AI Omnibus: Trilogue Underway…What to Expect as Negotiations Progress

With both the Council of the European Union (the “Council”) and the European Parliament (the “Parliament”) having adopted their respective positions on the AI Omnibus, the proposal has entered the decisive trilogue phase — the final stage of negotiations before agreement on a consolidated legislative text.

The AI Omnibus package, first introduced by the European Commission on 19 November 2025, is intended to streamline key elements of the existing EU AI framework, including targeted simplifications of compliance obligations and more proportionate requirements for certain categories of providers. Political agreement on the AI Omnibus could be reached as early as 28 April 2026, with formal adoption expected by July — just ahead of the 2 August 2026 deadline for the implementation of the EU AI Act's obligations for high-risk AI systems. While this accelerated timetable is unusual by EU standards, it reflects the practical need to settle the rules before the remaining provisions take effect.

For businesses, the implication is clear: the AI compliance framework they are building towards under the EU AI Act may shift at the very moment the underlying legislation becomes fully operational. Against this backdrop, we outline the key issues to follow as the final agreement takes shape.

1.  Consensus: Delayed Application of High-Risk AI Rules

Perhaps the most significant outcome of the trilogue process is likely to be changes to the timeline for compliance obligations applicable to high-risk AI systems under the EU AI Act.

AI systems are considered high-risk if they fall into either of the following categories:

1.  AI systems that are within scope of the use-cases set out in Annex III, which currently spans eight broad categories and includes AI systems used in areas such as law enforcement, recruitment, education, employment and worker management.
2. AI systems intended to be used as a safety component of a product, or which themselves constitute a product, covered by the harmonisation legislation listed in Annex I of the EU AI Act. If that product is also required to undergo a third-party conformity assessment before being placed on the EU market, the AI system will be classified as high-risk.

Both the Council and Parliament have converged on fixed postponement dates, pushing back the original 2 August 2026 deadline under the EU AI Act to: 2 December 2027 for stand-alone high-risk AI systems classified under Annex III, and 2 August 2028 for AI embedded in regulated products under Annex I. 

The extension reflects a pragmatic acknowledgment of industry concerns. Many stakeholders have pointed to gaps in harmonised standards, conformity assessment infrastructure and regulatory guidance — all of which are necessary to make the EU AI Act’s requirements operational. The additional time is intended to provide organisations room to complete risk classification exercises; establish governance frameworks; and prepare the requisite technical documentation and monitoring systems.

2.  Consensus: Targeted Ban on “Nudifier” Applications

Although the extension of the compliance timeline for high-risk AI systems suggests that the EU may be taking a more innovation-friendly approach to AI regulation, the positions of both the Council and the Parliament on “nudifier” apps demonstrate a clear willingness to intervene where risks are considered most acute. The institutions have introduced a new prohibition on AI-enabled applications which “alter, manipulate or artificially generate realistic images or videos so as to depict sexually explicit activities or the intimate parts of an identifiable natural person, without that person's consent.”

This mirrors the approach taken by Ofcom, the UK’s communications regulator, which in January 2026 opened a formal investigation into X, specifically in relation to the use of Grok to create and share non-consensual sexualised and “nudified” images. Together, these developments suggest an emerging regulatory consensus: while innovation in AI is to be supported, novel applications that facilitate serious abuses (particularly those involving exploitation, harassment, or violations of personal autonomy) will be subject to reactive and risk-specific enforcement.

Crucially, this prohibition goes beyond just purpose-built tools and extends to systems where such misuse is reasonably foreseeable based on the systems functionality. In practice, this means organisations must anticipate and mitigate potential misuse at the design and deployment stages, rather than relying on intent alone. Accordingly, organisations should implement robust guardrails, conduct thorough risk and impact assessments and continuously monitor for emergent harmful uses. Organisations will need to demonstrate that they have taken proportionate technical and organisational measures to prevent foreseeable misuse, particularly where it could result in serious harm to individuals’ rights and freedoms.

3.  Consensus: Proportionality Benefits for small and medium-sized enterprises (SMEs)

Both the Parliament and Council support extending the proportionality measures currently available to small and medium-sized enterprises (SMEs) under the EU AI Act to also cover small mid-cap enterprises (SMCs). To that end, both institutions recognise the need to introduce a clear definition of SMCs within the Act's framework. Recent policy discussions, informed in particular by Commission Recommendation (EU) 2025/1099, suggest that SMCs may be defined by reference to ceilings of up to 750 employees and €150 million in annual turnover.

This reflects a broader and consistent policy objective across the omnibus proposals: ensuring that regulatory obligations are scaled appropriately to organisational size, rather than applying a uniform compliance model. This approach does not exempt SMEs or SMCs from their underlying legal obligations. Instead, it provides a proportionate implementation framework through simplified guidance tools, reduced fees and access to support mechanisms such as regulatory sandboxes and standardised documentation templates.

Open Questions: Where the Institutions Still Disagree

While the legislative bodies are aligned on the major structural changes, several significant issues remain unresolved heading into the trilogue:

• Although both institutions agree on delaying the implementation of obligations applicable to high-risk AI systems, the Parliament has gone further by proposing to narrow the scope of what qualifies as high-risk. Under the EU AI Act, AI systems will fall within the high-risk category where they are a safety component of a regulated product. A “safety component” is defined as a component that performs a safety function for a product or system. The Parliament has introduced language clarifying that AI features intended solely for user assistance, performance optimisation, service efficiency, automation or convenience should not be treated as “safety functions”, unless their failure would create actual safety risks. The practical effect of this narrower definition reduces the range of AI systems that may be classified as high-risk. The Council has not proposed an equivalent limitation.

• AI literacy obligations present one of the starkest divides. The Council favours replacing the existing legal obligation with a purely non-binding encouragement model, while the Parliament retains a binding duty on providers and deployers to “support the improvement of AI literacy” among their staff — albeit clarifying that this does not guarantee any particular level of individual literacy. The outcome here will matter for how organisations structure internal training and awareness programmes.

• The Parliament proposed that high-risk AI systems meeting the Cyber Resilience Act’s essential cybersecurity requirements should be presumed compliant with Article 15 of the EU AI Act, which requires AI systems to be designed in a manner that ensures they are robust and resilient against cyberattacks. The Council did not include a comparable provision.

What Happens Next?

Trilogue negotiations between the Parliament, Council and the European Commission to agree the final text have already begun. While finalising the text of the AI Omnibus before 2 August 2026 is an ambitious goal, the fact that the Parliament and Council appear to agree in principle on a substantial number of amendments is a positive sign that agreement can be reached by this deadline. 

In the event that the trilogue negotiations are not completed on time, then the original provisions of the EU AI Act, including the high-risk obligations timelines, will apply from 2 August 2026. Businesses in scope should therefore keep progressing with their preparations in line with the current deadlines, as regulatory expectations continue to take shape ahead of the final text.

Subscribe to Ropes & Gray Viewpoints by topic here.