Issue
Current law (Regulation 2024/1689)
AI Omnibus as adopted (June 2026)
What to do now
Main high-risk AI rules (Annex III) Under Article 113 of the enacted AI Act, the main high-risk obligations apply from 2 August 2026.
The adopted Omnibus shifts Annex III stand-alone high-risk obligations to 2 December 2027. Awaiting OJ publication.
Keep inventory, classification, control design and evidence planning moving against the December 2027 date.
Product-integrated high-risk AI (Annex I) Under Article 6(1) and Article 113, Annex I product-integrated high-risk obligations apply from 2 August 2027.
The adopted Omnibus shifts Annex I obligations to 2 August 2028. Awaiting OJ publication.
Align product, legal, engineering and quality teams against the August 2028 date if AI is embedded in medical devices, machinery, radio, transport or other regulated products.
Watermarking & synthetic content Article 50(2) transparency for AI-generated synthetic content applies from 2 August 2026 under Article 113.
The adopted Omnibus sets a transitional grace until 2 December 2026 for systems already on the market before 2 August 2026. Broader Article 50 transparency disclosures stay on the original schedule. Awaiting OJ publication.
Build provenance and labelling into pipelines now if you generate synthetic images, audio, video or text aimed at the EU market.
National regulatory sandboxes Article 57(1) sets 2 August 2026 as the deadline for Member States to establish at least one AI regulatory sandbox.
The adopted Omnibus postpones the Article 57(1) deadline to 2 August 2027 and expands real-world testing to Annex I systems outside sandboxes. Awaiting OJ publication.
For sandbox-eligible programs, build the operational case (innovation goal, supervisor relationship, exit criteria) early; the slot is the bottleneck, not the deadline.
Sensitive data for bias testing Article 10(5) allows providers to process Article 9 special-category data for bias detection and correction only when strictly necessary, with safeguards.
The adopted Omnibus extends the legal basis to all AI systems and general-purpose AI models, but keeps the strictly-necessary standard. The Commission proposed lowering it to "necessary"; the co-legislators rejected that change. Awaiting OJ publication.
Plan bias testing under the existing strictly-necessary standard, with documented safeguards and a clear data-protection impact assessment.
Article 6(3) registration Article 6(3) lets providers self-assess that an Annex III system does not pose a significant risk; Article 6(4) requires the assessment file; Article 49(2) requires registration of such systems in the EU database.
The adopted Omnibus preserves registration. The Commission proposed dropping the obligation for self-exempted systems; the co-legislators rejected that change. Awaiting OJ publication.
Treat Article 6(3) self-exemption as a documentation exercise, not a hide-from-the-database exercise. Build the assessment file and the database registration as one workflow.
The Article 5 prohibitions have applied since 2 February 2025.
The adopted Omnibus adds a new Article 5 prohibition on AI systems intended to generate non-consensual sexual or intimate imagery of identifiable real persons, and on AI systems intended to generate child sexual abuse material. Foreseeable misuse where effective technical safeguards are absent is also caught. Compliance by 2 December 2026. Awaiting OJ publication.
For generative-image, video, voice and avatar pipelines aimed at any EU touchpoint, design and document effective technical safeguards (consent verification, refusal training, content filters, audit logging) before deployment. Lack of safeguards is itself a trigger.
Supervision of AI systems built on a GPAI model where the model and the system come from the same provider was not cleanly separated from national-authority competence.
The adopted Omnibus clarifies, only in same-provider GPAI model + system cases, that the AI Office takes the lead, with new enforcement powers: investigations, on-site inspections, binding commitments, and fines. National authorities remain competent in law enforcement, border management, judicial authorities, and financial institutions. Awaiting OJ publication.
Map your supervisory contact point per use case rather than per company. A single GPAI provider deploying into multiple sectors faces different lead authorities depending on the sector.
AI Act Annex I lists Union harmonisation legislation (medical devices, toys, machinery, radio, watercraft, etc.) where AI Act high-risk obligations stack with sectoral product law.
The adopted Omnibus lets the Commission limit AI Act application via implementing acts where sectoral law has similar AI-specific requirements. Machinery is exempt from direct AI Act applicability; AI-specific health/safety routes through delegated acts under the Machinery Regulation. The "safety component" definition is narrowed to exclude systems used solely for user assistance or optimization. Do not assume relief until the implementing and delegated acts exist.
For Annex I products, watch for the Commission implementing and delegated acts before duplicating effort. Until they are adopted, the AI Act compliance path remains the operative one.
Article 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy of their staff, applicable since 2 February 2025.
The adopted Omnibus softens the obligation: providers and deployers must support the development of AI literacy rather than ensure specific literacy levels. The obligation remains but is substantively weakened. Awaiting OJ publication.
Keep role-based AI training running. Documented literacy efforts remain a cheap audit-defensibility win and feed Article 26 deployer duties either way.