Posted by Overview of amendments adopted by the European Parliament and the Council of the EU
Eléonore Scaramozzino, Avocate partenaire de Constellation Avocats
The legislative timetable for the Digital Omnibus, presented by the European Commission on November 19, 2025, as one of the priority projects of its mandate, is accelerating. Following the joint position adopted on March 18 by the parliamentary committees on « industry, research and energy » and « civil liberties, justice and home affairs, » the European Parliament voted on March 26 on some of the measures included in this Omnibus package.
Indeed, the European Parliament adopted (569 for/45 against/23 abstentions) in favor of simplifying the regulation on artificial intelligence (AI Act).
Main changes
The main changes proposed are as follows:
| Application timeline of high-risk AI rules | The Commission proposes to amend the date of application of high-risk AI rules (initially 2 August 2026), by linking the date of application to the availability of harmonized standards or other tools supporting compliance with the AI Act. Once the Commission confirms the availability of such tools, high-risk rules would apply six months afterwards for Annex III systems (by 2 December 2027 at the latest) and 12 months afterwards for Annex I systems (by 2 August 2028 at the latest). |
| Centralised enforcement . | The EU’s AI Office would supervise the compliance of AI systems integrated into very large online platforms or search engines ,1 as well as the compliance of AI systems based on general-purpose AI models where the system and model are provided by the same entity. |
| AI literacy : | The mandatory obligation for providers and deployers of AI systems to ensure AI literacy among their staff is replaced by a requirement for the Commission and Member States to promote AI literacy initiatives. |
| Single application for conformity assessment : | Conformity assessment bodies that apply for a designation would be able to submit a single application and undergo a single assessment procedure. |
| Post-market monitoring : | the requirement for a harmonized template for the post-market monitoring plan is removed. |
| Extension of special regime applied to SMEs : | Simplified documentation and special consideration in the application of penalties granted to SMEs are extended to small mid-caps (SMCs). |
| Special categories of personal data and bias correction : | Providers and deployers of AI systems and models2 may, on an exceptional basis, process special categories of personal data, subject to specific safeguards ,3 to ensure bias detection and correction. |
| Registration is mandatory . | providers would no longer have to register AI systems in the EU database if they conclude that these systems are not high-risk due to their narrow or procedural tasks. |
| AI regulatory sandboxes : | the scope of testing high-risk AI systems in real-world conditions is expanded. The AI Office is granted the legal basis for establishing an EU-level AI regulatory sandbox. |
| Generative AI marking : | providers of generative AI systems already on the market before 2 August 2026 are granted a transitional period of six months to comply with obligations to mark AI-generated content. The original deadline for these obligations was 2 August 2026. |
| Interplay between the AI Act and other EU legislation :. | the interplay between the AI Act and other EU legislation, such as civil aviation rules and the General Data Protection Regulation, is clarified. |
Postponement of the application of certain AIA rules: time needed for the development of standards and for stakeholders to adapt.
The adopted proposal aims to postpone the application of certain rules relating to high-risk artificial intelligence (AI) systems, in order to ensure the availability of guidelines and standards necessary for their implementation by companies.
In their amendments, the European parliamentarians introduce fixed application dates to ensure predictability and legal certainty.
Background
In the initial version of the proposal, the entry into force of obligations relating to high-risk AI systems (HRAIS) was to be linked to the availability of the instruments necessary for compliance, such as harmonised standards, common specifications or Commission guidelines.
Once these instruments were adopted and confirmed by a Commission decision, the obligations would have been applicable after a period of six months for systems falling under Article 6(2) and Annex III and twelve months for those falling under Article 6(1) and Annex I.
In its revised version, however, the Council abandoned this conditional mechanism and introduced fixed dates, postponing the application of the obligations to December 2, 2027 for systems covered by Annex III and to August 2, 2028 for those covered by Annex I.
This development, however, significantly delays the effective implementation of the regulations applicable to high-risk AI systems, which are central to the regulation’s framework. This postponement raises the question of the balance between the objective of simplification and the effective implementation of the safeguards designed to protect the most sensitive artificial intelligence systems.
Nudification ban
Introduced by the latest compromise of the Council of the European Union on March 13, 2026, the ban on AI nudifier Systems was adopted by the European Parliament in its position of March 26, 2026. Nudity systems use AI to create or manipulate sexually explicit or intimate images resembling an identifiable real person, without their consent. The new ban, introduced in Article 5 of the RIA, targets » nudifier » systems and therefore AI practices that generate non-consensual sexual or intimate content, as well as content related to child sexual abuse. It remains subject to limitations, as it excludes certain types of content, such as content that does not depict identifiable individuals, realistic partially nude representations that do not reveal intimate parts, non-realistic artistic works, and satirical works. By limiting its scope to realistic content involving identifiable individuals and generated without consent, the measure demonstrates a desire to balance the protection of fundamental rights with freedom of expression. This prohibition would not apply to AI systems equipped with effective security measures that prevent the creation of such images.
