The EU’s Digital Omnibus signals a critical pivot: admitting that premature regulation endangers the very certainty it seeks to create.
The European Union’s introduction of the "Digital Omnibus" package—which proposes delaying key high-risk obligations under the AI Act and recalibrating GDPR standards—is more than a mere adjustment of timetables. From the perspective of legal operations, it represents a structural correction to a regulatory rhythm that has become dangerously front-loaded.
The core message from Brussels is blunt: when regulations enter into force before administrative capacity, technical standards, and industrial readiness are established, the institution itself becomes a source of risk. Instead of fostering order, premature regulation simultaneously damages Legal Certainty (Rechtssicherheit) and Executability (Vollzugstauglichkeit).
The Structural Deficit: Density vs. Capacity
For the past decade, the EU has pursued a hyper-active legislative model: set the boundaries with framework legislation first, then fill in the details through standards, guidelines, and enforcement practice later. This "framework-first" approach, visible in the GDPR, DMA, and DSA, has successfully cemented the EU’s role as a global rule-maker.
However, in the complex domains of AI and data governance, this strategy has exposed a critical structural limitation: while Regulatory Density (Regelungsdichte) can be arbitrarily high, Enforcement Capacity (Vollzugskapazität) does not automatically follow.
The AI Act serves as the prime example. Its high-risk obligations cover technical documentation, data traceability, model monitoring, and risk management. Each requirement presupposes the existence of a mature ecosystem of standards and administrative review mechanisms. Yet, these standards are still being drafted, national competent authorities vary wildly in readiness, and corporate "best practices" remain nascent.
If these rules were to take effect on the original schedule, the market would face a paradox: obligations would exist in law, but the standards for compliance would remain undefined in practice.
The Erosion of Rechtssicherheit
For businesses, this gap forces compliance to be built on guesswork. Companies must restructure operations without knowing what "good enough" looks like. For regulators, it means enforcing rules without stable criteria, leading to inevitable fragmentation across Member States.
This dynamic directly erodes Rechtssicherheit. The law transforms from a tool that reduces uncertainty into a source of additional unpredictability. Viewed in this light, the decision to delay obligations is not a retreat from regulation, but an attempt to restore the rules to a level commensurate with reality—bringing them back within the acceptable bounds of Proportionality (Verhältnismäßigkeit).
GDPR: From Doctrine to Feasibility
The adjustments to the GDPR follow the same logic, shifting the focus from abstract data principles to operational utility. In past interpretations, using personal data for AI model training or internal optimization carried a heavy procedural burden and legal ambiguity. The dilemma for firms was not just obtaining consent, but determining when "legitimate interest" could validly serve as a legal basis, and how to achieve anonymization that was practically workable rather than just theoretically perfect.
When the regulatory line is drawn at a point that is "theoretically safe but operationally impossible," Verhältnismäßigkeit is lost.
The new Omnibus approach explicitly recognizes AI training as a potential legitimate interest and adopts more pragmatic anonymization standards. It also raises the threshold for breach reporting to focus on material risks. This is not "deregulation"; it is a shift from a system defined solely by prevention to one that balances prevention with feasibility. It acknowledges that excessive procedural burdens dilute supervisory resources and weaken the targeted effectiveness of the regime.
Process as Friction
The proposal also addresses a long-underestimated issue: process itself can distort regulatory intent. With the overlapping mandates of NIS2, GDPR, and DORA, cross-border firms face a labyrinth of multiple reporting channels, inconsistent formats, and misaligned timelines.
The introduction of a single reporting window and the European Digital Identity Wallet signals a shift from "stacked requirements" to "integrated compliance." Industry feedback has long highlighted that the problem is rarely the inability to comply, but the inability to predict the sheer cost of administrative friction. Over time, this unpredictability distorts investment and behavioral incentives.
Global Convergence and the "Politics of Timing"
Internationally, this move brings the EU subtly closer to other major jurisdictions. The U.S. relies on an ex-post model supported by antitrust and sector-specific guidance to avoid setting rigid obligations before technology matures. Japan emphasizes co-regulation and iterative guidance.
By adjusting its tempo, the EU is not abandoning its ambition but admitting a universal truth: regulatory authority derives not from how early the rules are set, but from how stable, consistent, and predictable their operation is.
The Strategic Warning for Taiwan
For economies like Taiwan, currently in the early stages of drafting AI basic laws and revising privacy frameworks, the EU’s pivot offers a lesson more valuable than the text of the laws themselves.
There is a risk that Taiwan, in benchmarking the EU, might copy the original, ambitious texts while overlooking the subsequent corrections and delays. This could lead to a "Regulatory Inversion": Taiwan could inadvertently introduce a framework where obligation intensity and implementation timelines are even more aggressive than those the EU is currently walking back.
The result would be a regime where Regulatory Density (Regelungsdichte) exceeds the European benchmark, while domestic Enforcement Capacity (Vollzugskapazität) falls far behind it. In such a scenario, the burden of the system arrives before its benefits; businesses retreat into conservatism due to uncertainty, and regulators become overwhelmed by procedural paperwork rather than substantive risk.
Conclusion: The Return to Reality
The EU’s adjustment should not be misread as "softening." It is an answer to a fundamental jurisprudential question: Should law arrive before capability?
Brussels is increasingly answering "No." For Taiwan and other emerging digital economies, the goal should not be to blindly mirror the EU’s specific amendments, but to internalize this attitude of pragmatic adjustment. When designing tech laws, policymakers must return to three rigorous questions: Are the standards clear? Is the enforcement capacity present? Do the regulated entities possess the tools to comply?
If these three elements are not synchronized, the pursuit of "world-class" regulation will merely construct a system that is, from day one, impossible to execute.