EU AI Act: key amendments adopted under the Digital Omnibus package

Extended deadlines for high-risk AI systems

Most provisions of the AI Act were intended to apply as from 2 August 2026.

One of the central elements of the amendment that was now adopted, is a postponement of obligations for high-risk AI systems. The revised timelines are intended to ensure that the necessary technical standards and support infrastructure are in place before enforcement begins.

• Stand-alone high-risk AI systems will now need to comply from 2 December 2027.
• AI systems embedded as safety components, covered by EU sectoral legislation on safety and market surveillance, will need to comply from 2 August 2028.
• Watermarking obligations for AI-generated content have been delayed until 2 December 2026. From that date, AI-generated content must be labelled in a machine-readable format to increase transparency.

Notably, these extensions do not alter the substance of the AI Act's risk-based framework. They are designed to give companies, particularly smaller ones, more time to prepare.

Ban on nudifier applications and AI-generated CSAM

The amendments furthermore also introduce a (new) outright prohibition on AI systems that generate child sexual abuse material (CSAM) or create images, videos, and audio depicting an identifiable person's intimate parts or sexually explicit activities without their consent.

Providers will be prohibited from placing such systems on the EU market unless they incorporate adequate technical safeguards to prevent the creation of this material. The ban also extends to deployers who use AI systems for these purposes.

Companies have until 2 December 2026 to bring their systems into compliance.

Reducing regulatory overlap

The amendments also address a recurring concern from industry: overlapping compliance obligations across different pieces of EU legislation. Key changes include:

• Machinery products with AI components will no longer face duplicative requirements under both the AI Act and sectoral safety legislation. The amendment clarifies that these products need only comply with the applicable sectoral safety rules, while maintaining an equivalent level of health and safety protection.
• The definition of "safety component" has been refined. AI features that merely assist users or optimise performance will not automatically be classified as high-risk, provided their failure or malfunction does not pose health or safety risks.
• Processing of personal data is now permitted where strictly necessary to detect and correct biases in both high-risk and non-high-risk AI systems, subject to appropriate safeguards.
• SME exemptions have been extended to small mid-cap enterprises (SMCs), broadening the pool of companies that benefit from lighter regulatory requirements.
• Enforcement of certain general-purpose AI systems has been streamlined and centralised within the EU's AI Office.

What companies should do now

With several of the amended deadlines falling later this year and in 2027/2028, companies deploying or developing AI systems in the EU should:

• Review their AI systems against the updated risk classifications.
• Map compliance timelines and prioritise action items based on the established risk classification.
• Assess content labelling readiness ahead of the 2 December 2026 watermarking deadline.
• Evaluate whether SME exemptions now apply to their organisation.
• Ensure that any AI-generated content tools comply with the new prohibitions on non-consensual intimate imagery and CSAM.