{"id":17154,"date":"2026-01-15T12:12:00","date_gmt":"2026-01-15T11:12:00","guid":{"rendered":"https:\/\/haimagazine.com\/uncategorized\/ai-act-and-gdpr-simplification-as-a-maturity-test-for-smes\/"},"modified":"2026-01-20T14:38:03","modified_gmt":"2026-01-20T13:38:03","slug":"ai-act-and-gdpr-simplification-as-a-maturity-test-for-smes","status":"publish","type":"post","link":"https:\/\/haimagazine.com\/en\/law-and-ethics\/ai-act-and-gdpr-simplification-as-a-maturity-test-for-smes\/","title":{"rendered":"\ud83d\udd12 AI Act and GDPR: simplification as a maturity test for SMEs"},"content":{"rendered":"<p>But this isn\u2019t about loosening the rules or about &#8220;regulatory relief&#8221; in the sense of less accountability. <mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\"><a href=\"https:\/\/commission.europa.eu\/news-and-media\/news\/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en\" target=\"_blank\" rel=\"noopener\">The announced changes <\/a><\/mark>are mainly about how the law is applied, not its scope. That\u2019s a subtle but very important distinction, especially for SMEs planning to develop IT systems and data-driven tools.<\/p><h4 class=\"wp-block-heading\">Why were SMEs drowning in red tape?<\/h4><p>A pretty clear picture emerges from the proposed changes: for small and mid-sized companies, the problem isn\u2019t the data itself or even using AI. The real issue is the amount of red tape designed for large organizations and then automatically pushed onto smaller ones. This especially affects documentation, reporting, and the organizational obligations around customer data, employee data, and the data used by IT systems.<\/p><p>In many companies, complex procedures are a fixture of everyday work, whether or not they actually help with data processing. 
Documentation and processes are kept mostly to tick the formal boxes, and their link to how systems are really used is often secondary.<\/p><p>The simplifications now in the design phase are helping tidy up this space. Accountability stays, but compliance is increasingly judged by how the system works in practice and what impact it has on the data. The question of whether a given solution makes sense is becoming the starting point for the decisions that follow.<\/p><h4 class=\"wp-block-heading\">SMC as a bridge, not a cliff<\/h4><p>Here, it\u2019s worth taking a look at the rise of the small mid-caps (SMC) category. We\u2019re talking about companies that have technically crossed the SME threshold but still operate in a world far from big corporations. <mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\"><a href=\"https:\/\/eur-lex.europa.eu\/eli\/reco\/2025\/1099\/oj\" target=\"_blank\" rel=\"noopener\">According to the proposed regulation COM(2025) 501 final of 21 May 2025<\/a>:<\/mark> fewer than 750 employees, turnover up to 150 million euro, or a balance sheet total up to 129 million euro. <strong>Note that the Digital Omnibus package sets different SMC thresholds depending on the legal act. For capital markets, it\u2019s up to 1000 employees and 200 million euro in turnover.<\/strong><\/p><p>This expansion matters not just for SMCs. It shows that <a href=\"https:\/\/single-market-economy.ec.europa.eu\/smes\/sme-fundamentals\/sme-definition_en\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\">the regulator is starting to assess companies by the real scale of their operations<\/mark><\/a>, rather than a single rigid threshold after which obligations spike. 
For SMEs, that\u2019s an important signal: the direction of change is toward continuous requirements, not a regulatory \u201ccliff\u201d where flexibility suddenly ends.<\/p><h4 class=\"wp-block-heading\">AI Act: From formalism to understanding the system<\/h4><p>In <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/digital-omnibus-ai-regulation-proposal\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\">the drafts related to the AI Act<\/mark><\/a>, there&#8217;s an increasingly clear shift away from formalism. Technical documentation is still required, but its role is changing. Instead of writing lengthy descriptions &#8220;just in case,&#8221; what matters more is a company&#8217;s ability to show:<\/p><p>\u2013 what the AI system is used for,<\/p><p>\u2013 what kinds of data are being processed,<\/p><p>\u2013 where risks that need oversight might appear.<\/p><p>Under the drafts, the European Commission will create standardized, simplified templates for technical documentation for SMEs and SMCs. This documentation will be submitted to notified bodies. <strong>These are specialized, independent entities authorized to check whether systems comply with EU rules.<\/strong><\/p><p>In practice, documentation should be clear and useful, not written &#8220;just in case.&#8221; That shifts the focus from form to substance and reduces the risk of costly misinterpretations.<\/p><p>Same goes for AI skills. Digital Omnibus is moving away from the idea that every employee needs the same level of &#8220;AI knowledge.&#8221; Instead, the regulator is starting to look at skills through the lens of real-world use of systems. 
A company testing a single analytics tool has different needs than an organization building its own models.<\/p><h4 class=\"wp-block-heading\">GDPR: from reporting to proportionality<\/h4><p>You can see a similar logic shift in drafts about GDPR application, which draw a line between processing that genuinely affects people&#8217;s rights and activities that, until now, triggered obligations purely out of caution.<\/p><p>That means <a href=\"https:\/\/single-market-economy.ec.europa.eu\/document\/download\/d88a75de-b620-4d8b-b85b-1656a9ba6b8a_en?filename=Proposal+for+a+Regulation+-+Small+mid-caps.pdf\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\">extending the exemption from the obligation to keep records of processing activities to organizations with fewer than 750 employees<\/mark><\/a>, as long as the processing doesn&#8217;t involve high risk. Those sprawling records with no real decision-making value are no longer the default.<\/p><p>One key way the rules are being clarified is by reinforcing the idea that personal data should be judged by whether a specific organization can actually identify someone. <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/digital-omnibus-regulation-proposal\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\">In the Digital Omnibus package documents<\/mark><\/a>, it\u2019s emphasized that information isn\u2019t personal data for a company if it can\u2019t identify a person without taking extra steps. <strong>Even if another entity can.<\/strong><\/p><p>For many tech and B2B companies, that means more legal certainty around specific analytics and testing workflows, without having to automatically apply the full GDPR regime. 
