01

Immagine creata con IAAI-generated image

The AI Act and the Digital Omnibus: the new high-risk timeline, between simplification and fundamental rights

On 16 June 2026 the European Parliament gave final approval to the amendment of Regulation (EU) 2024/1689 within the so-called “Digital Omnibus on AI”: the obligations for high-risk systems are postponed to 2 December 2027 and 2 August 2028, the simplifications for SMEs are extended to small mid-caps, and the generation of non-consensual intimate material is banned. But does simplifying the European regulatory maze risk translating into a rollback of protections?

The European legislator’s over-production of rules continues to create considerable difficulties for practitioners and, this time, it is the legislator itself that is running for cover. Less than two years after the entry into force of Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence — the AI Act — the European institutions have approved an amending regulation within the seventh simplification package, the so-called Digital Omnibus on AI (Omnibus VII), based on Commission proposal COM(2025) 836 of 19 November 2025.

This seems the right place to try to bring some clarity to the new set-up, bearing in mind that the general body of the AI Act’s provisions will in any case start to apply from 2 August 2026 and that, as we will see, the timetable comes out profoundly redrawn.

The legislative path of Omnibus VII

The ordinary legislative procedure 2025/0359(COD), with its legal basis in Article 114 TFEU, followed a particularly tight course: Commission proposal on 19 November 2025, Council general approach on 13 March 2026, Parliament’s negotiating position in plenary on 26 March 2026, provisional trilogue agreement on 7 May 2026, and final first-reading approval on 16 June 2026, with 423 votes in favour, 57 against and 174 abstentions.

The Council formally adopted the act on 29 June 2026, noting that “the legislative act will be published in the EU’s official journal shortly and will enter into force on the third day after this publication”. As at the time of writing, the amending regulation has not yet been published in the Official Journal of the European Union and its number has not been assigned: the legislative file shows the status “Awaiting signature of act”.

The new application timetable: high-risk postponed to 2027 and 2028

The core of the intervention concerns high-risk AI systems. According to the Parliament’s statement, “the obligations for high-risk AI systems will apply: from 2 December 2027 for stand-alone high-risk AI systems; from 2 August 2028 for AI systems embedded as safety components governed by EU sectoral safety and market-surveillance legislation”. The Council, for its part, made clear that the co-legislators treated this part of the package “with utmost priority”, agreeing “a fixed timeline for the delayed application of high-risk rules”.

In other words: the obligations for stand-alone high-risk systems under Annex III (biometrics, employment, access to essential services, education and the like) slip from 2 August 2026 to 2 December 2027; those for systems embedded as safety components in products covered by sectoral harmonisation legislation, under Article 6(1) and Annex I, to 2 August 2028. This is not the only deferral. The new regulation also postpones to 2 August 2027 the deadline for national regulatory sandboxes, and to 2 December 2026 the content-marking obligations for AI-generated content for systems placed on the market before 2 August 2026 — while cutting the grace period for transparency solutions from six to three months. The date of 2 August 2026 remains, instead, for most of the remaining provisions.

The simplifications for SMEs and small mid-caps

On the simplification side, the legislator chose to extend “to small mid-cap enterprises (SMCs) the exemptions provided for SMEs from certain rules, to support their growth”, together with simplified technical documentation and specific considerations regarding penalties. This is consistent with the overall rationale of the Omnibus package, avowedly aimed at reducing administrative burdens on economic operators: the centre of gravity of the discipline shifts, at least in the transitional phase, from the prescriptiveness of the obligations to their sustainability for the European productive fabric.

The ban on “nudification” apps

Alongside the deferrals, the regulation introduces a new prohibition. The Parliament’s statement is unambiguous: “the law prohibits AI systems that generate child sexual abuse material or create images, videos and audio depicting the intimate parts of an identifiable person or sexually explicit activities without their consent”, with a compliance deadline set at 2 December 2026. The words of co-rapporteur Michael McNamara make clear the vulnerable-subject protection underlying the provision: “we agreed a limited change for machinery products, with clear safeguards, and secured a total ban on AI ‘nudification’ apps. These applications target real people, overwhelmingly women, with the aim of humiliating, degrading and objectifying them”.

Critical issues: simplification or rollback?

The intervention is not without problematic aspects, and the 174 abstentions in plenary are a first institutional signal. First, the European data-protection authorities themselves opened scrutiny of the proposal. In their Joint Opinion 1/2026 on the Digital Omnibus on AI, the EDPB and the EDPS — while supporting the objective of addressing the AI Act’s implementation difficulties — warned that “administrative simplification must not, however, lower the protection of fundamental rights” and, as to the deferrals, expressed “concerns regarding the proposed postponement of core provisions”, inviting the co-legislators “to consider whether the original timeline can be maintained for certain obligations, such as transparency requirements, and to minimise delays to the extent possible”. The two authorities also advised against removing the registration obligation for systems that providers self-classify as non-high-risk, holding that such a change “would significantly undermine accountability”.

Second, civil society criticised the compressed timeframe and the absence of an impact assessment. The Civil Liberties Union for Europe observed that “this breakneck pace, coupled with the fact that parts of the AI Act have yet to take effect, renders this process a defeat for the rule of law. There was no impact assessment, and no meaningful consultation”, holding that the Omnibus “weakens fundamental rights protections in the AI Act, delays enforcement of key provisions, and empowers Big Tech companies”. Third, the transfer of machinery products with embedded AI towards sectoral legislation through Commission delegated acts — presented by the Council as a remedy to regulatory overlaps — was contested by civil society as “a loophole that responds to industry interests”. Finally, it cannot be overlooked that the deferral of high-risk obligations affects areas — biometrics, work, education, access to essential services — where the need to protect fundamental rights is, by definition, most intense.

Conclusions

The Digital Omnibus delivers a new and, at least on paper, more realistic calendar: 2 August 2026 for most provisions, 2 December 2026 for the nudification ban and content marking, 2 August 2027 for the sandboxes, 2 December 2027 and 2 August 2028 for high-risk. The time gained must, however, be used and not merely awaited: from the harmonised standards under development to the setting-up of management systems, substantive compliance cannot be improvised. In the light of the above, one wonders whether the deferral of the obligations will truly reconcile competitiveness with the protection of fundamental rights, or whether the time gained will resolve into a mere slippage of deadlines, unmatched by any substantive strengthening of the safeguards the AI Act is meant to secure.