On May 7, the European Parliament and Council reached political agreement on a set of targeted amendments to the AI Act, packaged within the broader Digital Omnibus simplification initiative. The changes don’t rewrite the AI Act — they extend timelines, adjust scope thresholds, and tighten prohibitions in specific areas. For most companies operating in Europe, the practical effect is more time to comply and clearer rules about what is actually banned.
The most significant operational change is the extension of the high-risk compliance deadline. Under the original AI Act timeline, companies deploying high-risk AI systems — in areas like employment, credit scoring, education, and border control — faced compliance obligations running from the Act’s February 2025 entry into force. The Digital Omnibus deal extends implementation timelines by up to two additional years for most high-risk categories, giving companies until mid-2028 to fully comply with conformity assessment and documentation requirements.
For small and medium enterprises, the agreement includes targeted carve-outs: lighter obligations for companies below specified size and revenue thresholds, with the precise figures still being negotiated at technical level. The intent is to prevent the AI Act from functioning as a de facto market barrier against European startups while larger incumbents have the compliance resources to absorb the costs.
The agreement also includes a firm prohibition on AI-generated intimate imagery without consent. This closes a gap in the original text, which addressed non-consensual intimate images in general but did not explicitly cover AI-generated versions. Under the new provision, systems designed or marketed for generating such content fall within the prohibited AI systems category.
One of the less-discussed elements of the deal is the expanded mandate for ENISA, the EU Agency for Cybersecurity, in relation to general-purpose AI models. The original AI Act gave ENISA a supporting role; the Digital Omnibus amendments task the agency with developing technical guidance on model evaluation methodologies, particularly for systemic risk assessment of the most capable models above the 1025 FLOP threshold.
This matters because the general-purpose AI provisions are where the AI Act intersects with the global frontier model debate. Developers of the most powerful models face systemic risk obligations — including adversarial testing, incident reporting, and cybersecurity baselines. ENISA’s methodology guidance will determine how those obligations are operationalised in practice, giving the agency significant de facto influence over what frontier AI compliance looks like in Europe.
The deal reflects a deliberate strategic choice by EU Executive Vice-President Henna Virkkunen, who leads the Digital portfolio. From her first days in office, Virkkunen signalled that the Commission’s priority was AI deployment at scale — getting European companies to build with AI, not just comply with rules about it.
The Digital Omnibus approach — bundling AI Act changes with simplifications to the Data Act, the Cyber Resilience Act, and other digital legislation — was Virkkunen’s mechanism for moving quickly without reopening full legislative procedures. It allowed targeted amendments without triggering the full co-decision process each time.
The tradeoff is coherence. Bundling changes across multiple regulations in a single vehicle makes the legislative record harder to track. Civil society groups and some MEPs have raised concerns that the simplified procedure reduces parliamentary scrutiny. The Commission’s counter is that the changes are clarifications and extensions, not substantive rewrites — a characterisation that will face challenge in implementation.
Political agreement is reached; formal adoption is expected by autumn 2026 after legal-linguistic finalisation. Companies in high-risk sectors should recalculate compliance calendars against the amended schedule once the final text is published — the two-year extension runs from the original entry-into-force date. The extension buys time, but not indefinitely: conformity assessment and technical documentation for high-risk systems are substantial, and two years goes quickly if underlying system architecture needs to change. The Commission’s updated guidance, expected alongside the amended regulation, is where the operational detail lives.
.png)
.png)
