Skip to content

The AI Digital Omnibus – simplifying the path to EU AI compliance

The AI Digital Omnibus seeks to simplify the AI Act and address some of the implementation challenges, while maintaining the core safeguards aimed at protecting fundamental rights.

What is the Revision of the AI Act?

On 19 November 2025, the European Commission proposed the Digital Omnibus Package. The package, consisting of two separate regulations (Regulations (EU) 2025/0360 and 2025/0359), aims to simplify and refine the EU’s digital regulatory framework, cut compliance costs for companies (particularly for start-ups) and facilitate competition and innovation across the EU.

The AI Digital Omnibus proposes targeted amendments to the AI Act, the world’s first comprehensive horizontal legal framework for artificial intelligence. Since the AI Act entered into force, stakeholders, including SMEs, start-ups and industry groups, have identified areas where the obligations are disproportionately complex relative to the risk presented; where overlaps with sector-specific legislation create duplicative compliance burdens; and where technical provisions require refinement.

In addition, delays in the designation of national competent authorities and the lack of harmonised technical standards, guidelines and support tools have also presented challenges for in-scope entities. As such, the AI Digital Omnibus seeks to simplify the AI Act and address some of the implementation challenges, while maintaining the core safeguards aimed at protecting fundamental rights.

Who is affected by the AI Digital Omnibus?

The targeted amendments proposed in the AI Digital Omnibus will be relevant to entities and individuals in scope of the AI Act, namely those that provide, place on the market, put into service, deploy, develop, import, distribute or use AI systems and general-purpose AI (“GPAI”) models in the EU, regardless of whether they are located within or outside the EU. As such, a broad range of businesses will be caught by the amended rules, including technology companies, financial services firms, healthcare, insurance and HR technology providers and public authorities.

Importantly, given that the AI Digital Omnibus delays the timeline for implementation of the rules for high-risk AI systems, organisations developing and/or deploying such systems will, in particular, benefit from the amendments. SMCs will also benefit from the extended the regulatory privileges afforded to them under Article 99 of the AI Act.

At a glance: the AI Digital Omnibus amendments to the AI Act

What it isRegulation (EU) 2025/0359 (“AI Digital Omnibus”) proposes targeted amendments to Regulation (EU) 2024/1689 (“AI Act”) with the aim of simplifying and streamlining the AI Act and addressing some of its implementation challenges, while retaining the core risk-based architecture of the original instrument.
The legal instrumentRegulation (EU) 2025/0359
Common name“AI Act revision” / “AI Digital Omnibus”
Who it targetsAny and all entities and individuals caught within the scope of the AI Act, including: providers, deployers, importers and distributors of AI systems and general-purpose AI (“GPAI”) models (regardless of whether they are located within or outside the EU). This includes technology companies, financial services firms, healthcare, insurance and HR technology providers and public authorities. Small mid-cap enterprises (“SMCs”) will benefit the most from the AI Digital Omnibus.
Proposal date19 November 2025, as part of the Digital Omnibus package
Current stageThe AI Digital Omnibus was formally adopted by both the European Parliament and the European Council on 16 June 2026 and 29 June 2026 respectively. It was signed by Minister of State for European Affairs and Defence, Thomas Byrne, TD on behalf of the European Council, during the first plenary session of Ireland’s EU Presidency on 8 July 2026. It is set to be published in the Official Journal of the European Union shortly and will enter into force three days after publication.
Key institutional leadsExecutive Vice-President Henna Virkkunen (EPP/Finland); Commissioner Michael McGrath (Renew/Ireland)
Matheson key contacts Marie McGinley, Davinia Brennan and Sarah Jayne Hanna

What does this mean for your business?

As the legislative procedure for the AI Digital Omnibus has concluded, businesses now have some welcome clarity on the nature and scope of the amendments to the AI Act. Despite the delayed implementation of the high-risk AI system rules, it is critical that businesses continue with their AI Act compliance efforts and finalise their AI governance frameworks as soon as possible. This includes mapping all AI systems and GPAI models, assessing whether any AI systems are high-risk (see our article on the European Commission’s guidance on what AI systems qualify as “high-risk” here), determining which operator role you play and your related obligations, preparing technical and compliance documentation and putting in place internal policies, and procedures.

Management boards and directors should also engage with their stakeholders to ensure effective AI governance and compliance (see our article discussing key board issues here).

For more information on your obligations under the AI Act, see our comprehensive AI Guide for Businesses.

Frequently Asked Questions

Rules Amendment and Practical Impact
Implementation timeline for high-risk AI systemsPostponement of the implementation timeline for rules on high-risk AI systems to:

  • 2 December 2027 for standalone high-risk AI systems under Article 6(2) and Annex III AI Act; and
  • 2 August 2028 for AI systems embedded as safety components and covered by EU sectoral legislation under Article 6(1) and Annex I AI Act.

It is anticipated that further guidelines, technical standards and support tools will be published by relevant authorities (eg, the European Commission), in order to assist businesses with complying with their high-risk AI obligations.