The new ban, however, introduces a partially content-based dimension by directly targeting the generated outputs. This development stems from the specific characteristics of generative AI, whose risks cannot be fully grasped through a strictly risk-based approach. Therefore, this provision does not represent a break with the past, but rather an adaptation of the risk-based model to the transformations brought about by generative AI.
However, a comparison with the European Parliament’s position reveals a significant shift. While the Council adopts a broad and technically structured approach, based in particular on the « capacity » of systems to generate such content, Parliament favors a more concise and operational formulation, focused on actual use. Above all, the introduction of an exception based on the existence of effective security measures transforms the very nature of the ban, making it conditional. Yet, if these measures were truly effective, the generation of such content should not be possible. The fact that it can nevertheless be produced therefore tends to reveal the inadequacy of these measures, thus undermining the effectiveness of the ban.
While Parliament’s approach aims to preserve innovation, freedom of expression and freedom to conduct business, it nevertheless raises questions about the balance struck, insofar as it is likely to weaken the effective protection of dignity, privacy and vulnerable people, in particular women and children.
This development also occurs within a context of increased visibility of the risks associated with non-consensual intimate content generated by AI, which has recently emerged as a central topic of public debate. The rapid spread of generative AI tools accessible to the general public has facilitated the production of » nude » content. » fake , » contributing to the normalization of these practices.
Avoid overlap between medical device regulations/specific regulations and AIA obligations:
In order to avoid the simultaneous application of EU sector-specific product safety rules and the AIA, MEPs argue that the obligations arising from the AIA can be less stringent for products already regulated by sector-specific laws (e.g., medical devices, radio equipment, toy safety, etc.).
Consequences of reducing the administrative burden on protection through an amendment to Annex I
From a technical standpoint, the European Parliament removes Section A from Annex I and incorporates it into Section B, in order to reduce regulatory overlaps and clarify the relationship between the AI Regulation and sector-specific product legislation. While this strengthens legal certainty and reduces regulatory overlaps, it also carries a risk of diluting the horizontal approach of the AI Regulation, particularly due to the increased reliance on sector-specific frameworks that are not always focused on protecting fundamental rights.
The proposal amends Article 43 of the RIA to align conformity assessment requirements with Article 16 and clarify their relationship with EU product legislation. While these adjustments aim to reduce redundancies and strengthen procedural consistency, they nevertheless raise fundamental rights concerns. The emphasis placed on sector-specific conformity procedures and the integration of AI Act requirements into existing frameworks may lead to a purely technical and administrative interpretation of risks, at the expense of a substantive and contextualized analysis of the impacts on individuals. The amendment introduced by the EU Council compromise specifies that when a conformity assessment body is already designated under several EU harmonisation laws listed in Annex I, Section A, it only needs to submit one application to be designated as a notified body under the AI Regulation. This clarification confirms the alignment of the RIA regime with the logic of EU product legislation.
Bodies already designated under other Union harmonisation legislation may be designated under the RIA through a single procedure, which aims to reduce administrative burdens and accelerate the implementation of the compliance system.
Consequence of the change in the method of designating notified bodies
The latest compromise from the EU Council proposes a change in the logic of the designation mechanism. Until now, conformity assessment bodies (CABs) had to be pre-designated as notified bodies (NBs) to be able to act. Now, these conformity assessment bodies can:
- Under certain conditions, exercise the power to assess the compliance of high-risk AI systems for a transitional period of 18 months , even in the absence of a formal designation .
- Furthermore, it is possible to submit a nomination request at any time, including during and after this period.
This change reflects a shift from a system based on prior authorization to a mechanism of temporary accreditation . It aims to accelerate the market launch of AI systems and address the practical constraints related to the insufficient number of notified bodies. The implications for the protection of fundamental rights are open to question.
« unified assessment procedure »
By specifying that the unified assessment procedure must be implemented in accordance with the missions and responsibilities of the authorities involved, this precludes any centralization of competences but does not guarantee a holistic understanding of risks, which can lead to the invisibility of violations of fundamental rights situated at the intersection of several legal regimes. The European Parliament has, on the one hand, removed the proposed amendments to Article 43 of the RIA, but on the other hand, it has introduced a restructuring of Annex I that partially shifts the focus towards sectoral frameworks.
