On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The final package of amendments reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes.

Below is an overview of some of the key highlights.

1. Postponed Deadlines for Certain Obligations

The most noteworthy change is likely to be the staggered deferral of certain compliance deadlines.

High-Risk AI Systems (HRAIS): For HRAIS obligations, the delays reflect a two-tiered approach:

  • Annex III HRAIS (use-based): Obligations are postponed from 2 August 2026 to 2 December 2027 (i.e., deferred by 16 months).
  • Annex I HRAIS (product-regulated, including radio equipment, lifts and medical devices): Obligations are postponed from 2 August 2027 to 2 August 2028 (i.e., deferred by 1 year).

Transparency obligations under Article 50(2): For AI systems generating or manipulating synthetic content and placed on the EU market or put into service before 2 August 2026, the provider’s obligation to ensure that the system’s outputs are marked in a machine-readable format and detectable as artificially generated or manipulated is postponed from 2 August 2026 to 2 December 2026 (i.e., deferred by 4 months). Those systems placed on the EU market or put into service after 2 August 2026 must comply from the date they are placed on the market or put into service.

National AI regulatory sandboxes: The obligation for Member States to establish at least one regulatory sandbox at the national level is postponed from 2 August 2026 to 2 August 2027 (i.e., deferred by 1 year).

The delayed timeframes reflect the challenges with operationalizing several provisions of the AI Act, particularly for high-risk systems requiring testing, documentation, and third-party assessment. The delay will provide EU standards-setting bodies, such as CEN-CENELEC, additional time to prepare the necessary standards and guidelines that will serve as the backbone for several requirements.

2. Realignment of the AI Act with Sectoral Rules

The interaction between the AI Act and existing product safety rules has been further refined, after significant debate that led to a temporary delay in reaching a compromise agreement. The final text reflects two key changes:

  • Machinery Regulation moved from Annex I Section A to Section B. The most structurally significant change is that the Machinery Regulation ((EU) 2023/1230) has been moved from Annex I Section A to Section B — shifting AI-enabled machinery subject to the Regulation from a dual-compliance model to one where sector-specific laws are paramount. Unlike Section B products, Section A products have to satisfy both AI Act high-risk obligations and their existing sectoral safety frameworks in parallel. Now that the Machinery Regulation is listed under Section B, the full suite of AI Act Chapter III obligations will no longer apply directly to such products; instead, the Commission must adopt delegated acts amending Annex III of the Machinery Regulation to incorporate AI-specific health and safety requirements by 2 August 2028.
  • Refined definition of “safety component.” AI systems used solely for user assistance, performance optimization, efficiency or automation, and convenience or quality control will not qualify as “safety components” (i.e., high-risk AI under Article 6(1)), unless a failure or malfunction could endanger health or safety.

3. New Prohibitions on Non-Consensual, AI-Generated Intimate Imagery and CSAM

Among the most visible changes to the AI Act is the introduction of two new prohibited AI-related practices; namely, the use of AI systems to generate or manipulate non-consensual intimate material and child sexual abuse material (CSAM). The prohibition—which takes effect on 2 December 2026—amends Article 5 of the AI Act to ban the placing on the market, putting into service, or use of AI systems that generate or manipulate realistic depictions of an identifiable natural person’s intimate parts or of an identifiable person engaged in sexually explicit activities, without that person’s freely given, specific, informed, unambiguous, and explicit consent. A parallel prohibition applies to AI systems that generate or manipulate CSAM within the meaning of Directive 2011/93/EU (subject to a narrow carve-out where a “without right” defense applies under national law).

Importantly, the prohibition applies only in certain circumstances, which differ between AI system providers and deployers. For providers, the prohibition applies (i) where generating or manipulating such material is the AI system’s intended purpose; or (ii) where such output is a reasonably foreseeable and reproducible outcome without significant technical modification, and the provider has not implemented reasonable and adequate technical safety measures to reliably prevent it.

For deployers, the prohibition is narrower: it applies only where the deployer uses such AI systems for the purpose of generating or manipulating prohibited material—including by circumventing the provider’s safety measures or by misusing a lawful system not designed for such purposes. Accidental generation of this material is expressly excluded.

