The AI Omnibus: what it means for AI strategies

High-risk AI systems: compliance deadlines are set to move back

This is one of the most significant changes in the package. The AI Act imposes detailed requirements on high-risk AI systems, such as those used in recruitment, credit scoring, law enforcement, education, or other essential private and public services. These extensive requirements cover areas including data quality and management, technical documentation, human oversight, and accuracy and robustness, among others.

Under the current timetable, they are due to take effect on 2 August 2026 for standalone high-risk AI systems (in Annex III of AI Act). This deadline has now been pushed back to 2 December 2027.

Short grace period for marking and labelling AI-generated content

The AI Act sets out transparency rules to ensure people know when they are interacting with AI or viewing AI-generated or manipulated content. The simpler requirements, such as informing users that they are interacting with AI, remain unchanged and will apply from August 2026.

However, the AI Omnibus adjusts the deadline for a more significant and technically challenging obligation. This involves marking AI-generated content in a machine-readable format so that it can be more easily detected.

This could involve, for example, embedding digital watermarks or metadata that automated systems can read, rather than just attaching a visible label.
The agreed deal will give AI systems already on the market before 2 August 2026 an extra four months to comply, setting a new deadline of 2 December 2026. However, any new generative AI (Gen AI) product launched on or after 2 August 2026 will need to comply from day one, a distinction that has direct implications for product release planning.

A new ban on AI-generated intimate imagery without consent

The AI Omnibus introduces a new outright ban on AI systems that create or manipulate sexually explicit images, videos, audio or similar material of real, identifiable people without their consent. This covers so-called “nudification” tools and other forms of deepfake intimate imagery. The ban also covers AI-generated Child Sexual Abuse Material (CSAM)².

This prohibition falls within the AI Act’s most serious category of banned practices and carries the highest available penalties: fines of up to €35 million or 7% of global annual turnover.

Providers should be aware that this ban will apply if their AI system is intended to generate this type of content, or where such misuse is foreseeable and reasonable technical measures and other safeguards are not in place to prevent and address it. Deployers will be subject to the ban only where they intentionally use a system to generate such content.

The Omnibus also lists examples of what would count as robust technical measures and safeguards. These include data cleaning, training the model to refuse harmful prompts, safer prompt and output design, runtime guardrails, content classification and filtering, usage restrictions, abuse detection, and effective notice and action mechanisms. It will not be enough to have safety measures in place at launch. Safeguards must remain aligned with evolving industry best practices and standards, effective over time, and capable of addressing foreseeable attempts to bypass them.

However, the ban applies only to realistic depictions of identifiable people. It excludes cartoon-like or impossible images, non-realistic artistic works, consent-based try-on apps, and legitimate medical uses. Edits that do not make an image more revealing, such as captions, background changes or brightness adjustments, are also excluded.

The new prohibition will take effect from 2 December 2026.

The AI Office: a bigger remit

The Commission’s AI Office already acts as the supervisor of GPAI model providers under the AI Act. Supervision of AI systems, however, remains largely the responsibility of national regulators in each EU member state. The AI Omnibus changes this, giving the AI Office direct oversight of two categories of AI systems at EU level:

1. AI systems that qualify as, or are embedded within, designated VLOPs and Very Large Online Search Engines (VLOSEs) under the DSA. For instance, this could include AI systems used to drive content recommendations on a social media platform or AI overviews in search results.
2. AI systems built on a GPAI model developed in-house, whether deployed by the same organisation or by another company within the same group.³  For example, a company may develop a GPAI model and build a Gen AI assistant on top of it, using it internally for customer service, but also selling it to other businesses. Where the company uses the assistant internally, it is both a provider and a deployer, so supervision of both the GPAI model and the assistant will fall to the AI Office. Where the same assistant is sold to an external customer, such as a bank, online retailer or airline, deployment within that customer’s organisation remains supervised by the relevant national regulators.

Where it has supervisory competence, the Omnibus gives the AI Office a full enforcement toolkit. This includes the power to open investigations, conduct on-site inspections, accept binding commitments from organisations, and impose penalties for non-compliance. However, for AI systems within VLOPs and VLOSEs, the main route for assessment remains the risk and audit framework already in place under the DSA. The AI Office will still be able to investigate and enforce non-compliance with the AI Act on an ex post basis.

Registration of lower-risk AI systems in high-risk areas: obligation simplified, not removed 

Under the AI Act, AI systems used in areas such as recruitment, credit scoring or access to other essential services are classified as high-risk. However, not all AI systems in these areas will necessarily meet that threshold. Organisations can assess their systems and conclude that they fall below it. This may be the case, for example, where a system performs only a narrow procedural task, such as document sorting, and does not directly influence individual decisions. AI systems below the threshold do not need to meet the full high-risk requirements. They do, however, still require registration in the public EU AI system database.

The Commission had proposed eliminating the registration obligation altogether, arguing that it imposed an unnecessary burden on organisations. However, the final agreement maintains the registration requirement, albeit in a simplified and less information-intensive form.

What is not being eased is the assessment itself. Organisations operating in high-risk areas will still need to determine whether their AI systems meet the threshold, document that reasoning thoroughly, and be prepared to share it with regulators on request.

General AI literacy obligation: softened, but not for high-risk systems.

The AI Act currently places a general obligation on all providers and deployers of AI systems to ensure a sufficient level of AI literacy in their organisations (Article 4). This obligation has been in effect since February 2025. However, the requirement is broadly phrased, and many stakeholders have argued that it is too imprecise to be meaningfully implemented or enforced.

The Omnibus amends the general AI literacy requirement. It replaces organisations’ existing duty to “ensure” AI literacy with a lighter obligation to “take measures to support the development of” AI literacy. Importantly, the Omnibus clarifies that organisations are not required to guarantee any specific level of AI literacy for any individual. The Commission and member states are also required to support organisations in fulfilling this obligation, including by publishing practical guidance.

However, it is important to distinguish this general AI literacy obligation from the separate, more specific requirements that apply to high-risk AI systems. The AI Act’s high-risk framework includes detailed obligations around human oversight, and staff competence and training for individuals involved in operating or overseeing high-risk AI systems. These requirements are not affected by the Omnibus and will apply in full once the high-risk deadlines take effect.