Authors: Marcel Mir Teijeiro and Koen Holtman
We have published a report analysing the Council and European Parliament positions going into the EU AI Act Omnibus trilogue. We make several recommendations for the parties engaged in the trilogue. Our main concern in making these recommendations is that, while it is positive if the Omnibus can remove some administrative burdens, it should not lower the level of protection of health, safety, and fundamental rights compared to what is now offered by the EU AI Act.
Our main recommendations for the trilogue are the following. We have sorted them based on a combination of our priority, and the remaining divergence between the co-legislators.
- We strongly welcome that both the Council and EP reinstate the registration requirement under Article 6(4). This relatively minor burden for companies is essential for proper enforcement of the regulation and oversight of AI systems in the EU.
- We strongly welcome the Parliament’s proposed Article 64(2a), which will legally require an adequate resourcing of the AI Office. If the AI Office takes on expanded enforcement responsibilities, ensuring sufficient capacity is essential.
- On Article 75 which defines AI Office oversight powers, we welcome both the Council and Parliament proposals as strong improvements over the Commission’s initial centralisation proposal. If centralisation with exclusivity is chosen in the trilogue, our strong recommendation to ensure that the AI Office has adequate resources through the Parliament’s proposed Article 64(2a) becomes all the more necessary.
- On the Parliament’s proposal to exclude Annex I.A high-risk AI systems from many obligations, we have a weak preference for the Council’s approach that maintains the current obligations. To inform the trilogue negotiations, our writeup below contains some detailed analysis of the pros and cons of the EP proposal. To avoid causing delays in standards writing for the AI Act, it is crucial that whichever position prevails, the final text must avoid ambiguities. We make specific recommendations on this below.
- We generally support the Parliament’s extension of value chain obligations to providers of GPAI models under Article 25, as long as these extensions are limited to exclude providers who have clearly specified that their models or systems are not intended for integration or conversion into high-risk AI systems. We also make recommendations for the sub-case of open source.
- On Article 4a, related to bias mitigation and privacy, we stress that this addition to the AI Act is only positive under the premise that the GDPR safeguards it references are not diluted or eliminated through the parallel GDPR Omnibus procedure. We support both co-legislators in reinstating the “strictly necessary” threshold consistent with Article 10(5) of the current AI Act.
- For the new Article 5 prohibitions, NCII and CSAM, we recommend the Parliament’s cleaner formulation: a direct prohibition paired with a safe harbour. We specifically recommend against the Council’s inclusion of “reproducing” among prohibited functions, which risks capturing legitimate operations such as cloud backups and content moderation, and against its “use of an AI system capable of” wording, which could make any user of a general-purpose system liable regardless of their actual use. We note that the Council’s structural separation of NCII and CSAM merits consideration in the final text.
- On Article 72(3), post-market monitoring, we support the shift from implementing act to guidance but back the Parliament’s inclusion of a template and its earlier deadline of February 2027 to ensure providers have clear reference in time.