The EU AI Act Enters Its Next Phase: What the Upcoming Amendment Will Change
On 16 June, the European Parliament voted in favor of a targeted amendment to the EU AI Act as part of the so-called “Digital Omnibus”. The goal is to improve the practicality of the regulatory framework by reducing overlap, clarifying scope, and simplifying implementation while maintaining the level of protection for health, safety, and fundamental rights. However, compared to previous drafts, the changes for companies are less far-reaching. We have compiled a list of the most significant changes.
From Formal Obligations to Practical AI Literacy
One of the most visible changes concerns AI literacy (Art. 4 of the AI Act). The AI Act already requires providers and deployers to ensure that people dealing with AI systems have sufficient understanding of them. The amendment reframes this obligation. Providers and deployers will be required to take measures to support the development of AI literacy, taking into account the technical knowledge, experience and training of the persons involved, as well as the context in which the AI system is used. The obligation will explicitly not be understood as a requirement to guarantee a specific level of knowledge for each individual.
This is more than a semantic change. It aligns the legal requirement with operational reality and reduces the risk that organizations are held to an unrealistic standard. The Commission and the Member States are supposed to support these efforts, in particular for SMEs, and the European Artificial Intelligence Board will issue recommendations to promote a common understanding of AI literacy across the Union.
Bias Detection Meets Data Protection Reality
The amendment also addresses a long-standing tension between AI governance and data protection law. A new Art. 4a AI Act will expressly allow the exceptional processing of special categories of personal data where this is strictly necessary for bias detection and correction. This will apply primarily to high-risk AI systems, but the framework will also extend to other AI systems and models, as well as to deployers, provided strict safeguards are respected.
The conditions are deliberately narrow. Processing will only be permitted where bias detection cannot be achieved with other data, where strong technical and organizational safeguards are in place, where access is tightly controlled and documented, and where the data is deleted as soon as it is no longer needed. The amendment does not lower the GDPR threshold, and it can be questioned how much legal certainty it delivers for organizations that need to test and mitigate bias in a meaningful way.
Clearer Red Lines for Harmful AI Uses
The amendment will also expand and clarify the list of prohibited AI practices (Art. 5 of the AI Act). AI systems that generate or manipulate realistic intimate images, videos or audio of identifiable persons without consent will be explicitly banned. The same applies to AI systems used to generate or manipulate child sexual abuse material.
Importantly, the prohibition is carefully framed. It applies where such generation or manipulation is the intended purpose of the system, or where it is a reasonably foreseeable and reproducible outcome that is not adequately prevented by technical safeguards. Mere accidental generation or legitimate, consent-based use cases are not targeted. For providers and deployers alike, this change draws a regulatory line around so-called “nudification” and similar abuse scenarios.
High-Risk AI: Narrower Scope, Less Duplication
Another key change concerns the definition of safety components (Art. 3(14) of the AI Act) and the classification of high-risk AI systems (Art. 6 of the AI Act). AI systems used solely for non-safety-related purposes such as user assistance, performance optimization, service efficiency, automation, convenience or quality control will not qualify as safety components. At the same time, AI systems whose failure would endanger health or safety will continue to fall within the high-risk regime.
In addition, where sector-specific product legislation already provides an equivalent or higher level of protection, the application of certain AI Act requirements may be limited. This is particularly relevant for manufacturers and regulated industries, as it reinforces a sectoral approach and reduces the risk of overlapping conformity assessments and documentation duties. The original plan of the Commission to reduce duplicate efforts on a much larger scale, however, did not survive trilogue negotiations, and providers of, for instance, medical products will still have to comply with both the MDR and AI Act requirements.
More Time and Proportionate Tools for Implementation
The amendment will also adjust the timeline for compliance. The application of the high-risk AI obligations in Chapter III will be postponed, with obligations for standalone AI systems (e.g., in the employment context) applying from 2 December 2027 and for embedded AI systems from 2 August 2028. This additional time is combined with more proportionate compliance tools for SMEs and small mid-cap enterprises, including simplified technical documentation and a more flexible approach to quality management systems.
At the same time, regulatory sandboxes and real-world testing frameworks will become more innovation-friendly, including the possibility of EU-level sandboxes coordinated by the AI Office. For companies developing or deploying AI systems, this creates more room to test and adapt solutions within a controlled legal environment.
What Companies Should Do Now
The amendment will not weaken the AI Act, but it will change how compliance should be approached. Companies should reassess whether their systems fall under the revised high-risk and safety-component definitions, review their handling of bias detection and sensitive data, and check whether any of their use cases could fall under the newly clarified prohibitions. They should also use the extended timelines strategically to put governance structures, documentation processes and training measures in place.
For businesses, the amendment is certainly not a reason to slow down, but an opportunity to recalibrate compliance efforts in a way that is both legally robust and operationally realistic.