On 29 June 2026, the Council of the European Union gave its final green light to the Digital Omnibus on AI, a package of amendments that eases and delays parts of the EU AI Act, completing a legislative procedure that began when the European Commission published its proposal on 19 November 2025. It amends the EU AI Act, together with the EU’s civil aviation rules and machinery regulation. According to the European Parliament’s Legislative Observatory, the final act was signed on 8 July 2026, and the Digital Omnibus is now awaiting publication in the Official Journal of the European Union, a necessary step before it can enter into force, ahead of the original 2 August 2026 deadline for several high-risk AI obligations.
Much of the public attention on the Digital Omnibus has focused on the delay to high-risk AI rules and the new ban on AI-generated intimate imagery. The full legal text of the amending regulation also reorganises, in detail, responsibility for supervising AI systems that operate within very large online platforms regulated under the Digital Services Act, and amends several other elements of the way the AI Act is enforced, points that have drawn less attention so far.
The Council describes this regulation as part of a wider legislative package known as Omnibus VII, one of several ‘omnibus’ simplification efforts the Commission has proposed across different policy areas. It was also listed in the Parliament and the Council in their Joint Declaration on EU legislative priorities for 2026, signalling the priority both institutions attached to its rapid finalisation.
Why the Commission proposed the amendments

According to the recitals of the Digital Omnibus on AI, the amendments respond to problems identified once parts of the AI Act began to apply in August 2024. The recitals point to delays in the preparation of harmonised technical standards needed by providers of high-risk AI systems in order to demonstrate compliance, as well as delays by several member states in setting up the national authorities and conformity assessment bodies responsible for checking that compliance. Taken together, the recitals state that these delays created a heavier compliance burden than originally expected.
The Commission’s proposal also links the amendments to a broader competitiveness rationale, describing them as part of a wider effort by EU leaders to reduce administrative burdens on business, following the recommendations of the Draghi and Letta reports on European competitiveness. Industry associations also lobbied for the amendments throughout 2025.
The trade group DIGITALEUROPE told policymakers that compliance with the AI Act could cost companies in the region of EUR 3.3 billion a year across the EU, and that a company of around 50 employees developing an AI-based product could face initial compliance costs of between EUR 320,000 and EUR 600,000.
How the Digital Omnibus was negotiated

The AI-specific amendments were separated from the wider Digital Omnibus package, which also proposes amendments to the GDPR, the ePrivacy Directive, the Data Act, and the NIS2 Directive on cybersecurity, due to the approaching deadline for high-risk AI obligations. According to the Legislative Observatory’s procedure record, Parliament’s Internal Market Committee voted on the proposed regulation on 18 March 2026, and the Parliament adopted its first-reading position on 26 March 2026.
The Parliament and the Council negotiators reached a political agreement on the Digital Omnibus early on 7 May 2026. The Council’s Permanent Representatives Committee confirmed the agreement in a letter dated 13 May 2026. The Parliament formally adopted the Digital Omnibus on 16 June 2026, the Council gave its final approval on 29 June 2026, and the final act was signed on 8 July 2026.
The regulation’s preamble records that the European Central Bank was consulted and issued a formal opinion, published in the Official Journal in April 2026, as required under EU legislation for measures affecting payments and financial infrastructure. The European Economic and Social Committee delivered its opinion on 18 March 2026, and the Committee of the Regions gave its opinion on 7 May 2026. National parliaments, including those of Czechia, Italy, the Netherlands, Portugal, Romania, Germany, Poland and France, also submitted subsidiarity contributions during the process. The Parliament’s public transparency register separately records meetings on this regulation between the two co-rapporteurs and organisations, including Google, the AI start-up Mistral AI, the digital rights group EDRi, the privacy group noyb, and the standards and conformity body TIC Council, reflecting the range of interests, from large technology firms to civil society, that engaged with the negotiations.
New deadlines for high-risk AI obligations
Under the amended Article 113 of the AI Act, the obligations for high-risk AI systems set out in Sections 1 to 3 of Chapter III will now apply from 2 December 2027 for systems classified as high-risk under Article 6(2) and Annex III, which covers areas such as biometrics, critical infrastructure, education, employment, law enforcement, migration and border management. For systems classified as high-risk under Article 6(1) and Annex I, meaning AI systems embedded in products already covered by other EU safety legislation, such as machinery or medical devices, the new deadline is 2 August 2028. Both deadlines were originally set for 2 August 2026.
A separate provision clarifies how the AI Act’s grace period for so-called legacy systems, set out in Article 111(2), applies. Once at least one unit of a given type and model of high-risk AI system has been lawfully placed on the market before the relevant cut-off date, further units of the same type and model can continue to be placed on the market or put into service without additional certification, as long as the system’s design does not change significantly. Any significant redesign after the cut-off date triggers full compliance with the AI Act, including conformity assessment.
To help providers meet the new deadlines, the Digital Omnibus requires the Commission to request that European standardisation bodies develop technical standards aligned with existing product-safety standards, reducing duplication for companies that have to comply with both the AI Act and sectoral legislation. The Commission must also publish guidance on post-market monitoring plans by 2 September 2027, as well as guidance to help providers of Annex I high-risk systems apply the AI Act alongside sectoral rules by 1 August 2027. Watermarking obligations for AI-generated content, which allow such content to be detected and traced, benefit from a separate four-month transitional period for systems already on the market before 2 August 2026.
Changes to AI literacy and the use of sensitive data for bias correction

