The Digital Omnibus Regulation on Artificial Intelligence

Background to the ‘Digital Omnibus Regulation on AI’

On 19 November 2025, the European Commission published the first drafts of the so-called Digital Omnibus. The term “Omnibus” refers to several comprehensive legislative packages aimed at simplifying the EU’s digital legal framework, eliminating duplication and making implementation more practical for businesses.

In addition to proposed amendments to legal acts such as the GDPR, the e-Privacy Directive, the NIS2 Directive and the Data Act, the extensive package contains proposals to amend the EU AI Act, also referred to as the “Digital Omnibus Regulation on AI” (Digital Omnibus on AI) or AI Omnibus.

With this initiative, the European Commission aims to address several challenges identified during consultations in relation to the EU AI Act. For example, it seeks to address delays in establishing standards for regulations on high-risk AI systems, as well as in the designation of national competent authorities and conformity assessment bodies.

In March 2026, the European Parliament and the Council adopted the negotiating positions and agreed on a general approach. The agreement is currently in the voting phase, before the European Council is expected to formally adopt the texts. For the amendments to take effect in time, the current regulatory framework must be formally adopted and published in the Official Journal of the EU before 2 August 2026.

What is already becoming clear: The AI Omnibus aims to simplify implementation, not to fundamentally reorient the content of the AI Act. The aim of the process is to bring about a more efficient and consistent implementation of existing obligations.

The expected changes

Under the AI Omnibus, companies expect significant changes regarding prohibited AI practices, extended deadlines for high-risk AI and transparency obligations (machine-readable labelling), the relaxation of the AI competence requirement (Article 4), less duplication of regulation in the areas of product and machinery law, and greater scope for the processing of sensitive personal data to identify and correct bias. In addition, targeted amendments are planned to ease the regulatory burden on SMEs and small mid-caps.

For banks and financial institutions, the planned deadline extensions in the area of high-risk AI and transparency obligations are of particular significance. For AI systems in the fields of biometrics, critical infrastructure, education, employment, private and public services, law enforcement, migration, asylum and border control management, as well as the administration of justice and democratic processes (Annex III, EU AI Act), the deadline is extended from 2 August 2026 to 2 December 2027, whilst high-risk AI systems incorporated into regulated products such as toys or lifts (Annex I, EU AI Act) are to be granted an extension to 2 August 2028. Banking products typically affected by these changes generally operate in areas such as creditworthiness checks or human resources management processes.

The deadline for machine-readable labelling of synthetic content under Article 50(2), also known as the watermarking requirement, which applies as soon as an AI system is classified as a low-risk AI system, is also to be postponed to 2 December 2026, thereby extending it by a further four months. The transparency obligations under the EU AI Act essentially impose requirements regarding the labelling, disclosure and technical marking (watermarking) of AI-generated content.

With regard to the extended deadline, it is important to distinguish between existing AI systems and new AI systems. Whilst existing AI systems may align with the new deadline, new AI systems introduced after the original deadline of 2 August 2026 must comply with it. It is also important to understand that the core obligations under Article 50(1), (3) and (4) will become applicable on 2 August 2026 and are not affected by the Digital Omnibus.

More time does not mean fewer responsibilities

Deadlines may be postponed, but the fundamental obligations remain. Anyone operating AI systems in a regulated environment must monitor them. More lead time is an opportunity for better governance, not an argument for postponing structural work. From a business perspective, the political agreement initially brings greater planning certainty. Key high-risk obligations are now linked to a more realistic timetable. From a fundamental rights perspective, however, this can also be viewed critically. The later high-risk obligations come into effect, the longer certain safeguards remain incomplete. The most accurate characterisation of the Digital Omnibus Regulation on AI therefore lies somewhere in the middle, as it represents neither a complete departure from the AI Act nor a purely technical correction. Rather, it is a political readjustment of the implementation roadmap, which gives companies time but does not mean an exemption from obligations.

What banks should be doing now

In November 2025, the European Banking Authority (EBA) published a factsheet on the impact of the AI Act on the EU banking and payments sector. The conclusion: no significant conflicts were identified between the AI Act and existing EU banking regulations. The AI Act complements the existing framework but does not replace it. Financial institutions that already implement outsourcing requirements, DORA and traditional risk management have a solid foundation, but must specifically extend these frameworks to include AI-specific requirements. A workable AI governance framework must include, at a minimum, a complete inventory of all AI systems in use, including third-party providers; clearly defined responsibilities for business, technical and compliance roles; a transparent risk classification of use cases; a robust documentation standard; monitoring processes; and structured change management processes for model or data changes.

The additional time that can be gained through the AI Omnibus should therefore be used for structured governance work.

These recommendations apply regardless of whether the final legal text corresponds exactly to the current indications. Those who take a structured approach now will create a more robust compliance framework and be able to respond flexibly in the next regulatory cycle.

Conclusion

The political agreement on the Digital Omnibus Regulation on AI of 7 May 2026 defers key obligations under the EU AI Act, simplifies certain implementation issues and, at the same time, introduces new prohibitions on particularly harmful AI applications. This gives companies more time, but does not constitute a regulatory reprieve.

Key deadlines at a glance

The general transparency requirements under Article 50 (paragraphs 1, 3 and 4) apply from 2 August 2026. The watermarking requirement (Article 50(2)) applies from the same date for new systems, whilst existing systems are granted an extended deadline until 2 December 2026. High-risk AI systems under Annex III (including creditworthiness checks and HR screening) must be compliant by 2 December 2027, whilst high-risk AI systems integrated into regulated products under Annex I must be compliant by 2 August 2028. Standalone high-risk systems under Article 6(2) in conjunction with Annex III have also been postponed to 2 December 2027 (from the original date of 2 August 2026).

The final text of the legislation is still pending, but the direction is sufficiently clear. The Omnibus must be published in the Official Journal of the EU by 30 July 2026 at the latest so that it can enter into force on 2 August. Following the EP vote (expected on 16 June 2026) and the Council’s approval (expected on 29 June), the signing is expected on 8 July, followed by publication in the Official Journal between 18 and 25 July. Further guidance from the Commission, as well as clarifications on the interaction between the EU AI Act and sector-specific financial legislation, will follow in the coming months.

The key message for banks and financial institutions remains unchanged: those who use the time gained to complete AI inventories, establish control frameworks and integrate governance structures with DORA and the GDPR will be significantly better positioned, regardless of what the final consolidated legal text ultimately stipulates. For the direction is clear enough to continue working in a structured manner now.