As dawn broke, negotiators from the European Parliament, the Council, and the Commission managed to close the agreement on the new community simplification package regarding Artificial Intelligence services. The legislators' objective was to streamline the implementation of the new digital legislation so that small businesses do not have to face enormous administrative burdens, without renouncing the framework of guarantees that the European Union considers essential to protect fundamental rights and reinforce legal certainty in the community digital market.
“With simpler and more innovation-friendly regulation, we facilitate innovation without compromising safety,” celebrated the community technology lead, Vice-President Henna Virkkunen. From the Government of Spain, Secretary of State María González Veracruz stated in an interview with Demócrata that “what is being experienced with deepfakes, minors on social media, and content manipulation proves us right in that regulation is essential,” also calling for the development of the entire “democratic shield” that “we have launched in Europe.”
The agreement represents one of the most relevant regulatory advances of recent months within the community strategy to consolidate a European digital ecosystem based on public supervision, algorithmic transparency, and citizen protection against abusive uses of Artificial Intelligence. Brussels thus aims to combine the boost to technological competitiveness with a reduction in bureaucratic barriers that particularly affect startups, SMEs, and mid-cap companies.
Protection against abuse and illicit content
Among the main novelties is the specific prohibition within the AI Law against those practices capable of generating non-consensual intimate sexual content or child sexual abuse material, including applications known as "deepfake" or "nudification" apps. This measure, driven by the Twenty-seven and supported from the outset by the European Parliament, aims to directly protect "dignity and fundamental rights against abuses generated by AI".
European institutions consider that the rise of increasingly accessible generative technologies has increased the risk of fraudulent use of manipulated images and videos, especially against women and minors. The new regulatory framework therefore reinforces the capacity of national and community supervisors to act against platforms or providers that allow such illicit uses.
Likewise, the three institutions have agreed to establish fixed deadlines and progressive calendars to ensure that technical standards and support tools are available before the new obligations become fully enforceable. In this way, Brussels seeks to avoid legal uncertainty or scenarios of unequal application among Member States.
For example, rules related to biometrics, education, or employment —sectors considered high-risk within the European Regulation— will be mandatory starting December 2, next year. The Commission considers it a priority to strengthen supervision in areas where algorithms can directly affect labor rights, educational opportunities, or automated decisions with relevant social impact.
The rules applicable to Artificial Intelligence systems integrated into products such as elevators, toys, or industrial machinery will begin to apply in August 2028. Meanwhile, the obligations for detecting and labeling AI-generated content will come into effect from December of this year. All providers of existing systems on the market will have until next February to adapt to the new transparency requirements.
Less bureaucracy for SMEs and medium-sized companies
One of the main political objectives of the agreement was to prevent business growth from leading to a disproportionate regulatory burden. Therefore, the regulatory privileges initially foreseen for small and medium-sized enterprises will also be extended to small mid-cap companies.
This will involve the introduction of simplified technical documentation, through specific forms drawn up by the European Commission, quality management systems proportional to the size of the company and special consideration of the economic viability of companies when imposing possible administrative sanctions.
The community institutions argue that this reform will allow accelerating European innovation without weakening the supervisory framework. The objective is to prevent only large technology multinationals from having the capacity to comply with regulatory requirements, thus favoring a more competitive and balanced ecosystem within the digital single market.
With the new legal text, the EU executive's AI Office will assume greater supervisory powers, centralizing part of the control to avoid regulatory fragmentation within the European market. It will have exclusive competence over AI systems based on general-purpose models when the model and the system belong to the same provider.
Furthermore, it will supervise Artificial Intelligence integrated into very large online platforms or search engines and will be able to carry out pre-market conformity assessments for certain systems considered high-risk. Brussels thus seeks to strengthen the EU's executive capacity in the face of the sector's growing technological complexity.
Regulatory sandboxes and support for innovation
The European Commission also wants to facilitate access to controlled testing spaces, known as regulatory sandboxes, so that innovative providers can experiment with their solutions under real conditions before their definitive market launch.
On this line, a European Union-scale sandbox will be created, managed directly by the AI Office and operational within two years. The objective is to offer a safe testing environment that allows for the reduction of regulatory adaptation costs and the acceleration of the development of emerging European technologies.
In the same way, the horizontal obligations that imposed on companies the mandatory training of all their personnel in AI have been eliminated. From now on, it will be the responsibility of the Commission and the Member States to promote digital and technological literacy through specific training and awareness programs.
The processing of data intended to detect and correct biases in Artificial Intelligence systems will be permitted, although subject to stricter conditions of supervision and proportionality. Brussels considers this point to be fundamental to guarantee more transparent and less discriminatory algorithms.
Furthermore, those system providers in high-risk areas who consider that their tools should not be classified as such —by being limited to narrow or procedural tasks— will no longer be obliged to register in the European database, although they will still have to document their assessment internally and keep it available to the competent authorities.
Data Treatment and Governance
The European Commission also intended to repeal the Regulation on the Free Flow of Non-Personal Data, the Data Governance Act, and the Open Data Directive with the aim of harmonizing rules and simplifying legal obligations. Regarding data governance and intermediation services, Brussels proposes several far-reaching changes.
Data Brokerage Services
The mandatory notification regime for data intermediation service providers will be transformed into a voluntary registration system aimed at fostering trust. Likewise, the legal separation requirement between activities will be replaced by a functional separation, allowing for more sustainable business models adapted to the reality of the European market.
Re-use of public sector data
Public administrations will be able to establish higher charges or special conditions for the reuse of data by very large companies, especially gatekeepers designated under the DMA. The objective is to protect competition and preserve opportunities for smaller companies within the European digital ecosystem.
“It guarantees legal certainty and a smoother, more harmonized application of the rules across the Union, strengthening digital sovereignty and the overall competitiveness of the EU,” stated after Wednesday’s meeting the Cypriot Deputy Minister of European Affairs, Marilena Raouna, who also highlighted that the agreement “clearly demonstrates the capacity of the European institutions to act quickly and fulfill their commitments.”
According to the presidency of the Council of the European Union, this pact "represents the first achievement of the 'One Europe, One Market' roadmap, agreed by the three institutions last week within the foreseen deadline".
Unification of Incident Notifications
Another of the pillars of the reform involves the introduction of a single European entry point so that entities can comply with their incident notification obligations under multiple Community legal frameworks.
The Commission's philosophy is based on the principle of "notify once, share with many", significantly reducing the administrative burden and avoiding regulatory duplication between different national and European authorities.
In this way, the European Union Agency for Cybersecurity will be in charge of developing and maintaining this centralized notification system. The mechanism will be mandatory for incidents regulated under the NIS2 Directive, the GDPR regarding data breaches, DORA, the eIDAS Regulation on digital identity, and the CER Directive on the resilience of essential services.
Within the Community Executive, estimates are being handled that foresee savings of at least 1 billion euros annually for the affected companies, in addition to another 1 billion in one-time adaptation costs. Brussels calculates that the aggregate impact of these measures could reach at least 4 billion euros in accumulated savings before 2029, while at the same time strengthening European competitiveness in the technological and digital sphere.