in deploying capital side of policymaking. And I think it is important for different stakeholders of civil society movements to also familiarize themselves with the capital flows that are happening right now. So we have different measures through European Innovation Council, through the upcoming MFF negotiation where a lot of capital will be deployed in pursuit of technological progress or growth. And I think shaping what that means is crucial.
So there are alternatives in the European Union, Eurosky, for instance, a social media platform where you have examples of what better kind of technology would look like. And I think in order to support the emergence of the alternatives that this regulatory push also keeps the space for is important to also focus on deploying money and making sure that the resource deployments that we make are also aligned with the kind of technology we want to have. Because there is a risk that now in the push towards more AI adoption and fear of missing out and envy, the size of computational infrastructure, that a lot of this money will be spent to foster technology that is captured in a corporate dominant ecosystem already. Looking at also how can you deploy money, how can you understand the institutional plumbing of how money is being deployed in Europe and then engage with that I think is a crucial obviously point for civil society movements in the next 12 to 18 months.
Ramsha Jahangir:
Is there political will, obviously civil society groups are really pushing for the things you've mentioned, but I wonder where the member states are at, how are we seeing this nationally?
Leevi Saari:
No, the question is good. I think there's a lot of political movement. I think a lot of the Berlin discussion also, I think that the core tension that still exists between the different member states, I think a lot of people were looking at the distinction between Macron and Merz on the procurement side. So I do think there is an appetite for European technology, but indeed as mentioned, it is very much still a contested space. What that looks like, and you will have, for instance on the infrastructure side, for instance, there's something called Cloud Sovereignty Framework that came out two weeks ago, which likely is going to be part of the discussions in the upcoming months.
The more the requirements are defined in terms of compliance or legal and data protection, the less space there is. And you can see already some member states proposing doing proposals exactly in that direction. So moving it away from the infrastructure ownership alternatives frame. But I do think that there is potential, I do think there are some avenues where a lot of member states, for different reasons, are waking up to the fact that alternative technology is also possible.
Julia Smakman:
I think with regards to the digital omnibus, it's also quite a nuanced picture in that some member states, I think have been quite critical of the idea of targeting key provisions of the GDPR and other data, digital technologies. A number of countries have come out quite critical earlier in the process of reopening the GDPR for instance, and making these key changes. Interestingly, Germany has actually been quite in favor of these kinds of sweeping changes. I think this has a lot to do with certain interests in industries that are based in Germany, but I think over the next few months we'll see where the chips will fall. I think we will see certain countries staying more critical, whereas others will be more open to discussing some of these big changes.
I definitely think, I agree with Leevi that there's a lot of potential still though to engage with member states and to bring evidence to the table also around how these changes in digital rights are really a significant and extraordinary retrenchment, the biggest one we've seen in decades. And that we really need to square this with evidence that we have around what these kind of new technologies that we're sacrificing our digital rights for, what these new technologies are actually bringing to the table because it is not always actually clear what the productivity benefits, for instance, are of certain AI technologies. So I think there's definitely lots of evidence to bring and a lot of discussions to be had and I'm quite optimistic about the perspective of engaging with member states in this process.
Ramsha Jahangir:
I think that's a positive, somewhat positive note to conclude this discussion because it's been a very stressful week for many of us keeping up with these developments. So thank you so much both of you for your time.
Julia Smakman:
Thank you for this discussion.
Leevi Saari:
Thank you.