Dear Reader,
On Wednesday the European Parliament voted 569 to 45 to adopt its negotiating position on amending the AI Act. Nine months after the regulation entered into force. Every outlet led with the same headline: the deadline for high-risk AI compliance has been pushed back by sixteen months.
That headline is premature. The Parliament voted to open trilogue negotiations, not to enact law. The Omnibus is a proposal. The original deadlines remain legally binding until the final text is published in the Official Journal. What Parliament and Council have done is agree on what they want to negotiate — not on what will happen.
🎬 If you prefer video: I recorded a broader introduction to the AI Act amendment before the EP vote. The core advice holds — and the vote made it stronger. Watch on YouTube →
The speed tells you something#
The Digital Omnibus went from Commission proposal (November 2025) to both co-legislators adopting negotiating positions in four months. For context: the GDPR took four years. The AI Act itself took three. By EU standards, this is extraordinarily fast.
The trigger was not technical. The Draghi Report (September 2024) called for “radical simplification” of EU regulation, flagging a 20% increase in data management costs for European operators. Von der Leyen responded by instructing commissioners to cut administrative burden by 25% — 35% for SMEs. Since January 2025, the Commission has launched six omnibus packages across sustainability, investment, digital, agriculture, defence, and chemicals. More than half of the Commission’s 2026 legislative output is packaged as simplification.
The AI Omnibus is one part of a broader Digital Omnibus that also touches GDPR, ePrivacy, NIS2, DORA, and the Critical Entities Resilience Directive. It repeals four regulations outright. The AI Act is not being amended in isolation. It is being amended as part of a political programme to make European regulation less expensive for industry.
That framing matters for what follows.
What both co-legislators propose to change#
The deadline. Annex III high-risk systems (biometrics, employment, credit scoring, education, law enforcement, migration) would move from 2 August 2026 to 2 December 2027. Annex I systems (AI in regulated products) would move to 2 August 2028. Both Parliament and Council rejected the Commission’s original mechanism — a conditional trigger tied to standards readiness — and proposed fixed dates instead.
The scope for regulated products. Parliament proposes deleting Section A of Annex I, moving Medical Devices Regulation, Machinery Regulation, and IVD Regulation into Section B. AI embedded in regulated products would be assessed primarily under sectoral legislation, not the AI Act. For software-only deployers — banks, insurers, HR departments — this would change nothing.
A new prohibition. Article 5(1)(h) would ban AI systems that generate non-consensual intimate imagery. Triggered by the Grok incident: 4.4 million images in nine days, including 1.8 million sexualised images of women and 23,000 of children. Proposed penalty: €35M or 7% of global turnover. Both co-legislators adopted this — it is the most likely element to survive trilogue unchanged.
SME protections. Both positions extend simplified compliance to “small mid-cap enterprises” — softening the cliff-edge at 250 employees.
What the Commission wanted but did not get#
The Commission proposed removing the obligation to register AI systems in the EU database when providers self-assess as non-high-risk. Both co-legislators said no.
The Commission proposed loosening the data processing threshold for bias detection from “strictly necessary” to “necessary” and extending it to all AI systems. Both co-legislators reinstated “strictly necessary” and limited extension to exceptional cases.
The Commission proposed removing the AI literacy obligation on providers and deployers entirely, shifting responsibility to Commission and Member States through non-binding measures. Parliament pushed back, reinstating a mandatory obligation — though at a lower standard than the original Act (“support the improvement of” rather than “ensure”). The Council stayed closer to the Commission’s lighter approach. This is now the sharpest trilogue divergence: who is accountable for workforce AI readiness — operators or governments?
The pattern: the EDPB and EDPS published Joint Opinion 1/2026 in January, explicitly critical of the loosening. Both co-legislators followed. The Omnibus that emerges from trilogue will be more conservative than the Commission intended.
What did not change#
Article 26 deployer obligations — all thirteen of them — identical. Annex III high-risk domains — all eight — identical. Article 5 prohibited practices — expanded, not reduced. Penalty structure — unchanged. Registration obligation — stays.
If your AI system scores credit applications, filters CVs, manages energy infrastructure, or supports law enforcement decisions, nothing about your requirements would change under the Omnibus. You would have more time. You would not have fewer obligations.
The infrastructure gap#
“Europe regulates faster than it can implement.” That observation, from cyberprawo.org, is the most useful sentence written about this vote.
Zero harmonised standards have been published. CEN/CENELEC missed their 2025 delivery deadline. The earliest realistic availability is Q4 2026. Without standards, companies cannot demonstrate conformity through the presumption-of-conformity route — even those that want to comply have no recognised path to do so.
Only eight of twenty-seven member states have designated their AI Act competent authorities. The deadline was August 2025. Nineteen are seven months late.
Poland specifically: the implementation law (project UC71) is still in draft. The proposed supervisory body is KRiBSI — a new authority, not UODO. UODO publicly criticised being relegated to an advisory role. The body does not exist yet. No Polish-language Annex III classification guidance has been published. The extension buys time, but time without infrastructure is a longer runway to the same wall.
One more detail. The Omnibus is not yet law. Trilogue has not started. If the three institutions do not reach agreement and publish the final text in the Official Journal before 2 August 2026, the original deadlines apply immediately. OneTrust called pausing compliance a “costly gamble.” Hogan Lovells advised continued preparation. The formula from AiActo is the most honest: “Prepare as if August 2026 is real, plan as if December 2027 is the likely enforcement date.”
The second wave nobody is watching#
The Digital Fitness Check — phase two of the simplification programme — closed its public consultation on 11 March. It covers GDPR, AI Act, Data Act, NIS2, DSA, DMA, and consumer protection law. More than 100 laws, 270 regulators. The Commission report is expected Q1 2027, with legislative proposals following in 2027-2028.
Bird & Bird has already labelled the Omnibus “AI Act 2.0.” The AI Act was in force for barely a year before substantial amendments were proposed. This is not a one-off correction. Ongoing amendment is becoming normalised.
Questions for leadership#
1. Has your legal team updated the AI Act classification analysis — and did they check whether obligations changed too? If the memo from legal only mentions the new date, it is incomplete. The risk is not missing the deadline. It is mistaking a timeline shift for a requirements reduction.
2. Which of your AI systems fall under Annex III? The Omnibus does not change the category list. If you cannot answer this question today, the deadline is irrelevant. You are not late on compliance. You have not started.
3. Is anyone in your organisation treating the Omnibus as a reason to slow down? Deloitte reports that only 18% of European companies feel highly prepared for AI governance. The EP and Council both rejected the Commission’s attempts to simplify. The political signal is the opposite of relaxation. The organisations that use the extension to build will be ready. The ones that use it to wait will face the same scramble in December 2027 that they were about to face in August 2026.
Sources:
- European Commission proposal: COM(2025)0836 — EUR-Lex
- European Parliament adopted text: TA-10-2026-0098
- Council negotiating mandate: ST-7322-2026-INIT (13 March 2026)
- EDPB/EDPS Joint Opinion 1/2026 (20 January 2026)
- cyberprawo.org: “Digital Omnibus — AI Act dostaje pierwszy lifting” (26 March 2026)
- Deloitte AI governance readiness survey (2026)
- CEN/CENELEC JTC 21 standards tracker: ai-act-standards.com
Stay balanced,
Krzysztof Goworek