The AI Digital Omnibus – simplifying the path to EU AI compliance
Co-author(s)
Date
The AI Digital Omnibus seeks to simplify the AI Act and address some of the implementation challenges, while maintaining the core safeguards aimed at protecting fundamental rights.
What is the Revision of the AI Act?
On 19 November 2025, the European Commission proposed the Digital Omnibus Package. The package, consisting of two separate regulations (Regulations (EU) 2025/0360 and 2025/0359), aims to simplify and refine the EU’s digital regulatory framework, cut compliance costs for companies (particularly for start-ups) and facilitate competition and innovation across the EU.
The AI Digital Omnibus proposes targeted amendments to the AI Act, the world’s first comprehensive horizontal legal framework for artificial intelligence. Since the AI Act entered into force, stakeholders, including SMEs, start-ups and industry groups, have identified areas where the obligations are disproportionately complex relative to the risk presented; where overlaps with sector-specific legislation create duplicative compliance burdens; and where technical provisions require refinement.
In addition, delays in the designation of national competent authorities and the lack of harmonised technical standards, guidelines and support tools have also presented challenges for in-scope entities. As such, the AI Digital Omnibus seeks to simplify the AI Act and address some of the implementation challenges, while maintaining the core safeguards aimed at protecting fundamental rights.
Who is affected by the AI Digital Omnibus?
The targeted amendments proposed in the AI Digital Omnibus will be relevant to entities and individuals in scope of the AI Act, namely those that provide, place on the market, put into service, deploy, develop, import, distribute or use AI systems and general-purpose AI (“GPAI”) models in the EU, regardless of whether they are located within or outside the EU. As such, a broad range of businesses will be caught by the amended rules, including technology companies, financial services firms, healthcare, insurance and HR technology providers and public authorities.
Importantly, given that the AI Digital Omnibus delays the timeline for implementation of the rules for high-risk AI systems, organisations developing and/or deploying such systems will, in particular, benefit from the amendments. SMCs will also benefit from the extended the regulatory privileges afforded to them under Article 99 of the AI Act.
At a glance: the AI Digital Omnibus amendments to the AI Act
| What it is | Regulation (EU) 2025/0359 (“AI Digital Omnibus”) proposes targeted amendments to Regulation (EU) 2024/1689 (“AI Act”) with the aim of simplifying and streamlining the AI Act and addressing some of its implementation challenges, while retaining the core risk-based architecture of the original instrument. |
| The legal instrument | Regulation (EU) 2025/0359 |
| Common name | “AI Act revision” / “AI Digital Omnibus” |
| Who it targets | Any and all entities and individuals caught within the scope of the AI Act, including: providers, deployers, importers and distributors of AI systems and general-purpose AI (“GPAI”) models (regardless of whether they are located within or outside the EU). This includes technology companies, financial services firms, healthcare, insurance and HR technology providers and public authorities. Small mid-cap enterprises (“SMCs”) will benefit the most from the AI Digital Omnibus. |
| Proposal date | 19 November 2025, as part of the Digital Omnibus package |
| Current stage | The AI Digital Omnibus was formally adopted by both the European Parliament and the European Council on 16 June 2026 and 29 June 2026 respectively. It was signed by Minister of State for European Affairs and Defence, Thomas Byrne, TD on behalf of the European Council, during the first plenary session of Ireland’s EU Presidency on 8 July 2026. It is set to be published in the Official Journal of the European Union shortly and will enter into force three days after publication. |
| Key institutional leads | Executive Vice-President Henna Virkkunen (EPP/Finland); Commissioner Michael McGrath (Renew/Ireland) |
| Matheson key contacts | Marie McGinley, Davinia Brennan and Sarah Jayne Hanna |
What does this mean for your business?
As the legislative procedure for the AI Digital Omnibus has concluded, businesses now have some welcome clarity on the nature and scope of the amendments to the AI Act. Despite the delayed implementation of the high-risk AI system rules, it is critical that businesses continue with their AI Act compliance efforts and finalise their AI governance frameworks as soon as possible. This includes mapping all AI systems and GPAI models, assessing whether any AI systems are high-risk (see our article on the European Commission’s guidance on what AI systems qualify as “high-risk” here), determining which operator role you play and your related obligations, preparing technical and compliance documentation and putting in place internal policies, and procedures.
Management boards and directors should also engage with their stakeholders to ensure effective AI governance and compliance (see our article discussing key board issues here).
For more information on your obligations under the AI Act, see our comprehensive AI Guide for Businesses.
Frequently Asked Questions
| Rules | Amendment and Practical Impact |
| Implementation timeline for high-risk AI systems | Postponement of the implementation timeline for rules on high-risk AI systems to:
It is anticipated that further guidelines, technical standards and support tools will be published by relevant authorities (eg, the European Commission), in order to assist businesses with complying with their high-risk AI obligations. |
| Transparency and watermarking obligations | Extension of the implementation timeline for the transparency and watermarking obligations under Article 50(2) AI Act until 2 December 2026. By this time, AI-generated content will have to be labelled in a machine-readable way to increase transparency. All other transparency obligations will continue to apply from 2 August 2026. |
| Prohibition on non-consensual intimate images and child sexual abuse material | AI systems that generate non-consensual intimate images and child sexual abuse material will be prohibited (ie, included in Article 5 AI Act), which will apply to both providers and deployers of such AI systems. Companies will have until 2 December 2026 to bring their systems in compliance. This ban will apply where (i) such generation is the intended purpose of the AI system and (ii) the providers and deployers have not put in place adequate technical safeguards to prevent the generation of such content. |
