HomeInsightsAI Act Omnibus 2026

AI Act Omnibus — What Is Changing in the EU AI Act (2026)

Published: 17 May 2026 | Last updated: 17 May 2026

On 7 May 2026 the Council of the EU and the European Parliament reached an agreement on targeted amendments to the AI Act. The so-called “AI Omnibus” postpones the deadlines for high-risk systems, introduces a new prohibition and eases the regime for smaller enterprises. In this article you will learn what is changing and what it means for businesses in Bulgaria.

What the AI Omnibus is and why the EU is changing the rules

The AI Act (Regulation (EU) 2024/1689) is the first comprehensive legal framework for artificial intelligence in the European Union. It introduces a risk-based approach — the obligations of providers and deployers depend on how risky the relevant artificial intelligence (AI) system is.

On 7 May 2026 the Council of the EU and the European Parliament reached a provisional political agreement on targeted amendments to the Act. It forms part of the European Commission’s broader initiative to simplify digital legislation (the “Digital Omnibus”). The reason is practical: much of the harmonised technical standards and guidance needed to apply the requirements for high-risk AI is not yet ready — and without it, businesses would struggle to achieve compliance within the original deadlines.

The agreement does not change the core structure of the Act. The risk-based approach and the general obligations of providers and deployers are preserved. The changes mainly affect the deadlines, the scope and certain reliefs.

Important: as at the date of publication, the AI Omnibus is a provisional agreement. It still has to be formally adopted by the European Parliament and the Council in order to take effect. This is expected to happen before 2 August 2026. The deadlines set out below should therefore be confirmed against the final adopted text.

The four risk levels under the Act

To understand exactly what the AI Omnibus postpones, it is helpful to recall the structure of the Act. It allocates AI systems into four categories according to the risk they carry:

  • Unacceptable risk — prohibited practices. Systems that conflict with fundamental rights — for example social scoring or subliminal manipulative techniques. They are entirely prohibited.
  • High risk. Systems used in sensitive areas — recruitment, creditworthiness assessment, biometrics, critical infrastructure — or embedded in regulated products. They carry the most extensive obligations.
  • Limited risk — transparency obligations. Systems such as chatbots and generative AI, where the user must know that they are interacting with AI or that the content is artificially created.
  • Minimal risk. All other systems — for example spam filters or AI in video games. The Act introduces no special obligations for them.

The AI Omnibus mainly affects the first three levels: it postpones the deadlines for high-risk AI, adds a new prohibited practice and refines the transparency obligations. Minimal-risk systems remain unaffected.

The new deadlines for high-risk AI

High-risk AI systems carry the heaviest obligations under the Act — risk management, data governance, technical documentation, transparency, human oversight, accuracy and cybersecurity. It is precisely their deadlines that are being extended most significantly.

CategoryOriginal deadlineNew deadline
Standalone high-risk systems (under Annex III — e.g. recruitment, creditworthiness assessment, biometrics)2 August 20262 December 2027
High-risk AI embedded in regulated products (under Annex I — e.g. medical devices, machinery, toys)2 August 20272 August 2028

The extension applies prospectively: systems placed on the EU market before the relevant date will, as a rule, not be subject to the high-risk AI requirements, unless they undergo a substantial modification after that date.

A tip from our practice: the postponement is not a reason to wait. The harmonised standards may be published only close to the new deadlines, leaving little time for bringing systems into compliance. We recommend that businesses use the additional time to complete the classification of their systems and build a risk-management framework.

A new prohibition: AI for non-consensual intimate content

Beyond postponing deadlines, the agreement also expands the list of prohibited practices. To the prohibitions under Art. 5 of the Act — which have applied since 2 February 2025 and cover, for example, social scoring and subliminal manipulative techniques — a new prohibition is added.

From 2 December 2026, the placing on the market and the use of AI systems designed to generate or manipulate sexual or intimate content without the consent of the person depicted, as well as child sexual abuse material, is prohibited. This also covers “nudifier” applications, as well as systems that lack reasonable safeguards against such misuse.

Infringements of the prohibited practices are backed by the highest penalties under the Act. Developers should therefore anticipate possible misuse already at the design stage and build in appropriate technical safeguards.

Transparency and labelling of AI-generated content

The agreement does not change the scope of the transparency obligations under Art. 50 of the Act. They remain two main groups:

  • Disclosure obligations — users must be informed when they interact with an AI system (for example a chatbot), as well as in the case of emotion-recognition systems and deepfakes.
  • Watermarking — content generated or manipulated by AI must be labelled as artificially created in a format that can be read by machines.

The obligations under Art. 50 apply from 2 August 2026. The agreement, however, introduces relief: generative AI systems placed on the market before that date must comply with the watermarking requirements only from 2 December 2026. The European Commission has also published draft guidelines and a code of practice that clarify how to fulfil these obligations in practice.

