Who is affected

The amendments are particularly relevant for providers and deployers of high-risk AI systems where the main obligations are postponed, and providers and deployers of industrial AI products where significant de-regulation is expected.

The Omnibus is also especially relevant for SMEs, start-ups and small mid-cap enterprises, as the final text extends or clarifies several simplification and support measures for these businesses.

Key changes

• Obligations on providers and deployers of high-risk AI systems are postponed to 2 December 2027 for stand-alone high risk AI-systems, and 2 August 2028 for AI embedded in regulated products (such as such as medical devices, machinery, and vehicles).
• New prohibited AI practices relating to AI systems that generate or manipulate realistic non-consensual intimate material and child sexual abuse material, requiring providers to design AI systems in a manner that prevents misuse for these purposes, such as content filtering and abuse reporting.
• The legal basis for processing special category personal data for bias detection and protection is extended to providers of other AI systems than high-risk, and GPAI-models.
• “Small mid-cap” companies (fewer than 750 employees or annual turnover/balance sheet below 150MEUR / 129MEUR) may follow simpler templates for technical documentation that must be accepted by regulators, proportionate quality management requirements, priority access to regulatory sandboxes and lower potential fines.
• More opportunities for testing high-risk AI systems in real world conditions, subject to applicable safeguards.
• AI systems incorporated in products subject to the EU Machinery Regulation are exempted from the scope of the act. For AI systems incorporated into products subject to safety requirements in other EU legislation, the EU Commission is given the right to limit the application of requirements under the AI Regulation to avoid double regulation.
• The concept of a “safety component” is clarified, which is important for determining whether certain AI systems are high-risk. AI systems used solely for non-safety related user assistance, performance optimization, service efficiency, automation, convenience or quality control will not as a starting point qualify as safety components.
• High-risk AI systems within the scope of the Cyber Resilience Act will be deemed to comply with the AI Act’s cybersecurity requirements where the relevant conditions under the Cyber Resilience Act are met.

Recommended actions

• Update AI Act implementation roadmaps to reflect the final Omnibus dates for high-risk AI systems, new prohibited practices and transitional rules.
• Refresh AI inventories and classification assessments.
• Review generative AI safeguards against misuse for non-consensual intimate material and child sexual abuse material.

---

Contact us