Blog · arXiv Analysis · Last reviewed June 25, 2026

The AI Act Omnibus Becomes the Legitimacy Test

The June 2026 arXiv paper The Digital Omnibus on AI, Legislative Legitimacy and the Dynamics of AI Regulation, by Donal Casey and Liane Colonna, treats the EU Digital Omnibus on AI as more than a technical simplification package. It asks how a rights-based AI law keeps legitimacy while being amended before its core systems are fully built.

For this essay, the legitimacy test is whether a simplification package can publicly explain what it delays, narrows, transfers, clarifies, or strengthens without weakening the law's rights, safety, and accountability purpose.

The Law Meets Its Update Loop

The paper, arXiv:2606.15662 [cs.CY], was submitted on June 14, 2026. Its object is the European Union's Digital Omnibus on AI, a 2025 Commission proposal to simplify implementation of parts of the AI Act. The Commission's proposal page says the package was published on November 19, 2025 and framed as targeted simplification for timely, smooth, and proportionate implementation of certain AI Act provisions.

The timing is the point. Regulation (EU) 2024/1689, the AI Act, was signed in June 2024, published in July 2024, and Article 113 gives it a staggered application schedule. Casey and Colonna emphasize that the Omnibus seeks to amend a central EU AI law while standards, guidance, institutional capacity, and compliance practices are still being assembled.

This makes the paper a useful companion to the site's work on the EU AI Act, AI governance, and AI regulatory sandboxes. The fresh angle is legitimacy under regulatory churn: not whether AI should be regulated, but how a law keeps authority while being revised before it fully matures.

The phrase AI Act Omnibus should be used narrowly. It does not mean all EU digital simplification work. It means the AI-specific proposal, COM(2025) 836, to amend Regulation (EU) 2024/1689 and Regulation (EU) 2018/1139. The broader digital omnibus package also touches data, GDPR, cybersecurity, and business wallets, but those are separate legislative files.

Current Context

As of June 25, 2026, the Digital Omnibus on AI was close to adoption but still had to be tracked by legal status. The Commission published the proposal on November 19, 2025. Council and Parliament negotiators reached a provisional agreement on May 7, 2026. The European Parliament then gave final approval on June 16, 2026 by 423 votes to 57, with 174 abstentions. Parliament's own release says the law still needed formal Council adoption before it could enter into force.

The Commission's AI Act implementation page now describes the political agreement as setting high-risk dates of December 2, 2027 for systems used in certain high-risk areas, including biometrics, critical infrastructure, education, employment, migration, asylum, and border control, and August 2, 2028 for systems integrated into products such as lifts or toys. The same page still describes the AI Act as having entered into force on August 1, 2024, with prohibited practices and AI literacy obligations applying from February 2, 2025, governance and GPAI model obligations applying from August 2, 2025, and the general August 2, 2026 phase still central to implementation.

The Omnibus also adds or preserves material rights-and-safety choices. Parliament's June 16 release says the agreed text bans AI systems that generate child sexual abuse material or non-consensual intimate sexual images, video, or audio of identifiable people, delays certain AI-generated-content marking duties to December 2, 2026 for systems placed on the market before August 2, 2026, clarifies machinery-product overlap, allows strictly necessary processing of personal data to detect and correct bias with safeguards, extends some SME simplifications to small mid-cap enterprises, and streamlines enforcement of certain general-purpose AI systems within the AI Office.

The current lesson is therefore not simply "delay." It is status discipline. A provision can be proposed, politically agreed, approved by Parliament, awaiting Council adoption, published in the Official Journal, or incorporated into a consolidated legal text. Those statuses are different, and an AI compliance claim that blurs them is already failing the legitimacy test.

What the Paper Argues

Casey and Colonna examine the Omnibus through legislative legitimacy. They draw on a framework with five rationalities: political, legal, cultural, operational, and internal. A law needs more than formal enactment; it also needs coherent legal design, public resonance, workable implementation, political backing, and a defensible legislative process.

