The AI Omnibus: What Changed in the EU AI Act and What It Means for Your AI Strategy

The EU AI Act entered the books in 2024 as the first comprehensive law on artificial intelligence. It was always going to need adjustment as the market and the standards behind it matured. The AI Omnibus is that adjustment.

On 19 November 2025 the European Commission published the Digital Omnibus, a wider simplification package covering data, cybersecurity, and AI rules. The AI-specific track within it, commonly called the AI Omnibus or Digital Omnibus on AI, proposes targeted amendments to the AI Act rather than a rewrite.

On 7 May 2026 the European Parliament and the Council reached a provisional agreement on that track. It is not yet law. The text still needs formal adoption by both institutions and publication in the Official Journal, expected before 2 August 2026, with entry into force three days after publication. Until then, the original AI Act timeline stays the legal baseline.

So the Omnibus is best read as three things at once: a timeline reset for high-risk systems, a simplification pass on documentation and registration, and a short list of new prohibitions. It is not a repeal, and it is not deregulation.

The headline change is the deadline relief for high-risk AI systems. The original AI Act made most high-risk obligations applicable from 2 August 2026. The Omnibus splits that into two later dates:

• Stand-alone high-risk systems (Annex III) move to 2 December 2027. These are use-case driven systems such as AI in recruitment, credit scoring, education, or access to essential services.
• High-risk systems embedded in regulated products (Annex I) move to 2 August 2028. These are AI components in products already covered by EU product-safety law, like medical devices or machinery.

Two related dates also shifted. The transparency and synthetic-content marking obligations in Article 50(2) move from 2 August 2026 to 2 December 2026, with a short grace period for content already on the market. The deadline for member states to establish national regulatory sandboxes moves to 2 August 2027.

One detail matters for planning. The Commission's original November proposal tied the high-risk start date to the availability of harmonised standards and support tools, a conditional trigger with a backstop. The May agreement dropped that conditional approach and settled on fixed dates. That removes ambiguity: you can now plan against 2 December 2027 and 2 August 2028 as firm targets, not moving ones.

It would be a mistake to read the Omnibus as pure relief. The agreement adds two new prohibited practices to Article 5, the article that lists AI uses banned outright in the EU. From 2 December 2026, it is prohibited to use AI systems that generate or manipulate:

• Non-consensual intimate imagery, meaning realistic depictions of an identifiable person's intimate parts without that person's consent.
• Child sexual abuse material, in line with the existing definition under Directive 2011/93/EU.

Providers carry liability where such output is the system's intended purpose or a reasonably foreseeable outcome without significant modification. Deployers are liable for intentional misuse, while accidental generation is excluded. For most enterprises these prohibitions will not touch day-to-day use, but they confirm the direction of travel: the EU is still willing to add hard limits, not only defer them.

The other half of the Omnibus is genuine simplification. The changes target paperwork and overlap rather than the substance of the obligations.

• Registration trimmed. Several data points in the Annex VIII registration database have been deleted, reducing what providers of non-high-risk systems must self-declare while keeping core transparency intact.
• AI literacy softened. The Article 4 wording moves from a duty to ensure a sufficient level of AI literacy to a duty to take measures to support it among staff. The expectation remains, the framing is less absolute.
• SME and small mid-cap relief. Simplified technical documentation and proportionate treatment of penalties now extend to SMEs and small mid-caps, lowering the fixed cost of compliance for smaller players.
• Post-market monitoring flexibility. The monitoring regime gains room for more proportionate, risk-based implementation.
• Bias-detection exception. A new provision permits limited processing of special-category data for detecting and correcting bias, under strict safeguards such as exhausting alternative data and applying state-of-the-art security.
• Centralised supervision. The EU AI Office gains exclusive competence over AI systems built on general-purpose AI models and those integrated into very large online platforms, reducing fragmented national enforcement for the largest providers.

None of this removes the need to govern AI. It lowers the friction of proving that you do.

The risk-based architecture of the AI Act is intact. The Omnibus moves dates and trims forms; it does not redraw the map.

Risk classification still applies. The four-tier model of unacceptable, high, limited, and minimal risk stays. Your obligations still depend on where each system sits, and the high-risk categories in Annex III and Annex I are unchanged in substance.

Earlier obligations already bind you. The prohibited-practice rules have applied since February 2025. The obligations for general-purpose AI models have applied since August 2025. The Omnibus does not roll those back.

The underlying work is unchanged. A high-risk system still needs a risk-management system, data governance, technical documentation, logging, human oversight, and traceability of the data behind it. That work takes months. The new dates change when you must finish, not what you must produce.

For most organisations the right response is to treat the extra time as runway, not as permission to pause. Four moves make the most of it.

1. Inventory and classify every AI system. You cannot apply the right obligations until you know which systems are high-risk, which are limited-risk, and which fall outside scope. Build a living inventory that records purpose, data sources, and risk tier for each system, including the models embedded in tools you buy.

2. Treat documentation as a data problem. The Act's technical documentation, logging, and data-governance requirements all depend on knowing where your data came from and how it flows. End-to-end data lineage and a clear record of sources turn a scramble before the deadline into a standing capability.

3. Align AI compliance with GDPR. The Act and the GDPR overlap wherever AI touches personal data. Tracking personally identifiable information through your systems serves both regimes, and the new bias-detection provision sits squarely on that boundary. Do the mapping once and reuse it.

4. Connect it to the wider regulatory picture. For regulated sectors the AI Act lands alongside DORA and the NIS2 Directive. The evidence base they each demand, accurate records of systems, data, and controls, is largely shared. A single governed source of truth pays for itself across all of them.

For a deeper look at the original deadlines and obligations, see our earlier guide on EU AI Act compliance deadlines, and for the broader picture, our guide to governing AI safely across classification, GDPR, copyright, and internal policy.

Every obligation the AI Act keeps comes back to the same question: can you show, with evidence, what your AI uses and where that data came from? That is a metadata and governance problem, and it is the problem Dawiso is built to solve.

The Data Catalog gives you the living inventory of data assets and the systems that consume them. Interactive Data Lineage traces data end to end, so technical documentation and impact analysis stop being manual archaeology. The AI governance solution ties classification, ownership, and policy to the assets themselves rather than to a spreadsheet that drifts out of date.

For teams putting AI to work, the Context Layer and Model Context Protocol (MCP) support give agents the governed business context they need to reason about your data, with the access controls and traceability that compliance expects. The result is the same record serving both your AI strategy and your AI Act evidence.

The Omnibus bought you time. The organisations that use it to build a governed, AI-ready foundation will meet the 2027 and 2028 deadlines without a fire drill, and they will have a better data platform to show for it.