Red optical fibre

2 July 202615 minute read

Digital Omnibus on AI: What's changed in the EU AI Act and why it matters for companies

The Digital Omnibus has now moved at two different speeds. While the broader Digital Omnibus proposal on data, privacy, cybersecurity and other digital rules is still following its own legislative path, the AI component has reached the end of the EU legislative process.

On 29 June 2026, the Council of the EU gave its final green light to the Regulation amending the AI Act as part of the Digital Omnibus on AI. The text will be published in the Official Journal of the EU and will enter into force on the third day after publication.

This is not a suspension of the AI Act. Nor is it a wholesale deregulation of AI in the EU. The risk-based architecture of Regulation (EU) 2024/1689 remains in place: prohibited practices, high-risk systems, transparency obligations, general-purpose AI (GPAI) rules, conformity assessment, market surveillance and sanctions continue to structure the EU framework. What changes is the implementation architecture around that framework. The Digital Omnibus on AI recalibrates the timetable for high-risk systems, clarifies when AI embedded in regulated products is caught by the AI Act, introduces a new ban on certain harmful generative AI practices, adjusts AI literacy and bias-correction rules, extends some simplification measures to small mid-caps, strengthens the role of the AI Office and makes the contractual AI value chain more explicit.

For businesses, the main message is that the immediate pressure on some high-risk AI compliance deadlines is reduced, but the need to classify, document, contract for and govern AI systems doesn’t disappear. In several areas, the Omnibus makes the legal analysis more granular.

 

A fixed new timetable for high-risk AI systems

The most visible change is the timetable. Under the original AI Act, many high-risk obligations were due to apply from 2 August 2026, with a later date for certain product-embedded systems. The Omnibus replaces this with a clearer split.

Category New application date
High-risk AI systems listed in Annex III, including many stand-alone systems used in areas such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and administration of justice 2 December 2027
High-risk AI systems classified under Article 6(1) because they’re safety components of, or products covered by, EU product legislation listed in Annex I 2 August 2028
New prohibitions on AI systems generating or manipulating non-consensual sexual or intimate content or child sexual abuse material 2 December 2026
Article 50(2) transparency obligations for systems generating synthetic audio, image, video or text content already placed on the market before 2 August 2026 2 December 2027
National AI regulatory sandboxes 2 August 2027

 

Companies shouldn’t treat the new timetable as a single extension of “the AI Act deadline.” A bank using AI to support credit scoring, fraud detection or HR decisions may be looking at the Annex III timetable. A manufacturer integrating AI into a regulated product must instead assess whether the AI is a safety component and whether the product follows the Annex I product-law route.

 

A more precise approach to ‘safety components’

One of the most important clarifications concerns AI embedded in products. The original AI Act created practical uncertainty around when an AI function becomes a safety component rather than a performance, convenience or optimisation feature.

The Omnibus clarifies that a component fulfils a safety function where its intended purpose is to prevent or mitigate risks to the health and safety of persons or property. It also states that AI systems used solely for non-safety-related user assistance, performance optimisation, service efficiency, automation, convenience or quality control don’t qualify as safety components. However, if failure or malfunctioning of the AI system would endanger health and safety, the system will still qualify as a safety component.

An AI feature that optimises industrial energy consumption may not be safety-related if its failure only reduces efficiency. AI that detects dangerous overheating and triggers a shutdown is different. The key questions are intended purpose, malfunction impact and sectoral product law.

 

Product legislation, machinery and sectoral integration

The Omnibus addresses intersections between the AI Act and EU product safety legislation. For high-risk AI systems classified under Article 6(1), the application of specific AI Act requirements may be limited where EU harmonisation legislation listed in Annex I, Section A provides equivalent or higher protection of health, safety or fundamental rights, and where limiting the AI Act doesn’t reduce the overall level of protection. The Commission must specify the relevant systems, obligations and conditions by delegated acts.

This is relevant for sectors such as medical devices, toys, lifts and watercraft, where product legislation already contains conformity assessment regimes.

Machinery receives a more specific treatment. The Omnibus moves the Machinery Regulation from Annex I, Section A to Section B of the AI Act framework. As a result, AI-enabled machinery is removed from the direct application of the AI Act’s high-risk regime, subject to a sectoral approach under the Machinery Regulation. The Commission will be empowered to adopt delegated acts amending the Machinery Regulation to incorporate health and safety requirements for high-risk AI systems that are safety components in machinery or machinery themselves.

For industrial companies, this is a major structural change: AI compliance for machinery will be channelled through machinery law, but AI Act requirements will still influence machinery safety through secondary legislation and standards.

