AI Act changes: What does the Digital Omnibus propose for the EU AI Act?

The European Commission has outlined a number of proposed amendments to the EU AI Act (the “Act”) to ensure the “timely, smooth and proportionate implementation” of its provisions. These proposals are set out in the much-anticipated Digital Omnibus on AI published on 19 November, which forms part of the Commission’s broader Digital Omnibus simplification package, discussed in our blog here.

Key amendments proposed to the EU AI Act

The key changes in the proposals include:

• Pushing back the compliance deadline for high-risk AI obligations:
  The high-risk obligations are some of the most onerous in the Act and there had been intense lobbying to delay their introduction. The proposals suggest a delay linked to the availability of supporting measures (such as harmonised standards, which would help with compliance): 
   
  • For AI systems that are high risk because they are a type of AI listed in Annex 3 of the Act (e.g. AI used in recruitment and credit scoring), the deadline to comply with the high-risk rules will be delayed from 2 August 2026 until 6 months after the Commission confirms that relevant supporting measures are available. This is subject to a backstop date of 2 December 2027 (irrespective of whether the relevant supporting measures have been made available by then). 
     
  • AI systems that are high risk because they are intended to be used as a product or safety component of a product covered by the product safety laws listed in Annex 1 of the Act (e.g. medical device use) always had an additional year to comply. Those rules, which originally applied from 2 August 2027, will apply 12 months from when the supporting measures are available, subject to a backstop date of 2 August 2028 (again, irrespective of whether the relevant measures have been published). 
     
  • Subject to certain limited exceptions, high-risk AI systems already on the market at the time the obligations above come into force would not be subject to the high-risk obligations unless and until significant changes are made to their design (an exemption already provided for in the original text of the Act, and reconfirmed in the omnibus by updates to reflect the new proposed timelines above). 
     
  • There are also some other tweaks to the high-risk rules. For example, providers of Annex 3 high risk AI Systems who benefit from an exemption from high-risk categorisation due to the systems not posing a significant risk of harm, will no longer need to register their AI system. 
     
• Grace period for certain transparency requirements:
  The Act’s transparency rules were originally due to apply from 2 August 2026. Under the omnibus proposals, providers of AI systems put on the market before that date have an additional grace period of 6 months (i.e. until 2 February 2027) to comply with their obligation to make AI-generated audio, image, video or text content machine readable and detectable as artificially generated or manipulated. This delay does not apply to the other transparency rules. This delay does not go as far as a previously leaked version of the proposals suggested – that leaked draft had indicated that there would also be a freeze on the imposition of penalties for breaches of this ‘watermarking’ transparency obligation until August 2027, regardless of whether or not the system was already on the market by August 2026.  
   
• Removal of AI literacy requirements on providers and deployers:
  The proposals remove the obligation on providers and deployers to take measures to ensure their personnel have sufficient levels of AI literacy. Instead the Commission and Member States have a responsibility to encourage AI literacy. This change seems a little surprising, given the AI literacy rules have been in place since February 2025. The rules had, however, faced criticism for being too vague. 
   
• More authority given to the Commission’s European AI Office: 
  The AI Office will (subject to certain sector-related carve-outs) be responsible for the supervision and enforcement of:
   
  • any AI systems based on a general-purpose AI model where the system and model are developed by the same provider. The Act already envisaged the AI Office would have jurisdiction in this scenario, but the proposals confirm it has exclusive authority (i.e. there is no role for member state level authorities); and 
     
  • AI systems integrated into platforms or search engines designated by the Commission as very large online platforms or search engines under the Digital Services Act (see our previous blog on the DSA here).  This proposal extends the remit of the AI Office - under the original text of the Act, such supervision and enforcement would sit at Member State level (other than where, as mentioned above, the system and the underlying model it is based on were developed by the same platform or search engine provider).
     
• Further simplification measures:
  Other proposed changes are in line with the goals of simplifying digital regulation and boosting EU competitiveness and innovation. For example, they aim to lift the regulatory burden for SMEs (reducing the technical documentation they must provide), simplify the Act’s conformity assessments and post marketing monitoring requirements and boost the use of regulatory sandboxes. 

The Commission proposals also touch on how personal data can be processed, for example by widening the exemption allowing the processing of special category data for bias detection and mitigation.

Next Steps:
These proposals will now enter a consultation phase and will require approval from the European Parliament and Council. As noted in our general blog on the Digital Omnibus package, the proposals are likely to face a challenging and highly scrutinised legislative process. The changes the Digital Omnibus package proposed to data protection law have proved particularly controversial, which could cause delays to the progress of the EU AI Act proposals too, as it is not yet clear whether the EU AI Act changes will be progressed separately to the rest of the Digital Omnibus (although they may be, given they are set out in a separate proposal and, unless they are adopted by 2 August 2026, the high risk obligations will come into effect then). Reports this week have suggested that EU parliamentary committees have challenged the allocation of responsibilities for the passage of the EU AI Act amendments, and that several committee won’t appoint rapporteurs until late January, meaning progress will not be made this month.

Whilst the changes will be welcomed by many as a simplification of a very complex regime, the proposals (and timing of the related legislative process) do serve to further amplify the uncertainty for many businesses as they seek to assess what the Act requires of them, and on what timeframe. The reality is likely to be that organisations who are impacted by the Act will have to start, or indeed continue, making decisions (sometimes with wide-reaching consequences) on a sensible and defensible basis, without perfect clarity as to the nature, scope and timing of the Act’s obligations.