Skip to main content
Skip to main content

What Is the EU Digital Omnibus Package? A Plain-English Guide for Business Owners

Posted by
By Marcus Venn  |  Digital Rule Book  |  March 2026 TL;DR — Key Points The EU Digital Omnibus Package, proposed 19 November 2025, is the most significant change to EU digital regulation since the AI Act itself. It proposes to simplify GDPR, delay the AI Act's high-risk deadlines by up to 16 months, merge cybersecurity reporting into a single entry point, and modernise cookie rules. For most EU businesses, the Omnibus will reduce compliance burden — but it has not been passed into law yet, and current deadlines still apply. The Digital Omnibus is not a weakening of the AI Act. It is a restructuring of the rollout to align with the actual readiness of the compliance ecosystem. This article explains every major proposal in plain English, so you know what is changing, when, and what it means for your business. DISCLAIMER: This article is for informational purposes only. The Digital Omnibus Package is a legislative proposal subject to amendment and rejection. Information ...

What Is the EU AI Act

Image
Posted by

A Plain-English Guide for Everyone


By Marcus Venn  |  Digital Rule Book  |  February 28, 2026


TL;DR — Quick Summary

  • The EU AI Act is the world's first major law regulating artificial intelligence — it came into force in 2024.

  • It classifies AI systems by risk level: Unacceptable, High, Limited, and Minimal.

  • It affects any business selling to EU citizens — even companies based outside Europe.

  • Violations can cost companies up to €35 million or 7% of global revenue.

  • For regular people: it gives you new rights over AI systems that make decisions about your life.


You have probably heard about the EU AI Act in the news. Maybe someone told you it will change how businesses use artificial intelligence. Maybe you are wondering if it affects you personally, your job, or your business.


This guide explains everything in plain language — no legal jargon, no technical complexity. By the end of this article, you will understand exactly what the EU AI Act is, who it affects, and what it means for your daily life and work in 2026 and beyond.


DISCLAIMER

This article is for informational purposes only. It is not legal advice. If the AI Act directly affects your business, consult a qualified legal professional familiar with EU digital law.


What Is the EU AI Act, and Why Does It Exist?

The EU Artificial Intelligence Act — usually called the EU AI Act — is a law passed by the European Union that regulates how artificial intelligence can be developed and used. It was formally adopted in 2024 and started applying to different types of AI systems in stages from 2024 through 2027.


Think of it like this: the EU already had GDPR to regulate how companies handle your personal data. The AI Act is the same concept, but for AI systems. The EU looked at how fast AI was developing — chatbots, facial recognition, AI hiring tools, AI medical diagnosis — and decided that without rules, these systems could seriously harm people.


The core problem the law is trying to solve is simple: AI systems can make decisions that affect your job, your loan application, your healthcare, your freedom — and until now, there were almost no rules about how those decisions had to be made or how fair they had to be.

The Four Risk Levels — The Heart of the AI Act

The EU AI Act does not ban all AI. Instead, it divides AI systems into four risk categories, each with different rules:

Level 1: Unacceptable Risk — Completely Banned

These AI applications are banned outright across the entire EU because they are considered too dangerous to human rights and dignity:

  • AI systems that manipulate people psychologically without their knowledge — for example, an app that secretly exploits your emotions to make you buy something

  • Social scoring systems used by governments — ranking citizens by behavior and punishing or rewarding them (the type China uses)

  • Real-time facial recognition in public spaces by law enforcement — with very narrow exceptions

  • AI that targets children with exploitative techniques


REAL EXAMPLE

If a company built an AI app that secretly analyzed your social media to identify your fears and then used that to pressure you into buying insurance, that would be banned under the EU AI Act.


Level 2: High Risk — Heavy Regulation

These AI systems are allowed but must meet strict requirements before being used. They include AI used in:

  • CV screening and hiring decisions

  • Credit scoring and loan approval

  • Medical diagnosis and treatment recommendations

  • Critical infrastructure like electricity grids and water systems

  • Law enforcement and border control

  • Education — AI that decides whether students pass or fail


Companies using high-risk AI must conduct risk assessments, keep detailed records, allow human oversight, and register their AI systems in an EU public database. If you were rejected for a loan or a job by an AI system, this law gives you more rights to understand why.


Level 3: Limited Risk — Transparency Required

This includes AI systems like chatbots, AI content generators, and deepfakes. The rule here is simple: you must be told you are interacting with AI. If you are talking to a customer service chatbot, it must tell you it is not human. If content was generated by AI, it must be labeled.


This is why you now see 'AI-generated' labels on more content in 2025 and 2026. That is the EU AI Act in action.


Level 4: Minimal Risk — No New Rules

AI used in spam filters, AI in video games, AI recommendations in streaming services — these carry minimal risk and face no new specific requirements under the AI Act. They can continue operating as before.


Who Does the EU AI Act Apply To?

