EU AI Act unpacked #34: The final Digital Omnibus on AI - Key amendments to the AI Act and their impact on businesses active in the EU
The EU’s policy makers have adopted the final text of the Digital Omnibus on AI (see Parliament on 16 June 2026 , Council on 29 June 2026, with entry into force in July 2026). For businesses that have been planning their AI Act (AIA) compliance programmes around the original 2 August 2026 deadlines, the changes are important: selected key obligations have been deferred, new prohibitions have been introduced and the AI Office has gained significantly expanded supervisory powers. Here is what you need to know.
A stop-the-clock mechanism for high-risk AI obligations
The most consequential change is a delay to the application of the high-risk AI rules. The original AI Act set 2 August 2026 as the general application date, including for standalone high-risk AI systems listed in Annex III of the AIA - covering areas such as employment, education, critical infrastructure, law enforcement and credit scoring. That date was practically challenging, especially since the harmonised standards that providers need in order to demonstrate conformity were not going to be ready in time.
The Digital Omnibus resolves this by deferring the stand-alone high-risk AI obligations to 2 December 2027. For AI systems embedded in products already subject to EU product safety legislation listed in Annex I AIA - e.g. legislation on medical devices, machinery or toys - the deadline shifts further to 2 August 2028.
Businesses in scope gain a meaningful runway but that time should be used productively as the underlying obligations have not changed.
Transparency obligations: a grace period for certain obligations
The AIA requires providers to mark AI-generated content, such as images, audio, video, and text in a machine-readable format so that it can be detected as artificially generated (Art. 50 para. 2 AIA). For systems that were placed on the market before 2 August 2026, a grace period of three months has been agreed, meaning those systems must comply with the marking and detection obligations by 2 December 2026. All other transparency obligations under Art. 50 AIA, for example informing users they act with an AI system, will still apply from 2 August 2026.
These are both near-term deadline that should not be overlooked.
New prohibitions: nudifier apps and AI-generated CSAM
The Digital Omnibus introduces a new prohibition for AI systems used to generate child sexual abuse material (CSAM) or non-consensual sexual or intimate content.
Both the placing on the market and the use of such systems are prohibited. Providers of in-scope systems have until 2 December 2026 to implement the technical safeguards required to comply, including measures such as refusal training, output controls and content filtering.
Expanded AI Office supervisory powers
The AI Office, established within the European Commission and responsible for supervising general-purpose AI (GPAI) models has had its supervisory scope significantly extended. Under the original AIA, the AI Office supervised GPAI models and AI systems based on those models where the same provider developed both. The Digital Omnibus broadens this to all AI systems based on GPAI models developed within the same undertaking as the model provider, subject to certain exceptions, as well as to AI systems constituting or embedded in Very Large Online Platforms/Very Large Online Search Engines (DSA) and to the deployers of those systems within the same undertaking The amendments also create an explicit legal basis for cooperation between the AI Office and national supervisory authorities.
Data processing for bias detection
The Digital Omnibus also amends the legal basis for processing special categories of personal data for bias detection and correction. Previously available only to providers of high-risk AI systems, this permission is now extended to providers and deployers of all AI systems and models, including non-high-risk ones. The Digital Omnibus does, however, reintroduce a strict necessity standard for such processing, stepping back from the European Commission's proposal to lower the threshold to a simple necessity test.
The Machinery Regulation
The exclusion of Machinery Regulation products from the AIA's high-risk regime was amongst the most contentious points in the Digital Omnibus negotiations. Arguments for the carve-out were that applying the AIA on top of existing sectoral safety law would create regulatory duplication and hinder innovation.
The agreed outcome is a targeted exclusion: AI embedded in products governed by the Machinery Regulation falls outside the direct scope of the AIA's high-risk rules. Other products with embedded AI listed in Annex I Section A of the AIA, including medical devices and toys, remain fully in scope. But the European Commission is empowered to adopt delegated acts under the Machinery Regulation to impose AI-specific health and safety requirements on machinery products.
Regulatory sandboxes
The deadline for national competent authorities to establish AI regulatory sandboxes has been postponed to 2 August 2027, reflecting an acknowledgment that governments need more time to operationalise the framework in practice.
Registration obligations for systems self-assessed as non-high-risk
Under the AIA, providers must register themselves and their AI systems in the EU database before placing a high-risk AI system on the market. The European Commission had proposed narrowing this obligation, excluding providers who had self-assessed their system as falling outside the high-risk classification. That proposal did not survive the negotiations.
Instead, the Digital Omnibus reinstates the registration obligation for those providers: systems self-assessed as non-high-risk must still be registered in the EU database, albeit with a lighter administrative footprint. In parallel, the Digital Omnibus aims to introduce a simplification of the registration process more broadly.
What this means for businesses now
The Digital Omnibus on AI is final and will enter into force in July 2026 following its publication in the EU’s Official Journal. While another simplification package under the Digital Omnibus covering data and cybersecurity remains in negotiation, with an agreement expected in the first half of 2027 (for more details see our blogposts here and here).
For businesses in scope of the AIA, the immediate priorities are:
- confirming whether any AI-generated content tools require transparency marking by 2 December 2026, while not losing sight of compliance with the remaining transparency requirements under the AIA that do not benefit from this grace period and will still become applicable on 2 August 2026;
- assessing whether any products or use cases fall within the newly expanded prohibited AI categories of ‘nudifier apps’; and
- revisiting compliance roadmaps for high-risk AI systems in light of the revised 2027 and 2028 deadlines.
The extended runway is welcome but businesses that have not yet started substantive compliance work should not treat it as an invitation to delay further. The underlying risk management, documentation and governance frameworks take time to build and the obligations themselves remain unchanged.