In this context, <strong>Digital Omnibus extends the existing exception in Article 10(5) of the AI Act<\/strong>, allowing not just providers but also <strong>deployers<\/strong> of all AI systems\u2014not only high-risk ones\u2014to process certain sensitive data to detect and correct algorithmic bias. It\u2019s one of the few places where the regulator openly admits that without such data, safe systems simply won\u2019t get built.<\/p><h4 class=\"wp-block-heading\">Operational consequences of the changes<\/h4><p>The planned regulatory sandboxes are intended to serve as controlled test environments for businesses developing or implementing AI systems. Access for SMEs and startups? <strong>Priority\u2014and, as a rule, free of charge.<\/strong> They mark a shift in approach: the regulator treats compliance as a process built on understanding the system and having control over the data, not a one-off box-ticking exercise.<\/p><p>Along the same lines, there are some less visible but very tangible operational changes. <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/faqs\/digital-package\" target=\"_blank\" rel=\"noopener\"><mark style=\"background-color:#82D65E\" class=\"has-inline-color has-base-color\">The Digital Omnibus Package introduces a single entry point mechanism<\/mark><\/a>, so companies can report digital incidents through a single portal instead of to several institutions in parallel. The system will be managed by ENISA (European Union Agency for Cybersecurity).<\/p><p>To complement this approach, there are changes around cookies and technical data. 
A proposed list of purposes\u2014such as <strong>first-party<\/strong> audience analytics, service security, or sending messages\u2014would allow processing without having to ask for consent every time.<\/p><p>The Digital Omnibus package is currently moving through the legislative process\u2014the Commission\u2019s November 2025 proposals still need approval from the European Parliament and the Council. The final text will come out of negotiations, so the details could still change. This isn\u2019t the time to throw out your documentation, but to get ready for the shift ahead.<\/p><p>Compliance will be less about paperwork and more about whether a company truly understands its own processes and the data it runs on. Some SMEs will take advantage of that. The rest will be left with paperwork that\u2019s losing real value.<\/p><h4 class=\"wp-block-heading\">What can we do tomorrow morning?<\/h4><p>It&#8217;s not about rewriting procedures or cranking out new documents. Just a few simple steps can get your company ready for the changes ahead.<\/p><p>\u2013 A quick inventory of the systems where data is actually processed: what&#8217;s running in the company, what it&#8217;s used for, and by whom.<\/p><p>\u2013 Ask what real impact each tool has, not in a formal sense, but operationally: where the system affects data, decisions or processes.<\/p><p>\u2013 Check the documentation to see if it really explains how the systems work, or if it just sits alongside them as a formal add-on.<\/p><p>\u2013 Identify the key roles who work with data or AI systems every day, rather than planning training &#8220;for everyone&#8221;.<\/p><p>They&#8217;re small steps, but they&#8217;re exactly aligned with where the regulator is headed: moving from paperwork to a real picture of how the company actually runs on data.<\/p>","protected":false},"excerpt":{"rendered":"<p>The European Commission has unveiled the Digital Omnibus package \u2014 a set of legislative proposals meant to make the 
AI Act and the GDPR simpler for small and medium-sized businesses. It\u2019s a shift in how the regulator thinks about technology in companies that aren\u2019t operating at corporate scale.<\/p>\n","protected":false},"author":452,"featured_media":17095,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"rank_math_lock_modified_date":false,"footnotes":""},"categories":[805],"tags":[],"popular":[],"difficulty-level":[38],"ppma_author":[843],"class_list":["post-17154","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-law-and-ethics","difficulty-level-medium"],"acf":[],"authors":[{"term_id":843,"user_id":452,"is_guest":0,"slug":"ewa-siciak","display_name":"Ewa Siciak","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/ebee7b40b99f8697a441e9c4e843181f1ee192815264acf918eb0ef697dfbe3e?s=96&d=mm&r=g","first_name":"Ewa","last_name":"Siciak","user_url":"","job_title":"","description":"Administration graduate and enthusiast of simple AI solutions for small businesses. 
She researches and tests technologies that genuinely take the load off entrepreneurs."}],"_links":{"self":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts\/17154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/users\/452"}],"replies":[{"embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/comments?post=17154"}],"version-history":[{"count":1,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts\/17154\/revisions"}],"predecessor-version":[{"id":17155,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/posts\/17154\/revisions\/17155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/media\/17095"}],"wp:attachment":[{"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/media?parent=17154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/categories?post=17154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/tags?post=17154"},{"taxonomy":"popular","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/popular?post=17154"},{"taxonomy":"difficulty-level","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/difficulty-level?post=17154"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/haimagazine.com\/en\/wp-json\/wp\/v2\/ppma_author?post=17154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}