AI Act: 10 Practical Impacts of the Digital Omnibus on AI for Your Compliance Efforts

The Digital Omnibus on AI does not overhaul the AI Act, but seeks to facilitate its implementation by adjusting several key parameters, including the timeline for high-risk systems, alignment with sector-specific frameworks, data processing provisions aimed at reducing bias, and support measures for SMEs.

Presented as a simplification measure in response to the operational difficulties encountered during implementation (delays in the adoption of standards, incomplete compliance tools, and authorities still in the process of being designated), it was the subject of a political agreement in May 2026 and was approved by the European Parliament and the Council in June 2026, subject to its publication in the Official Journal of the European Union.

For organisations, the challenge is therefore not to put compliance on hold, but to adjust their roadmap by distinguishing between what has been postponed and what remains applicable in the short term.

Date Deadline 
2 August 2026 • Transparency obligations under Article 50 of the AI Act (except for the obligations set out in Article 50(2))
2 December 2026 • Obligations relating to the labelling of AI-generated content (Article 50(2))

• Prohibition of AI systems generating non-consensual sexual or intimate content and AI systems generating child sexual abuse material (CSAM)
2 December 2027 • Obligations applicable to standalone high-risk AI systems (Annex III)
2 August 2028 • Obligations applicable to high-risk AI systems integrated into regulated products (Annex I)

Key Changes to Keep in Mind

1. Postponement of the timeline applicable to high-risk AI systems

The proposed postponement concerns the two categories of high-risk AI systems:

  1. For standalone AI systems falling within the scope of Annex III of the AI Act, the application timeline is postponed to 2 December 2027. This category notably covers systems used in sensitive areas such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, as well as the administration of justice and democratic processes.
  1. For AI systems integrated into products subject to European sectoral legislation listed in Annex I, the deadline is postponed to 2 August 2028. This postponement concerns AI systems integrated into regulated products such as toys, radio equipment, pressure equipment, medical devices, in vitro diagnostic medical devices, lifts and personal protective equipment.
Compliance implications

In practice, these postponements do not constitute a suspension of compliance obligations. Rather, they provide additional time to structure and advance the main compliance workstreams.

2. AI literacy obligation (Article 4)

AI literacy remains an obligation, but it is increasingly framed as an obligation of means rather than an obligation of results. Providers and deployers of AI systems remain required to promote a sufficient level of AI literacy among their staff and other persons involved in the operation and use of AI systems.

Compliance implications

This requirement remains highly significant from an operational perspective. It requires organisations to identify the individuals concerned, tailor awareness-raising and training measures to their profile and to the context in which AI systems are used, and retain evidence of implementation.
As such, this requirement constitutes a cross-cutting pillar of AI governance. It applies beyond high-risk AI systems alone and remains relevant throughout the entire lifecycle of AI systems.

3. Obligations for systems benefiting from the filtering mechanism (exemption from high-risk classification)

For systems falling under Article 6(3) of the AI Act that benefit from the filtering mechanism, the obligation to register in the European database is maintained. However, the required documentation is simplified, provided that it can be demonstrated that these systems are exempt from being classified as “high-risk”.

Compliance implications

In practice, organisations will need to be able to justify why an AI system’s risk classification falls outside the high-risk category, including the relevant Annex III use case, the grounds for applying the filtering mechanism, and the justification for the absence of profiling. This development reinforces the importance of internal traceability, qualification, and justification mechanisms, going beyond a purely declarative approach.

4. Simplified requirements for SMEs and small mid-cap companies

The text maintains the simplifications already provided for SMEs and extends them to small mid-cap companies (SMCs), notably through simplified technical documentation, streamlined forms accepted by notified bodies, and proportionate reductions in administrative penalties in certain cases.

Compliance implications

This development reflects a principle of proportionality: ensuring that AI compliance does not become a competitive disadvantage for organisations that do not have the same resources as large enterprises. However, the simplification of requirements does not exempt these organisations from establishing appropriate governance arrangements, nor from demonstrating a structured compliance approach that is proportionate to their resources and risk profile.