 

AI literacy: Organisational support, not an individual guarantee

The Omnibus refines the AI literacy obligation. Providers and deployers must take measures to support the development of sufficient AI literacy among their staff and other people who operate and use AI systems on their behalf. The assessment must consider technical knowledge, experience, education, training, the context of use and the people or groups of people on whom the AI systems are to be used.

The important clarification is that providers and deployers don’t have to guarantee a specific level of AI literacy for each individual. AI literacy is still a legal obligation, but it’s now framed more clearly as an organisational and contextual obligation. Training for low-risk internal generative AI won’t be the same as training for AI used in HR recruitment, insurance claims handling, fraud detection or critical infrastructure monitoring.

 

Bias detection and special categories of personal data

The new Article 4a is one of the most sensitive amendments. It creates a specific legal basis, subject to strict conditions, for processing special categories of personal data for bias detection and correction.

For providers of high-risk AI systems, processing is permitted only to the extent strictly necessary. The Omnibus sets cumulative safeguards: the objective cannot be effectively achieved using other data, including synthetic or anonymised data; re-use must be technically limited; state-of-the-art security and privacy-preserving measures, including pseudonymisation, must be applied; access must be controlled and documented; data must not be transmitted or accessed by other parties; data must be deleted once the bias has been corrected or the retention period expires; and records must explain why the processing was strictly necessary.

The provision also extends, with conditions, to providers and deployers of other AI systems and models and to deployers of high-risk systems where this is strictly necessary to address biases likely to affect health and safety, fundamental rights or discrimination prohibited under EU law. Importantly, it doesn’t create a general obligation to conduct bias detection and correction.

For companies, this may provide a clearer route to test discriminatory outcomes in recruitment, credit scoring, insurance pricing or healthcare triage. But using sensitive data for bias testing will require documented necessity, access controls, retention rules and coordination with GDPR compliance.

 

Simplification for SMEs and small mid-caps

The Omnibus extends certain measures previously focused on SMEs and startups to small mid-cap enterprises. SMEs, startups and small mid-caps can use a simplified technical documentation form for high-risk AI systems, which notified bodies must accept for conformity assessment. The quality management system required for providers of high-risk AI systems must also be implemented proportionately to the size of the provider’s organisation, while still preserving the degree of rigour needed to ensure compliance.

This should help scale-ups and mid-sized technology companies, particularly in B2B AI, SaaS, industrial AI, fintech and healthtech. However, simplified documentation is not light documentation: the advantage is a more proportionate format, not a lower substantive standard.

 

AI value chain: Contracts become more important

One of the least headline-grabbing but most important changes concerns Article 25 and the AI value chain. Where a new operator becomes the provider of an AI system, the initial provider must cooperate, make necessary information available and provide reasonably expected technical access and assistance, including technical documentation, known limitations, failure modes and targeted access for testing and validation.

The Omnibus also reinforces written arrangements between providers of high-risk AI systems and third parties supplying AI systems, AI models, tools, services, components or processes that are used or integrated into the high-risk system. These arrangements must address the information, capabilities, technical access and assistance needed to allow the provider to comply. There is a carve-out for certain open-source components, but this doesn’t apply to general-purpose AI models.

This is a clear signal for procurement and contracting. A company cannot assume that AI Act compliance can be solved internally if the system depends on model providers, cloud providers, software suppliers, data providers or system integrators. Contracts will need to allocate responsibilities for documentation, testing, logging, incident support, model updates, failure modes, audit rights, cybersecurity, change management and assistance in regulatory assessments.

For an AI-based insurance claims tool built on a third-party model and customised by an integrator, compliance is also a contractual governance exercise: who can explain the model, who controls updates and who supports conformity assessment?

 

FRIA, DPIA, conformity assessment and standards

The Omnibus introduces a practical link between the AI Act’s fundamental rights impact assessment and the GDPR data protection impact assessment. Where obligations under the FRIA are already met through a DPIA under the GDPR or the Law Enforcement Directive, the deployer may cross-reference relevant sections or include relevant parts of the DPIA in the FRIA. The AI Office must also develop a questionnaire template, including through an automated tool, to simplify the FRIA.

This doesn’t merge the two assessments. A DPIA and a FRIA have different legal purposes and scopes. But it allows businesses to avoid purely formal duplication and reuse DPIA work where it genuinely covers parts of the FRIA, while leaving room for AI-specific fundamental rights analysis.

