The EU AI Regulation is the new legal framework governing the use of artificial intelligence in Europe. It specifies which AI systems are prohibited, which are subject to particularly strict regulation, and which transparency requirements apply.

Artificial intelligence | Topics & Trends

However, a problem arises when it comes to practical implementation: Many companies, government agencies, and public organizations are expected to meet requirements even though key standards, guidelines, and testing frameworks are not yet fully in place.

This is exactly where the “Digital Omnibus on AI” comes in. It is not intended to repeal the EU AI Regulation or fundamentally rewrite it. Instead, certain deadlines, obligations, and responsibilities are to be adjusted to make implementation easier to plan and more practical.

For companies, government agencies, and public organizations, this means that AI compliance requirements are not going away. While they are not expected to become applicable in practice until later, preparations must begin today.

Westernacher Solutions – EU AI Act and Digital Omnibus

What do the new deadlines in the EU AI Act mean for AI compliance?

What is the “Digital Omnibus on AI”?

The “Digital Omnibus on AI” is a proposed amendment to the EU AI Regulation. It is intended to make targeted adjustments to certain provisions of the regulation, particularly in areas where companies, public authorities, and service providers would otherwise be faced with requirements for which the necessary foundations are not yet fully in place.

These include harmonized standards, technical guidelines, compliance tools, competent national authorities, and conformity assessment bodies. These elements are particularly crucial for high-risk AI systems. This is because such systems must not only be assessed from a legal perspective but also technically documented, tested, monitored, and organizationally integrated.

The “Digital Omnibus” is thus a response to a practical problem: The AI Regulation has been adopted, but the infrastructure needed to implement it is not yet fully developed in all areas.

Why is an amendment to the EU AI Regulation needed?

The EU AI Regulation continues to pursue a clear goal: AI should be used in a safe, trustworthy, and human-centered manner. It is intended to enable innovation while simultaneously protecting health, safety, fundamental rights, democracy, and the rule of law.

The “Digital Omnibus” does not call this goal into question. Instead, it focuses on how companies and public agencies can actually meet these requirements.

The obligations are particularly demanding when it comes to high-risk AI systems. Among other things, providers must implement risk management, ensure data quality, prepare technical documentation, enable human oversight, provide for logging, take cybersecurity into account, and monitor systems after they are placed on the market.

This makes sense, but it is only feasible if it is clear which technical standards apply, what documentation is expected, and which authorities are responsible. Without these guidelines, uncertainty arises. Companies then know that they must be compliant, but they do not always know what that compliance should look like in practice.

What changes are expected?

A key aspect of the “Digital Omnibus” concerns the timeline for high-risk AI systems. According to the preliminary political agreement reached on May 7, 2026, certain obligations will no longer take effect on August 2, 2026, as originally planned.

For high-risk AI systems as defined in Annex III of the EU AI Regulation, the deadline will instead be December 2, 2027. This applies, for example, to certain AI systems in areas such as education, employment, critical infrastructure, law enforcement, migration, border control, or access to essential private and public services.

For high-risk AI systems classified as regulated products or as safety components of such products under Annex I, the effective date is to be postponed to August 2, 2028. This applies in particular to areas where AI interacts with existing product and safety regulations.

This represents a delay of about one and a half to two years. This additional time is intended to allow companies, government agencies, and service providers to prepare for the requirements once standards, guidelines, and practical compliance tools become more widely available.

However, this does not mean that high-risk AI will be exempt from regulation. The requirements will generally remain in place. The main change is to the timing at which certain obligations are to take effect in practice.
In addition, the “Digital Omnibus” provides for further simplifications. Small and medium-sized enterprises, as well as smaller mid-cap companies, are to be given some relief. Documentation requirements are to be simplified in some cases. Duplicate requirements arising from interactions with other regulatory frameworks are to be reduced.

The role of the European Commission’s AI Office is also to be strengthened in certain cases. This is particularly relevant for very large AI providers whose systems are used throughout Europe. For example, if a provider develops its own AI model and integrates it directly into a major platform or search engine, oversight should be more closely coordinated at the EU level. This is intended to prevent differing national assessments.

Another important point concerns AI expertise. Even if specific obligations may be structured differently, one thing remains clear: Anyone who wants to use AI responsibly needs in-house knowledge of how it works, its risks, data protection, security, and the legal framework. AI expertise is not a peripheral issue, but a prerequisite for sound decision-making.

More time does not mean less responsibility

The “Digital Omnibus” can ease the burden on companies. It can help prevent rushed implementation and make compliance planning more manageable. This is particularly important for organizations that develop AI systems or use them in sensitive areas.

But more time should not be confused with standing still.

Anyone who waits until all details have been finalized and all standards have been fully published will lose valuable preparation time. After all, AI compliance doesn’t begin with a final template. It starts much earlier: with transparency regarding the systems in use, with clear responsibilities, with thorough documentation, with data protection reviews, with security assessments, and with internal expertise.

The key question, therefore, is not: Do we have to implement everything in full right now?

A better question is: What foundations do we need to lay today so that we will be able to take action in the future?

What does this mean for businesses and public organizations?

For businesses and public organizations, the “Digital Omnibus” means, above all, that AI governance remains necessary, but it must be planned dynamically.