The obligation to register SIAHRs: towards a simplification of content
Article 6(4) of the RIA stipulates that suppliers of high-risk AI systems listed in Annex III must register these systems in the Union database in accordance with Article 49(2), even if they conclude, following their self-assessment, that the systems do not present a significant risk. However, removing this registration requirement, justified by the argument that such requirements would impose a disproportionate compliance burden, weakens the level of protection provided by the regulation. Such a removal would undermine the principle of supplier accountability and weaken market transparency and the traceability of these systems for the public and competent national authorities, potentially opening the door to unjustified exemptions.
While the European Commission’s proposal considered removing the requirement to register AI systems covered by Article 6(3) in the Union database, the version revised by the Council of the EU ultimately maintains this requirement. Parliament adopted the same position as the Council of the EU.
The compromise thus opts for a more moderate approach consisting not of abolishing the registration, but of simplifying its content by reducing the content required in section B of Annex VIII of the regulation in order to reduce the administrative burden for suppliers.
Consequences for fundamental rights
While this solution may seem pragmatic from a regulatory simplification standpoint, it continues to raise concerns regarding fundamental rights. Indeed, Article 6(3) of the regulation is already seen as a potential « grey area » within the framework, as it allows providers to consider that a system falling under Annex III should not be classified as a high-risk AI system. In this context, the EU database plays a crucial role in ensuring transparency. Reducing the information required for registration could therefore limit the ability of authorities, researchers, or civil society to identify and analyze certain systems that may pose risks.
Simplification: Extension of SME measures to PEMCs / SMCs ( small mid -cap enterprises )
Definition of PEMC , a concept introduced in 2025 by the European Commission to support growing businesses.
« The category of small to medium-sized enterprises (SMEs) consists of companies that are not small and medium-sized enterprises as defined in Recommendation 2003/361/EC, that employ fewer than 750 people and whose annual turnover does not exceed €150 million or whose annual balance sheet total does not exceed €129 million. »
In order to help EU companies grow when Scale up exceeds SME status, MEPs propose allowing them to benefit from certain aid and extending its scope to Small and Medium Capitalisation Enterprises (SMEs ) .
Consequences of simplification extended to PEMC
The proposal provides for a relaxation of the obligations relating to technical documentation (Article 11) and quality management systems (Article 17) for suppliers of high-risk AI systems, particularly for the benefit of SMEs and Small and Medium-Sized Enterprises (SMEs), in the name of the principle of proportionality. However, this proportionality is primarily driven by a desire to reduce administrative burdens rather than by a fundamental rights-based approach. These simplifications implicitly establish a questionable link between the economic size of the company and the intensity of the risks associated with AI systems. Yet, the impact of a high-risk AI system on fundamental rights does not necessarily depend on the size of the supplier. A small player can just as easily generate significant infringements.
SMEs and SMCs represent approximately 99% of businesses in the Union; such an attachment enshrines a lower compliance regime for the vast majority of European AI system suppliers.
Regarding technical documentation, the amendment introduces a simplified form developed by the Commission for SMEs and PEMCs , which notified bodies will have to accept as part of the conformity assessment. Technical documentation is a central element in the oversight of high-risk AI systems, ensuring the traceability of design choices and risk management. However, streamlining it could reduce the information available to authorities and complicate the identification of systemic risks, particularly concerning non-discrimination, privacy, and transparency.
A more flexible approach to regulating general-purpose AI models and generative AI systems
Extension of the influence of soft law instruments
The proposal removes the Commission’s powers under Articles 50 and 56 of the RIA to codes of good practice applicable to general-purpose AI models and to certain transparency obligations, thereby limiting its ability to give them general validity in the Union.
It also strengthens, under Article 75, the role of the AI Office in oversight, placing under its supervision all systems based on the same general-purpose AI model developed by a single provider. However, the EU Council compromise introduces an exclusion for systems covered by point (2) of Annex III relating to critical infrastructure and also provides for assistance from national authorities, including enforcement authorities such as the police.
The compromise of March 9, 2026, also introduces a significant amendment to Article 50, extending the reference in paragraph 7 to paragraph 4. Codes of good practice can now also be used by implementers . This extension thus gives soft law instruments greater influence on the practical implementation of transparency requirements. However, it raises questions about the effectiveness of the protection of fundamental rights, insofar as these instruments, lacking binding force, can lead to inconsistent application of transparency requirements.
The European Parliament amended the reference to paragraphs 2 and 4, removing the one relating to paragraph 4.
Role of the Commission in supervision
The Council compromise of 9 March 2026, however, introduces a further development by strengthening, in certain cases—particularly for systems based on general-purpose AI models and those integrated into very large online platforms—the Commission’s supervisory role. This strengthening is nevertheless accompanied by a more precise framework for its powers, notably through the introduction of substantive limits and the reinforcement of the role of national authorities, thus reflecting a logic of rebalancing in the exercise of supervisory powers.
