07-01-2026 Article

AI Omnibus 2026: Trilogue Agreement on Amendments to the AI Act Brings Longer Deadlines and Less Bureaucracy

Update Data Proctection No. 256

With its decision of 29 June 2026, the Council of the European Union gave its final approval to the so-called Digital Omnibus on AI, thereby concluding the ordinary legislative procedure after the European Parliament had already approved the text at first reading on 16 June 2026. The amending regulation makes targeted interventions in the AI Act (Regulation (EU) 2024/1689) before its central obligations for high-risk AI systems have even become applicable, and forms part of the simplification agenda pursued by the Union under the heading “Omnibus VII.” At its core is a postponement of the date of application of the high-risk obligations, which would otherwise have applied from 2 August 2026. At the same time, the Omnibus introduces two new prohibited practices in Article 5 of the AI Act and makes various clarifications aimed at reducing the burden on businesses. With its adoption by the Council, the substantive content is now settled. The regulation will shortly be published in the Official Journal and will enter into force on the third day following its publication. For affected companies, the timeline for part of their compliance obligations is thereby extended, but the existing need for action does not disappear – it merely shifts.

The following article contextualises the key changes and sets out the steps that companies should now take.

I. Background to the AI Omnibus

The AI Act entered into force on 1 August 2024 and its provisions apply in a staggered manner: while the rules on prohibited practices (Article 5 of the AI Act) and the provisions on AI literacy have been in effect since 2 February 2025, and the obligations for general-purpose AI models have been applicable since 2 August 2025, the central requirements for high-risk AI systems under Chapter III of the Regulation were intended to take effect on a staggered basis – for standalone systems listed in Annex III from 2 August 2026, and for systems embedded in products as safety components listed in Annex I from 2 August 2027. These high-risk obligations constitute the actual core of the AI Act’s regulatory regime and are also associated with the highest implementation effort for the affected providers and deployers.

In the course of implementing the already applicable parts of the Regulation, however, it became apparent that essential prerequisites for the legally certain application of these obligations were not yet in place. In particular, the harmonised standards, common specifications and guidelines on which providers are expected to rely in demonstrating conformity have been delayed in their development. Likewise, the establishment of the competent national authorities as well as the governance and conformity assessment structures has not been completed in many places. Providers of high-risk AI systems would therefore have been required to base their conformity assessments on foundations that were not yet available, which would have entailed considerable and objectively unjustifiable compliance costs.

Against this background, on 19 November 2025, the European Commission presented the so-called Digital Omnibus package. This comprises two draft regulations aimed at simplifying and streamlining the Union’s digital legal framework, particularly in the areas of AI, data protection and digital services.
Following the adoption of the Council’s position on 13 March 2026 and a provisional trilogue agreement on 7 May 2026, the European Parliament approved the compromise at first reading on 16 June 2026, before the Council formally adopted the text on 29 June 2026, thereby concluding the legislative procedure.

II. Key Changes Introduced by the Omnibus

The Omnibus leaves the fundamental structure of the AI Act unchanged – in particular the risk-based approach, the category of prohibited practices and the provisions for general-purpose AI models. Rather, the changes concern the timeline for the high-risk obligations, supplement the catalogue of prohibited practices and clarify individual terms and obligations with the aim of reducing compliance costs. The key new provisions of practical relevance for businesses can be summarised as follows.

1. Postponement of the Date of Application of the High-Risk Obligations

The centrepiece of the Omnibus is the postponement of the date on which the obligations for high-risk AI systems take effect. Under the original staggered timeline of the AI Act, these would have become applicable for standalone systems listed in Annex III from 2 August 2026, and for systems embedded in products listed in Annex I from 2 August 2027. The new provision differentiates between the two categories of high-risk systems:

For AI systems classified as high-risk under Article 6(2) in conjunction with Annex III of the AI Act – i. e. standalone systems in certain sensitive application areas such as employment, education or access to essential services – the date of application is now 2 December 2027.

For AI systems classified as a safety component of a product or as such a product under Article 6(1) in conjunction with Annex I of the AI Act, the date of application is postponed to 2 August 2028.

The staggered dates follow the logic originally established in the AI Act and are intended to afford the affected economic operators the time necessary to adapt until the relevant standards, common specifications and guidelines are actually available. In a flanking measure, the Commission is required to provide guidelines on compliance with the high-risk requirements by 1 August 2027 at the latest.

2. New Prohibited Practices: AI-Generated Abuse Material (Article 5 of the AI Act)

While the Omnibus provides temporal relief for the high-risk obligations, it simultaneously expands the catalogue of prohibited practices in Article 5 of the AI Act by two new offences.

First, the use of AI systems whose purpose is to generate or manipulate non-consensually created intimate material of identifiable real persons is prohibited. Second, AI systems used to generate or manipulate depictions of child sexual abuse are prohibited, including fully or partially AI-generated content.

