Share This Article
On 16 June 2026, the European Parliament adopted the Digital Omnibus changes to the EU AI Act — the first set of amendments to the AI Act since 2024 — ending weeks of uncertainty around one of the most controversial reforms of the EU’s digital rulebook.
The vote is part of the EU’s wider “Omnibus VII” simplification agenda, and it substantially reshapes how parts of the AI Act will apply in practice, particularly for industrial AI systems and products already regulated under sector-specific legislation.
The agreement is the first real political acknowledgment that the original AI Act created major implementation problems for companies operating across regulated sectors such as manufacturing, machinery, automotive, medical devices, and connected products.
And it arrives just months before the original 2 August 2026 deadline for high-risk AI obligations.
The headline is relief on timing — but this is not a one-way deregulation story. Some obligations were actually tightened. Here is the real picture. Below is a video on the topic and a more detailed article where I explore the matter:
The AI Act Changes Were Driven by One Core Problem
The central issue behind the negotiations was not whether Europe should regulate AI. The real question was whether the AI Act, as originally drafted, had become unworkable for businesses already subject to extensive sectoral regulation. This became particularly evident for AI systems embedded into products already governed by European product safety frameworks.
Manufacturers were facing the prospect of complying simultaneously with:
- the AI Act;
- the Machinery Regulation;
- medical device rules;
- automotive safety frameworks;
- cybersecurity obligations;
- and broader product compliance requirements.
For many businesses, the result was not legal certainty, but overlapping and potentially duplicative compliance obligations. That is precisely where the negotiations became politically explosive.
Machinery Rules Become the Biggest Winner of the Deal
The most significant aspect of the compromise concerns machinery. Under the AI Act amendments, machinery products will largely avoid direct overlap with the AI Act where equivalent obligations already exist under the Machinery Regulation.
Instead of imposing parallel compliance frameworks, AI-related health and safety requirements for machinery will now primarily be addressed through sectoral product legislation. Registration and conformity assessment have been streamlined precisely to reduce this kind of duplication against sectoral product law. This is a major shift in regulatory strategy.
The European Commission will still retain powers to adopt delegated acts introducing AI-specific health and safety requirements where needed, but the compromise clearly reflects pressure from industrial stakeholders — particularly Germany — to avoid a regulatory duplication scenario.
And Germany pushed extremely hard for this outcome. German Chancellor Friedrich Merz openly criticized what he described as an excessively restrictive regulatory framework for industrial AI, arguing that European competitiveness was at risk if industrial sectors were burdened with overlapping AI compliance obligations. In practice, the deal signals that Europe is starting to accept something businesses have been warning about for months:
AI regulation cannot operate in isolation from existing product regulation.
Different Compliance Deadlines Confirm the Shift
Another key part of the agreement is the postponement of certain AI Act obligations. The compromise introduces differentiated timelines depending on the type of AI system involved.
Under the new framework:
- high-risk AI systems involving biometrics, education, employment, law enforcement, border management, and critical infrastructure (Annex III) will apply from 2 December 2027;
- high-risk AI systems embedded into regulated products (Annex I) will instead become subject to obligations from 2 August 2028.
The reasoning behind the delay is unusually candid. Lawmakers acknowledged that the necessary standards, common specifications, and national supervisory authorities were simply not ready in time.
This distinction is extremely important.
It effectively acknowledges that product-integrated AI systems raise significantly more operational complexity than standalone AI applications. Many companies were still struggling to understand how AI Act conformity assessments would interact with existing product certification processes.
The reform is an attempt to redesign the operational interaction between the AI Act and Europe’s broader regulatory ecosystem.
More Breathing Room for Smaller Companies
The amendments also widen the population of businesses that benefit from lighter obligations. Alongside the existing relief for small and medium-sized enterprises (SMEs), the Digital Omnibus introduces a new category of “small mid-cap enterprises” (SMCs) — companies too large to qualify as SMEs but still far from Big Tech. These businesses will benefit from lighter, proportionate obligations.
The reform also softens the AI literacy requirement. Rather than guaranteeing a particular outcome, organizations will now be held to a “reasonable efforts” duty when ensuring that staff and users understand the AI systems they deploy.
