EU gives final green light to Omnibus AI reforms in regulatory shake-up

The EU has officially approved the final text of its AI Omnibus reforms, marking the first significant update to the implementation of the landmark AI Act since it was adopted. The changes are designed to simplify compliance and reduce regulatory burdens, especially for small and medium-sized businesses. They also signal a more pragmatic phase of AI regulation in Europe.

For businesses operating in the EU, compliance deadlines may have shifted, but expectations have not. Organisations that use or develop AI should be using this additional time to strengthen governance.

For UK companies, the reforms are equally significant. The UK is pursuing its own, more principles-based approach to AI regulation, but any business placing AI systems on the EU market or serving EU customers will still need to comply with the AI Act.

A shift from legislation to implementation

The Omnibus reforms are part of the EC’s wider simplification agenda aimed at reducing unnecessary regulatory complexity while improving European competitiveness.

The reforms focus on making implementation of the AI Act more practical. They provide greater legal certainty, remove duplication between different regulatory regimes and give businesses more realistic implementation timelines without weakening protections against harmful AI uses.

The focus is moving away from debating what should be regulated in AI towards helping organisations understand how to comply in practice.

The biggest changes 

Perhaps the most significant development is the postponement of the rules governing high-risk AI systems.

Standalone high-risk AI systems will now become subject to the AI Act from 2 December 2027, while AI systems embedded within regulated products, such as medical devices or machinery, will not be fully covered until 2 August 2028.

For many organisations, this provides valuable additional preparation time. But many other AI Act obligations remain unchanged or arrive much sooner.

The reforms also introduce an explicit prohibition on AI systems that generate non-consensual intimate imagery or AI-generated child sexual abuse material. These bans will apply from December 2026, reflecting the EU’s continued commitment to tackling the most harmful uses of generative AI.

Transparency obligations have also been tightened. Providers will now have only a three-month grace period to implement technical solutions identifying AI-generated content, bringing the compliance deadline forward to December 2026.

Meanwhile, national AI regulatory sandboxes, designed to help organisations test innovative AI systems under regulatory supervision, have been delayed until August 2027.

Another welcome change is greater clarity on how the AI Act interacts with existing sector-specific legislation covering products such as medical devices, machinery, toys and other regulated products. By reducing overlapping requirements, businesses operating in heavily regulated industries should face less duplication during compliance.

The AI literacy obligation has also been softened from a strict requirement to more of a “best efforts” expectation, offering organisations greater flexibility in how they build AI competence across their workforce.

What this means for EU companies…

For organisations established within the EU, the reforms should reduce uncertainty rather than reduce responsibility.

Many businesses have been struggling to understand how the AI Act would interact with existing regulatory frameworks. The new provisions help clarify supervisory responsibilities, reduce overlapping obligations and provide additional implementation guidance, particularly for companies already subject to sector-specific safety regulations.

The additional time should allow organisations to build more mature AI governance programmes, conduct meaningful risk assessments and integrate AI compliance into existing compliance, privacy and cybersecurity frameworks rather than rushing to meet unrealistic deadlines.

…and for UK businesses 

Although the UK has deliberately chosen not to introduce an equivalent AI Act, many UK organisations remain firmly within the scope of the European legislation.

Any UK company that develops, supplies or deploys AI systems within the EU market, or whose AI outputs are used in the EU, may still be required to comply with the AI Act regardless of where it is headquartered.

This means UK companies with European operations cannot afford to view the AI Act as purely an EU issue. In fact, the growing divergence between UK and EU AI regulation means many organisations will increasingly need dual compliance strategies. While UK regulators continue to rely on existing legislation and sector-specific guidance, EU regulators are implementing one of the world’s most comprehensive AI regulatory regimes.

For multinational businesses, governance programmes should therefore be designed around the highest applicable standard rather than separate compliance models wherever possible.

The future of AI legislation?

The Omnibus reforms are likely to shape how AI regulation evolves both inside and outside Europe.

Rather than introducing entirely new obligations, policymakers are increasingly focused on improving implementation, reducing unnecessary administrative burdens and making regulation more workable for businesses.

This reflects growing recognition that successful AI governance depends not only on strong legal safeguards but also on practical, achievable compliance requirements.

The reforms may also influence future AI legislation beyond Europe. Regulators in the UK and elsewhere are closely watching how the AI Act operates in practice. If the EU succeeds in balancing innovation with effective oversight, elements of its implementation model could inform future regulatory approaches internationally.

At the same time, the new prohibitions on harmful generative AI content demonstrate that Europe remains willing to move quickly where significant societal risks emerge.

What should organisations do now?

Despite the revised timelines, organisations should resist the temptation to delay AI compliance programmes.

The most effective organisations are already identifying where AI is being used across the business, classifying systems according to risk, reviewing transparency obligations and establishing governance frameworks that can evolve alongside regulation.

Businesses should also be evaluating contracts with AI vendors, documenting decision-making processes, assigning clear internal accountability and improving AI literacy across technical and non-technical teams.

Those operating in regulated sectors should review how the AI Act will interact with existing product safety, medical device or financial services requirements to avoid duplicated compliance efforts.

Perhaps most importantly, organisations should recognise that AI governance is becoming a core element of corporate risk management rather than simply another legal compliance exercise.

The Omnibus reforms offer businesses clearer implementation pathways and more realistic timelines. But they also indicate that AI governance is becoming a permanent feature of doing business in Europe.
