On 19 November 2025, the European Commission published its "Digital Omnibus", which included a proposal to simplify the EU's Artificial Intelligence Act. The Council and European Parliament have now adopted their respective negotiating positions. They are closely aligned on several issues but less so on others, so there will be some negotiations to do during the trilogue stage.  We look at some of the key issues below.

Fixed timelines for high-risk AI systems

The Council and Parliament have proposed fixed deadlines for the rules around high-risk AI systems to apply:

• 2 December 2027 for stand-alone high-risk AI systems listed in Annex III of the AI Act (including those involving biometrics, critical infrastructure, education, employment, essential services, law enforcement, justice, and border management), and
• 2 August 2028 for AI systems embedded in products regulated under EU sectoral safety and market surveillance legislation. 

Prohibition on non-consensual AI-generated intimate imagery

Both the Council and Parliament call for a new prohibited practice under Article 5 of the AI Act, targeting AI systems capable of generating realistic, sexually explicit images or videos of identifiable individuals without their consent. The Council's text also expressly covers the generation of child sexual abuse material. Both positions exclude AI systems that incorporate effective technical safeguards to prevent users from creating such content. 

Reinstatement of registration obligations

The Commission had proposed removing the obligation for providers to register AI systems in the EU database where they self-assess those systems as non-high-risk under Article 6(3). Both the Council and Parliament have rejected this proposal and reinstated the registration requirement, whilst agreeing to streamline the information that needs to be provided. 

Sensitive personal data

The Commission proposed lowering the threshold for processing special categories of personal data to detect and correct bias from "strictly necessary" to merely "necessary," and extending this legal basis from high-risk AI systems to all AI systems and models. Both the Council and Parliament texts have reinstated the "strict necessity" standard. They also clarify that this provision does not create any positive obligation to carry out bias detection and correction using special categories of personal data.

Support for small mid-cap enterprises

Both the Council and Parliament support the Commission's proposal to extend certain regulatory support measures currently available to small and medium-sized enterprises (SMEs) to small mid-cap enterprises (SMCs), helping EU companies as they scale beyond SME status.

AI Office

Both positions reinforce the AI Office's supervisory role over AI systems based on general-purpose AI (GPAI) models where the model and the downstream AI system are developed by the same provider, including systems developed by providers belonging to the same company group. They have also said that national authorities should retain responsibility for law enforcement, border management, judicial authorities, and financial institutions. 

Commission guidance on sectoral legislation

Both co-legislators support the introduction of an obligation for the Commission to provide guidance to help economic operators of high-risk AI systems covered by sectoral harmonisation legislation to comply with the AI Act's high-risk requirements in a way that minimises the compliance burden. The European Parliament wants to make sectoral conformity assessment procedures the primary compliance pathway for AI systems embedded in products already regulated under sector-specific EU safety legislation, with the AI Act's own requirements integrated into those frameworks. 

AI literacy

The Commission and Council proposals amend the AI literacy obligation under Article 4 of the AI Act. Instead of being a binding requirement on providers and deployers, it would be a framework led by the Commission and Member States. However, the Parliament wants the original mandatory obligation on providers and deployers, though it lowers the standard from ensuring "a sufficient level of AI literacy" among staff to "supporting the improvement of AI literacy." The Parliament's position also adds a requirement for the Commission to issue practical implementation guidance and encourages public-private partnerships to support broader literacy efforts.

Watermarking

The Commission proposed a six-month grace period (until 2 February 2027) for providers to comply with Article 50(2) obligations regarding the watermarking and labelling of AI-generated audio, image, video, or text content. The Parliament has shortened this transition period to approximately three months, setting a deadline of 2 November 2026. 

Regulatory sandbox

The Council's position postpones the deadline for the establishment of AI regulatory sandboxes by national competent authorities to 2 December 2027.

Next steps

Given the Cypriot Presidency's stated ambition to reach a political agreement by April or May 2026, and the pressure to finalise amendments before the AI Act's general application date of 2 August 2026, the pace of negotiations is expected to be rapid. The European Parliament continues to work on the other aspects of the Digital Omnibus relating to data and personal data.