In November 2025 the European Commission published its “Digital Omnibus Package”, meaning its proposals to reform data and cyber laws (the GDPR, ePrivacy Directive, Data Act, Data Governance Act and the NIS2 Directive) and the EU AI Act. The proposals to update the AI Act have been separated out, because of the need to move quickly to extend deadlines that are currently due to become applicable in August. Please see our previous articles for an overview of the Digital Omnibus proposals and the EDPB and EDPS Joint Opinion on the AI Digital Omnibus proposals. On 13 March, the European Council adopted its position on the AI Digital Omnibus, which reflects some of the concerns raised in the EDPB and EDPS Joint Opinion. On 26 March, the European Parliament adopted its position. The Council and the Parliament will now begin negotiations with the Commission to agree the final version of the amendments to the AI Act.
The key points of the institutions’ negotiating positions are:
High-risk AI: extension of compliance deadlines
At present, the AI Act’s core obligations on providers and deployers of high-risk AI systems are due to become applicable in August 2026. The Council agrees with the Commission’s proposal to extend the deadline, but inserts the fixed dates of 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products. The Parliament agrees with these dates.
AI transparency: extension of grace period
The AI Act' contains transparency or “watermarking” obligations for AI systems placed on the market before 2 August 2026, which are also due to become applicable on that date. The Commission proposed extending the compliance deadline until 2 February 2027, but the Parliament has proposed a shorter extension until 2 November 2026.
Use of special category data for bias detection and correction
The Commission proposed extending, in certain circumstances, the right to process special category data (as defined in the GDPR) for the purpose of ensuring bias detection and correction (which is currently limited to providers of high-risk AI systems where it is strictly necessary) to deployers of high-risk systems and models and providers and deployers of other types of AI systems. The Council’s proposal reinstates the requirement that special category data may only be processed for this purpose where it is strictly necessary. The Parliament supports this approach, subject to amendments to clarify the scope of the right.
Registration of high-risk AI systems in the EU database
The Digital Omnibus proposes providing an exemption from the obligation for providers to register AI systems in the database for high-risk AI systems where the system does not pose a significant risk of harm to health, safety or fundamental rights. The Council’s amended draft reinstates the obligation to register AI systems where the provider does not consider that it poses a significant risk, but recommends simplifying the registration requirements. The Parliament supports this approach.
AI literacy
The Council has retained the Commission’s proposal to move the duty for AI providers and deployers to ensure AI literacy among their staff (which became applicable in February 2025) from the organisation itself to the EU and national authorities. However, it adds a paragraph to refer to the training and competence obligations on providers and deployers of high-risk AI systems under other provisions of the AI Act. The Parliament’s draft replaces this with an obligation on the organisation to support the improvement of (rather than ensure) AI literacy and makes amendments clarifying the Commission’s role to complement this.
Ban on explicit deepfakes
The Council has proposed to introduce a ban on AI systems that generate non-consensual intimate imagery and child sexual abuse material. This addresses a regulatory gap highlighted by recent scandals in which AI models produced sexualised images of real people, including minors, as a product feature. The measure is essential to protect fundamental rights, prevent large-scale harm enabled by generative AI, and eliminate the economic incentives for exploiting such harms. The Parliament supports this proposed ban.
Allocation of responsibilities between EU AI Office and national authorities
While the Commission proposed strengthening the role of the EU AI Office and reducing that of national authorities, the Council’s draft adjusts the balance, proposing that the national authority should retain responsibility in certain cases, in particular where there is sector-specific supervision. The Parliament’s draft proposes a slightly different approach to how the national authorities and AI Office should work together.