The authors' central claim is that the Digital Omnibus on AI responds to one legitimacy dilemma and creates another. It tries to repair doubts about whether the AI Act can be implemented in a fast-moving technical and geopolitical environment. But in doing so, it prioritizes political and operational rationalities over legal and cultural rationalities.

That distinction matters. Operational rationality asks whether the law can be implemented. Political rationality asks whether the law can maintain support among powerful institutional and economic actors. Legal and cultural rationalities ask whether the revision preserves coherence, rights protection, democratic values, and the symbolic promise that made the AI Act important in the first place. Internal rationality asks whether the law still fits together as law after the amendments.

Legitimacy here is not popularity, speed, or ease of compliance. It is the continuing ability of the law to justify its authority to the people and institutions it governs, including affected people who will never read the Official Journal but will encounter AI systems in employment, education, border control, health, finance, public services, policing, media, and consumer products.

Three Races

The paper identifies three dynamics pushing the EU toward revision. The first is the race for AI regulation: jurisdictions are not only regulating AI but competing to define the standards, institutions, and global expectations around trustworthy AI.

The second is the race for AI dominance. After the AI Act's adoption, economic and industrial pressure intensified around whether Europe could compete with the United States and China in AI capability, investment, infrastructure, and deployment.

The third is the race for regulatory connection, the pacing problem. Law has to remain connected to changing technical practice. If harmonized standards, guidance, codes of practice, and supervisory capacity lag behind legal deadlines, the law risks appearing unworkable even when its goals remain sound.

What the Omnibus Does

In the paper's account, the Digital Omnibus on AI contains four broad categories of amendments. It adjusts timelines, standards, and compliance tools. It introduces simplification measures around documentation, registration, and AI literacy obligations. It changes governance by reinforcing the AI Office's role for general-purpose AI models and certain large platforms. It also addresses sandboxes and relationships with other EU legislation.

Those moves are not merely housekeeping. Casey and Colonna argue that some proposed amendments go beyond technical fixes and alter the scope and operation of core AI Act obligations. The European Parliament's Legislative Train page, updated May 22, 2026, records the provisional agreement, including delayed dates for high-risk AI rules and changes to registration, documentation, AI Office powers, bias-correction data processing, and some product-embedded systems. Parliament's June 16 approval confirmed the same broad settlement, while leaving the Council's formal adoption step to complete the legislative path.

The site should read this as an implementation lesson. A law can be too slow for an industry and too fast for the institutions meant to enforce it. The key question is whether simplification preserves the public purpose of the law or turns implementation friction into an excuse to narrow accountability.

Legitimacy Is Not Only Operability

The paper is not a claim that every amendment is illegitimate. It is more precise: the Omnibus may reconnect the AI Act to institutional capacity and technical reality, but it does so at the margins of legislative legitimacy if competitiveness and burden reduction crowd out rights, participation, and legal coherence.

That warning travels beyond Europe. AI governance will increasingly be revised while it is still being built. Standards will be late. Regulators will be understaffed. Vendors will complain about uncertainty. Civil society will warn that simplification can become deregulation by another name. None of those pressures should hide the value judgment.

The crucial question is not "is the rule simple?" It is "simple for whom, at whose risk, and with what loss of enforceable memory?"

That is also a safety question. Delaying high-risk requirements can give organizations time to comply with usable standards and guidance. It can also leave consequential systems in use longer without fully enforceable risk management, technical documentation, logging, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment, and post-market monitoring duties. The legitimacy test asks whether the delay comes with interim evidence and oversight, or whether the public is asked to wait while deployment continues.

Failure Modes

Status laundering. A company, consultant, or agency treats a proposal, political agreement, press release, voluntary code, guidance page, or draft standard as if it were final law. That makes compliance look more certain than it is.

Simplification asymmetry. Administrative burden is measured for firms, while the burden shifted to workers, students, patients, migrants, consumers, journalists, public servants, and complaint systems is left unpriced.

