The EU’s “Digital Omnibus”: A Strategic Breather and New Red Lines in the Race to Regulate AI
The Digital Omnibus is the European Commission’s legislative package (November 2025) designed to simplify the EU’s digital regulatory framework by amending the AI Act, the GDPR, the ePrivacy Directive, NIS2, and the Data Act to reduce administrative burdens. Following its final approval on 29 June 2026, it postpones the AI Act’s high-risk obligations, but it does not lower the standard of due diligence expected from organizations.
Brussels is not seeking to rethink its approach to AI regulation, but rather to make it more practical and workable. The aim is to streamline a regulatory framework that, after years of intense legislative activity, had become increasingly complex for businesses, public administrations, and supervisory authorities.
Simplification, Yes. Deregulation, No.
The Digital Omnibus is based on an obvious reality: the succession of regulations such as the GDPR, the AI Act, the Data Act, the Digital Services Act, and the NIS2 Directive has created one of the world’s most comprehensive regulatory frameworks—but also one of the most challenging to navigate. And, between us, being comprehensive does not necessarily mean being perfect. More than once, the complexity of managing this framework has bordered on the absurd.
The accumulation of obligations, differing implementation timelines, and the coexistence of multiple competent authorities have significantly increased the regulatory burden, particularly for small and medium-sized enterprises.
The reform aims to reduce this complexity by eliminating overlaps between the AI Act and sector-specific legislation (such as the rules governing medical devices and certain industrial products) while also clarifying the division of responsibilities among the various supervisory authorities.
The guiding principle behind the reform is to make compliance easier without lowering the level of protection. Simplification does not mean deregulation; it means creating a regulatory framework that is more coherent, more predictable, and easier to apply—for businesses and regulators alike.
A New Compliance Timeline
The most significant practical change is the postponement of the obligations applicable to high-risk AI systems. The European Union itself acknowledges that the market still lacks sufficient technical standards, harmonized rules, and certification mechanisms to ensure the consistent implementation of the AI Act.
As a result, the obligations for high-risk AI systems listed in Annex III will become enforceable on 2 December 2027, while AI systems subject to the EU’s harmonized product safety legislation will have until 2 August 2028 to comply. The Bosco case had already demonstrated how tangible the impact of this classification can be for organizations, long before the implementation timeline was revised.
At the same time—and quite understandably in relation to transparency obligations—the Digital Omnibus accelerates the timeline by shortening the adaptation period for implementing measures to identify AI-generated content. The new compliance deadline is 2 December 2026, making this one of the first obligations businesses will need to address.
| What changes | Date |
|---|---|
| High-risk systems — Annex III | December 2, 2027 |
| Systems embedded in regulated products — Annex I | August 2, 2028 |
| Labeling of AI-generated content (Art. 50.2) | December 2, 2026 |
| Ban on non-consensual intimate imagery and AI-generated CSAM | December 2, 2026 |
New Prohibitions to Safeguard Fundamental Rights
Regulatory simplification has not come at the expense of stronger safeguards. On the contrary, the Digital Omnibus introduces new prohibitions aimed at addressing some of the most harmful uses of artificial intelligence.
From December 2026, AI systems capable of generating non-consensual intimate images, as well as AI-generated child sexual abuse material, will be prohibited, among other practices.
Technological innovation and the protection of fundamental rights must continue to advance hand in hand.
A Challenge for Corporate Governance
The greatest risk is interpreting the postponement of certain deadlines as an invitation to delay preparation. That is not the case. While the most complex obligations now come with a longer implementation timeline, the AI Act’s core principles remain unchanged. Organizations are still expected to strengthen their AI governance frameworks, ensure the quality of the data used to develop and train AI systems, implement effective human oversight mechanisms, and promote training for the people who design, use, or supervise these technologies.
The expected standard of due diligence has not been lowered. Companies that use this extension to strengthen their internal processes will be far better prepared when the Regulation becomes fully applicable.
The Digital Omnibus gives Europe an opportunity to demonstrate that innovation and effective regulation can coexist. It is not a step back in the EU’s AI strategy, but rather a recognition that such an ambitious regulatory framework can only succeed if its obligations are both technically feasible and legally enforceable.
The most constructive way to view this extension is as an opportunity to prepare more effectively. Reviewing governance models, strengthening transparency measures, training teams, and anticipating the Regulation’s requirements will be far less costly than scrambling to comply once the obligations become fully enforceable.
If your organization needs to reassess its compliance roadmap in light of these changes, Facephi Compliance can help you identify priorities and prepare for what’s ahead.
The Digital Omnibus is a European Commission legislative package (November 2025) designed to simplify the EU’s digital regulatory framework. It amends the AI Act, GDPR, ePrivacy Directive, NIS2 Directive, and the Data Act to reduce administrative burdens and eliminate overlaps between regulations.
Partially. The obligations for high-risk AI systems under Annex III have been postponed from August 2026 to December 2027, while the requirements for Annex I systems have been deferred until August 2028. However, transparency obligations for AI-generated content have been brought forward and will become applicable from December 2026.
No. The AI Act remains in force, and several obligations retain their original implementation dates. The additional time is an opportunity to prepare—not to pause work on AI governance, data quality, and human oversight.
Strengthen AI governance, ensure the quality of training data, implement effective human oversight, and train the people who design, use, or supervise AI systems—using the extension as an opportunity to prepare more thoroughly, rather than waiting to react once the requirements become enforceable.