The Digital Omnibus on AI, Explained: What Changes and What Stays
The Digital Omnibus on AI, Explained: What Changes and What Stays
Three months ago, there was one AI Act timeline. Now there are two. Possibly three, depending on how you count. The European Commission published the Digital Omnibus on AI on 19 November 2025. The Council adopted its position on 13 March 2026. The European Parliament voted 569 to 45 on 26 March 2026. Trilogue negotiations started the same day. A political agreement is expected at the next political trilogue on 28 April 2026.
If that agreement holds, the AI Act’s most consequential deadline moves from 2 August 2026 to 2 December 2027. That is a 16-month extension for high-risk AI obligations.
But here is the part most summaries leave out: until the Digital Omnibus is formally adopted and published in the Official Journal, the original August 2026 deadline is still binding law. The race between the legislative calendar and the compliance calendar is the defining regulatory story of Q2 2026.
This article explains what the Digital Omnibus on AI actually proposes, what Council and Parliament agree on, where they differ, and what compliance teams should do while waiting for a final text.
First, clear up the naming confusion
The word “Omnibus” now refers to at least ten separate legislative packages the Commission has tabled since February 2025. Three of them are directly relevant to compliance teams, and confusing them is easy.
Omnibus I (Sustainability). This one is done. Directive (EU) 2026/470 was published in the Official Journal on 26 February 2026 and entered into force on 18 March 2026. It rewrites CSRD scope (thresholds raised to more than 1,000 employees and more than 450 million euro turnover), abolishes the CS3D phased rollout, and removes listed SMEs from mandatory sustainability reporting. If someone says “the Omnibus” without specifying which one, and they work in sustainability reporting, they mean this.
Digital Omnibus on AI (COM(2025) 836). This is the one this article is about. It amends the AI Act only. It is currently in trilogue. Not yet adopted. Expected to be published in the Official Journal in July 2026.
Digital Omnibus Regulation (COM(2025) 837). This is the broader sibling. It proposes amendments to the GDPR, ePrivacy Directive, NIS2 Directive, and Data Act. It is at a much earlier legislative stage. The European Economic and Social Committee adopted an opinion on 18 March 2026. Parliamentary committee allocation is still in progress. Trilogue has not started. Adoption is unlikely before late 2026 at the earliest.
When someone at a conference says “the Digital Omnibus will change GDPR,” they are talking about COM(2025) 837. When they say “the Digital Omnibus delays the AI Act,” they mean COM(2025) 836. These are two separate legislative proposals moving at very different speeds.
What the Digital Omnibus on AI proposes
The Commission framed this as a simplification exercise. In practice, it does four things.
It delays high-risk AI deadlines. The original AI Act set 2 August 2026 as the date when Annex III high-risk AI system obligations (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) would take effect. The Digital Omnibus proposes moving this to 2 December 2027. For Annex I systems (AI embedded in regulated products like medical devices, machinery, and toys), the deadline moves from 2 August 2027 to 2 August 2028. The reason is straightforward: the compliance infrastructure is not ready. Only 8 of 27 Member States had designated their national competent authorities by March 2026, and harmonised standards are delayed.
It adjusts AI literacy obligations. The Commission originally proposed removing Article 4’s mandatory AI literacy obligation entirely, replacing it with a softer duty for Member States to “encourage” literacy. Both the Council and Parliament pushed back. The final text will likely keep the obligation but soften the language.
It introduces a new prohibited practice. The Parliament added a ban on AI systems that generate or manipulate non-consensual intimate imagery of identifiable individuals. This was not in the Commission’s original proposal but received broad support.
It touches synthetic content rules. Providers of AI systems generating synthetic audio, images, video or text must implement machine-readable detectability or marking. The Commission proposed a grace period until 2 February 2027 for systems already on the market. The Parliament shortened this to approximately 2 November 2026. The Council kept 2 February 2027. This is one of the open negotiation points.
