EU GDPR & AI Act Reform: What European SMBs Should Do Now

Tags: gdpr, eu-ai-act, deregulation

Pillar guide → For the full breakdown of EU AI Act obligations for SMEs and SMBs (Art. 4, 5, 26, 27, 50, fines, timeline), see our complete EU AI Act SME compliance guide.

For weeks, a single question has been circulating through European compliance circles: is the EU really going to ease the GDPR and the AI Act, and if so, what should businesses do with their current compliance roadmaps?

The debate is rooted in a simplification package the European Commission has been developing since the Draghi Report on European competitiveness. AI researcher Rohan Paul summarised the news on X: "Europe is moving to relax parts of its strict GDPR and AI Act to cut compliance costs and push growth." The reactions across X range from relief to scepticism. Both are reasonable.

For European SMBs currently building an AI strategy or evaluating ongoing compliance investments, the practical question is: pause and wait, or keep moving?

What the Commission is actually proposing

The Commission's Competitiveness Compass (January 2025) set a target of reducing administrative burden for businesses by 25 percent. Based on our reading of the published proposals, the planned GDPR Omnibus package targets four main levers:

Pseudonymisation as a simpler legal basis: Companies that technically pseudonymise personal data would have an easier path to using "legitimate interest" as a legal basis, without having to document a full balancing test for every processing activity. Rohan Paul reported on X: the new plan "gives companies more room to move data around if they strip out direct identifiers."

SME documentation relief: Smaller companies below a threshold still to be determined would be partially or fully exempt from maintaining a complete Records of Processing Activities (RoPA) under Article 30 GDPR.

AI Act simplification for low-risk systems: Applications that fall outside high-risk categories (staffing decisions, credit scoring, biometric identification) could benefit from streamlined conformity documentation.

Third-country transfers for pseudonymised data: Transfers outside the EU would face fewer barriers where direct identifiers have been technically removed at source.

Important: everything above is a legislative proposal, not enacted law. By the time an Omnibus package completes the full EU legislative procedure (Council, Parliament, trilogues), 18 to 36 months typically elapse between Commission proposal and entry into force.

What is not changing

Privacy expert Emmanuel Pernot-Leplay put it clearly on X: "Simplification and clarification are both welcome for GDPR and AI rules." But, he added, that effort must target processes and paperwork, not the fundamental rights and principles themselves. That framing is the right one for any business planning around the reform.

What is firmly not on the table:

  • Purpose limitation: Data collected for contractual purposes cannot simply be repurposed for AI training, even after a reform package passes.
  • High-risk AI categories: HR assessment, credit scoring, biometric identification: these categories remain heavily regulated under the AI Act regardless of any Omnibus changes.
  • The fine framework: Up to 35 million euros or 7 percent of global annual turnover. Simplification targets documentation requirements, not the consequences of actual violations.
  • Today's law applies today: A reform package adopted in 2028 does not retroactively change the legality of data transfers made in 2026.

The trap of waiting

This is where the strategic miscalculation often happens: the waiting period is not a legal grey zone.

If a business today loads employee records, client communications, or internal contract documents into a US-based cloud LLM service, that transfer has happened. It is either lawful or it is not. A simplification package adopted two years from now does not fix a GDPR violation made today.

Companies that instead run local AI infrastructure (models such as Llama 3.3 70B, Qwen2.5 72B, or DeepSeek-V3 on their own hardware) simply do not have that exposure. Inference runs on their own servers. No data leaves the company. That remains true regardless of how the GDPR reform lands.

This is not an ideological stance on data sovereignty; it is a concrete risk calculation. Local infrastructure acts as a compliance hedge in both directions: it runs cleanly under strict data protection law and it runs cleanly under a simplified version of it.

Three concrete steps for European SMBs

Keep your Records of Processing Activities current

Even if SME relief arrives, a RoPA under Article 30 GDPR is the foundation of every regulatory inspection. Maintaining it now means less work in the reform scenario, not more. A simple spreadsheet covering tool name, processing purpose, legal basis, and data category is a usable starting point.

Classify your AI tools by risk category

The AI Act draws clear lines between low-, limited-, and high-risk systems. Documenting which tools in your organisation fall into which category means you benefit from any simplification, and you are protected when a supervisory authority comes knocking. This does not need to be a large project to be effective.

Make infrastructure choices that hold either way

The question of whether sensitive processing runs on your own hardware or in the cloud cannot be corrected retroactively once data has been transferred. Local models on a Mac Studio M3 Ultra (192 GB unified memory) or a dedicated server with an NVIDIA L40S reach sufficient quality for most SMB workloads today. Community-reported inference rates for Llama 3.3 70B on Apple Silicon sit in the 20–35 tok/s range, more than enough for asynchronous document processing, summarisation, and internal search applications.

See also: data sovereignty with local AI and the Kaira Toolkit for SMB-scale local deployments.

Monitor the reform process actively

The ongoing legislative process deserves real monitoring, not panic and not indifference. Once an official Commission proposal is on the table, trilogue negotiations and national implementation will determine the actual reach of the reform. Companies that are well-documented today will have a stronger position if SME thresholds are still negotiable during that phase.
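As an added example (not code from the original post), a small Python register that encodes the documentation steps above: the four RoPA columns the post names, the high-risk categories it lists, and the flags that hold under today's law whatever the Omnibus package becomes. Tool names, purpose strings and the location labels are constructed for illustration.

```python
from dataclasses import dataclass

# Use cases the post names as high-risk under the AI Act (illustrative subset, not Annex III in full).
HIGH_RISK_PURPOSES = {"hr_assessment", "credit_scoring", "biometric_identification"}
THIRD_COUNTRY_LOCATIONS = {"cloud_us"}  # constructed label for a US-based cloud LLM service

@dataclass
class Processing:
    tool: str             # RoPA column: tool name
    purpose: str          # RoPA column: processing purpose
    legal_basis: str      # RoPA column: "contract", "legitimate_interest", "consent", ...
    data_category: str    # RoPA column: e.g. "employee_records"
    collected_for: str    # purpose the data was originally collected for
    location: str         # "local", "cloud_eu" or "cloud_us" (hypothetical labels)
    pseudonymised: bool = False

def ai_act_category(p: Processing) -> str:
    return "high" if p.purpose in HIGH_RISK_PURPOSES else "low/limited"

def findings(p: Processing) -> list[str]:
    """Gaps that apply under today's GDPR and AI Act, regardless of the reform outcome."""
    out = []
    if p.purpose != p.collected_for:
        out.append(f"purpose limitation: collected for {p.collected_for!r}, now used for {p.purpose!r}")
    if p.location in THIRD_COUNTRY_LOCATIONS:
        note = " (pseudonymised, but relief is only proposed)" if p.pseudonymised else ""
        out.append("third-country transfer: needs a valid transfer mechanism today" + note)
    if p.legal_basis == "legitimate_interest":
        out.append("legitimate interest: document the balancing test (relief is only proposed)")
    if ai_act_category(p) == "high":
        out.append("AI Act high-risk: full obligations apply regardless of simplification")
    return out

def build_register(entries: list[Processing]) -> list[dict]:
    # One RoPA row per tool, extended with the AI Act category and the open findings.
    return [{"tool": p.tool, "purpose": p.purpose, "legal_basis": p.legal_basis,
             "data_category": p.data_category, "ai_act": ai_act_category(p),
             "local": p.location == "local", "findings": findings(p)} for p in entries]

# Constructed sample inventory for an SMB
SAMPLE = [
    Processing("cloud-llm-summariser", "summarisation", "legitimate_interest",
               "client_communications", collected_for="contract", location="cloud_us"),
    Processing("local-llama-hr-screen", "hr_assessment", "legitimate_interest",
               "applicant_cvs", collected_for="hr_assessment", location="local"),
    Processing("local-qwen-search", "internal_search", "contract",
               "contract_documents", collected_for="internal_search", location="local"),
]
```

Running `build_register(SAMPLE)` leaves the cloud summariser with three open findings, the local HR screen with two (it is high-risk even though no data leaves the company), and the local search tool with none.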

How this affects your current compliance timeline

If your business must meet GPAI deployer obligations under the AI Act by August 2026 (and based on our reading, most companies using ChatGPT, Claude, or Gemini professionally do), it is unlikely that the current reform package will shift that deadline. Enacted law applies until it is changed. For a detailed look at what August 2026 actually requires, see our overview on Freshlab.de.

The most practical approach for most SMBs: build your infrastructure now so that it runs correctly under both strict and simplified data protection law, while tracking the reform through informed monitoring. That is not a hedge against every scenario, but against the most likely ones.

We support European SMBs through exactly this process, from initial risk classification to hardware selection to running a productive local AI pilot.

→ Start a pilot project or get in touch directly.