Omnibus Agreement: How the EU AI Act changes

On May 7, and after one failed attempt, EU legislators struck an agreement on the AI Omnibus, in order to amend and simplify the EU AI Act. 

With the Omnibus in place, companies will have until the end of 2027 to comply with high-risk AI rules, while providers of AI-powered machinery will be explicitly exempted from certain obligations under this regime. At the same time, the Omnibus introduces a new prohibition on AI that facilitate sexually explicit content.

The formal approval process will now begin, with a view to publishing the final amendments by August. 

Background

As part of its broader push to simplify the EU’s digital rulebook, the European Commission published two proposals under the “Digital Omnibus” umbrella in November 2025: one focusing on data and cyber legislation, and a second targeting the AI Act – as well as targeted simplification amendments to the NIS2 Directive in January 2026.

Read more: The EU Digital Omnibuses, AI and the Amish and EU to revamp cyber legislation.

The Commission’s draft AI Omnibus proposed, among other things, to push back compliance deadlines for high-risk AI systems:

• from August 2026 to December 2027 for standalone systems (such as HR and creditworthiness tools); and 

• from August 2027 to August 2028 for AI systems embedded in physical products, including radio equipment and medical devices.

Following the publication of their respective amendments to the proposal, the European Parliament and the Council of the EU, which represent EU governments, entered so-called “trilogue” negotiations with the Commission, ultimately reaching agreement on the final text of the AI Omnibus. 

What is in the trilogue agreement 

Negotiations between the Parliament and Council progressed relatively swiftly. Failure to reach an agreement would have resulted in the AI Act’s high-risk regime entering into application in August of this year, without key technical standards and guidelines to facilitate companies. 

High-risk AI: more time for compliance, with caveats

The agreement maintains the revised compliance timeline for high-risk systems: providers and deployers will now have until December 2027 and August 2028 to make their systems ready for the AI Act. Compared to the initial draft, the Commission will not have any power to amend these deadlines.

However, where providers make a self-assessment that their systems are not high-risk classification they must still register on a central EU database. The Commission’s original Omnibus proposals suggested removing this obligation, but it was reintroduced during negotiations.  

The Parliament and Council also fine-tuned a new provision allowing processing of special categories of personal data for the purposes of bias detection in AI systems. Under the agreed text, such processing would be permitted only where “strictly necessary”. 

New carve-out for industrial AI

A big chunk of the negotiations focused on whether to make the regime lighter for AI embedded into industrial products, in order to capitalize on Europe’s strengths in downstream AI applications.

As a result of the Omnibus, AI-powered machinery equipment governed by the EU Machinery Regulation will not be subject to AI Act-specific high-risk requirements and instead must only comply with obligations arising from its respective sectorial legislation.

Medical devices and toys were also considered for exemption, but were ultimately left out from the compromise between negotiators.  

The issue of how exactly these sector-specific laws and the AI Act interact has been postponed. The Commission will be given responsibility to address the complex questions this coexistence raises through secondary legislation and guidelines. 

Negotiators also settled on a new definition of AI “safety component” – which is used to identify high-risk products under the AI Act; the wording excludes AI components that simply help users, optimize performance, automate, or manage quality in a physical product. 

GenAI and content labelling

The original proposal did not foresee any material changes to obligations for General-Purpose AI systems and models like LLMs – which remain bound by model evaluation, adversarial testing and copyright requirements. 

However, the Omnibus will provide additional time to comply with content watermarking obligations, extending the deadline from August to December 2026. The Commission is also drafting a new Code of Practice specifying how synthetic content should be labelled – which is expected to be completed by June. 

Prohibition for AI “nudifiers” 

EU legislators added a new prohibition to the AI Act at the trilogue stage of the Omnibus: AI systems that allow the generation of sexually explicit deepfakes and child sexual abuse materials will be banned under Article 5 of the Act. 

The Parliament and Council agreed on the need for such a prohibition in response to recent public outrage against so‑called “nudifiers”. 

In addition to the banning of dedicated AI systems tailored to the generation of such content, and with current LLM-based systems’ capabilities measured in terms of multi-modal output generation, it is likely this prohibition will be operationalised through guardrails against specific user prompts. 

Conclusions and next steps

The original Omnibus proposals only made modest simplifications to the AI Act and, as predicted, those proposals were watered down in “trilogue” negotiations. That said, the delay to the rules for high-risks systems is a welcome addition, as are the changes for AI-powered machinery equipment.

The trilogue agreement must now be formally approved by both the Parliament and Council, before publication in the Official Journal of the EU. This is expected to take place between June and July, allowing time for review by lawyer-linguists. 

On this timeline, the AI Omnibus could enter into force in August, delaying the application of the AI Act’s obligations on high-risk systems.