Přejít na obsah
EU flags outside an institutional building
Regulation09 Jul 20267 min read

EU AI Act: Where Data Controllers Stand After the 2026 Omnibus

The EU has finalised the AI Act simplification package, moving the high-risk deadlines and adding new obligations. What data controllers and deployers should do now.

The short version

On 29 June 2026 the Council of the EU gave final approval to the “Digital Omnibus on AI” — a simplification package that amends the EU AI Act. The headline change for most organisations: the compliance deadlines for high-risk AI systems have moved. Annex III high-risk obligations shift from 2 August 2026 to 2 December 2027, and Annex I (product-embedded) high-risk obligations from 2 August 2027 to 2 August 2028.

That is relief, not a reprieve. The rules that are already in force stay in force — and the omnibus also tightened some obligations.

What is already binding today

  • Prohibited practices (applying since 2 February 2025): social scoring, manipulative techniques, most real-time biometric identification in public spaces, and — newly added by the omnibus — AI practices for generating non-consensual sexual or intimate content and child sexual abuse material.
  • AI literacy (Article 4): organisations using AI must ensure staff have an appropriate level of AI competence.
  • General-purpose AI (GPAI) obligations (applying since 2 August 2025) for model providers.

What the omnibus changed

Key dates after the 2026 omnibus
Annex III high-risk systems2 Aug 2026 → 2 Dec 2027
Annex I high-risk systems2 Aug 2027 → 2 Aug 2028
Transparency marking of AI-generated contentGrace period cut from 6 to 3 months — deadline 2 Dec 2026

Why controllers should not slow down

If you are a GDPR data controller deploying AI — a chatbot handling customer data, CV screening, credit or fraud scoring, workplace monitoring — the AI Act treats you as a deployer, and your GDPR duties never moved. DPIAs, lawful basis, transparency to data subjects, and vendor due diligence apply to AI projects today. Regulators have been clear that GDPR enforcement around AI is not waiting for AI Act deadlines.

The extra 16 months is best spent the way procurement and audits will eventually demand: build the AI inventory, classify systems against Annex III, assign provider/deployer roles, and fold AI risk into your existing DPIA and vendor-review workflow. Organisations that start when the deadline is close pay more and document worse.

A practical 90-day plan

  1. Inventory: list every AI system in use or in procurement, including AI features inside SaaS tools.
  2. Classify: map each system to AI Act risk categories and your role (provider, deployer, importer).
  3. Integrate: add AI triggers to your DPIA checklist and vendor onboarding questions.
  4. Train: meet the Article 4 AI-literacy duty with role-appropriate training, and keep evidence.
  5. Monitor: assign an owner to track guidance from the AI Office and your market-surveillance authority.

Sources: Council of the EU press releases of 7 May and 29 June 2026; European Commission Digital Omnibus on AI (19 November 2025); Regulation (EU) 2024/1689.