5. Bias mitigation and the use of sensitive data

The new Article 4a introduces the possibility of using certain sensitive data for the detection and mitigation of bias, including beyond the sole scope of high-risk systems, provided that such use is strictly necessary. However, several mandatory safeguards must be implemented, including pseudonymisation, access restrictions, data deletion, and documentation of processing activities.

Compliance implications

In practice, this provision does not create a general authorisation to process sensitive data. Rather, it introduces a strictly regulated possibility, which requires organisations to justify the purposes pursued, control access to the data, limit retention periods, and rely on an appropriate legal basis for the processing. Companies will therefore need to integrate bias prevention and mitigation into their data governance framework, rather than treating it as a standalone issue.

6. AI Office, regulatory sandboxes and real-world testing

The role of the AI Office is strengthened with regard to the supervision of general-purpose AI models, particularly where the operator is both the provider of the model and the provider of the AI system, while maintaining the involvement of national authorities for certain sensitive sectors, including justice, law enforcement, finance and border management.

At the same time, the deadline for establishing national regulatory sandboxes is postponed to 2 August 2027, and certain real-world testing provisions are extended to AI systems covered by sector-specific legislation.

Compliance implications

The objective is to make testing and pre-compliance mechanisms more operational, thereby supporting innovation within a more controlled and structured framework.

7. Transparency of AI-generated content (Article 50(2))

The obligations set out in Article 50(2), relating to the labelling and identification of artificially generated content, will apply from 2 December 2026 for systems placed on the market before 2 August 2026.

Compliance implications

For organisations that create, integrate or distribute synthetic content, this remains a priority area, particularly in the context of the postponement of certain obligations applicable to high-risk AI systems.

8. Prohibition of AI systems that generate non-consensual sexual content and child pornography

The prohibition of AI systems that generate non-consensual sexual or intimate content (“nudification’ applications”) and AI systems that generate child sexual abuse material (CSAM) takes effect on December 2, 2026.

Compliance implications

This development is intended to address a gap in the initial framework by expressly bringing certain AI-related practices within the scope of the prohibitions set out under Article 5 of the AI Act.

9. Stronger alignment between the AI Act and existing sector-specific frameworks

For AI systems integrated into products already subject to European sector-specific legislation, the objective is to limit overlapping obligations between the AI Act and the applicable sector-specific regimes.

This approach is particularly evident for AI systems integrated into machinery, which would move towards a more sector-specific approach under Annex I, Section B. In practice, the AI-related requirements would be integrated directly into Regulation (EU) 2023/1230 on machinery, notably through delegated acts expected before 2 August 2027.

Compliance implications

In practice, this development seeks to avoid excessive overlap between compliance regimes while maintaining a level of oversight that is appropriate to the specific risks associated with the products concerned.

10. Safety component: a qualification focused on the risk prevention function

The concept of a safety component is refocused on AI systems performing a safety function, namely those intended to prevent or mitigate risks to health, safety, or property.

Compliance implications
This clarification is important from an operational perspective: an AI system used for assistance, optimisation, automation or quality control purposes should not automatically be classified as a safety component solely because it is integrated into a product or process.
The classification should therefore be based on a concrete assessment of the function performed by the system, its contribution to risk prevention and mitigation, and its role in ensuring the safety of the product or the relevant use case.

Conclusion 

The Digital Omnibus should not be interpreted as a signal to pause compliance efforts, but rather as an invitation to reprioritise the compliance roadmap.

Organisations should now distinguish the timelines and applicable obligations based on their mapping of AI use cases.

This phase should also provide an opportunity to secure qualification decisions: identifying systems already subject to transparency obligations, determining which use cases may fall under the high-risk regime, documenting classification and non-classification decisions, structuring controls relating to data, bias and human oversight, and retaining the evidence required in the event of an inspection.

The real challenge is therefore not whether compliance can wait, but how to prioritise actions between 2026, 2027 and 2028 in order to turn this regulatory clarification into an operational advantage: mapping, classifying, documenting, training and governing before the most significant deadlines become applicable.

👉 At Naaia, we are convinced that effective AI compliance is not only about understanding regulatory requirements, but also about the ability to operationalise governance, evidence management, and accountability over time.

To help organisations turn the changes introduced by the Digital Omnibus into a concrete action plan, the Naaia platform supports the implementation of clear, traceable, and actionable AI governance frameworks.