EU AI Act Digital Omnibus
Last reviewed
May 31, 2026
Sources
16 citations
Review status
Source-backed
Revision
v2 ยท 2,385 words
Improve this article
Add missing citations, update stale details, or suggest a clearer explanation.
Suggest edit
CtrlK
Last reviewed
May 31, 2026
Sources
16 citations
Review status
Source-backed
Revision
v2 ยท 2,385 words
Add missing citations, update stale details, or suggest a clearer explanation.
The EU AI Act Digital Omnibus is a package of proposed amendments to the EU AI Act that the European Commission put forward on 19 November 2025 to simplify and delay parts of the regulation. The measure, formally titled the Digital Omnibus on AI and carried in Commission document COM(2025) 836, sits inside a wider Digital Omnibus package that also reopens the General Data Protection Regulation, the ePrivacy Directive, the NIS2 Directive, and the Data Act. The AI component proposes to push back the application of the high-risk obligations, lighten transparency, documentation, and governance duties, and tie several deadlines to the availability of technical standards. It is widely described as the first major rollback of the AI Act since the law entered into force in August 2024, and it drew sharp criticism from digital-rights groups who called it deregulation dressed up as simplification. On 7 May 2026 the European Parliament and the Council reached a provisional political agreement on the file. [1][9][2]
This article describes the Commission proposal of November 2025 and the legislative process that followed, including the provisional agreement of May 2026. Until the co-legislators formally adopt the text and it appears in the Official Journal of the European Union, the changes do not have legal effect. Formal adoption was expected before 2 August 2026, the date on which the bulk of the AI Act's high-risk rules would otherwise have started to apply. [3][11]
The EU AI Act (Regulation (EU) 2024/1689) is the European Union's horizontal law on artificial intelligence and a landmark in AI regulation. It entered into force on 1 August 2024 and was designed to apply in phases. The bans on a small set of prohibited practices and the AI literacy duty became applicable on 2 February 2025. Rules for general-purpose AI models (GPAI) and the bulk of the governance provisions followed on 2 August 2025. The heaviest tier, the obligations for high-risk AI systems, was scheduled to apply from 2 August 2026 for systems listed in Annex III (use cases such as biometrics, critical infrastructure, education, employment, credit scoring, law enforcement, migration, and border control) and from 2 August 2027 for high-risk AI embedded in products already covered by EU sectoral safety law under Annex I (for example medical devices, machinery, lifts, and toys). [3][4]
By late 2025 the timetable was under strain. Harmonised standards from CEN-CENELEC that providers were meant to rely on for compliance were running behind, several member states had not designated their national competent authorities or conformity assessment bodies, and Commission guidance on classifying high-risk systems had slipped past its own deadlines. Industry argued that firms were being asked to comply with rules whose technical detail did not yet exist. More than 110 EU-based companies and several large technology firms pressed for a pause. [4][5][6]
The push also fit a broader political mood. The European Council had called in 2024 for action on competitiveness, echoing the Letta report on the single market and the Draghi report on European competitiveness, both of which warned that regulatory complexity was holding the bloc back. The Commission framed its Digital Omnibus agenda around cutting red tape, with a stated target of reducing administrative burdens by at least 25 percent for all businesses and at least 35 percent for small and medium-sized enterprises by 2029. Pressure from the United States, where parts of the administration and major technology companies criticised EU tech rules as restrictive, formed part of the backdrop, and some commentators framed the rollback as a test of the so-called Brussels effect, the tendency for EU standards to spread abroad. [1][7][8]
The Commission presented the AI Omnibus as targeted simplification rather than a reopening of the AI Act's risk-based architecture. The proposal keeps the law's overall structure but adjusts timing and trims specific obligations. The most consequential change is to the high-risk timeline. Instead of fixed dates, the Commission proposed linking the start of the Annex III and Annex I high-risk obligations to the availability of supporting standards, common specifications, or Commission guidance, with backstop dates so the rules apply at the latest by 2 December 2027 for stand-alone Annex III systems and by 2 August 2028 for high-risk AI embedded in regulated products. [1][9]
The package also lightens several day-to-day duties. The obligation on providers and deployers to ensure AI literacy among their staff would be replaced by a softer duty on the Commission and member states to encourage AI literacy. The proposal offers more flexibility in post-market monitoring, extends simplified technical documentation and proportionate treatment of penalties from SMEs to a new category of small mid-cap companies (firms under 750 employees with turnover up to 150 million euros), and reinforces the role of the AI Office to reduce governance fragmentation. A new Article 4a would let providers and deployers of non-high-risk systems process special categories of personal data to detect and correct bias, loosening the existing standard from strictly necessary to merely necessary. The Commission also proposed removing the duty to register in the EU database those Annex III systems that a provider concludes are not high risk because they perform only narrow or procedural tasks. [8][9][10]
The broader Digital Omnibus, the data and privacy half of the package, would amend the GDPR and related laws, including changes to how personal data is defined and a clearer legal basis for using personal data to train AI. Those data measures are separate proposals from the AI Omnibus but were published together and share the same simplification rationale. [8]
The table below summarises the main proposed changes to the AI Act and how they sat after the May 2026 provisional agreement. Dates and details reflect the agreed text and remained subject to formal adoption.