The prohibition is directed both at providers who make such systems available on the Union market and at deployers who use such systems for the stated purposes. On the provider side, the prohibition covers not only systems with a corresponding intended purpose, but also those where the generation of such content is a reasonably foreseeable and reproducible outcome without substantial technical modification, and where adequate technical safeguards to reliably prevent such generation are lacking. Providers of generally usable image and video generators must therefore already assess at the design and deployment stage whether such misuse is foreseeable. Unlike the high-risk obligations, these new prohibitions are not subject to the postponed deadline but apply from 2 December 2026.

3. Clarification of the Term “Safety Component”

Of considerable practical significance is the revised definition of the term “safety component” (Article 3(14) of the AI Act), which is decisive for classification as a high-risk AI system under Article 6(1) of the AI Act. In future, an AI system will only fulfil a safety function where its intended purpose, as determined by the provider, is to avert or mitigate risks to the health and safety of persons or property. Expressly excluded are AI systems that serve exclusively user assistance, performance optimisation, service efficiency, automation, user convenience or non-safety-related aspects of quality control. The mere integration of an AI system into a product subject to Union harmonisation legislation does not in itself establish a safety function. This clarification narrows the scope of high-risk classification and provides providers with greater legal certainty in independently assessing their systems.

4. Softening of the AI Literacy Obligation (Article 4 of the AI Act)

The obligation previously enshrined in Article 4 of the AI Act to ensure a sufficient level of AI literacy among personnel is converted into an obligation to promote AI literacy. Providers and deployers are accordingly required to take measures to promote the AI literacy of their personnel and other persons acting on their behalf. The Commission and Member States are to support these efforts through training, information resources and the exchange of best practices. The requirement thus remains in substance, but loses its strictly mandatory and sanction-backed character in favour of a more facilitative approach.

5. Transparency and Labelling Obligations (Article 50 of the AI Act)

The transparency and labelling obligations under Article 50 of the AI Act remain substantively unchanged and continue to apply from 2 August 2026. However, for providers of generative AI systems that placed their systems on the market before 2 August 2026, the Omnibus provides for a transitional period within which the technical measures for labelling artificially generated content under Article 50(2) of the AI Act are to be implemented; the relevant cut-off date is set at 2 December 2026.

Companies that deploy or provide generative AI should note that the essential body of obligations under Article 50 of the AI Act is therefore expressly not covered by the general postponement of deadlines.

6. Further Facilitations and Clarifications

Beyond the above key points, the Omnibus contains a number of further adjustments. Definitions are introduced for SMEs and for “small mid-cap companies,” coupled with the extension, where appropriate, of existing facilitations for smaller operators to this group of undertakings. In the area of data protection, the legal basis for the processing of special categories of personal data for the purpose of detecting and correcting biases is extended beyond providers of high-risk AI systems to their deployers and to providers and deployers of other AI systems and models, subject to the same limitations, conditions and safeguards as before. Furthermore, the deadline for the establishment of national AI regulatory sandboxes is extended to 2 August 2027, and the competence of the AI Office for the supervision of AI systems based on general-purpose AI models of the same provider is further elaborated, including the establishment of exceptions in favour of the still competent national authorities.

III. Recommendations for Companies

Despite the granted postponement, companies should undertake or continue the central preparatory measure – a comprehensive inventory of deployed AI systems – without delay. Only on this basis can it be determined for each system whether it falls within the scope of the AI Act, to which risk category it is to be assigned, and which of the now staggered application dates is relevant. A careful examination of classification in light of the clarified definition of “safety component” is advisable, as systems that serve exclusively user assistance, performance optimisation or comparable functions may now fall outside the high-risk category under the revised definition.

Where the assessment concludes that a system continues to be classified as high-risk, the remaining time until the respective date of application should be used to establish the necessary conformity, risk and quality management processes and to evaluate the Commission’s forthcoming guidelines. Subsequent modifications to systems already placed on the market must also be managed deliberately, since any significant design change triggers the full set of high-risk obligations and a documented change management process must accordingly be maintained.

Irrespective of the postponement of the high-risk obligations, the immediate need for action with respect to the non-deferred obligations remains. Providers and deployers of generative AI systems should prioritise the implementation of the transparency and labelling obligations under Article 50 of the AI Act with a view to 2 August 2026 and the deadline of 2 December 2026 applicable to existing systems, and adapt their communication, marketing and publication workflows accordingly. Likewise, the new prohibitions under Article 5 of the AI Act should be taken as an occasion to review the deployment and provision of generative systems for potential risks and to put in place appropriate safeguards, as these prohibitions apply from 2 December 2026.

IV. Conclusion and Outlook

With the Council’s adoption of the Digital Omnibus on AI, it is now established that the timeline for the central high-risk obligations under the AI Act is significantly pushed back, without the fundamental risk-based structure of the Regulation being altered. For companies, this means a gain in time and legal certainty, but not a removal of the need for action – not least because the transparency obligations under Article 50 of the AI Act and the new prohibitions under Article 5 of the AI Act already take effect in the short term.

With the publication in the Official Journal and the entry into force of the amending regulation, the phase of further concretisation through standards, specifications and guidelines also begins, the timely availability of which will determine the practical feasibility of the obligations. Companies are therefore well advised to use the time gained consistently for preparation and to closely monitor further legal developments.

This article was created in collaboration with our student employee Emily Bernklau.

Download as PDF

Contact persons

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.