4. Targeted Adjustments with Practical Impact

A. Use of Special Category Data for Bias Detection and Correction

The agreed text introduces a new Article 4a that expands the ability to use special category data for bias detection and correction. This is permitted only on an exceptional basis, where strictly necessary, and subject to a set of cumulative safeguards.

For providers of high-risk AI systems, processing is permitted only where:

  • the bias detection and correction cannot be achieved using alternative data (e.g., synthetic or anonymized data);
  • the special category data is subject to technical limitations on reuse and state-of-the-art security and privacy measures (including pseudonymization);
  • the data is subject to strict access controls, documentation, and confidentiality obligations, with access limited to authorized persons only;
  • the data is not transmitted, transferred, or otherwise made accessible to third parties;
  • the data is deleted once the bias has been corrected or the retention period expires, whichever comes first; and
  • records of processing activities clearly demonstrate why the processing was strictly necessary and why alternatives were insufficient.

For (i) providers and deployers of non-high-risk AI systems and models, and (ii) deployers of high-risk AI systems, the same safeguards apply. In addition, the exception is only available where the bias in question is likely to:

  • affect the health or safety of persons;
  • have a negative impact on fundamental rights; or
  • lead to discrimination prohibited under EU law (in particular, where outputs influence subsequent decision-making).

Overall, this creates a narrow but viable pathway for bias testing, while maintaining a high compliance threshold.

B. Clarification of GPAI Supervision

The amendments clarify the allocation of supervisory competence for general-purpose AI (GPAI), reinforcing a more centralized, EU-level approach in certain cases.

The AI Office now has exclusive competence for the supervision and enforcement of AI Act obligations in relation to two categories of AI systems:

  1. AI systems based on GPAI models where the model and the system are developed by the same provider, or by providers within the same undertaking. Certain carve-outs apply, including (i) Annex I products (e.g., medical devices, machinery); (ii) Annex III, point (2) use cases (i.e., critical infrastructure); and (iii) certain AI systems provided by law enforcement, border management authorities, and financial institutions.
  2. AI systems that constitute or are integrated into a very large online platform (VLOP) or very large online search engine (VLOSE) within the meaning of the EU Digital Services Act (DSA). Here, the final text provides that the DSA’s existing risk assessment, mitigation, and audit obligations (Articles 34, 35, and 37) serve as the first point of entry for the assessment of such AI systems, with the AI Office empowered to investigate and enforce AI Act non-compliance ex post.

In addition, for AI systems within its exclusive competence that are classified as high-risk and subject to third-party conformity assessment under Article 43, the Commission is responsible for pre-market assessments and testing before the system is placed on the EU market or put into service. The Commission may delegate these assessments to designated notified bodies, which act on its behalf, with fees borne by the provider.

This is particularly relevant for global AI developers and platform providers, as it centralizes supervision at the EU level in certain high-impact scenarios. The trade-off is that the AI Office wields a potent enforcement toolkit, including binding commitments, on-site inspections, and substantial fines.

C. Sharpened Information-Sharing Obligations Across the AI Value Chain

Article 25(2)—which governs the obligations an initial provider of an AI system owes to a downstream actor that becomes a provider of a high-risk AI system under Article 25(1) (e.g., through substantial modification or repurposing of the AI system)—has been amended to make those information-sharing obligations more specific. The initial provider is now responsible to the downstream provider for the following, where relevant to the downstream provider’s compliance with the AI Act:

  • making available technical documentation sufficient for the provider to assess the AI system’s compliance with Article 16 requirements (i.e., high-risk AI system requirements);
  • informing the new provider about known limitations and failure modes of the AI system; and
  • providing the new provider with targeted technical access to the AI system, including for testing and validation.

In parallel, Article 25(4) is amended to add “AI model” to the list of items that, when supplied by a third party for use or integration in a high-risk AI system, must be covered by a written agreement specifying the necessary information, capabilities, technical access, and other assistance.

D. Breaches of Article 25 Now Carry Fines of Up to 3% of Worldwide Turnover

Article 99(4)—which establishes the 3% of worldwide annual turnover / €15 million first-tier fine—has been amended to add a new category of infringement for breaches of Article 25(2) or (4).

