What the EU AI Omnibus Deal Changes for the AI Act and What Lies Ahead

At 4:30 a.m. on May 7, EU legislators reached an agreement on the AI Omnibus, the regulation amending the EU AI Act. This concludes the most arduous phase of a six-month negotiation process conducted under an exceptionally tight schedule, aimed at finalizing the whole procedure before the original August 2, 2026 deadline.

The proposal forms part of a broader, horizontal simplification effort affecting most of the EU legislative acquis to stimulate competitiveness — underpinned by the Draghi Report — and responds to industry demands.

The main changes to the AI Act

The central goal of the entire exercise — and the reason for such a tight schedule — was to postpone the application date of requirements for high-risk AI systems, which constitute the bulk of systems targeted by the AI Act. Those requirements were set to take effect imminently, before the relevant standards had even been finalized, a situation widely deemed unworkable for industry. Under the new rules, AI systems touching on fundamental rights will need to comply by December 2, 2027, while systems embedded in regulated products will have until August 2, 2028. Systems subject to transparency and watermarking requirements must still comply by this August, though those already on the market will be granted additional leeway until December 2 of this year.

The final text also confirms an expansion of the ability to use sensitive personal data for bias detection and correction — something the GDPR limits and requires specific justification to permit — to all AI systems, covering both providers and deployers, subject to safeguards. This provision was among the most sensitive and drew opposition from civil society, which raised concerns about the broadening of data collection practices and the potential harm to fundamental rights. Nevertheless, legislators across the board agreed that bias mitigation constitutes a legitimate public interest comparable to personal data protection, and the final text shifts the balance more toward the former than the original AI Act had done, where this possibility was far more circumscribed.

The AI literacy obligation for providers and deployers has been made less stringent — closer to an obligation of means than a strict obligation of result — and will be supported by direct assistance from the Commission and Member States, including shared resources and repositories of AI literacy courses.

Among the more substantial changes, the AI Omnibus introduces a new ban on "nudifier tools." This was not part of the Commission's original proposal and is already partially addressed through the Digital Services Act, the Directive on Violence Against Women, and national criminal law. However, the wave of sexual deepfakes generated by Grok last winter — involving millions of cases — prompted both Parliament and Member States to intervene directly at the level of AI models themselves, requiring providers to take measures to prevent such content from being generated in the first place. The ban also extends to child sexual abuse material (CSAM) and will apply from December of this year.

The industrial AI standoff

The issue that kept co-legislators locked in protracted negotiations and nearly derailed the entire process just one week ago was the treatment of industrial AI. The AI Act had included, among high-risk use cases, regulated products — such as machinery, toys, connected devices, and medical devices — that incorporate AI systems as safety components. Parliament's negotiating mandate, in this instance the most vocal advocate of industry's concerns, sought to exempt all these sectors from the Act entirely. Its argument: they are already heavily regulated, and an additional layer of oversight would create burdensome duplication and costs. Parliament's preferred alternative was to have the Commission incorporate AI-related requirements into the respective sectoral legislation at some unspecified future date.

This approach would have undermined the Act's horizontal architecture, risked inconsistency across different sector-specific AI provisions, created serious capacity problems within the standardization bodies currently finalizing the norms that will help companies implement the AI Act's requirements, added pressure on the Commission's resources, and left these sectors in legal limbo until their respective legislation was updated. Industry's push for this outcome was relentless. It found little sympathy among most Member States, but did find a receptive ear in German Chancellor Merz, who took up the cause personally and — disregarding his own coalition partner, SPD — lobbied both other Member States and the Commission directly as negotiations entered their critical phase.

The result was a deadlock a week ago, with the EPP allegedly acting on cues from Berlin and the Commission — initially firmly opposed — beginning to soften its position. A rapid regrouping led to a second attempt, held last night. Industry's advocates evidently used the intervening time to bring more Member States around to Germany's position — securing the backing of two key players, France and Italy — and to soften the Council's mandate enough to make it more amenable to Parliament's firm demands, even if the Council's overall stance remained limited in scope. In the end, only the machinery sector — one out of twelve — was carved out of the AI Act's framework. Even so, it remains tethered to the Act through bridging standards deliverables, and the Commission is bound to incorporate adequate AI-related requirements before the deadline by which other sectors must comply (August 2, 2028).

Other, less contentious changes include streamlining of obligations and certification procedures, further centralization of enforcement for certain systems in the hands of the AI Office, the establishment of an EU-level regulatory sandbox, and an extension of SME privileges to small mid-cap companies. The overarching narrative of the proposal — and of the broader Omnibus process — is simplification, and the final text does deliver some. The core requirements and obligations, however, remain substantively unchanged.

What lies ahead

All in all, the process can be considered a qualified success: negotiators managed — just barely, at the finish line — to conclude it quickly enough to replace the August 2, 2026 deadline in time, and to keep the changes relatively targeted.

That said, the outcome has left stakeholders from both civil society and industry frustrated rather than relieved. The left wing of Parliament — clearly in the minority in the current term — chose to spend its political capital on securing the new nudifier ban, ceding ground to the right to go all-in on its industry-friendly priorities. The left's gamble was that both the Commission and the Member States would resist the proposed exemption of regulated sectors from the Act — as indeed seemed likely until recently — forcing the right to ultimately yield on its key demand. The pressure from industry and from Chancellor Merz's CDU put that strategy squarely in the crosshairs and nearly caused it to collapse. The final outcome is reasonably balanced, all things considered.

It does, however, generate additional burdens and responsibilities for both the Commission and standardization bodies that will require close monitoring in the months ahead. And critically, the AI Omnibus is only a precursor to the more consequential digital simplification package: the Data Omnibus.

The expanded ability to process sensitive personal data for bias mitigation is just one piece of a broader relaxation of measures currently shielding personal data from AI systems. It is the GDPR simplification — contained in the Data Omnibus’ draft proposal — that will carry the most far-reaching implications for AI and fundamental rights, ranging from narrowing the definition of personal data to recognizing AI training as a legitimate interest for data processing.

Because the GDPR faces no imminent deadlines, that process will unfold more slowly — and could prove far more disruptive — particularly given a Parliament strongly inclined to prioritize industry's concerns over regulatory burden, and a Germany on high alert to maximize the impact of the Omnibus wave in support of its own struggling companies.