EU Digital Omnibus: How Europe Hit Pause on Its Own AI Rules

The Largest AI Regulatory Reset Since the Act Itself

When the European Parliament adopted its position on the Digital Omnibus on AI on March 26, 2026, it did so with overwhelming force: 569 votes in favour, 45 against, and 23 abstentions. That lopsided margin reflects a rare consensus that Europe’s landmark AI Act, adopted with fanfare in 2024, needed urgent recalibration before its high-risk provisions kicked in on August 2, 2026.

The Digital Omnibus on AI is not a rollback. It is a pragmatic acknowledgment that the compliance infrastructure — harmonised standards, conformity assessment bodies, and national supervisory authorities — simply was not ready. The European Commission published the original proposal on November 19, 2025, as part of its seventh simplification package. The Council of the EU adopted its own negotiating position on March 13, 2026, and trilogue negotiations are now underway, with the Cypriot Presidency targeting a political agreement by late April or May 2026.

What the Deadlines Actually Look Like Now

The headline change is a “stop-the-clock” mechanism for high-risk AI obligations. The original AI Act required compliance by August 2, 2026. Under the Omnibus, those deadlines shift based on when the Commission formally confirms that compliance support measures — harmonised standards, guidelines, and common specifications — are available.

For stand-alone high-risk AI systems listed in Annex III (covering biometrics, critical infrastructure, education, employment, law enforcement, and border management), the rules will apply six months after the Commission’s readiness decision, with a hard backstop of December 2, 2027. For high-risk AI embedded in regulated products under Annex I (medical devices, machinery, vehicles), the timeline extends to 12 months after the decision, backstopped at August 2, 2028.

Both the Council and Parliament agree on these fixed dates, removing the uncertainty that had paralyzed compliance planning across industries. The message is clear: the rules are coming, but not until the tools to follow them actually exist.

Relief for Mid-Sized Companies

One of the sharpest criticisms of the AI Act was that its compliance burden fell disproportionately on mid-sized European firms — too large to qualify for SME exemptions (capped at 250 employees) but too small to absorb the six-figure compliance costs that surveys estimate at $30,000 to $250,000 per AI system.

The Omnibus addresses this by extending streamlined technical documentation requirements to Small Mid-Caps (SMCs) with up to 750 employees, provided their annual turnover does not exceed EUR 150 million or their balance sheet total stays under EUR 129 million. This change roughly triples the employee threshold for simplified compliance, bringing thousands of additional European companies under a lighter-touch regime.

The practical effect: mid-sized AI deployers in healthcare, logistics, and fintech can use abbreviated documentation instead of the exhaustive technical files that only well-resourced compliance teams can produce.

An EU-Wide Regulatory Sandbox

The Omnibus introduces a new EU-level regulatory sandbox operated under the supervision of the AI Office, sitting alongside the existing national sandboxes. This dual-layer structure is designed to let GPAI model developers and SMEs test high-impact AI systems in real-world conditions under regulatory guidance, without facing enforcement action during the testing period.

National sandboxes have had mixed results — uneven implementation across member states meant that a sandbox in France looked nothing like one in Romania. The EU-level sandbox promises harmonisation: a single set of rules, one supervising authority, and cross-border validity.

For general-purpose AI (GPAI) providers specifically, the Omnibus gives those who placed models on the market before August 2026 an additional transition window until February 2, 2027 to update documentation and governance processes. Codes of practice for GPAI, however, will shift from potentially binding instruments to soft law — guidance that regulators can reference but cannot enforce directly.

Parliament Goes Beyond the Commission: The Nudifier Ban

In a significant addition absent from the Commission’s original text, Parliament inserted a new prohibition under Article 5 of the AI Act: a ban on AI systems that generate or manipulate sexually explicit images depicting identifiable real persons without their consent. These so-called “nudifier” applications have proliferated rapidly, and Parliament’s move to classify them as prohibited AI practices signals that legislators see the Omnibus as a vehicle for strengthening protections, not just loosening them.

The ban exempts AI systems that incorporate effective technical safeguards preventing such content generation — a carve-out that acknowledges the dual-use nature of image generation models while targeting purpose-built abuse tools.

Centralized Enforcement and Bias Detection

Two less-discussed but consequential changes round out the Omnibus. First, the AI Office is being repositioned as a central enforcement hub. It will supervise AI systems integrated into very large online platforms and search engines, as well as GPAI-based systems where the model provider and system deployer are the same entity. This consolidation is meant to prevent the regulatory fragmentation that has plagued enforcement of the Digital Services Act across 27 member states.

Second, a new Article 4a relaxes the threshold for using sensitive personal data to detect and correct bias in AI systems. Previously limited to cases where such use was “strictly necessary,” the standard drops to merely “necessary” — and now extends to providers and deployers of non-high-risk AI systems. Privacy advocates have flagged this as a potential loophole, but supporters argue that better bias detection requires access to the demographic data that bias operates on.

What Comes Next

Trilogue negotiations between the Parliament, Council, and Commission are expected to move quickly. Both co-legislators are broadly aligned on the core deadline extensions and SMC provisions. The key sticking points will likely be the scope of the nudifier ban, the exact conditions for sandbox participation, and the degree of centralized enforcement power granted to the AI Office.

If the Cypriot Presidency achieves its target of a political agreement by late April or May 2026, the amended AI Act could enter into force before the original high-risk deadline of August 2, 2026 — meaning the delay would be legally operative before the rules it postpones would have applied. For companies that had been scrambling to meet the August deadline with nearly 60% of EU developers reporting launch delays, the Omnibus provides critical breathing room without abandoning the regulatory framework entirely.

Sources & Further Reading

• Artificial Intelligence Act: Delayed Application, Ban on Nudifier Apps — European Parliament
• Council Agrees Position to Streamline Rules on Artificial Intelligence — Council of the EU
• EU Digital Omnibus: Analysis of Key Changes — IAPP
• EU Digital Omnibus: The European Commission Proposes Important Changes — Sidley Austin
• MEPs Adopt Joint Position on Proposed Digital Omnibus on AI — Global Policy Watch
• The Hidden Cost of AI Regulations: A Survey — ACT | The App Association