EU AI Omnibus Deal Reveals the Enforcement Gap: Why Sectoral Exemptions Could Undermine Europe's Safety Framework
EU's new AI Omnibus carves out law enforcement, finance, and justice from AI Office oversight—raising questions about who enforces safety in Europe's most sensitive sectors.
The Enforcement Fragmentation Problem
The EU’s AI Omnibus agreement, finalised on May 7, 2026, introduces a critical structural weakness that could fracture Europe’s regulatory architecture: sectoral exemptions that remove AI Office oversight from law enforcement, border management, judicial authorities, and financial institutions.
On the surface, this compromise makes sense. National governments wanted to retain control over sensitive domains where sovereignty concerns run deep. But the practical consequence is a two-tier enforcement system where Europe’s most consequential AI applications—facial recognition at borders, AI in criminal sentencing, algorithmic loan decisions—remain outside unified EU supervision.
What the Deal Actually Says
The agreement clarifies that the AI Office supervises general-purpose AI models only when “the model and that system are developed by the same provider.” For sectoral applications, national authorities remain competent. This creates a genuine loophole: an AI system used by a national police force to flag suspects receives weaker scrutiny than a chatbot used by a retail business.
For Ireland specifically, this means Irish authorities will enforce AI rules in Irish courts, Irish banks, and Irish policing—but without the coordinating framework that the centralized AI Office was designed to provide. Each Member State now becomes a mini-regulator for its own high-risk sectors.
Why This Matters for Builders and Deployers
If you’re an Irish enterprise deploying AI in financial services or law enforcement, you need to understand that your compliance burden now depends entirely on how your national authority interprets the rules. There’s no unified guidance from Brussels. The Commission’s May 8 consultation on transparency obligations provides some clarity, but sectoral applications won’t benefit from that same systematic approach.
This also creates a competitive distortion. A German bank might face different enforcement standards than an Irish one, even if both use identical AI systems. Vendors will inevitably optimize for the loosest interpretation across Member States.
The Broader Governance Question
Europe is essentially betting that national regulators—many of which lack AI expertise—can enforce sophisticated AI safety rules in sensitive domains without coordination. The AI Office exists precisely to solve this coordination problem. By exempting the sectors where coordination matters most, the Omnibus deal undermines its own logic.
There’s also a timing concern. These sectoral exemptions kick in immediately, while the sandbox delay extends to August 2027. This means high-risk systems in policing and finance move forward without the testing infrastructure that was supposed to support them.
Open Questions
How will Member States actually interpret these sectoral carve-outs? Will Ireland’s Data Protection Commissioner align with other national authorities, or will fragmentation accelerate? And critically: if an AI system in a European police force causes demonstrable harm, which regulator takes responsibility?
The May 2026 Omnibus agreement prioritized political consensus over regulatory coherence. Europe’s enterprises will now navigate the consequences.
Source: artificialintelligenceact.eu