The Omnibus also introduces changes to conformity assessment. Notifying authorities must provide the possibility of a single application and unified assessment procedure where a conformity assessment body seeks designation both under the AI Act and under relevant product legislation. A new Annex XIV adds codes and categories to specify the scope of notified body designation, including product-related AI, biometric AI, generative AI and agentic AI.

The link with standards remains central. Harmonised standards are expected in areas such as risk management, data governance, record keeping, transparency, human oversight, accuracy, robustness, cybersecurity, quality management and conformity assessment. Once referenced in the Official Journal, applying harmonised standards will provide a presumption of conformity.

There is also a new interaction with the Cyber Resilience Act: where a high-risk AI system falls within the CRA and satisfies the relevant conditions, it will be presumed compliant with the AI Act cybersecurity requirement.

 

Transparency and new prohibited practices

The Omnibus changes the transition period for Article 50(2) transparency obligations. Providers of AI systems, including GPAI systems, generating synthetic audio, image, video or text content that were placed on the market before 2 August 2026 must comply with Article 50(2) by 2 December 2026. This is a near-term deadline. Providers of generative AI systems should not focus only on the high-risk timeline. The transparency architecture for machine-readable marking, labelling and detection of synthetic content remains a priority.

The Omnibus also adds new prohibited AI practices to Article 5. It bans AI systems that generate or manipulate realistic images, video, audio or similar material depicting an identifiable person’s intimate parts or sexually explicit activities without that person’s freely given, specific, informed, unambiguous and explicit consent. It also covers systems generating or manipulating child sexual abuse material, subject to the “without right” defence under national law.

The prohibition applies to providers placing such systems on the market or putting them into service where the harmful output is reasonably foreseeable and reproducible by reason of the system’s intended purpose, design, training, architecture, capabilities or user-facing functionalities and adequate safeguards are not in place. It also applies to deployers that use AI systems for that purpose.

This moves the issue from content moderation or platform policy into the most severe AI Act category: prohibited practices. It also confirms that generative AI safety isn’t limited to GPAI obligations.

 

AI Office, sandboxes and real-world testing

The Omnibus strengthens the role of the AI Office. It becomes exclusively competent for supervising and enforcing AI Act obligations in relation to certain AI systems based on GPAI models where the model and the system are developed by the same provider or by providers forming part of the same undertaking. It is also competent for AI systems that constitute, or are integrated into, very large online platforms or very large online search engines.

But centralisation isn’t universal. The text preserves exceptions for systems related to products covered by Annex I legislation, certain biometric systems, systems provided by law enforcement authorities, border management authorities and financial institutions, and systems relating to the administration of justice. Banks, insurers and other financial institutions shouldn’t assume that AI Office competence will replace sectoral supervision.

The Omnibus also gives the AI Office structured supervisory and enforcement powers, including information requests, investigations, inspections, access to systems and explanations, data retention orders, commitments, non-compliance decisions, penalties and periodic penalty payments.

The deadline for member states to establish at least one AI regulatory sandbox has been moved to 2 August 2027. The AI Office may also establish an EU-level sandbox for systems within its competence, with priority access for SMEs, startups and small mid-caps. The Omnibus also expands real-world testing outside sandboxes, including for Annex III systems and certain product-law systems, subject to the AI Act conditions.

 

What companies should take from the Digital Omnibus

The Digital Omnibus on AI gives companies more time in some areas, but less room for superficial analysis. The next phase of AI Act compliance will be less about asking whether the AI Act applies in the abstract and more about mapping how it applies across the AI lifecycle.

AI inventories need to distinguish not only high-risk and non-high-risk systems, but also Annex III systems, product-embedded Article 6(1) systems, GPAI-based systems, systems producing synthetic content, systems already on the market and systems used by public authorities.

Product manufacturers need to revisit AI classification through the lens of safety function, malfunction impact and sectoral product legislation.

AI procurement and contracting will become more strategic. Contractual clauses on documentation, testing, auditability, updates, failure modes, cybersecurity and regulatory support are no longer optional governance extras.

Data protection and AI governance must be aligned. Bias testing, DPIAs and FRIAs need to be coordinated, but not collapsed into a single generic assessment.

Businesses should not ignore near-term obligations while focusing on the delayed high-risk dates. AI literacy already applies. GPAI obligations are already in force. Transparency duties for synthetic content and the new prohibited practices will become critical by 2 December 2026.

The Omnibus changes the compliance calendar, not the direction of travel. The EU is moving toward a more calibrated AI regulatory framework, but still one in which classification, evidence, technical documentation, contractual control and governance will determine whether AI can be deployed safely, lawfully and at scale.