The Council of the EU has given its final green light to the Digital Omnibus on AI, which updates the EU's Artificial Intelligence Act. It should be published in the Official Journal shortly and enter into force three days later. The key message is that although some deadlines have changed, you still need to be planning for them.
Labelling
Article 50(2) requires that outputs are marked in a machine-readable format, disclosing that the content was artificially generated or manipulated. Providers of AI systems generating synthetic audio, image, video or text content that were placed on the market before 2 August 2026 must comply with Article 50(2) by 2 December 2026. Any such systems placed on the market on or after 2 August 2026 must comply with Article 50(2) from 2 August 2026.
If you deploy genAI tools that produce customer-facing content such as marketing copy, synthetic voiceovers, AI-generated imagery and chatbot responses, you need to make sure that systems can comply with these obligations in time.
High-risk AI systems: confirmed deadlines
The regulation sets out two dates for the AI Act's high-risk rules:
- 2 December 2027 for stand-alone high-risk AI systems classified under Article 6(2) and Annex III (see our article here) on examples of high-risk systems); and
- 2 August 2028 for high-risk AI systems embedded in products regulated under EU sectoral safety legislation (ie classified under Article 6(1) and Annex I).
These dates give operators a clear timetable. Given these later dates, there is a bit more breathing space in which to get your business ready, but the complexity of these systems means that this time is likely to pass quickly.
New prohibitions: intimate imagery and CSAM
From 2 December 2026, Article 5 will ban two new categories of AI system outright:
- systems that generate or manipulate realistic intimate images, videos, audio or similar material of an identifiable person without their freely given, specific, informed, unambiguous and explicit consent; and
- systems that generate or manipulate child sexual abuse material within the scope of Directive 2011/93/EU, subject to a "without right" defence under national law.
The prohibition is nuanced. For providers, for example, it applies only where generation or manipulation is the system's intended purpose, or where it is a reasonably foreseeable and reproducible outcome and reasonable technical safeguards are not in place to prevent it and correct reported misuse.
AI literacy: mandatory but measured
Article 4 now requires providers and deployers to take measures supporting AI literacy among staff and others who operate AI systems on their behalf. But the law does not demand that organisations guarantee a "sufficient level" of literacy for each individual. In other words, no specific outcome is required. The Commission and Member States must support these efforts.
For compliance teams, this means documenting training and awareness programmes, but not, say, certifying individual competence.
Registration
The Commission's attempt to drop registration for Annex III AI systems that providers self-assess as not high-risk under Article 6(3) did not survive the legislative process. The obligation to register those systems in the EU database remains, although the Annex VIII information requirements have been simplified. Providers must still document their Article 6(3) assessment before placing the system on the market or putting it into service, and national competent authorities may request that assessment.
Sensitive data
On sensitive personal data, processing special categories of personal data for bias detection and correction is permitted only to the extent that is "strictly necessary." This applies to providers of high-risk systems and to providers and deployers of other AI systems subject to strict safeguards and conditions.
Sectoral legislation and the Machinery Regulation
Where sector-specific EU law already imposes AI requirements like the AI Act's, implementing acts may now limit duplication by disapplying overlapping AI Act obligations in those specific cases. The Commission must also issue guidance helping operators comply with both regimes at minimal burden.
The AI Act will not apply directly to products covered by the Machinery Regulation. Instead, the Commission may adopt secondary legislation under the Machinery Regulation adding health and safety requirements for high-risk AI systems. For manufacturers of industrial robots, autonomous vehicles and other machinery, this means compliance through a more familiar regulatory channel.
Regulatory sandboxes and the AI Office
National authorities now have until 2 August 2027 to establish at least one AI regulatory sandbox, which is later than originally required. The AI Office may also create a EU-level sandbox for systems covered by Article 75(1), with priority access for SMEs, start-ups and small mid-cap enterprises.
SMEs and small mid-cap enterprises
Regulatory support measures, including sandbox priority access, now extend to small mid-cap enterprises, plugging a gap that previously left growing companies without support the moment they exceeded SME thresholds.
Practical takeaways for in-house teams
- Map your AI estate now, including both internally developed tools and third-party systems, and identify which systems generate synthetic content, may fall within Annex III, or are embedded in regulated products.
- Prioritise Article 50 transparency readiness. The delay is limited. Systems placed on the market before 2 August 2026 have until 2 December 2026, but newer systems must comply from 2 August 2026.
- Do not let the high-risk deadline extensions slow preparatory work. The confirmed 2027 and 2028 dates provide more time, but classification, supplier engagement, technical documentation and governance work will still be substantial.
- Review acceptable use policies and product safeguards in light of the new Article 5 prohibitions, particularly for tools capable of generating or manipulating realistic images, video, audio or other person-related content.
- Document AI literacy measures in a proportionate way. In-house teams should be able to evidence training, guidance and awareness activity for staff and other users, without over-engineering individual certification processes.
- Keep registration and Article 6(3) assessments on the compliance checklist. Even where a provider concludes that an Annex III system is not high-risk, the assessment should be documented and capable of being shared with regulators.
- Check whether sector-specific regimes may affect the compliance route, especially for products covered by EU safety legislation or the Machinery Regulation.
- Use the extra time to build a practical AI governance framework: clear ownership, procurement controls, supplier due diligence, data protection checks, incident reporting routes and board-level visibility of material AI risks.