| Area | Position before the Omnibus | Proposed and agreed change |
|---|---|---|
| High-risk Annex III (stand-alone) | Apply from 2 August 2026 | Apply at the latest from 2 December 2027, tied to availability of standards and tools |
| High-risk Annex I (product-embedded) | Apply from 2 August 2027 | Apply at the latest from 2 August 2028 |
| Article 50(2) content marking (watermarking) | Apply from 2 August 2026 | Transitional relief, compliance by 2 December 2026 for systems already on the market |
| AI literacy | Duty on providers and deployers | Shifted to a duty on the Commission and member states to encourage literacy |
| Sensitive data for bias detection | High-risk providers only, strictly necessary | Extended to non-high-risk systems, threshold relaxed to necessary (new Article 4a) |
| SME relief | Simplified documentation and penalties for SMEs | Extended to small mid-cap companies |
| Prohibited practices | No specific deepfake ban | New Article 5 ban on non-consensual intimate imagery and CSAM, compliance by 2 December 2026 |
| Machinery and sectoral products | AI Act plus sectoral rules | Clarified so qualifying machinery follows sectoral safety rules, reducing duplication |
| AI Office | Shared supervision | Strengthened central competence over some GPAI-based systems and large platforms |
| National AI sandboxes | Operational by 2 August 2026 | Deadline extended to 2 August 2027, plus a new EU-level sandbox |
As a Commission proposal, the Digital Omnibus on AI had to pass through the ordinary legislative procedure, meaning agreement between the Council and the European Parliament. The Council adopted its negotiating mandate on 13 March 2026. In the Parliament the file went to the Committee on the Internal Market and Consumer Protection and the Committee on Civil Liberties, Justice and Home Affairs, which adopted a joint report, and the plenary approved the Parliament's position on 26 March 2026 by 569 votes to 45 with 23 abstentions. [11]
Trilogue negotiations between the institutions then began. A session on 28 April 2026 broke down after about twelve hours, with the treatment of high-risk AI embedded in machinery and the related conformity assessment the most contested point. The institutions returned to the table and reached a provisional agreement in the early hours of 7 May 2026. The deal confirmed the postponement of the high-risk obligations to 2 December 2027 for Annex III and 2 August 2028 for Annex I, resolved the machinery dispute by routing qualifying products through sectoral safety rules, and added the new Article 5 prohibition. The Parliament reinstated the EU database registration duty that the Commission had proposed to drop, a point civil-society groups had flagged. [2][11][12]
The provisional agreement still required formal endorsement by the Council and the Parliament, followed by legal and linguistic revision, before adoption and publication in the Official Journal. Both institutions said they intended to complete the process before 2 August 2026 so the extended deadlines would be in place ahead of the date the original high-risk rules were due to bite. [2][11]
Industry groups broadly welcomed the agreement while saying it did not go far enough. European and German business associations including DIGITALEUROPE, the Federation of German Industries (BDI), Bitkom, the mechanical engineering association VDMA, and the retail body EuroCommerce described the deal as a step toward legal certainty, less double regulation, and a more innovation-friendly framework for industrial AI. The Commission and Council framed the outcome as support for companies through lower recurring administrative costs and a smoother, more harmonised rollout that would strengthen EU competitiveness and digital sovereignty. Executive Vice-President Henna Virkkunen, who led the simplification drive, said the omnibus packages were meant to clear regulatory clutter so companies could focus on building rather than paperwork. [7][13]
Some industry voices argued the package offered only limited relief. Trade groups such as CCIA Europe and the Business Software Alliance said that, beyond the grace period for high-risk obligations and the machinery carve-out, the deal left substantial legal uncertainty and did little to cut the day-to-day compliance burden. The TUV Association warned that carving machinery out of the AI Act could fragment the rules and slow the development of industrial AI standards. [13][14]
Digital-rights and consumer organisations were sharply critical. European Digital Rights (EDRi) called the Digital Omnibus a major rollback of EU digital protections and a massive reopening of the GDPR, ePrivacy Directive, and AI Act that risked dismantling the foundation of human rights and tech policy in the bloc. More than 130 civil-society organisations and unions urged the Commission to halt the package, and some 60 groups asked lawmakers to reject the transparency changes, warning that exempting self-assessed non-high-risk systems from EU database registration could turn the AI Act into a form of self-regulation. BEUC, the European consumer organisation, said the AI Omnibus rolled back consumer protections that had barely been adopted and created loopholes and confusion. Corporate Europe Observatory and LobbyControl published an analysis tracing what they described as Big Tech's influence over the proposals, and the Jacques Delors Centre argued the package was heading in the wrong direction. On the protective side, the new ban on AI-generated non-consensual intimate imagery and child sexual abuse material was welcomed across much of the debate. [5][6][15][16]
The Digital Omnibus marks a shift in tone for European AI governance. For several years the AI Act stood as the most far-reaching attempt to regulate artificial intelligence, and the EU presented it as a model others might follow. Reopening the law before its core obligations had even applied signalled that competitiveness concerns had moved up the agenda and that the Commission was willing to trade some regulatory ambition for legal certainty and speed to market. Supporters read it as a pragmatic correction to a timetable that standards bodies and national authorities could not meet. Critics read it as a precedent in which safeguards can be recast as burdens whenever industry objects loudly enough. [5][7][16]
The practical effect for organisations was a longer runway. High-risk providers and deployers gained roughly sixteen extra months for Annex III systems and a year for Annex I systems, time meant to let CEN-CENELEC finish standards and let member states stand up their supervisory machinery. Several analysts cautioned that the relief might be temporary and that significant uncertainty remained, particularly around overlaps with sectoral law and the conditions attached to the standards-linked start dates. How the final adopted text is implemented, and whether the delays translate into stronger compliance or weaker oversight, will shape the next phase of AI regulation in Europe. [9][12][14]