The Council of the EU gave final approval on June 29, 2026 to the Digital Omnibus on AI, closing out a legislative process that began with the Commission's proposal on November 19, 2025 and passed the European Parliament on June 16, 2026 by a lopsided 423 votes in favour, 57 against, and 174 abstentions. The package amends the AI Act (Regulation 2024/1689) less than five weeks before its highest-stakes provisions were due to take effect — and it does more than just move a deadline.
The Steelman: Standards Weren't Ready
The headline change delays application of the AI Act's high-risk system obligations — the rules governing AI used in hiring, credit scoring, law enforcement, and critical infrastructure — from August 2, 2026 to December 2, 2027 for standalone systems, and to August 2, 2028 for AI embedded in regulated products like medical devices and machinery.
That delay has a real technical justification. Compliance with the high-risk rules depends on harmonised standards that CEN and CENELEC, the EU's standards bodies, were supposed to deliver by 2025. They didn't. The standards effort spans more than 1,000 experts across five working groups, and first publications aren't expected before late 2026 at the earliest. Forcing companies to self-certify against a compliance framework nobody has finished writing would have produced exactly the kind of legal uncertainty and box-ticking theater that critics of heavy-handed regulation warn about. A regulator that notices its own implementation machinery isn't ready and adjusts the calendar accordingly is doing something more responsible than a regulator that plows ahead on a fixed date regardless of facts on the ground. Member states and industry were right to push for this.
What Else Changed — Some of It Genuinely Good
The omnibus also adds a new Article 5 prohibition on AI systems designed to generate non-consensual intimate imagery — so-called "nudifier" tools — and child sexual abuse material, covering both providers who place such tools on the market and deployers who use them. That ban takes effect December 2, 2026, and it closes a gap the original AI Act's risk-tiered structure never squarely addressed: tools built for sexual abuse aren't a "high-risk" edge case to be managed, they're a harm to be prohibited outright.
Article 50's transparency and watermarking duties — the requirement that providers label AI-generated audio, video, image, and text in machine-readable form — remain on schedule for August 2, 2026, with only a narrow grace period to December 2, 2026 for systems already on the market before that date. That's a sensible calibration: watermarking is far less technically demanding than full high-risk conformity assessment, so there was no equivalent case for a multi-year delay there, and the omnibus doesn't grant one.
The Part That Isn't About Timing
Where the package goes further than the standards-gap justification can support is Article 49(2). The omnibus deletes the requirement that providers register systems in the EU's public AI database even when they determine, on their own assessment, that the system isn't high-risk after all. Sixty civil society organisations, independent public authorities, and individuals — including European Digital Rights (EDRi) — wrote to lawmakers ahead of the vote warning that removing this backstop lets providers self-exempt from the database with no independent check, turning a chunk of the AI Act's oversight architecture into what the letter called a form of self-regulation. Their estimate of the compliance saving this buys providers — roughly €100 per company — makes the trade look lopsided: a trivial administrative cost avoided in exchange for the loss of a public paper trail regulators, researchers, and journalists rely on to know which systems exist and where.
Irish MEP Michael McNamara, a lead rapporteur on the AI Act, noted that several of the changes tracked demands from US-based technology companies — raising fair questions about whose priorities shaped the final compromise.
Our Take
A regulator ought to be able to distinguish between two very different moves: adjusting a deadline because the underlying technical infrastructure genuinely isn't ready, and quietly narrowing what gets reported to the public because it's politically convenient to bundle both into one omnibus vote. The high-risk timeline extension is the former, and we'd have supported it even without the standards excuse — regulation that outruns implementable technical guidance produces compliance theater, not safety. The Article 49(2) registration deletion is the latter. It costs providers almost nothing to keep, and losing it costs everyone else visibility into a market regulators are supposed to be able to see.
The NCII and CSAM prohibition, meanwhile, is exactly the kind of narrow, harm-specific rule that a proportionate regulatory regime should be adding on a rolling basis rather than waiting for a five-year Act revision cycle. If Brussels wants credit for building AI rules that track real-world capability and harm rather than legislative fixed dates, it should take the same evidence-based posture toward the registration requirement it just weakened — and restore it in whatever technical corrigendum inevitably follows this omnibus.