However, Parliament is transferring powers by entrusting the Commission, rather than the AI Office, with the task of encouraging and facilitating the development of codes of good practice. Parliament is significantly strengthening the mechanism by replacing the Commission’s discretionary power (« may assess ») with an obligation ( » shall assess »), thus imposing systematic review of the adequacy of codes of good practice.
Regarding generative AI systems, the text introduces procedural adjustments, notably a six-month transition period, until February 2, 2027, for systems already placed on the market before August 2, 2026, thus deferring the application of essential obligations, particularly concerning transparency. However, the Parliament’s text reduces this period to three months.
Training with personal data
The current wording of Article 10(5) of the RIA refers to the processing of sensitive data that is « strictly necessary » to detect and correct bias. The proposed new provision in Article 4a(1) refers only to what is « necessary , » while the new Article 4a(2) refers to processing that is « necessary and proportionate. » The proposal extends the scope of Article 10(5) of the RIA and now makes the processing of special categories of personal data applicable to all providers and deployers of AI systems and models for the purpose of detecting and correcting bias, which raises serious concerns regarding the right to privacy. Furthermore, the substitution of the « strictly necessary » criterion with that of « necessary » represents a significant relaxation of the legal threshold applicable to the processing of special categories of data. This seemingly technical terminological shift actually broadens the scope for interpretation by actors and weakens the level of requirements associated with the use of sensitive data. The measure thus reflects a persistent tension between combating bias and protecting data. The Council’s compromise introduces changes to the processing of sensitive data by framing this possibility with the terms « for reasons of substantial public interest, » « exceptionally, » and « when strictly necessary. » The text emphasizes that the exceptional circumstances justifying recourse to this legal basis should, in practice, arise less frequently due to the lower risks posed by these systems. However, this assertion rests more on a normative presumption linked to the risk-based approach of the regulation than on clearly established empirical reality. Indeed, the need to use sensitive data to detect or correct bias does not necessarily depend on the classification of the AI system as « high risk, » but rather on the nature of the data and the context in which the system is used.
The Council compromise of March 9, 2026, specifies the example of biases in eligibility or risk assessment systems used for access to public services or administrative authorizations. This illustrates the potentially serious consequences of algorithmic bias in terms of discrimination and exclusion. By highlighting situations with a significant impact on fundamental rights, the legislator intends to justify the processing of specific categories of data in the name of substantial public interest. However, such a demonstration relies on a questionable generalization: these examples, while relevant, cannot cover all AI systems and contribute more to legitimizing the envisaged expansion than to defining its legal limits.
Members of Parliament support service providers being able to process personal data to detect and correct biases in AI systems, but they have introduced safeguards to ensure that this processing is only carried out when strictly necessary .
By using examples of discrimination to justify this extension, the legislator is thus shifting the normative framework, making the fight against bias an objective that could, in practice, take precedence over data protection requirements. Such an approach reveals a fundamental tension between two requirements of EU law: the fight against discrimination (Article 21 of the Charter) and the protection of personal data (Articles 7 and 8). While the former constitutes a legitimate objective, it cannot, on its own, justify a general extension of the processing of special categories of data. Without a genuine balancing test in accordance with the principle of proportionality, such reasoning risks disrupting the hierarchy of fundamental rights. However, according to the case law of the Court of Justice of the EU, any interference with these rights must be strictly necessary and proportionate, implying, in particular, the consideration of less restrictive measures.
The European Parliament adopted the same position as the Council’s latest compromise by removing the given example. Ultimately, extending this derogation to all suppliers and deployers of AI models and systems, regardless of their risk level, is likely to weaken data protection safeguards.
Institutional hierarchy
With the amendment to Article 77 of the Regulations on Information Technology (RIA), data protection authorities can no longer directly request information from providers and operators, but must instead go through the designated market surveillance authority as the single point of entry. While this mechanism may strengthen administrative coordination, it risks making the exercise of fundamental rights control more indirect. The loss of autonomy for the authorities concerned could create a problematic institutional hierarchy and weaken their powers, even though their independence is a fundamental principle of European law.
The EU Council compromise introduced a clarification stating that the cooperation mechanism with market surveillance authorities does not affect the powers of fundamental rights authorities, which retain the ability to directly request information from operators within the scope of their mandate. However, this clarification does not entirely eliminate the risk of a gradual centralization of supervision around market surveillance authorities, which could alter the institutional balance initially envisioned by the regulation.
NEXT STEP: Trilogue negotiations
In the coming weeks, the European Parliament will have to vote on the remaining parts of the Omnibus Digital Act. The EU co-legislators can launch trilogue negotiations.