Executive Summary: The EU AI Landscape in December 2025

As we close 2025, the regulatory landscape for Artificial Intelligence in Europe has shifted from initial implementation to targeted simplification. While the core of the AI Act has been in force since August 2024, the European Commission has just introduced a significant "course correction" to address implementation bottlenecks and support innovation.

1. The Headline Development: The Digital Omnibus Regulation Proposal: On 19 November 2025, the Commission adopted the Digital Omnibus on AI, a legislative proposal designed to simplify compliance and centralize oversight before the full rules for high-risk systems take effect. Key changes include:

• Timeline Adjustment for High-Risk AI: To avoid legal uncertainty, the application of rules for high-risk AI systems is now linked to the availability of harmonized standards. The proposal introduces a mechanism where these rules apply only after a transition period (6 to 12 months) following the Commission's confirmation that support tools are ready.
• Centralized Oversight for GPAI: The proposal significantly reinforces the powers of the AI Office. It is now set to become the exclusive competent authority for supervising AI systems based on general-purpose AI (GPAI) models where the provider is the same for both the model and the system. This moves supervision of major foundation models away from fragmented national authorities to the EU level.
• SME and "Small Mid-Cap" (SMC) Relief: Regulatory privileges previously reserved for SMEs, such as simplified technical documentation and reduced penalties, are being extended to Small Mid-Caps (SMCs) to foster broader innovation.
• AI Literacy Shift: The strict obligation for providers to ensure AI literacy has been softened; the proposal transforms this into an obligation for Member States and the Commission to encourage literacy measures, rather than a direct mandate on companies.
• Bias Detection: A new legal basis allows providers of all AI systems (not just high-risk ones) to process special categories of personal data if strictly necessary for bias detection and correction, subject to safeguards.

2. The "Regulatory Nexus": AI as a Complementary Layer: Supervisory authorities have clarified that the AI Act does not operate in a vacuum. It functions as a "complementary regulatory layer", meaning financial institutions must map AI requirements onto existing governance frameworks like MiFID II and Solvency II.

• ESMA has confirmed that AI use in investment services must comply with conduct-of-business rules; an algorithm acting against a client's best interest is a breach of fiduciary duty, not just a technical error.
• EIOPA has issued an opinion on AI governance, emphasizing that insurers must apply a risk-based approach to AI in pricing and underwriting to prevent exclusion and safeguard the principle of risk mutualization.

3. Enforcement Architecture: The Tripartite ModelWe are seeing the solidification of a "tripartite oversight model" involving Market Surveillance Authorities (technical compliance), National Competent Authorities (sectoral governance), and Data Protection Authorities (fundamental rights). This creates a "dual enforcement risk": a single AI failure involving personal data can trigger simultaneous sanctions from financial regulators for governance failures and Data Protection Authorities (DPAs) for GDPR violations.

4. Current Implementation Status

• Prohibitions: Bans on unacceptable risk practices (e.g., social scoring, untargeted scraping for facial recognition) have been effective since February 2025.
• GPAI Rules: Governance obligations for General-Purpose AI models became applicable in August 2025.
• National Friction: Implementation remains fragmented. While Germany has proactively designated BaFin as a key authority and leveraged existing algorithm principles, many Member States are still finalizing their competent authorities, prompting the Commission's push for the centralized oversight proposed in the Digital Omnibus.