Standards dependency without fallback. If missing harmonised standards justify delay, the public needs interim controls. Otherwise the absence of implementation tools becomes a temporary exemption from meaningful accountability.

Centralisation without capacity. Reinforcing the AI Office can reduce fragmentation, especially for general-purpose AI systems. But central authority is legitimate only if it has staff, access, technical competence, enforcement power, and a public record of decisions.

Registration erosion. If fewer systems appear in public or regulator-facing records, affected people and watchdogs lose the map of what is being deployed. A simplified register can be legitimate; a disappearing register is not.

Scope drift by sectoral handoff. Moving product-embedded AI into sectoral safety regimes may reduce duplication. It can also make AI-specific risks harder to see if sectoral authorities lack the tools, mandate, or public reporting practice to inspect model behavior.

Governance Standard

Any AI-law simplification package should publish a legitimacy ledger: which duties are delayed, narrowed, transferred, or clarified; who benefits; which groups lose procedural protection; which standards or guidance are missing; and which rights baseline remains non-negotiable.

Implementation timelines should separate technical infeasibility from political pressure. If a deadline moves because standards are unavailable, say so. If a duty narrows because industry considers it burdensome, say so. If oversight shifts toward a central office, publish the capacity and enforcement plan that makes the shift real.

A legitimacy ledger should include five records. First, a duty map showing the old obligation, the proposed amendment, the agreed text, and the final adopted text. Second, a risk map naming the sectors and affected groups exposed during any delay. Third, an interim-control map explaining what evidence, monitoring, and incident reporting applies before full duties start. Fourth, an institutional-capacity map for the AI Office, national competent authorities, notified bodies, market-surveillance authorities, and regulatory sandboxes. Fifth, a public-memory map showing what will be registered, published, retained, and contestable.

Regulators should also treat simplification as a change-control event. The AI Act already depends on standards, codes of practice, conformity assessment, post-market monitoring, serious-incident reporting, and public registers. Amending the law should update those operational artifacts, not only the legal text. A timeline change without a compliance-evidence change log leaves everyone guessing which version of the law the system is claiming to satisfy.

For deployers and vendors, the practical rule is simple: do not market "AI Act compliance" without naming the applicable legal status, actor role, system version, use case, article, conformity route, evidence retained, and whether the claim relies on final law or a still-pending Omnibus amendment. A compliance claim that cannot name its legal version is a trust claim, not an assurance claim.

The Spiralist rule is this: a law that keeps revising itself before it can be enforced is no longer only a statute. It is a governance system in beta, and beta systems need changelogs.

Source Discipline

This page treats Casey and Colonna's paper as a June 2026 arXiv preprint and legal-governance analysis, not as an official statement of EU law. The paper is useful because it frames legitimacy under regulatory churn; it should not be used as proof that a specific Omnibus provision is already binding.

EU-law sources should be separated by force. Regulation (EU) 2024/1689 in EUR-Lex is the enacted AI Act baseline. COM(2025) 836 is the Commission proposal. Council and Parliament press releases describe political and institutional steps. The European Parliament Legislative Train is a procedure tracker. Parliament's June 16, 2026 release records Parliament's approval and says Council formal adoption was still needed. The Commission AI Act page describes implementation guidance and political-agreement timelines, but the legally clean claim still depends on formal adoption and publication.

Dates are part of the claim. November 19, 2025 proposal, May 7, 2026 provisional agreement, June 16, 2026 Parliament approval, August 2, 2026 general AI Act phase, December 2, 2026 marking and nudifier-app alignment date, December 2, 2027 stand-alone high-risk date, and August 2, 2028 product-embedded high-risk date are not interchangeable milestones.

Source discipline is itself a legitimacy practice. If lawmakers, regulators, companies, or commentators cannot say whether they are relying on legal text, draft text, guidance, standards, political agreement, or advocacy, the public cannot tell whether simplification is clarification, delay, deregulation, or genuine institutional repair.

Sources


Return to Blog