The Deal Goes Beyond Industrial AI
While the debate largely focused on industrial sectors, the compromise also introduces several other important changes to the AI Act. One of the most politically visible reforms is a new Article 5 prohibition targeting AI systems capable of generating non-consensual intimate imagery — so-called “nudifier” applications — and child sexual abuse material. The European Commission is expected to issue guidelines clarifying the precise scope of the ban.
The prohibition is expected to apply from 2 December 2026.
This reflects increasing political concern around generative AI misuse and synthetic content risks. The agreement also shortens the implementation timeline for transparency obligations relating to AI-generated content. Providers will now have only three months — instead of six — to implement transparency solutions once the relevant obligations become applicable.
Importantly, one of the most criticized proposals — which would have let providers skip EU-database registration for systems they self-declare as not high-risk — was largely walked back. The obligation to register high-risk AI systems in the EU database has therefore been preserved.
That point is particularly relevant because the registry is likely to become one of the main enforcement and transparency tools for regulators.
The Personal Data Point Could Become Highly Relevant
One aspect of the agreement that deserves particular attention from privacy professionals is the clarified — and already contested — legal basis for using personal data to detect and correct bias. The compromise expressly allows organizations to process special categories of personal data (sensitive data) where strictly necessary to identify and mitigate bias in high-risk AI systems, provided appropriate safeguards are implemented.
This change could become one of the most operationally important elements of the reform. Many companies have been struggling with a fundamental tension: how do you properly test AI systems for discriminatory outcomes without processing sensitive or representative personal data?
The agreement appears designed to create greater legal certainty on that point. But it also raises obvious questions regarding the interaction with GDPR principles, particularly purpose limitation and data minimization.
And this is another example of the broader issue emerging across the AI Act debate: AI regulation is increasingly colliding with existing European legal frameworks.
What Happens Next
With the European Parliament’s adoption on 16 June 2026, the Digital Omnibus on AI now moves to the next stage. The text still requires sign-off from the Council, after which it will be published in the Official Journal of the European Union and enter into force three days later.
The institutions are expected to finalize the process before 2 August 2026 to avoid legal uncertainty linked to the original entry into application of the high-risk AI provisions. But politically, the direction is now clear.
Crucially, the core architecture of the AI Act remains untouched. The risk tiers, the conformity assessment model, the dedicated track for general-purpose AI (GPAI), and the AI Office all survive intact. The European Union is not abandoning the AI Act. However, it is already recalibrating it before the most burdensome obligations have even entered into force. This is breathing room, not a free pass — and that alone says a great deal about how difficult AI regulation becomes once it moves from political ambition to operational reality.
For businesses, the message is equally clear. The AI Act is no longer a static piece of legislation. It is rapidly evolving into a dynamic compliance framework where the interaction between AI rules and sector-specific regulation may become just as important as the AI Act itself.
What Companies Should Do Now
The biggest mistake companies can make at this stage is treating the AI Act changes as a reason to pause compliance projects. The opposite is true. The deal confirms that the regulatory framework is becoming more complex, not less — and the smart move is to use these extra months rather than switch off your AI Act programme. Businesses now need to reassess whether their AI systems fall directly under the AI Act, under sector-specific legislation, or under a combination of both.
For many organizations, particularly in manufacturing, automotive, medtech, connected products, and industrial technology, this exercise can no longer be handled only by legal teams in isolation.
Companies should now:
- map AI systems embedded into products and services;
- identify whether sectoral legislation may partially replace AI Act obligations;
- review conformity assessment and product compliance processes;
- reassess contractual allocation of compliance responsibilities across the supply chain;
- evaluate transparency obligations for AI-generated content;
- and align AI governance with GDPR, cybersecurity, product safety, NIS2, and DORA requirements where applicable.
Another critical point is governance. The deal shows that the AI Act will continue evolving through delegated acts, implementing acts, and regulatory guidance. That means compliance cannot be approached as a one-off legal exercise completed before a deadline.
Businesses instead need governance structures capable of continuously monitoring regulatory developments and adapting internal controls accordingly. This is particularly important because many of the practical compliance expectations under the revised framework will likely emerge only over the next 12 to 24 months through secondary legislation and regulatory interpretation.
In practice, the companies that will manage the AI Act transition more effectively are not necessarily those waiting for complete legal certainty, but those already building operational AI governance frameworks that can evolve alongside the regulation.
For more updates on the EU AI Act, AI governance, and technology regulation, visit the AI section of GamingTechLaw.com.