A further amendment loosens the AI Act’s AI literacy obligation. Instead of requiring providers and deployers to ensure a sufficient level of AI literacy among their staff, the amended Article 4 requires them to take measures supporting the development of that literacy among staff and other people involved in the operation of their AI systems. The European Artificial Intelligence Board is tasked with adopting recommendations that set common objectives to guide how the Commission and member states support this obligation.
A new Article 4a allows providers and deployers of AI systems to process special categories of personal data, such as data revealing ethnicity or health status, for the specific purpose of detecting and correcting bias, subject to a list of privacy safeguards, including data minimisation, restrictions on transferring the data to third parties, and deletion once the bias has been corrected. The final text requires this processing to be strictly necessary, a stricter standard than the version originally proposed by the Commission. This followed a joint opinion issued by the European Data Protection Board and the European Data Protection Supervisor in January 2026, which recommended reinstating the stricter standard.
AI Office gains exclusive powers over general-purpose AI and large platforms

Article 75 of the AI Act, which governs the market surveillance of AI systems, has been substantially rewritten. Under the new provisions, the Commission’s AI Office becomes exclusively responsible for supervising two categories of AI systems. The first category comprises AI systems built on general-purpose AI models, where the same provider, or providers belonging to the same undertaking, developed both the underlying model and the AI system built on it. This exclusive competence carries several exceptions. It does not apply to AI systems related to products already covered by EU product-safety legislation, AI systems used as critical infrastructure, systems provided by law enforcement authorities, border management authorities or financial institutions in specific circumstances, or certain systems used in the administration of justice, all of which remain under national supervision.
The second category covers AI systems that constitute, or are integrated into, a very large online platform or a very large online search engine designated under the Digital Services Act (DSA), the EU’s rulebook for online platforms. The recitals state that empowering the Commission, through the AI Office, to act as a market surveillance authority for these systems is intended to ensure that enforcement of the AI Act and the DSA is carried out consistently, given the scale and potential societal impact of very large platforms and search engines.
For AI systems that are embedded in, or form part of, a designated very large platform or search engine, the Digital Omnibus specifies that the DSA’s own risk assessment, mitigation, and audit obligations, laid down in Articles 34, 35, and 37 of that regulation, serve as the first point of entry for assessing the AI system. This is without prejudice to the AI Office’s separate power to investigate and enforce breaches of the AI Act after the fact. The Commission services that enforce the DSA and the AI Office are required to coordinate, exchange views regularly, and take account of any fines already imposed on the same company for the same conduct, so that the combined penalties remain proportionate and do not amount to double punishment for the same infringement.
Outside this narrower platform-related category, national market surveillance authorities retain a role. Where a national authority has well-founded reasons to suspect that a provider or deployer of an AI system under the AI Office’s exclusive competence has breached the AI Act, it may ask the AI Office, through a designated national contact point, to investigate. The AI Office must tell that authority within four months whether it intends to act, and keep it informed of major developments and the eventual outcome.
The recitals acknowledge that taking on this expanded role will require the AI Office to be adequately staffed and resourced. Whether the Commission allocates sufficient capacity for the AI Office to supervise both general-purpose AI models and large platforms is an operational question that will only become clear as implementation proceeds, rather than one resolved by the legislation itself.
New ban on AI-generated intimate imagery and child sexual abuse material

