The AI Omnibus Accord: delay or abandonment? What you need to know and how to prepare

In May 2026, the European Council and European Parliament reached a provisional political agreement on the so-called Digital Omnibus for AI. This series of targeted amendments to the EU AI Act — and to related legislation such as the GDPR — gives the market more breathing room, but simultaneously introduces new, sharp rules. For many organisations, the accord feels like a relief, since the strict deadlines for high-risk AI systems are shifting significantly. But make no mistake: the bar for responsible AI remains as high as ever, and the supervisory authorities are operational.

What does this accord mean exactly for your organisation? In this article we analyse the four most important changes and explain why now is the moment to structurally embed AI governance — rather than using the extra time as an excuse to do nothing.

The four most important changes from the AI Omnibus Accord

1. Extended deadlines for high-risk AI

Originally, the heaviest deployer obligations for high-risk AI systems were due to take effect on 2 August 2026. The Omnibus shifts these deadlines considerably:

• 2 December 2027: The new deadline for stand-alone high-risk AI systems (Annex III) — systems for recruitment & selection, biometric identification, credit assessment, education and law enforcement. These are the so-called stand-alone applications that fall directly within the operational processes of deployers.
• 2 August 2028: The deadline for AI systems integrated as safety components in regulated products (Annex I), such as medical devices, aviation technology and industrial machinery. The original date was 2 August 2027.

What has not been delayed: the transparency obligations of Art. 50 (including the obligation to inform end-users that they are communicating with an AI system) remain in force from 2 August 2026. The same applies to Art. 4 (AI Literacy) and Art. 5 (prohibited practices), which have been in effect since 2 February 2025. The delay applies exclusively to the heavy compliance obligations for high-risk systems: FRIA, quality management system, European database registration, and the full incident reporting structure.

2. New, hard prohibitions around generative AI

While deadlines for regular business applications are shifting, Europe is cracking down harder on the darker side of generative AI. The accord introduces additional prohibitions on:

• AI systems that generate sexually explicit synthetic images without the explicit consent of the person depicted (so-called nudifier applications);
• AI systems that create or distribute images or content involving child sexual abuse material (CSAM).

These prohibitions apply upon entry into force of the Omnibus amendments and are absolute — there are no exceptions or transition periods for commercial parties. Organisations deploying generative AI for creating synthetic media content must immediately test their applications and security measures against these new boundaries.

3. GDPR adjustment for bias detection in AI models

A notable and nuanced change concerns the amendment of the GDPR. To build fair AI and prevent discrimination, it is often practically necessary to test models on sensitive categories of personal data — such as ethnic origin, health data, or religious belief. Under the current GDPR, processing such special categories of personal data is in principle prohibited, unless one of the exhaustively listed exceptions applies.

The Omnibus introduces an explicit exception: processing of special categories of personal data is permitted when this is strictly and demonstrably intended for detecting and correcting bias in AI models. This is a welcome clarification for organisations that actively want to test their models for discriminatory outcomes.

The flip side is equally clear: this exception places higher demands on documentation. You must accurately record the legal basis, the specific purpose, the data minimisation methods employed and the mitigation actions taken. A supervisory authority knocking on your door will request exactly this documentation. Without conclusive evidence, the exception lapses and the processing qualifies as a GDPR violation.

4. Reliefs for SMEs and micro-enterprises

The Omnibus simplifies compliance obligations for micro-enterprises and small and medium-sized enterprises in a number of respects: simplified documentation formats, a lighter variant of the conformity assessment procedure, and more proportionate sanction levels. This is in line with the broader European policy of reducing the administrative burden on SMEs.

One widely heard misconception deserves correction: the Art. 4 obligation (AI Literacy) for deployers has not lapsed. Individual organisations remain obliged to ensure that employees working with AI systems have sufficient knowledge and skills. What the Omnibus adjusts is the responsibility for broad societal AI literacy — that is placed more with member states and the European Commission. The deployer obligation to train their own staff and document that training remains in place.

Delay versus abandonment: the strategic pitfall

The delay of the heaviest deadlines is tempting. The pitfall is to temporarily put the AI dossier on ice and not restart until 2026 or 2027. That is a strategic mistake, for three concrete reasons.

First: building governance takes time. Inventorying all AI systems in your organisation, classifying by risk class, designating supervisors, and building compliance dossiers — that is not a project of a few weeks. Organisations that started in 2024 will have a head start in 2027 that cannot be made up through last-minute compliance.

Second: the supervisory authorities are already operational. The ACM (Authority for Consumers & Markets) has been designated as national market supervisory authority for the EU AI Act and is active. Enforcement of Art. 4 (AI Literacy) and Art. 5 (prohibited practices) is already possible. Transparency obligations follow from August 2026. Those who do nothing now are consciously risking a fine in a regime that is already in force.

Third: the burden of proof works cumulatively. The EU AI Act requires not a snapshot, but a demonstrable, dated history of decisions: when did you classify, who reviewed, what was logged, how was oversight arranged? An audit trail that only starts in 2026 or 2027 inherently contains gaps. Supervisory authorities and courts look at the entire dossier.

The extra time the Omnibus provides is exactly what organisations need to make the shift from reactive compliance ticking to proactive Governance by Design. Those who use that time build a structure that is resilient to further regulatory changes — and that radiates trustworthiness to clients, employees and supervisory authorities.

Five concrete steps you can take now

1. Complete the AI inventory — Map all AI systems your organisation deploys: per department, per supplier, per intended use. Also register shadow AI (ChatGPT, Copilot, niche SaaS). This is the indispensable foundation for every subsequent step.
2. Perform risk classification — Determine the risk class for each system based on Art. 6 and Annex III. Uncertain? Classify conservatively: high-risk. The law requires this in cases of doubt, and incorrect classification is itself a violation.
3. Document Art. 4 AI Literacy — The obligation applies now. Record which employees have completed training, when, and through which programme. Retain attendance lists and certificates. This is the first thing a supervisory authority will request.
4. Implement transparency obligations (Art. 50) — Check all interfaces where AI is involved in communication with end-users. Add labels, disclaimers or notifications. Deadline: 2 August 2026.
5. Designate a governance structure — Appoint an AI Officer (whether or not combined with the DPO function), designate a supervisor per high-risk system, and record the responsibilities in writing. Without ownership, governance is paperwork.

The Omnibus as an opportunity for strategic leadership

Organisations that use the Omnibus accord as an alibi to do nothing miss the broader context: AI governance is not a legal obligation to tick off, but a strategic capability to build. The law sets the minimum requirements; the market rewards those who go further.

Clients, employees and business partners are increasingly asking questions about how your organisation handles AI risks. Organisations with a structured, demonstrable approach — a complete AI register, documented classifications, active oversight processes — build a reputation for reliability that cannot be bought.

The Omnibus gives you more time. Use that time well.