Get Ready for
the EU AI Act Omnibus

The EU AI Act mandates that AI system providers based in the EU comply with the regulation. Moreover, the Act also applies to providers and deployers outside the EU whose AI systems are used in the EU market. This means organizations worldwide may need to comply if their AI products or services reach EU users.

The situation is similar to the global reach of General Data Protection Regulation (GDPR). The AI Act applies to providers outside the EU when their AI system output is used in the EU. Non-EU deployers using AI systems in the EU are also covered. This extraterritorial scope means companies worldwide must assess their AI offerings for EU compliance.

The EU AI Act entered into force on 1 August 2024. Prohibitions on unacceptable risk took effect in February 2025, and GPAI obligations in August 2025. The general application date is August 2026. The Digital Omnibus proposal, currently in trilogue, would push high-risk system deadlines to December 2027 (Annex III standalone systems) and August 2028 (Annex I embedded products). These dates are proposed and not yet final.

To be ready for the EU AI Act, companies will have to adhere to the extensive requirements stipulated in the regulation. Key steps include: conducting an AI systems inventory, classifying systems by risk level, implementing required documentation and risk management systems, ensuring data governance practices, and establishing human oversight mechanisms.

According to the EU AI Act, significant modifications to an AI system can change your role from a deployer to a provider, triggering additional compliance obligations. Key modifications that may reclassify you include: • Altering Core Algorithms: Changes to the fundamental logic or algorithms of the AI system. • Re-training with New Data: Using new datasets for training that substantially alter the system's performance or behavior. • Integration with Other Systems: Modifying how the AI system interacts with other hardware or software components. Implications of becoming a provider include increased responsibilities such as complying with all provider obligations under the Act, including conformity assessments, documentation requirements, and ongoing monitoring obligations.

The Digital Omnibus on AI is a legislative proposal published by the European Commission on 19 November 2025 to amend the EU AI Act (Regulation 2024/1689). It delays high-risk AI deadlines, extends simplified compliance to companies with up to 750 employees, lets sectoral product regulations take precedence over separate AI Act conformity assessments, and broadens the use of sensitive data for bias testing. The Council and Parliament adopted their negotiating positions in March 2026. Trilogue negotiations are expected to conclude by mid-2026.

It depends on your AI system. Prohibited AI practices and AI literacy requirements are already enforceable since February 2025, and GPAI obligations since August 2025. The Omnibus does not change these. For high-risk AI systems, both the Council and Parliament agree on fixed new dates: December 2027 for standalone systems listed in Annex III (biometrics, critical infrastructure, law enforcement) and August 2028 for AI embedded in regulated products under Annex I (medical devices, machinery, vehicles). These dates are proposed and subject to trilogue, but the direction is clear. Do not pause compliance work.

The existing Article 5 prohibitions have applied since February 2025. The Omnibus proposes adding a new ban on AI systems that generate non-consensual intimate imagery of real persons and child sexual abuse material. Both the Council and Parliament support this addition, making it very likely to survive trilogue. This means the Omnibus is not only delaying obligations but also tightening rules in specific areas.