Digital Omnibus: EU Proposes Delaying Some AI Act Rules

On November 19, 2025, the European Commission dropped a proposal that caught the attention of every company working on AI Act compliance: the Digital Omnibus on AI. It is part of a broader package aimed at simplifying the EU's digital rulebook, and it could change some important deadlines under the AI Act (Regulation (EU) 2024/1689).

If you are an SME trying to figure out your compliance timeline, this article breaks down what the proposal means, what stays the same, and what you should do right now.

What Is the Digital Omnibus?

The Digital Omnibus is actually two proposed regulations. One covers data protection and cybersecurity rules (amending the GDPR, ePrivacy Directive, NIS2, and Data Act). The other focuses specifically on the AI Act. Together, the Commission says they aim to cut administrative burdens by at least 25% for all businesses and at least 35% for SMEs by 2029.

The AI-specific part of the package acknowledges a practical problem: the support tools that companies need to comply with the AI Act's high-risk requirements are not ready. Harmonised standards, common specifications, and Commission guidelines that were supposed to help companies demonstrate conformity have been delayed. The Commission's own standardisation organisations missed their deadlines.

The core logic of the proposal is straightforward: if the compliance tools are not ready, companies should not be penalised for failing to meet requirements they cannot yet properly measure themselves against.

What Might Change?

The biggest proposed change affects the timeline for high-risk AI systems. Under the current AI Act, most high-risk obligations were set to apply from August 2, 2026 -- roughly five months from now. The Digital Omnibus proposes linking those dates to the actual readiness of harmonised standards and other compliance support tools.

Here is what the proposal lays out:

  • Annex III high-risk AI systems (things like AI used in employment, credit scoring, law enforcement, education, and critical infrastructure): obligations would apply six months after the Commission confirms that compliance support measures are available, with an absolute backstop date of December 2, 2027.

  • Annex I high-risk AI systems (AI systems that are safety components of products already regulated under existing EU legislation, like medical devices or machinery): the deadline would shift from August 2, 2027 to a backstop of August 2, 2028.

  • Generative AI transparency: Providers of generative AI systems released before August 2, 2026 would get an additional six months (until February 2, 2027) to retrofit their systems to meet transparency obligations.

In practice, this means the August 2026 date might not be the hard deadline it currently appears to be, at least for some high-risk categories. But there is an important caveat: this is still a proposal, not law.

What Does NOT Change?

Several major parts of the AI Act are already in effect and the Digital Omnibus does not touch them:

  • Prohibited AI practices (Article 5): These have been in force since February 2, 2025 -- over a year ago. If you are using AI for social scoring, manipulative techniques targeting vulnerabilities, or real-time biometric identification in public spaces (with limited exceptions), you are already required to have stopped.

  • General-Purpose AI (GPAI) obligations: These took effect on August 2, 2025 -- six months ago. Providers of GPAI models must comply with transparency and documentation requirements.

  • AI literacy requirements: Also in effect since February 2, 2025. However, the Omnibus does propose a notable change here: shifting the responsibility for AI literacy from individual providers and deployers to Member States and the Commission, who would "encourage" these measures through non-binding guidance rather than direct obligations. This is welcome news for smaller companies that found the literacy requirement difficult to implement.

  • Transparency requirements (Article 50): These remain unchanged and on track.

The bottom line: anything that is already in force stays in force. The delays only affect future deadlines, primarily for high-risk AI systems.

Why This Matters for SMEs

If you are a small or medium-sized enterprise developing or deploying AI, the harmonised standards question is not abstract. These standards are the most straightforward path to demonstrating that your AI system meets the AI Act's requirements. Without published standards, you are left with alternative paths:

  • Common specifications issued by the Commission (which are also delayed)
  • Internal conformity assessments based on your own interpretation of the requirements

Neither of these alternatives is simple or cheap, especially for smaller companies without dedicated legal and compliance teams.

The Digital Omnibus also proposes extending the simplified compliance regime that currently applies to SMEs to include small mid-cap enterprises (companies with fewer than 750 employees and less than 150 million euros in revenue). This is a meaningful expansion that would give more companies access to lighter-touch compliance procedures.

Another practical change: under the current AI Act, if you can demonstrate that your Annex III use case is not actually high-risk, you still have to register the system in the EU database. The Omnibus would remove that registration requirement, saving time and administrative effort.

What Should SMEs Do Right Now?

Here is the uncomfortable truth: you should keep preparing as if August 2, 2026 still applies.

There are several reasons for this:

  1. The proposal is not law yet. It is working its way through the European Parliament and the Council. Members of the European Parliament are divided on the proposal. Some political groups welcome it, while others question whether it weakens important safeguards. There is no guarantee it will pass in its current form, or that it will pass before August 2026.

  2. Even if delayed, you will still need to comply eventually. The backstop dates (December 2027 for Annex III, August 2028 for Annex I) are not that far away. Companies that wait will face the same scramble later, just with higher stakes and less time.

  3. Compliance readiness is a competitive advantage. Customers, partners, and investors increasingly ask about AI governance. Having your compliance infrastructure in place -- even before it is legally required -- signals maturity and trustworthiness.

  4. The parts of the AI Act that are already in force are not going anywhere. Prohibited practices, GPAI requirements, and AI literacy obligations are active now. If you have not addressed these, that is your most urgent priority regardless of what happens with the Omnibus.

Current Status of the Proposal

As of February 2026, the Digital Omnibus on AI is in the preparatory phase in the European Parliament. It has been assigned to the Committee on the Internal Market and Consumer Protection (IMCO) and the Committee on Civil Liberties, Justice and Home Affairs (LIBE).

The EDPB (European Data Protection Board) and EDPS (European Data Protection Supervisor) published a Joint Opinion in early 2026 stating that while simplification is needed, it cannot come at the cost of fundamental rights. This signals that the proposal may face amendments before adoption.

A critical risk is timing: because the Commission bundled all AI Act changes into the Omnibus rather than issuing a separate "stop-the-clock" regulation, failure to reach political agreement before August 2026 would mean the original deadlines apply as written. This is another reason to keep your compliance work on track.

The Commission has also launched a Digital Fitness Check consultation (open until March 11, 2026) to gather input on how the EU's digital rules interact and affect businesses. If you have views on the regulatory burden, this is your chance to be heard.

Action Items for Your Business

Here is a practical checklist:

  1. Audit your AI systems against the current prohibited practices list (Article 5). This is already law.

  2. Check if you operate GPAI models. If so, ensure you meet the transparency and documentation requirements that took effect in August 2025.

  3. Classify your AI systems by risk level. Understand whether they fall under Annex I or Annex III. Our free risk assessment quiz can help you get started in two minutes.

  4. Start building your compliance documentation even if the high-risk deadline shifts. Technical documentation, risk management systems, and data governance frameworks take time to build properly.

  5. Monitor the legislative process. Check the EU AI Act Service Desk for updates on harmonised standards and the Omnibus progress.

  6. Consider the Digital Fitness Check. If the regulatory burden is affecting your business, submit your feedback before March 11, 2026.

The Bottom Line

The Digital Omnibus is a recognition that the AI Act's implementation timeline was too ambitious given the state of supporting infrastructure. For SMEs, it is potentially good news: more time to prepare, a broader simplified compliance regime, and fewer registration requirements.

But "potentially" is doing a lot of work in that sentence. Until the proposal becomes law, the current deadlines stand. The smartest move is to prepare now and treat any delay as bonus time rather than an excuse to wait.

Not sure where your company stands? Take our free 2-minute AI Act risk assessment to find out your risk level and get personalised guidance.