Where Council and Parliament agree
On the most consequential provisions, the two co-legislators are closely aligned. Both rejected the Commission’s original conditional mechanism (which linked deadline extensions to the availability of harmonised standards) and replaced it with fixed dates. Both agreed on 2 December 2027 for Annex III and 2 August 2028 for Annex I. Both kept core obligations intact: risk management, conformity assessment, technical documentation, transparency, human oversight, post-market monitoring. None of these are being weakened.
The convergence is significant because it means the trilogue is unlikely to get stuck on the biggest issues. The legislative calendar matters here. If political agreement is reached on 28 April, formal endorsement by Parliament and Council could follow in May and June. Publication in the Official Journal could happen in July 2026, just before the 2 August 2026 original deadline. The timeline is tight but achievable.
Where they disagree
Three points of divergence will shape the trilogue.
Sectoral integration. The Parliament proposed moving all Annex I-A product categories (medical devices, machinery, toys, radio equipment, and others) into Annex I-B and integrating AI Act requirements into each sectoral law directly. This is structurally significant. It would make sectoral conformity assessment the primary compliance pathway rather than the AI Act’s own procedures. The Council did not propose this. The Standing Committee of European Doctors has already objected, arguing that medical devices should remain under direct AI Act scope. This may be the hardest negotiation point.
Synthetic content timing. As noted above, the Council proposes 2 February 2027 for the watermarking obligation on pre-existing systems. The Parliament proposes 2 November 2026. Three months apart. Likely lands somewhere in between.
CRA cybersecurity alignment. The Parliament proposes that high-risk AI systems fulfilling the Cyber Resilience Act’s essential cybersecurity requirements should be considered compliant with the AI Act’s cybersecurity obligation. The Council has not taken a position on this. If included, this would reduce duplicate compliance work for companies already preparing for the CRA’s September 2026 vulnerability reporting deadline.
The expected timeline from here
Given the legislative pace and the Cypriot Presidency’s stated ambition, the most likely sequence is:
Technical trilogue rounds continue through April 2026. Political agreement at the 28 April 2026 trilogue. Formal endorsement by Parliament (May) and Council (June). Publication in the Official Journal (July 2026). Entry into force before 2 August 2026.
If this timeline holds, the amended AI Act provisions would legally take effect before the original high-risk deadline passes. Companies would then have until 2 December 2027 for Annex III obligations and 2 August 2028 for Annex I.
If the timeline slips, even by a few weeks, the original 2 August 2026 deadline technically remains in force. This is the scenario A&O Shearman flagged in their April 2026 analysis: even if the delay is all but certain politically, it only takes legal effect upon Official Journal publication. Until then, competent authorities in the 8 Member States that have designated them could, in theory, begin enforcement from 2 August 2026.
The practical likelihood of aggressive enforcement on 3 August is low. The political likelihood of the Omnibus being adopted is high. But “probably fine” is not a compliance position.
What compliance teams should do right now
The consensus across every law firm analysis published in the past month is the same: continue preparing against the original August 2026 deadline.
This is not conservative advice for the sake of caution. It is asymmetric risk management. If you prepare for August and the deadline moves to December 2027, you have done work earlier than necessary. That work is not wasted. If you pause preparation and the delay does not materialise (or is narrowed), you have lost months with no recovery path.
The practical benefit of the expected delay is not that companies can stop preparing. It is that enforcement starts later. Competent authorities will not begin inspections until the new deadline passes. That gives organisations more time to fine-tune systems that are already being built.
The EU’s regulatory simplification agenda will keep generating Omnibus proposals for years. Every one of them will create a period of timeline uncertainty. Organisations that build compliance capacity now, regardless of which exact month enforcement begins, will navigate every future recalibration from a position of strength.
Not sure whether the AI Act applies to your organisation? Take our free 3-minute AI Act readiness assessment. It covers the 10 areas that matter most and gives you a score with specific next steps.
Track all affected deadlines in our EU compliance deadline tracker.