Transparency and watermarking obligationsExtension of the implementation timeline for the transparency and watermarking obligations under Article 50(2) AI Act until 2 December 2026. By this time, AI-generated content will have to be labelled in a machine-readable way to increase transparency. All other transparency obligations will continue to apply from 2 August 2026.
Prohibition on non-consensual intimate images and child sexual abuse materialAI systems that generate non-consensual intimate images and child sexual abuse material will be prohibited (ie, included in Article 5 AI Act), which will apply to both providers and deployers of such AI systems. Companies will have until 2 December 2026 to bring their systems in compliance. This ban will apply where (i) such generation is the intended purpose of the AI system and (ii) the providers and deployers have not put in place adequate technical safeguards to prevent the generation of such content.
Machinery products and sectoral legislationWhile stakeholders and the Parliament have advocated to essentially exclude from the application of the AI Act those AI systems that are embedded in products already regulated by EU sectoral laws (eg, medical devices, toys, connected cars, industrial machinery) in order to avoid double-regulation, only machinery regulation (Regulation (EU) 2023/1230) was carved out (ie, it was moved from Annex I Section A to Section B). This means machinery products will only need to comply with requirements of EU sectoral legislation, while being subject to limited obligations under the AI Act to ensure an equivalent level of health and safety.
Definition of “safety component”Under the original text of Article 6(1) AI Act, an AI system is classified as high-risk where it is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the EU harmonisation legislation listed in Annex I and is required to undergo conformity assessment.

The AI Digital Omnibus amends the definition of a “safety component” in Article 3(14) AI Act to clarify that “a component fulfils a safety function where its intended purpose is to prevent or mitigate risks to health and safety of persons or property”. As such, the amendment seeks to exclude from the high-risk category products with AI functions that merely assist users or optimise performance, if their malfunction or failure does not create a health and safety risk.

Processing of special categories of personal data for bias detection and correctionProcessing by providers and deployers of high-risk and non-high-risk AI systems and models of special categories of personal data (as defined in the GDPR) to detect and correct biases can only be carried out in certain exceptional circumstances and subject to adequate safeguards only where it is strictly necessary.
Rules for SMCs The AI Digital Omnibus extends privileges afforded to SMEs in Article 99 of the AI Act (ie, reduced maximum penalties and additional considerations by regulators when imposing fines) to SMCs in order to support their growth.
 EU AI Office enforcementThe AI Digital Omnibus clarifies the scope of responsibilities and powers of the EU AI Office. In particular, the AI Digital Omnibus grants the EU AI Office exclusive competence to supervise certain AI systems integrating GPAI models (such as where the model and system are developed by the same provider), and those AI systems  that qualify as, or are embedded into, Very Large Online Platforms (“VLOPs”) and Very Large Search Engines (“VLOPEs”) (as defined under the EU Digital Services Act). Notwithstanding this, the AI Digital Omnibus facilitates exceptions where national authorities will remain competent.
AI literacy obligationsThe AI Digital Omnibus softens the requirement in the AI Act for providers and deployers to ensure a sufficient level of AI literacy to instead take measures to “support the development of AI literacy”. The revision now also requires the European Commission and EU Member States to support and facilitate the efforts of providers and deployers in this regard and for the Commission to publish practical examples of how to comply with this obligation.
EU database registration requirementsWhile the original AI Digital Omnibus proposal sought to remove the obligation for providers to register certain high-risk AI systems in the EU database where they have concluded that such systems are not high-risk in accordance with Article 6(3) of the AI Act, the final text of the AI Digital Omnibus merely simplified this requirement by removing some of the required content that must be provided under Section B of Annex VIII of the AI Act (namely, providing the status of the AI system and a scanned copy of a certificate issued by a notified body, where applicable).
  • 2 December 2026: Application of transparency and watermarking obligations under Article 50(2) AI Act.
  • 2 August 2027: Application of the deadline for the establishment of AI regulatory sandboxes by competent authorities at national level.
  • 2 December 2027: Application of rules for standalone high-risk AI systems under Article 6(2) and Annex III of the AI Act (eg, AI systems involving biometrics, critical infrastructure, education, employment, essential services, law enforcement, justice and border management).
  • 2 August 2028: Application of rules for high-risk AI systems embedded in products under Article 6(1) and Annex I of the AI Act (ie, products that are covered by EU sectoral legislation on safety and market surveillance).
  • 2 February 2025: Rules on prohibited AI systems, scope, definitions and AI literacy came into force (per Article. 113(a) AI Act).
  • 2 August 2025: Rules applicable to GPAI model providers came into force (per Article 113(b)) AI Act).
  • 2 August 2026: The AI Act is generally applicable (subject to certain exceptions, and to the extended timeline for high-risk AI systems set out previously).

Key Contacts

Marie  McGinley

Marie

McGinley

Partner

Davinia Brennan

Davinia

Brennan

Partner

Sarah Jayne Hanna

Sarah Jayne

Hanna

Partner

Thought Leadership

EU Legislative Insights

© 2026 Matheson LLP | All Rights Reserved