| Machinery products and sectoral legislation | While stakeholders and the Parliament have advocated to essentially exclude from the application of the AI Act those AI systems that are embedded in products already regulated by EU sectoral laws (eg, medical devices, toys, connected cars, industrial machinery) in order to avoid double-regulation, only machinery regulation (Regulation (EU) 2023/1230) was carved out (ie, it was moved from Annex I Section A to Section B). This means machinery products will only need to comply with requirements of EU sectoral legislation, while being subject to limited obligations under the AI Act to ensure an equivalent level of health and safety. |
| Definition of “safety component” | Under the original text of Article 6(1) AI Act, an AI system is classified as high-risk where it is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the EU harmonisation legislation listed in Annex I and is required to undergo conformity assessment.
The AI Digital Omnibus amends the definition of a “safety component” in Article 3(14) AI Act to clarify that “a component fulfils a safety function where its intended purpose is to prevent or mitigate risks to health and safety of persons or property”. As such, the amendment seeks to exclude from the high-risk category products with AI functions that merely assist users or optimise performance, if their malfunction or failure does not create a health and safety risk. |
| Processing of special categories of personal data for bias detection and correction | Processing by providers and deployers of high-risk and non-high-risk AI systems and models of special categories of personal data (as defined in the GDPR) to detect and correct biases can only be carried out in certain exceptional circumstances and subject to adequate safeguards only where it is strictly necessary. |
| Rules for SMCs | The AI Digital Omnibus extends privileges afforded to SMEs in Article 99 of the AI Act (ie, reduced maximum penalties and additional considerations by regulators when imposing fines) to SMCs in order to support their growth. |
| EU AI Office enforcement | The AI Digital Omnibus clarifies the scope of responsibilities and powers of the EU AI Office. In particular, the AI Digital Omnibus grants the EU AI Office exclusive competence to supervise certain AI systems integrating GPAI models (such as where the model and system are developed by the same provider), and those AI systems that qualify as, or are embedded into, Very Large Online Platforms (“VLOPs”) and Very Large Search Engines (“VLOPEs”) (as defined under the EU Digital Services Act). Notwithstanding this, the AI Digital Omnibus facilitates exceptions where national authorities will remain competent. |
| AI literacy obligations | The AI Digital Omnibus softens the requirement in the AI Act for providers and deployers to ensure a sufficient level of AI literacy to instead take measures to “support the development of AI literacy”. The revision now also requires the European Commission and EU Member States to support and facilitate the efforts of providers and deployers in this regard and for the Commission to publish practical examples of how to comply with this obligation. |
| EU database registration requirements | While the original AI Digital Omnibus proposal sought to remove the obligation for providers to register certain high-risk AI systems in the EU database where they have concluded that such systems are not high-risk in accordance with Article 6(3) of the AI Act, the final text of the AI Digital Omnibus merely simplified this requirement by removing some of the required content that must be provided under Section B of Annex VIII of the AI Act (namely, providing the status of the AI system and a scanned copy of a certificate issued by a notified body, where applicable). |
- 2 December 2026: Application of transparency and watermarking obligations under Article 50(2) AI Act.
- 2 August 2027: Application of the deadline for the establishment of AI regulatory sandboxes by competent authorities at national level.
- 2 December 2027: Application of rules for standalone high-risk AI systems under Article 6(2) and Annex III of the AI Act (eg, AI systems involving biometrics, critical infrastructure, education, employment, essential services, law enforcement, justice and border management).
- 2 August 2028: Application of rules for high-risk AI systems embedded in products under Article 6(1) and Annex I of the AI Act (ie, products that are covered by EU sectoral legislation on safety and market surveillance).
- 2 February 2025: Rules on prohibited AI systems, scope, definitions and AI literacy came into force (per Article. 113(a) AI Act).
- 2 August 2025: Rules applicable to GPAI model providers came into force (per Article 113(b)) AI Act).
- 2 August 2026: The AI Act is generally applicable (subject to certain exceptions, and to the extended timeline for high-risk AI systems set out previously).
Key Contacts

Marie is a partner and Head of the Technology and Innovation Group at Matheson.
A recognised leader in the technology sector and in data protection, Marie’s expertise is in technology regulation, including AI, outsourcing, commercial contracts, information law, and data protection.
Marie also brings extensive experience in cyber security, crisis management, intellectual property, and consumer law.

Davinia Brennan is a partner in Matheson’s Technology and Innovation Group. She has over 10 years’ expertise in data protection; privacy; information technology and; e-commerce law.
Davinia advises international and domestic companies on all aspects of compliance with data protection and privacy law, including; handling data subject access requests; data breach incidents; regulatory investigations and; international data transfers. She also advises online businesses on evolving regulatory and consumer protection law obligations.
Davinia presents and publishes widely on a range of technology related legal matters, in particular on data protection, intellectual property and information technology law. She is also a member of the editorial board of the PDP Data Protection Ireland Journal.

Sarah Jayne Hanna is a partner in the Technology and Innovation Group at Matheson.
She advises clients on all technology-related issues, with a particular focus on artificial intelligence, digital services regulation (DMA and DSA), and data access. In addition, she has significant experience advising on data protection and cybersecurity matters, including advising on strategic data protection compliance, employee data protection issues, data subject access requests, and responding to data breaches and cyber incidents.





