The AI Omnibus: what is settled and what is still in play

High-risk AI systems: compliance deadlines are set to move back

This is one of the most significant changes in the package. The AI Act imposes detailed requirements on high-risk AI systems, such as those used in recruitment, credit scoring, law enforcement, healthcare, product safety, or critical infrastructure. These extensive requirements cover areas including data quality and management, technical documentation, human oversight, and accuracy and robustness, amongst others.

Under the current timetable, they are due to take effect on 2 August 2026 for most high-risk AI systems (Annex III), and 2 August 2027 for high-risk AI systems embedded in products already covered by other EU safety legislation (Annex I). These deadlines are now almost certain to be extended, and there is broad consensus on the new dates (see Figure 2).

Short grace period for marking and labelling AI-generated content

The AI Act sets out transparency rules to ensure people know when they are interacting with AI or viewing AI-generated or manipulated content. The simpler requirements, such as informing users that they are interacting with AI, remain on track, and will be applicable from August 2026.

What the AI Omnibus proposes is to adjust the deadline for a more significant and technically challenging obligation. This involves marking AI-generated content in a machine-readable format so that it can be more easily detected. This could involve, for example, embedding digital watermarks or metadata that automated systems can read, rather than just attaching a visible label.

The delay will only apply to AI systems already on the market before 2 August 2026. Any new generative AI product launched on or after that date will need to comply from day one, a distinction that has direct implications for product release planning.

The final deadline for existing systems has not been settled, but negotiations currently point to a date between November 2026 and February 2027.

A new ban on AI-generated intimate imagery without consent

There is now strong support to introduce a new outright ban on AI systems that create or manipulate sexually explicit images of real, identifiable people without their consent. This covers so-called “nudification” tools and other forms of deepfake intimate imagery. The ban is also set to cover AI-generated Child Sexual Abuse Material (CSAM).

The issue has gained particular political urgency following widely reported incidents in which mainstream AI tools were exploited to generate non-consensual imagery. In response, the Commission launched a formal investigation into a Very Large Online Platform (VLOP) under the Digital Services Act (DSA).

This new prohibition would sit in the AI Act’s most serious category of banned AI practices, carrying the highest available penalties: fines of up to €35 million or 7% of global annual turnover. An exception is expected for AI systems with effective technical safeguards that prevent misuse. The details of what these safeguards entail has not been fully defined yet. Early indications suggest it will not be sufficient to have safety measures in place at launch. Instead, safeguards must reliably prevent misuse and remain effective on an ongoing basis.

The timeline for the new prohibition to take effect has not been fully settled, but some proposals suggest a February 2027 deadline.

The AI Office: a bigger remit, boundaries still being drawn

The Commission’s AI Office already serves as the EU level supervisor for providers of GPAI models under the AI Act. For AI systems, however, supervision remains largely the responsibility of national regulators in each EU member state. The AI Omnibus proposes to change this, expanding the AI Office’s role to take on supervision of certain AI systems at EU level.

Two categories of AI system would come under the AI Office’s direct oversight, under current proposals:

1. AI systems that qualify as, or are embedded within, designated VLOPs and Very Large Online Search Engines (VLOSEs) under the DSA. For instance, AI systems when used to drive content recommendations on a social media platform or AI overviews in search results.
2. AI systems built on GPAI models from the same organisation or group. For example, a company might offer a GPAI model and sell a distinct AI system built on it to banks, retailers, or other businesses. Currently, the AI Office would supervise the GPAI model, while national regulators in buyers' countries would supervise the AI system. Under the AI Omnibus proposal, supervision of both the GPAI model and system would fall to the AI Office.

There is support for these proposals, in principle. The key outstanding question is where to draw the boundaries of the AI Office’s remit and how its powers will interact with those of national authorities.

Member states’ governments have also proposed that certain sensitive sectors be carved out from EU level supervision. For example, AI systems used by financial institutions, law enforcement agencies, and border management authorities, amongst others, could remain under the oversight of their existing national regulators.

There is also an ongoing discussion about the extent to which national regulators should retain a role in supervising AI systems within VLOPs and VLOSEs alongside the AI Office.

Registration of lower-risk AI systems in high-risk areas: obligation likely to be simplified, not removed

Under the AI Act, AI systems used in areas such as recruitment, credit scoring, or access to other essential services are designated as high-risk. However, not all AI systems in these areas will necessarily qualify. Organisations can assess their AI systems and conclude that they fall below this threshold. This would be the case, for example, if the system performs only a narrow procedural task, such as document sorting, and does not directly shape individual decisions. AI systems below the threshold do not need to meet the full high-risk requirements. They do, however, still require registration in a public EU database.

The Commission wanted to eliminate the registration obligation altogether, arguing it imposes an unnecessary burden for organisations. However, negotiations currently indicate the registration requirement will remain, albeit in a simplified form.

What is not being eased is the assessment itself. Organisations operating in high-risk areas will still need to determine whether their AI systems meet the threshold, and to document that reasoning thoroughly.

General AI literacy obligation: likely to be softened, but not for high-risk systems.

The AI Act currently places a general obligation on all providers and deployers of AI systems to ensure a sufficient level of AI literacy in their organisations (Article 4). This obligation has been in effect since February 2025. However, the requirement is broadly phrased, and many stakeholders have argued that it is too imprecise to be meaningfully implemented or enforced.

The Omnibus is likely to at least soften the general AI literacy requirement. Currently, discussions range from replacing organisations’ duty to “ensure” AI literacy with a lighter obligation to “support the improvement of” it, to removing the obligation altogether. The Commission could also be tasked with issuing practical guidance and governments could be taking on a larger role in promoting AI skills across the economy.

However, it is important to distinguish this general AI literacy obligation from the separate, more specific requirements that apply to high-risk AI systems. The AI Act’s high-risk framework includes detailed obligations around human oversight, and staff competence and training for individuals involved in operating or overseeing high-risk AI systems. These requirements are not affected by the Omnibus and will apply in full once the high-risk deadlines take effect.