Digital Omnibus on AI: Changes to the application of the AI Act

Digital Omnibus on AI: Changes to the application of the AI Act

July 1, 2026
4 minutes

KEY FACTS

2 December 2026: Entry into force of the ban on AI generating CSAM and non-consensual sexual deepfakes; deadline for bringing systems into compliance with the watermarking requirement

2 December 2027: Full application of the AI Act requirements for stand-alone high-risk systems (Annex III)

2 August 2027: Deadline for the launch of national AI regulatory sandboxes

2 August 2028: Full application of the AI Act requirements for systems embedded in products (Annex I)

New prohibitions: AI generating CSAM and non-consensual sexual deepfakes – prohibited from 2 December 2026

New possibilities: Processing of sensitive data for bias detection extended beyond high-risk systems; SME exemptions now cover small mid-cap companies

On 29 June 2026, the Council of the EU adopted the Digital Omnibus Regulation on AI, introducing targeted amendments to the AI Act. The package includes the postponement of key compliance deadlines, new prohibitions and clarifications to a number of definitions. Below, we outline the changes relevant to entities developing, deploying or procuring AI systems.

New deadlines for the application of requirements for high-risk systems

The original date of entry into force of the requirements for high-risk systems, 2 August 2026, is replaced by two new dates, depending on how the system is classified:

  • 2 December 2027 – stand-alone systems classified under Annex III of the AI Act, including systems used in biometrics, recruitment, education, lending, law enforcement and the administration of justice.
  • 2 August 2028 – systems embedded in products covered by EU harmonisation legislation (Annex I), e.g. medical devices, machinery and toys.

The postponement of the deadlines is mainly due to delays in standardisation work and the insufficient readiness of national supervisory authorities.

New prohibitions on AI generating illegal sexual content

From 2 December 2026, it will be prohibited to make available or use AI systems that:

  • generate child sexual abuse material (CSAM);
  • without the consent of the person depicted, create or manipulate images, audio or video depicting that person’s intimate body parts or their activities of an unambiguously sexual nature (so-called non-consensual sexual deepfakes).

The ban applies both to providers of AI systems, who may not place them on the market without appropriate technical safeguards, and to entities that use these systems for prohibited purposes. The provisions apply from 2 December 2026.

Obligation to label synthetic content in a machine-readable format

Providers of AI systems that generate synthetic content (audio, video, images or text), whose systems were placed on the market before 2 August 2026, have until 2 December 2026 to comply with the obligation to apply machine-readable watermarks to such content. This also applies to GPAI models. The transition period has been reduced from 6 to 3 months.

Clarification of the definition of a ‘safety component’

The AI Act applies to AI systems performing a ‘safety function’, i.e. those intended to prevent risks to the health or safety of persons or property. The amendment clarifies that systems used solely to assist the user, optimise performance or automate processes are not classified as safety components, provided that their failure does not pose a health or physical risk. In practice, this amendment narrows the scope of AI systems classified as safety components, which directly affects the risk assessment of systems embedded in industrial and consumer products.

Processing of special categories of data to detect and correct bias

Until now, the processing of sensitive personal data (e.g. data relating to ethnic origin or health) for the purpose of detecting and correcting algorithmic bias was permitted only for providers of high-risk systems. The Digital Omnibus extends this possibility to providers and deployers of AI systems outside the high-risk category, provided that the processing is strictly necessary and subject to appropriate safeguards (Article 10(5) of the AI Act).

Extension of SME relief to small mid-cap companies and other systemic changes

The preferential rules for the application of the AI Act, previously reserved for SMEs, will be extended to so-called small mid-cap companies (SMCs) – entities that have exceeded the SME thresholds but still operate on a scale comparable to smaller entities. At the same time, enforcement mechanisms for selected GPAI models by the European AI Office will be strengthened, whilst sectors such as machinery will be able to avoid duplication of compliance requirements where sector-specific legislation provides an equivalent level of protection.

National AI regulatory sandboxes

Member States have until 2 August 2027 to launch national AI regulatory sandboxes. These are controlled environments in which companies can test innovative AI systems under the supervision of the competent authority, with the possibility of a temporary exemption from selected requirements.

If you are implementing, procuring or developing AI systems and wish to assess what obligations under the AI Act apply to your organisation, we are here to help. Please contact us: Aneta Kiser, Marcin Kroll, Rafał Wieczerzak.

We don’t just
advise – we commit.

We think like stakeholders.
We’re by your side to drive results.