This is where many people are surprised. The EU AI Act applies to:

  • Any company that develops AI systems sold or used in the EU — even if the company is based in the USA, China, or anywhere else in the world

  • Any company that uses AI systems to make decisions about EU citizens

  • Public authorities using AI for law enforcement, border control, or social services


In practical terms: if you are a small online business in Egypt, Turkey, or the USA selling products to European customers and you use an AI system to manage those customers — you may have obligations under this law. Global reach is one of the most significant features of EU digital regulation.


What Are the Fines for Breaking the Rules?

The EU AI Act has some of the largest fines in any digital regulation in history:


Violation Type

Maximum Fine

% of Global Revenue

Using banned AI (unacceptable risk)

€35 million

7%

Failing high-risk AI obligations

€15 million

3%

Providing incorrect information to regulators

€7.5 million

1.5%


What Does This Mean for You as an Ordinary Person?

The EU AI Act gives ordinary people new rights that did not exist before:

  • The right to know when you are interacting with AI — a chatbot must identify itself

  • The right to a human review if a high-risk AI system made a decision that affects you negatively — like rejecting your job application

  • The right to an explanation of decisions made by high-risk AI systems

  • More accountability from companies using AI to sort, rank, or evaluate people


In 2026, these rights are becoming reality. Major companies are updating their AI systems to comply. Others are facing fines. The enforcement has started — and it is only getting stricter.


Frequently Asked Questions

Q: Is the EU AI Act already in effect?

A: Yes. The law entered into force in August 2024. Rules for banned AI (unacceptable risk) applied from February 2025. Rules for high-risk AI are phasing in through 2026 and 2027.

Q: Does the EU AI Act affect me if I live outside Europe?

A: If you use or sell AI systems that interact with EU citizens, yes. The law has global reach similar to GDPR.

Q: Does ChatGPT comply with the EU AI Act?

A: OpenAI has been working on compliance. As a general-purpose AI, ChatGPT falls under specific transparency requirements. OpenAI registered with EU authorities and is working toward full compliance.

Q: What is a general-purpose AI (GPAI) under the Act?

A: A GPAI is an AI system like ChatGPT or Gemini that can be used for many different tasks. These face their own category of rules focused on transparency and copyright.

Q: Where can I read the official law?

A: The full text is available at eur-lex.europa.eu — search for 'Artificial Intelligence Act 2024'.


The EU AI Act is not just another regulation. It is the first major attempt in history to create a legal framework for artificial intelligence that puts human rights before technology profits. Whether you are a business owner, an employee, or simply someone who uses AI tools every day — understanding this law gives you real power in a world being reshaped by artificial intelligence.


In the coming articles on this blog, we will explore how the EU AI Act affects specific industries, how businesses are adapting, and what practical steps regular people and small business owners can take to stay compliant and protected.


AFFILIATE NOTE

This blog occasionally recommends tools and services. If you click a link and make a purchase, we may earn a small commission at no extra cost to you. We only recommend tools we genuinely find useful.

Location: Amsterdam, Netherlands

Popular posts from this blog

The EU Just Sanctioned an Iranian Cyber Company

Posted by
  What It Means for EU Business Compliance By Marcus Venn  |  Digital Rule Book  |  March 2026 TL;DR — Key Points On 16 March 2026, the EU Council imposed sanctions on Iranian cyber company Emennet Pasargad for attacks on EU citizens and infrastructure. The sanctions include asset freezes and travel bans — with direct compliance implications for any EU business that transacts with or employs Iranian-linked entities. The company hacked a French subscriber database, targeted the 2024 Paris Olympics, and compromised a Swedish SMS service affecting millions of EU citizens. NIS2 requires businesses in 18 critical sectors to respond to this threat intelligence within 24 hours of a significant incident. Every EU business must now verify it has no contractual or financial exposure to the sanctioned entity and its known affiliates. DISCLAIMER: This article is for informational purposes only. It is not legal advice. If sanctions exposure directly affects your business, co...
Read more

Iran Just Lost Its Internet: What the World's Biggest Cyberattack Means for EU Cyber Law

Posted by
What the World's Biggest Cyberattack Means for EU Cyber Law By Marcus Venn  |  Digital Rule Book  |  March 7, 2026 TL;DR — Key Points The February 28 cyberattack dropped Iran's internet connectivity to 4% of normal — confirmed by NetBlocks and Cloudflare Radar. The attack combined DDoS, deep system intrusions, electronic warfare, and satellite broadcast hacking — unprecedented in scale. Previous Iranian internet shutdowns cost the economy $35.7 million per day and caused online sales to fall 80%. This attack sets legal, ethical, and technical precedents that will directly shape EU cyber law for years. EU regulators now have a real-world case study proving why the Cyber Resilience Act and NIS2 are not bureaucratic overreach. At 18:45 UTC on February 28, 2026, Cloudflare Radar published a brief, clinical statement: 'Internet traffic in Iran has dropped to effectively zero, signaling a complete shutdown and disconnection from the global internet.' Four words that had ne...
Read more