First, it is important to know which AI systems are actually being used or developed. Many organizations are already using AI without having a complete picture of it: in Office applications, in development tools, in document analysis, in chatbots, in translation systems, or in specialized processes.

The next step is an initial assessment. Is this a high-risk AI system? Are there transparency requirements? Is personal data or particularly sensitive data being processed? Who is the provider, the operator, or possibly both? Is the system merely being used, or has it been significantly modified through customizations?

In the public sector and the judiciary in particular, there is an additional consideration: It’s not just about efficiency. It’s about trust, transparency, legal certainty, and the protection of sensitive information. AI can support processes, but it must not replace professional responsibility.

Westernacher Solutions operates precisely within this tension between technological innovation, regulatory requirements, and specific protection interests. As a provider of digital solutions for government, the judiciary, and public organizations, we grapple daily with the question of how AI can be used responsibly, in compliance with the law, and in a practical manner. What matters most is not the use of AI for its own sake, but rather the specific benefits it provides, the risks it entails, and how digital solutions can be designed to be resilient in the long term.

What should organizations do now?

Even though the “Digital Omnibus” may make things easier, organizations should start with the basics now:

  • AI Inventory: Which systems are being used, by whom, for what purpose, and with what data?
  • Initial Risk Classification: Which systems are potentially high-risk, which are subject to transparency requirements, and which are relatively low-risk?
  • Clarification of Roles: Are we a provider, operator, importer, or distributor? Or do we modify a system so significantly that our role changes?
  • Data Protection and Information Security: What data can be used, what data cannot be used, and what protective measures are required?
  • AI Competence: Employees must understand what AI is capable of, where its limitations lie, and when human review is absolutely necessary. Governance Structure: Who decides on new AI tools? Who assesses risks? Who documents them? Who responds to errors, complaints, or security incidents?

Conclusion

The “Digital Omnibus on AI” is not a retreat from AI regulation. It is an attempt to make the implementation of the AI Regulation more practical.

This makes sense, because effective regulation requires not only clear rules but also practical procedures. Especially when it comes to high-risk AI systems, standards, guidelines, regulatory structures, and technical evidence must all align.

For companies, this means they will likely have more time. But they should make good use of that time.

AI compliance doesn’t just start when the deadline is looming. It begins with transparency, accountability, and a clear understanding of how you use AI. Those who lay a solid foundation today will be able to meet future requirements with much greater confidence.

The EU AI Regulation remains the legal framework. The “Digital Omnibus” is intended to help flesh out this framework in a practical way. However, responsible AI does not result from deadline extensions, but rather from thorough preparation, clear processes, and a conscious approach to managing risks.

FAQ on the “Digital Omnibus on AI”

In the EU context, an “omnibus” is a legislative package used to amend several existing legal acts or regulatory areas simultaneously. It is therefore not a single new piece of specialized legislation, but rather a bundled update to existing regulations. The goal is often to simplify rules, better align them with one another, or avoid duplicate regulations.

The “Digital Omnibus on AI” is a proposed amendment to the EU AI Regulation. It is not intended to replace the AI Regulation, but rather to adjust certain deadlines, obligations, and responsibilities. The focus is on how the requirements of the AI Regulation can be better implemented in practice, particularly with regard to high-risk AI systems.

High-risk AI systems are AI systems used in particularly sensitive areas that can have a significant impact on people. These include, for example, certain AI systems in education, employment, critical infrastructure, law enforcement, migration, border control, or access to essential private and public services. Such systems are subject to particularly stringent requirements, such as those related to risk management, data quality, technical documentation, transparency, human oversight, accuracy, and cybersecurity.

The “Digital Omnibus on AI” primarily affects providers and operators of AI systems, especially if they develop, provide, or use high-risk AI systems. It is also relevant for companies, public administrations, government agencies, conformity assessment bodies, and organizations that use AI in sensitive or regulated sectors. Small and medium-sized enterprises (SMEs) as well as smaller mid-cap companies may also be affected, as the Omnibus Act provides certain relief measures and simplifications for them.

No. The “Digital Omnibus” can extend certain deadlines and simplify individual obligations, but it does not repeal the EU AI Regulation. Companies should use the additional time to inventory their AI systems, assess risks, clarify roles, review data protection and information security, and establish internal governance structures. Waiting would be risky because documentation, assigning responsibilities, and building expertise cannot be caught up on in the short term.

Standards and guidelines help put abstract legal requirements into practice. They show how companies can specifically meet requirements related to risk management, data quality, transparency, human oversight, documentation, and cybersecurity. The “Digital Omnibus” therefore also addresses areas where such standards and tools are not yet fully available.

Yes. The EU AI Regulation remains the central legal framework for artificial intelligence in Europe. The “Digital Omnibus” is not intended to abolish this framework, but rather to make certain parts of it more practical. The basic logic of the AI Regulation remains unchanged: prohibited AI practices, strict requirements for high-risk AI systems, transparency obligations, and rules for general-purpose AI models.

Alina Borovskij
Alina Borovskij

Ihre Ansprechpartnerin

Alina Borovskij

Solutions Consultant

YOU MIGHT ALSO BE INTERESTED IN