These obligations now sit in the same fining band as breach of Article 16 (obligations on providers of high-risk AI systems), Article 26 (obligations on deployers of high-risk AI systems), and Article 50 (transparency obligations), among others.

5. No Change of Core Structural Obligations

Notwithstanding the above, the EU institutions refrained from modifying many of the core, foundational obligations in the AI Act. Importantly, the amendments do not alter:

  • Registration of High-Risk AI Systems: The obligation to register high-risk AI systems in the EU database remains in place. However, the requirements for systems self-assessed as non-high-risk under Article 6(3) have been simplified: Annex VIII, Section B, points 7 and 9 are deleted, somewhat streamlining the information that providers must submit while preserving the underlying transparency objective; and
  • AI Literacy: AI literacy requirements still apply directly to providers and deployers of AI systems. However, rather than requiring that these parties “ensure” AI literacy, the amended Act now requires them to “take measures to support the development of” AI literacy among their staff and other persons dealing with AI systems on their behalf.

6. Anticipated Timing

The amendments to the AI Act introduced by the Digital Omnibus are expected to proceed through formal adoption in the coming months, with final approval anticipated in June and publication expected in July. It is important that they be in place ahead of the next key implementation milestone under the AI Act in August 2026.

Once adopted, the amendments will enter into force on the third day following publication in the Official Journal and will be binding in their entirety and directly applicable in all Member States.

* * *

If you would like to discuss how these developments may affect your organization, or need support in assessing their practical implications, please do not hesitate to get in touch. Our team is closely monitoring the implementation process at EU and Member State level and would be happy to assist with compliance strategies, risk assessments, and stakeholder engagement.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Jadzia Pierce

Jadzia Pierce advises clients developing and deploying technology on a range of regulatory matters, including the intersection of AI governance and data protection. Jadzia draws on her experience in senior in-house leadership roles and extensive, hands-on engagement with regulators worldwide. Prior to rejoining Covington in 2026, Jadzia served as Global Data Protection Officer at Microsoft, where she oversaw and advised on the company’s GDPR/UK GDPR program and acted as a primary point of contact for supervisory authorities on matters including AI, children’s data, advertising, and data subject rights.

Jadzia previously was Director of Microsoft’s Global Privacy Policy function and served as Associate General Counsel for Cybersecurity at McKinsey & Company. She began her career at Covington, advising Fortune 100 companies on privacy, cybersecurity, incident preparedness and response, investigations, and data-driven transactions.

At Covington, Jadzia helps clients operationalize defensible, scalable approaches to AI-enabled products and services, aligning privacy and security obligations with rapidly evolving regulatory frameworks across jurisdictions—with a particular focus on anticipating enforcement trends and navigating inter-regulator dynamics.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington’s disputes teams on matters at the intersection of regulatory compliance and litigation.

Madelaine Harrington

Madelaine Harrington is an associate in the technology and media group. Her practice covers a wide range of regulatory and policy matters at the cross-section of privacy, content moderation, artificial intelligence, and free expression. Madelaine has deep experience with regulatory investigations, and has counseled multi-national companies on complex cross-jurisdictional fact-gathering exercises and responses to alleged non-compliance. She routinely counsels clients on compliance within the EU regulatory framework, including the General Data Protection Regulation (GDPR), among other EU laws and legislative proposals.

Madelaine’s representative matters include:

  • coordinating responses to investigations into the handling of personal information under the GDPR;
  • counseling major technology companies on the use of artificial intelligence, specifically facial recognition technology in public spaces;
  • advising a major technology company on the legality of hacking defense tactics; and
  • advising a content company on compliance obligations under the DSA, including rules regarding recommender systems.

Madelaine’s work has previously involved representing U.S.-based clients on a wide range of First Amendment issues, including defamation lawsuits, access to courts, and FOIA. She maintains an active pro-bono practice representing journalists with various news-gathering needs.

Marianna Drake

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating to AI and data. She also advises clients on matters relating to children’s privacy, online safety and consumer protection and product safety laws.

Her practice includes defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. Marianna also routinely partners with clients on the design of new products and services, drafting and negotiating privacy terms, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of AI technologies.

Marianna’s pro bono work includes providing data protection advice to UK-based human rights charities, and supporting a non-profit organization in conducting legal research for strategic litigation.