The AI Omnibus Accord: delay or abandonment? What you need to know and how to prepare

In May 2026, the European Council and European Parliament reached a provisional political agreement on the so-called Digital Omnibus for AI. This series of targeted amendments to the EU AI Act, and to related legislation such as the GDPR, gives the market more breathing room, but simultaneously introduces new, sharp rules. For many organizations, the accord feels like a relief, since the strict deadlines for high-riskriskIn the EU AI Act's terms, the combination of the probability that a harm occurs and the severity of it if it does. The link between a principle (via the harm that would breach it) and a control (the measure that reduces it). Naming the harm and assessing its risk is required by Art. 9 before any mitigation measure is chosen. See harm, control, residual risk.Open full entry → AI systems are shifting significantly. But make no mistake: the bar for responsible AIresponsible AIThe set of principles an AI system should live up to: fairness, safety and reliability, privacy, security and robustness, transparency and explainability, accountability, and human oversight. Widely shared and sitting under the EU AI Act and the major frameworks. On their own the principles are statements of intent; the law turns them into duties that cannot be met unless they are carried inside the organization's governance, which is how responsible AI lands in governance rather than beside it. GovCompass organizes the seven principles into a control framework, the GovCompass-7, one pillar per principle. See principle, pillar, governance.Open full entry → remains as high as ever, and the supervisory authorities are operational.

What does this accord mean exactly for your organization? In this article we analyse the four most important changes and explain why now is the moment to structurally embed AI governance, rather than using the extra time as an excuse to do nothing.

The four most important changes from the AI Omnibus accord

1. extended deadlines for high-risk AI

Originally, the heaviest deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → obligations for high-risk AI systems were due to take effect on 2 August 2026. The Omnibus shifts these deadlines considerably:

• 2 December 2027: The new deadline for stand-alone high-risk AI systems (Annex IIIAnnex IIIThe EU AI Act's list of high-risk use-case areas — biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.Open full entry →), systems for recruitment & selection, biometric identification, credit assessment, education and law enforcement. These are the so-called stand-alone applications that fall directly within the operational processes of deployers.
• 2 August 2028: The deadline for AI systems integrated as safety components in regulated products (Annex I), such as medical devices, aviation technology and industrial machinery. The original date was 2 August 2027.

What has not been delayed: the transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → obligations of Art. 50 (including the obligation to inform end-users that they are communicating with an AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry →) remain in force from 2 August 2026. The same applies to Art. 4 (AI LiteracyAI literacySufficient understanding of AI's workings, capabilities and risks for one's role — an explicit expectation for provider and deployer staff under the EU AI Act.Open full entry →) and Art. 5 (prohibited practicesprohibited practicesAI uses banned outright under the AI Act, such as social scoring, manipulative techniques and untargeted scraping of facial images.Open full entry →), which have been in effect since 2 February 2025. The delay applies exclusively to the heavy compliance obligations for high-risk systems: FRIAFRIAFundamental Rights Impact Assessment — required of public bodies and certain private deployers before using some high-risk AI systems under the EU AI Act.Open full entry →, quality management system, European database registration, and the full incident reporting structure.

2. new, hard prohibitions around generative AI

While deadlines for regular business applications are shifting, Europe is cracking down harder on the darker side of generative AIgenerative AIAI systems that produce new content — text, images, audio, code — rather than only classifying or predicting. Large language models are the prominent example.Open full entry →. The accord introduces additional prohibitions on:

• AI systems that generate sexually explicit synthetic images without the explicit consent of the person depicted (so-called nudifier applications);
• AI systems that create or distribute images or content involving child sexual abuse material (CSAM).

These prohibitions apply upon entry into force of the Omnibus amendments and are absolute, there are no exceptions or transition periods for commercial parties. Organizations deploying generative AI for creating synthetic media content must immediately test their applications and security measures against these new boundaries.

3. GDPR adjustment for bias detection in AI models

A notable and nuanced change concerns the amendment of the GDPR. To build fair AI and prevent discrimination, it is often practically necessary to test models on sensitive categories of personal data, such as ethnic origin, health data, or religious belief. Under the current GDPR, processing such special categories of personal data is in principleprincipleOne of the seven responsible-AI values a governed system should live up to (fairness, safety and reliability, privacy, security and robustness, transparency and explainability, accountability, human oversight). A principle is abstract: it states an outcome, not a lever you can pull. It becomes governable by naming the harm that would breach it, assessing the risk that harm carries, and placing controls against that risk. When GovCompass holds a principle this way it calls it a pillar. See pillar, harm, risk.Open full entry → prohibited, unless one of the exhaustively listed exceptions applies.

The Omnibus introduces an explicit exception: processing of special categories of personal data is permitted when this is strictly and demonstrably intended for detecting and correcting bias in AI models. This is a welcome clarification for organizations that actively want to test their models for discriminatory outcomes.

