On May 7, 2026, the EU Council and the European Parliament reached agreement on the Digital Omnibus AI package, marking the first substantive amendment to the AI Act since the regulation entered into force in 2024. This is not a full rewrite. Deadlines shift, compliance burdens ease for smaller businesses, and the boundaries between risk categories get recalibrated. For companies operating across Europe, the practical implications are still filtering through, and most compliance teams have not finished reading them.
Start with a number that matters: according to data published in May 2026, 79% of Italian SMEs already use AI tools. Fewer than 4 in 10 have a formal internal policy on AI use. That gap between de facto adoption and formal governance is precisely the territory the Digital Omnibus tries to address, with less rigidity than the original AI Act framework allowed.
Which AI Systems Fall Under New Obligations
The EU AI Act classifies AI systems into four risk categories. The Digital Omnibus does not alter the underlying structure: the changes focus on deadlines and application thresholds within each category.
AI system distribution by risk category under the AI Act, Digital Omnibus 2026 application
Source: European AI Office, SpazioCrypto analysis, May 2026
In practice, the vast majority of AI systems that European SMEs use daily, including internal chatbots, writing assistants, data analytics tools, product recommendation engines, and virtual assistants, fall into the “minimal risk” category. Obligations under the original AI Act were already light for these systems, and the Digital Omnibus keeps them that way: no mandatory registration, no formal conformity assessment, only recommended best practices.
The European Commission’s official position on the Digital Omnibus is being updated on its X profile: EU_Commission on X.
What Changes in Practice: Deadlines and SMEs
Three concrete operational changes emerge from the May 7 agreement.
First: deadlines for high-risk AI systems in non-critical sectors have been extended. The obligation to register in the European database and complete conformity assessments for certain system categories has been pushed back. Companies operating in less-regulated sectors, such as marketing, non-decisional HR, and logistics optimisation, gain additional runway to comply.
Second: SMEs with fewer than 250 employees and annual turnover below 50 million euros face reduced mandatory technical documentation requirements for AI systems they deploy internally. The Commission responded to sustained pressure from European industry groups, which had flagged disproportionate compliance burdens on smaller businesses.
Third: generative AI systems, including language models used to draft text, generate code, or answer queries, that do not qualify as “high-impact models” (defined as systems trained using more than 10²&sup5; FLOP) are now outside the heaviest obligations tied to “general-purpose AI models.” Concretely, Claude Sonnet, GPT-4o, and Gemini Flash, when used by an SME to automate emails or documentation workflows, do not require specific conformity certification. Models such as GPT-5 or Claude Opus, by contrast, cross that threshold. For teams managing AI-driven business automation, that distinction has real operational weight.
What This Means for the 60% Without an AI Policy
Functionally, the short answer: little changes right now, but a lot changes over the next 18 months. The Digital Omnibus moved the deadlines, it did not erase the obligations. Companies that still lack a formal internal AI policy, more than 60% of European SMEs according to May 2026 data, have more time. Not a permanent exemption.
Three practical steps worth structuring now: (1) map every AI system deployed across the business and identify its risk category under the AI Act; (2) verify whether the AI tools in use qualify as “high-impact models” under the 10²&sup5; FLOP threshold; (3) draft an internal AI use policy even for minimal-risk systems, since public procurement frameworks in multiple EU member states will require one from 2027 onward.
The consolidated text of the AI Act (EU Regulation 2024/1689) is published on EUR-Lex and remains the primary legal reference.
The Digital Omnibus amendments will enter the official legal text through a delegated regulation, expected to be published by September 2026. For compliance officers and technology managers, tracking that delegated regulation is more actionable than following political statements. In the UK context, the ICO and the AI Safety Institute are monitoring MiCA-adjacent AI frameworks. The UK has not adopted the AI Act directly. Across the EU, national competent authorities, including France’s CNIL and Germany’s BaFin-equivalent AI supervisors, will publish implementation guidance in the months ahead.
One question still largely absent from the broader European compliance debate: how many of the businesses that report using AI have actually verified that their tools meet the transparency obligations toward end users, one of the requirements that survived unchanged in the Digital Omnibus. Google, Microsoft, and Anthropic have already aligned their enterprise products with that requirement. For companies using niche tools or internally developed solutions, that verification is still mostly undone. That is the next compliance gap to close before September 2026.