Relief for businesses and narrowing of the scope

Beyond the deadlines, the agreement introduces several measures that reduce the burden of the regime:

  • Relief for medium-sized enterprises — the simplified compliance framework that until now applied only to small and medium-sized enterprises is being extended to companies with up to 750 employees and up to EUR 150 million in annual turnover. It includes simplified guidance, reduced fines, access to regulatory sandboxes and standardised documentation templates.
  • Carve-out for industrial AI — AI in industrial applications and products already governed by the Machinery Regulation is removed from the scope of the Act, to avoid duplication of requirements.
  • Narrower definition of “safety component” — regulated products with AI functions that merely assist the user or optimise performance will not automatically fall within the high-risk AI regime, provided that a malfunction does not create a health or safety risk.
  • Bias detection — the use of special categories of personal data (for example health data or biometric data) is made easier where this is necessary to detect and mitigate bias in AI models.

Fines and what already applies

The extended deadlines do not mean the risk has gone away. Part of the Act already applies, and the penalties are significant:

  • The prohibited practices under Art. 5 have applied since 2 February 2025. Infringements are penalised with a fine of up to EUR 35 million or up to 7% of worldwide annual turnover — whichever is higher.
  • The rules for general-purpose AI models have applied since 2 August 2025.
  • Infringements of the transparency obligations under Art. 50 may lead to a fine of up to EUR 15 million or up to 3% of worldwide annual turnover.

It should also be borne in mind that AI systems often process personal data and are therefore also subject to the General Data Protection Regulation (GDPR). Data protection supervisory authorities are already actively enforcing the GDPR in the AI context — including the rules on data minimisation, transparency and security.

What businesses should do now

For companies that develop or deploy AI systems, we recommend the following steps:

  1. Make an inventory of the AI systems in use — both developed in-house and purchased or integrated into products and processes.
  2. Classify each system by risk — prohibited practice, high-risk system, system with a transparency obligation, or minimal-risk system.
  3. Use the extended time — complete the classification, build a risk-management framework and prepare the technical documentation, without waiting for the final deadlines.
  4. Check the transparency obligations — if you use a chatbot or generative AI, ensure disclosure to users and labelling of the generated content.
  5. Align compliance with the GDPR — where a system processes personal data, the AI Act regime and the GDPR regime must be applied together.
  6. Monitor the final text — the AI Omnibus deadlines will become definitive only after the amendment is formally adopted.

Frequently asked questions

Has the AI Omnibus entered into force?

Not yet. On 7 May 2026 the Council of the EU and the European Parliament reached a provisional political agreement. It must be formally adopted by both institutions in order to have legal effect — this is expected to happen before 2 August 2026. Until the final text is adopted, the deadlines stated should be regarded as expected.

When do the requirements for high-risk AI take effect?

Under the agreement, the requirements for standalone high-risk systems under Annex III are postponed until 2 December 2027, and those for high-risk AI embedded in regulated products under Annex I — until 2 August 2028. The original deadlines were 2 August 2026 and 2 August 2027 respectively.

What does the agreement newly prohibit?

From 2 December 2026, the placing on the market and the use of AI systems designed to generate or manipulate intimate content without consent, as well as child sexual abuse material, is prohibited. This also covers “nudifier” applications.

Does the AI Omnibus affect small and medium-sized enterprises?

Yes, in a positive direction. The simplified compliance framework that applied to small and medium-sized enterprises is being extended to companies with up to 750 employees and up to EUR 150 million in annual turnover. It includes simplified guidance, reduced fines, access to regulatory sandboxes and standardised documentation templates.

When must AI-generated content be labelled?

The transparency obligations under Art. 50 of the Act apply from 2 August 2026. Under the agreement, however, generative AI systems placed on the market before that date must comply with the watermarking requirements only from 2 December 2026.

What are the fines under the AI Act?

Infringements of the prohibited practices under Art. 5 are penalised with a fine of up to EUR 35 million or up to 7% of worldwide annual turnover, whichever is higher. Infringements of the transparency obligations under Art. 50 may lead to a fine of up to EUR 15 million or up to 3% of turnover.

Should I wait for the new deadlines before starting preparation?

No. The postponement gives time but does not remove the obligations. The harmonised technical standards may be ready only close to the new deadlines, leaving little time to react. We recommend that businesses start classifying their systems and building a risk-management framework now.

Legal notice: This article is for informational purposes only and does not constitute individual legal advice. As at the date of publication, the AI Omnibus is a provisional agreement subject to formal adoption. For a specific situation, consult a qualified lawyer.

Need Assistance?

The Innovires Legal team can classify your artificial intelligence systems by risk, prepare the necessary documentation and bring your activity into compliance with the AI Act and the GDPR.