Digital omnibus on AI agreement: an overview

The (provisional) political agreement between the Council and the European Parliament introduces targeted amendments to the AI Act as part of the EU’s broader simplification agenda. While maintaining the overall architecture of the AI Act, the co-legislators have focused on reducing the administrative burden and improving coherence in the application of the rules across EU Member States.

Key elements of the agreement include:

  • Adjusted timelines for high-risk AI obligations: the application of the provisions on high-risk AI systems is deferred, with new dates set at 2 December 2027 (stand-alone systems) and 2 August 2028 (embedded systems), replacing the original timeline which would make certain obligations applicable already in August 2026;
  • Targeted relief measures: certain simplifications originally proposed by the Commission are retained, including reduced compliance requirements in specific cases and the extension of certain exemptions to small mid-cap companies (SMCs);
  • Governance and supervision: stronger coordination is introduced through enhanced powers of the EU AI Office, coupled with a clarification of the division of competences between the EU and national authorities, in particular for general-purpose AI systems;
  • Data and compliance adjustments: the agreement reinstates stricter safeguards, including the “strict necessity” standard, for processing special categories of personal data in bias detection and correction, as well as the obligations to register AI systems in the EU database even where providers consider them exempt from high-risk classification;
  • New substantive prohibitions and safeguards: the text introduces additional prohibited practices, notably relating to non-consensual sexual content and child sexual abuse material generated by AI;
  • Limitation of overlap with sector-specific product liability laws: a mechanism is introduced to address overlaps between the AI Act and sector-specific legislation (e.g., medical devices, machinery), allowing the AI Act’s requirements to be limited in cases where equivalent rules already apply under applicable product safety laws.

In addition, the agreement includes targeted procedural adjustments. In particular, the deadline for Member States to establish national AI regulatory sandboxes is postponed to 2 August 2027, providing authorities with additional time to set up these frameworks. At the same time, the timeline for implementing transparency measures for AI-generated content is shortened, reducing the grace period from six months to three months, with a new compliance deadline set at 2 December 2026.

What this means for businesses

For businesses developing, deploying or integrating AI systems in the EU, the agreement reflects a combination of practical relief and continued regulatory expectations.

The extension of compliance timelines for high-risk AI systems provides additional time for preparation. This is particularly relevant for organisations that are still assessing whether their systems qualify as high-risk and for those relying on standards and guidance that are not yet in place. The targeted reduction of administrative requirements and the extension of certain exemptions to small mid-cap companies may also ease the compliance burden for mid-sized organisations.

At the same time, the agreement confirms that simplification has clear limits. Certain obligations are reinforced rather than relaxed. The requirement to register AI systems in the EU database, including in cases where providers consider them exempt from high-risk classification, underlines the continued emphasis on transparency and oversight. Similarly, the reaffirmation of the strict necessity standard for processing sensitive personal data highlights the central role of data protection considerations in AI governance.

From a supervisory perspective, the strengthened role of the AI Office, combined with a clearer allocation of competences between EU and national authorities, may contribute to consistent enforcement. This nevertheless still requires companies to monitor developments at both levels, in particular where sector-specific rules apply, such as in financial services or healthcare.

The introduction of new prohibited practices and the tightening of timelines for transparency measures for AI-generated content indicate an increased focus on addressing harmful use cases. This may require organisations to reassess their risk classifications and internal controls.

Next steps: formal adoption by EU institutions still required

Formal adoption of the agreement by the EU institutions is still required. An agreement between the EU co-legislators had been expected in late April 2026 but was delayed over outstanding disagreements regarding Annex I (list of products covered by harmonised EU safety legislation). As the Digital Omnibus on AI seeks to, inter alia, amend the date of application of certain obligations under the AI Act (initially intended to enter into force in August 2026), there is however pressure to finalise the formal adoption of the text as soon as possible.

The agreed compromise text must therefore still be ratified by the European Parliament and the EU Council of Ministers, which is expected to take place over the coming weeks. The amending Regulation should enter into force on the third day following its publication in the Official Journal of the European Union.

Looking ahead: simplification, cybersecurity and regulatory coherence

  • Work on the broader simplification of the digital legislative framework continues in parallel. The European Parliament and EU Member States are currently examining the Commission’s Digital Omnibus proposal and are only expected to reach their respective negotiating positions after the summer break. Given the complexity of the proposal (amending 8 pieces of EU digital legislation), negotiations on the final text are likely to extend well into 2027. A first look into the direction of travel from the EU co-legislators is expected with the publication of the European Parliament’s draft report later this summer, as well as an expected discussion of EU ministers at the Telecommunications Council in June.
  • Legislative adoption of the revised Cybersecurity Act (‘Cybersecurity Act 2’) is likewise expected in 2027, but the exact timing will ultimately depend on the outcome of the interinstitutional negotiations. While the Regulation will be directly applicable, several substantive obligations are expected to be subject to transitional periods or delayed application (e.g., in ICT supply chain security). Close attention to the legislative process will therefore remain important to anticipate timelines and assess preparatory needs.
  • Finally, the Commission is also pursuing the second stage of its digital simplification efforts and undertaking a comprehensive evaluation of the digital legislative framework, the so-called Digital Fitness Check. The evaluation will look at the overall coherence of the framework and its cumulative impact (including associated costs) on citizens, businesses and public authorities. Initial stakeholder feedback points to persistent overlaps, inconsistent definitions and duplicative compliance requirements. Many business players call for more proportionality and ‘once-only’ compliance principles. At the same time, civil society organizations emphasise that simplification efforts should prioritize effective enforcement with clear guidance and improved coordination and warn that further reforms could weaken fundamental rights protections. Looking ahead, the Commission’s evaluation is expected to be published in the first half of 2027, and it could lead to further streamlining measures. Monitoring the evaluation process and the emerging policy signals will be crucial for anticipating potential future adjustments to the EU's Digital Rulebook. How these different strands are ultimately aligned will be critical in determining whether simplification translates into greater legal clarity in practice.

For businesses operating across the EU, staying closely aligned with these developments will be key to managing risk, maintaining compliance and identifying opportunities as the regulatory landscape continues to evolve.

This article is the third in our Digital Omnibus Proposal series. Keep an eye out for our next update, where we will take a closer look at the strand focusing on the clarification and consolidation of EU data rules.  

Contact us

If you would like to discuss how these developments may affect your organisation, please reach out to one of our colleagues below.