The Digital Omnibus amends Article 5 of the AI Act, which lists AI practices that are prohibited outright. It adds a prohibition against placing on the market, putting into service, or using AI systems that generate or manipulate realistic images, video or audio of an identifiable person’s intimate parts, or of that person engaged in sexually explicit activity, without that person’s free, specific, informed and unambiguous consent. It adds a parallel prohibition covering AI systems that generate or manipulate child sexual abuse material, subject to a narrow exception for activities that are lawful under national law, such as material generated by law enforcement authorities for the purposes of criminal investigation.
For providers, the prohibition applies in two situations: where generating or manipulating such material is the system’s intended purpose, or where that outcome is a reasonably foreseeable and reproducible result of the system’s design and the provider has not put in place reasonable and adequate safeguards, such as content filtering or abuse-detection mechanisms, to prevent it. For deployers, the prohibition applies only where the AI system is actually used for that purpose, meaning the ordinary use of a lawful system for unrelated purposes is not covered, nor is accidental generation of such content.
The prohibited material is defined narrowly. It covers realistic depictions, meaning a person’s face, voice or body shown in a credible, real-life manner, and specifically named intimate parts or depictions of sexually explicit activity. Cartoonish or physically impossible depictions fall outside the prohibition, as does content generated with the depicted person’s consent, non-realistic artistic nude work that does not depict an identifiable person, and legitimate medical applications such as anatomical simulations. Simple enhancements to existing images, such as adjusting brightness or adding a caption, are not treated as prohibited manipulation unless they increase the level of nudity or explicitness shown. Companies have to ensure that their systems comply with these rules by 2 December 2026.
Other simplification measures
The Digital Omnibus extends several compliance simplifications that previously applied only to small and medium-sized enterprises to a new category of small mid-cap enterprises, companies that have outgrown the SME definition but remain much smaller than large corporations. It also gives all SMEs, including start-ups, the option to comply with parts of the AI Act’s quality management system requirements in a simplified way, an option previously limited to microenterprises.
The deadline for each member state to have at least one operational national AI regulatory sandbox, a controlled environment in which providers can test AI systems under regulatory supervision, has been extended to 2 August 2027. The same provisions allow the AI Office itself to set up an EU-level sandbox for AI systems that fall under its exclusive competence, with priority access for SMEs, start-ups and small mid-cap enterprises, operating alongside, and not instead of, national sandboxes.
A further change moves the EU machinery regulation from one section of the AI Act’s product-safety annex to another, shifting AI-enabled machinery towards a more sector-specific approach. Under the new arrangement, the Commission must adopt delegated acts by 2 August 2028 incorporating the AI Act’s health and safety requirements directly into the machinery regulation, rather than requiring manufacturers to apply both frameworks in parallel.
Data protection authorities raise fundamental rights concerns

Before the political agreement was reached, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the Commission’s initial proposal. The two authorities said they supported the general aim of addressing implementation issues, but raised concerns that several measures could weaken human rights protections built into the AI Act. They warned that extending the legacy systems exception would allow more high-risk AI systems to reach the market without being subject to the Act’s safeguards and urged the co-legislators to keep any delay to transparency obligations as short as possible.
The two authorities also opposed the Commission’s original plan to remove the registration obligation for providers who conclude that their Annex III systems are not high-risk, arguing that this would weaken accountability and make it harder for market surveillance authorities to respond quickly to problem systems. That registration obligation was retained, in a streamlined form, in the Digital Omnibus as finally approved in June. As set out above, the authorities’ recommendation to apply a strict necessity standard to the processing of sensitive data for bias correction was also reflected in the final version of the Digital Omnibus.
Not all of the authorities’ recommendations were taken on board in the same way. Their broader concern, that postponing obligations for high-risk AI systems may leave fundamental rights protections unenforced for longer in a fast-moving technological area, remains a live point of disagreement between the co-legislators and civil society groups, as discussed further below.
Reactions: competitiveness framing meets rights concerns

Council and Parliament negotiators presented the changes as a way to make the AI Act more workable without altering its underlying risk-based structure. Co-rapporteur Arba Kokalari said the agreement showed that politics can move just as quickly as technology, linking the simplification to the Commission’s broader competitiveness agenda. Co-rapporteur Michael McNamara said the deal combined simplification measures with new safeguards against nudification apps and AI-generated child sexual abuse material.
Civil society organisations took a more critical view of the overall direction of the package. The digital rights group Liberties argued that the final agreement weakens several safeguards contained in the original AI Act, and described the postponement of high-risk obligations as a delay to fundamental rights protections that were due to take effect in August 2026.
Industry associations generally welcomed the changes. DIGITALEUROPE, which had been among the most vocal critics of the AI Act’s original compliance costs and timeline, broadly supported the direction of the simplification package, while continuing to call for further alignment between the AI Act and other overlapping EU digital rules.
What happens next
The Digital Omnibus on AI will enter into force once it is published in the Official Journal of the European Union. Until then, the AI Act’s original provisions and timeline remain legally in force, including the prohibitions on unacceptable AI practices and the obligations applicable to general-purpose AI models that have applied since August 2025.
A separate Commission exercise, the Digital Fitness Check, is expected to examine the DSA and the wider digital rulebook directly, with a report on its findings due in the first quarter of 2027 according to legal commentary on the process. That exercise, rather than the AI Omnibus itself, is where the more direct question of simplifying the DSA is likely to be decided and where the institutional link now established between the AI Office and DSA-regulated platforms may be revisited.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
