EDPB and EDPS Joint Opinion on the EU AI Act: What Legal Teams Need to Know
On January 21, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the European Commission's "Digital Omnibus on AI." The package is meant to simplify how organizations apply the EU AI Act across the EU. The supervisors support simplification, but not at the expense of fundamental rights or accountability.
Below is a concise rundown of the key legal issues and the practical steps counsel should consider now.
Key takeaways
- Processing special categories of data: Any extension that lets providers or deployers process sensitive data (e.g., ethnicity, health) to detect and correct bias should be strictly limited to scenarios with a serious risk of harm and backed by strong safeguards.
- Registration of high-risk AI systems: Removing registration duties, even when providers self-claim "non-high risk," is discouraged. The EDPB and EDPS warn it weakens accountability and could incentivize under-classification.
- Regulatory sandboxes: Innovation sandboxes are welcome, but Data Protection Authorities should directly supervise and enforce data processing inside them. The EDPB should also have an advisory role and observer status at the European Artificial Intelligence Board to align EU-level sandboxes.
- Role of the AI Office: Its supervisory role, especially for general-purpose model-based systems, must be clearly defined and must not overlap with the EDPS's independent oversight of AI systems used by EU institutions.
- Market Surveillance Authorities (MSAs): Their function should be limited to administrative points of contact. New roles must not dilute the independence or powers of Data Protection Authorities.
- AI literacy: Providers and deployers remain responsible for ensuring staff have adequate AI literacy. Any new EU or Member State actions should support, not replace, these obligations.
- Delays to high-risk provisions: The supervisors are concerned about postponing essential high-risk requirements and urge minimizing delays, particularly for transparency duties, given the pace of AI deployment.
Practical implications for counsel
- Bias mitigation using sensitive data: If you rely on sensitive data for bias testing, document necessity, proportionality, and a serious risk of harm. Build in safeguards (purpose limitation, strict access, minimization, retention limits, strong security, and DPIAs).
- Maintain a central AI register: Even if public registration rules change, keep an internal register that records system classification, use cases, training data sources, risk rationale, and applicable controls. This helps with audits and regulator inquiries.
- Prepare for sandbox oversight: Treat sandboxes as regulated environments. Involve your DPO early, define legal bases for all data uses, and set evaluation exit criteria. Expect DPA visibility on processing activities inside the sandbox.
- Clarify roles across regulators: Map who supervises what in your footprint (AI Office, DPAs, MSAs, sectoral bodies). Avoid gaps or overlaps in escalation and reporting lines.
- General-purpose model risk: Update vendor due diligence and contractual terms for systems built on foundation models. Ensure you can evidence transparency, data governance, and post-market monitoring.
- Transparency readiness: Assume transparency duties for high-risk systems will land sooner rather than later. Prepare notices, user-facing explanations, and technical documentation now.
- AI literacy plans: Keep responsibility for training in-house rather than outsourcing it entirely to public initiatives. Develop role-based training for product, compliance, and engineering teams. For an example of a curated learning path that supports AI literacy, see the AI Learning Path for Primary School Teachers.
Timeline and compliance posture
The supervisors' message is clear: do not bank on delays for high-risk obligations. Prioritize transparency, documentation, data governance, and human oversight controls now. Align your GDPR program with AI Act duties to cut duplication and speed evidence production.
Also watch for clarifications on the AI Office's remit and the role of MSAs. These will influence who you notify, how you document compliance, and which authority may knock on your door first.
Further reading
For official materials and updates, see the EDPB and the European Commission's page on the AI Act. Expect additional guidance as the Digital Omnibus progresses.