On 29 June 2026, the Council of the European Union definitively approved the new “Digital Omnibus on AI” Regulation. This is a measure amending Regulation (EU) 2024/1689 (the “AI Act”) and other related legislation, with the main objective of simplifying the application of artificial intelligence rules and reducing bureaucratic burdens for businesses, providers and users, referred to as “deployers”, while maintaining a high level of protection of fundamental rights.
Key dates to remember
| 2 December 2026 | 2 August 2027 | 2 December 2027 | 2 August 2028 |
|---|---|---|---|
| The two new prohibitions added to Article 5 of the AI Act become applicable | Deadline for establishing regulatory sandboxes in the Member States | Rules applicable to standalone high-risk AI systems (“non-embedded”) | Rules applicable to high-risk AI systems embedded in products |
Deferral of deadlines for high-risk systems
One of the most significant changes concerns the deferral of the deadlines laid down for high-risk artificial intelligence systems. In particular, the rules will become applicable: on 2 December 2027 for standalone high-risk systems, i.e. systems that operate independently, referred to as “non-embedded” systems; on 2 August 2028 for systems embedded in products. The deadline by which Member States must also establish at least one “AI regulatory sandbox”, i.e. a controlled environment for testing new technologies, has been postponed to 2 August 2027.
Two new prohibitions from 2 December 2026
The Regulation also introduces two new prohibitions, in addition to those already provided for under Article 5 of the AI Act, which will become applicable from 2 December 2026. These prohibitions concern the use of artificial intelligence to create or manipulate, without the consent of the person concerned, realistic intimate images or videos, namely sexual deepfakes, and child sexual abuse material.
Simplification and coordination with sector-specific legislation
From a simplification perspective, the Regulation addresses the issue of overlaps between the AI Act and sector-specific legislation, such as rules on medical devices or toys. In such cases, duplication may be avoided: where special legislation already ensures equivalent or higher safeguards, certain obligations under the AI Act may not apply.
In addition, Regulation (EU) 2023/1230 on machinery is now included in the list of sector-specific legislation in Annex I to the AI Act. This means that safety requirements relating to artificial intelligence will be directly integrated into the machinery regulatory framework.
Personal data protection developments
The Regulation also addresses the relationship with personal data protection legislation. In particular, two key developments are introduced. The first concerns a new legal basis allowing providers of high-risk AI systems to process, in exceptional cases and subject to strict safeguards, personal data belonging to special categories of data within the meaning of Article 9 GDPR, for the purpose of detecting and correcting potential algorithmic distortions, commonly referred to as “bias”.
The second development provides for the possibility of coordinating the fundamental rights impact assessment (FRIA) with the data protection impact assessment already provided for under the GDPR (DPIA), thereby avoiding unnecessary duplication.
Entry into force
The Regulation will enter into force on the third day following its publication in the Official Journal of the European Union.