The flip side is equally clear: this exception places higher demands on documentation. You must accurately record the legal basis, the specific purpose, the data minimizationdata minimizationProcessing only data that is adequate, relevant and necessary — in ML, implemented through pseudonymisation, feature selection, synthetic data and privacy-enhancing techniques.Open full entry → methods employed and the mitigation actions taken. A supervisory authority knocking on your door will request exactly this documentation. Without conclusive evidenceevidenceThe concrete proof that a control is designed, implemented, and working: a test report, an audit trail, an impact assessment, a monitoring log. Each link in the governance chain produces an artifact, and together they are what an organization hands to its own board, a regulator, a customer, or an affected person to show, not say, that a system is governed. Its absence is itself the failure: a risk register without test results, or a mitigation claimed without validation, is a governance gap, not a paperwork one. The closing link of the governance chain. See control, governance.Open full entry →, the exception lapses and the processing qualifies as a GDPR violation.

4. reliefs for SMEs and micro-enterprises

The Omnibus simplifies compliance obligations for micro-enterprises and small and medium-sized enterprises in a number of respects: simplified documentation formats, a lighter variant of the conformity assessmentconformity assessmentThe pre-market process demonstrating a high-risk AI system meets the EU AI Act's requirements, leading to CE marking and registration.Open full entry → procedure, and more proportionate sanction levels. This is in line with the broader European policy of reducing the administrative burden on SMEs.

One widely heard misconception deserves correction: the Art. 4 obligation (AI Literacy) for deployers has not lapsed. Individual organizations remain obliged to ensure that employees working with AI systems have sufficient knowledge and skills. What the Omnibus adjusts is the responsibility for broad societal AI literacy, that is placed more with member states and the European Commission. The deployer obligation to train their own staff and document that training remains in place.

Delay versus abandonment: the strategic pitfall

The delay of the heaviest deadlines is tempting. The pitfall is to temporarily put the AI dossier on ice and not restart until 2026 or 2027. That is a strategic mistake, for three concrete reasons.

First: building governancegovernanceThe system through which an organization steers itself: corporate governance, risk management, compliance, lines of accountability, risk appetite, and the operating model. It exists across everything the organization does, before and beyond AI. AI governance is this same system extended for AI. See AI governance, governance design, execution level.Open full entry → takes time. Inventorying all AI systems in your organization, classifying by risk class, designating supervisors, and building compliance dossiers, that is not a project of a few weeks. Organizations that started in 2024 will have a head start in 2027 that cannot be made up through last-minute compliance.

Second: the supervisory authorities are already operational. The ACM (Authority for Consumers & Markets) has been designated as national market supervisory authority for the EU AI Act and is active. Enforcement of Art. 4 (AI Literacy) and Art. 5 (prohibited practices) is already possible. Transparency obligations follow from August 2026. Those who do nothing now are consciously risking a fine in a regime that is already in force.

Third: the burden of proof works cumulatively. The EU AI Act requires not a snapshot, but a demonstrable, dated history of decisions: when did you classify, who reviewed, what was logged, how was oversight arranged? An audit trail that only starts in 2026 or 2027 inherently contains gaps. Supervisory authorities and courts look at the entire dossier.

The extra time the Omnibus provides is exactly what organizations need to make the shift from reactive compliance ticking to proactive Governance by Design. Those who use that time build a structure that is resilient to further regulatory changes, and that radiates trustworthiness to clients, employees and supervisory authorities.

Five concrete steps you can take now

1. Complete the AI inventoryAI inventoryA register of all AI systems an organization builds, buys or embeds, with owners and risk tiers — the prerequisite for governing any of them.Open full entry →, Map all AI systems your organization deploys: per department, per supplier, per intended use. Also register shadow AIshadow AIAI tools adopted by staff or business units outside official channels and governance — the predictable product of processes that are too heavy or too slow.Open full entry → (ChatGPT, Copilot, niche SaaS). This is the indispensable foundation for every subsequent step.
2. Perform risk classification, Determine the risk class for each system based on Art. 6 and Annex III. Uncertain? Classify conservatively: high-risk. The law requires this in cases of doubt, and incorrect classification is itself a violation.
3. Document Art. 4 AI Literacy, The obligation applies now. Record which employees have completed training, when, and through which program. Retain attendance lists and certificates. This is the first thing a supervisory authority will request.
4. Implement transparency obligations (Art. 50), Check all interfaces where AI is involved in communication with end-users. Add labels, disclaimers or notifications. Deadline: 2 August 2026.
5. Designate a governance structure, Appoint an AI Officer (whether or not combined with the DPO function), designate a supervisor per high-risk system, and record the responsibilities in writing. Without ownership, governance is paperwork.

The omnibus as an opportunity for strategic leadership

Organizations that use the Omnibus accord as an alibi to do nothing miss the broader context: AI governanceAI governanceGovernance extended for AI: the same organizational steering at the highest level, widened to cover what makes AI different (it works in probabilities rather than fixed rules, learns from data, and can act at a speed and scale no human reviewer can match). It inherits the existing governance structure and brings AI inside the disciplines the organization already runs, rather than creating a parallel system in a silo. It operates on two levels, design and execution. See governance, governance design, execution level, responsible AI.Open full entry → is not a legal obligation to tick off, but a strategic capability to build. The law sets the minimum requirements; the market rewards those who go further.

Clients, employees and business partners are increasingly asking questions about how your organization handles AI risks. Organizations with a structured, demonstrable approach, a complete AI register, documented classifications, active oversight processes, build a reputation for reliability that cannot be bought.

The Omnibus gives you more time. Use that time well.