
Omnibus, All Aboard: The EU’s AI Act Simplification and What It Means for Private Equity


    Article by Barbara Azoulay, Senior Associate at A&O SHEARMAN

    1. THE BACKGROUND

    When the EU Artificial Intelligence Act entered into force in August 2024 with a first batch of obligations as of February 2025, it was hailed as the world’s first comprehensive AI rulebook. However, early experience quickly revealed practical challenges that could slow down its rollout, particularly for high-risk AI systems, those used in areas such as recruitment, credit scoring, or critical infrastructure. Delayed preparation of standards, late establishment of national governance frameworks and heavier-than-expected compliance burdens prompted a legislative response.

      In response, the European Commission tabled the “AI Omnibus” proposal on 19 November 2025, as part of a broader Digital Omnibus Package aimed at simplifying and modernising the EU’s digital regulatory framework. The AI Omnibus was deliberately separated from the wider Digital Omnibus (which covers data protection, cybersecurity, cookies and the Data Act) to ensure it could be fast-tracked ahead of the August 2026 deadline for the AI Act’s high-risk system obligations.

      The core philosophy behind the AI Omnibus is straightforward: make the AI Act more operational and easier to apply, without weakening the protections it affords to health, safety, or fundamental rights. Core prohibitions, including the ban on social scoring and mass biometric surveillance, remain untouched.

        2. THE DISCUSSIONS

        Negotiations moved at unusual speed. On 6 May 2026, the European Parliament, the Council, and the Commission reached a trilogue agreement, subsequently confirmed by COREPER on 13 May 2026. This was a notable achievement given the political complexity involved.

        Several topics proved politically charged during trilogue. The Commission had originally proposed a “readiness-linked” mechanism for phasing in high-risk system obligations, meaning the compliance clock would only start once the Commission confirmed that support measures were available. Both the Parliament and the Council rejected this open-ended approach in favour of fixed, predictable deadlines. The treatment of AI literacy also proved contentious: the Council favoured a purely voluntary model, while the Parliament pushed for a more prescriptive formulation. The compromise lands on a binding obligation of means: companies (both providers and deployers) must take measures to support the development of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education, as well as the context of use. They are, however, not required to guarantee any specific level of competence.

        A notable addition that emerged directly during trilogue, and which attracted significant public attention, was the prohibition of so-called “nudifier” AI applications: systems that generate, manipulate, or reproduce non-consensual intimate images or child sexual abuse material. This ban was not part of any institution’s pre-trilogue mandate and appeared for the first time in the final compromise text.

          3. THE OUTCOME

          On 12 June 2026, the European Parliament approved the trilogue deal by a significant majority. The key outcomes that firms should note are as follows:

          • Fixed compliance deadlines. The final text introduces hard dates: 2 December 2027 for stand-alone high-risk AI systems under Annex III, and 2 August 2028 for AI systems embedded in regulated products under Annex I. There is no longer any discretionary “readiness” trigger, i.e. companies must plan against these dates. From a private equity perspective, these deadlines should be mapped against investment holding periods: any portfolio company developing or deploying high-risk AI will need to demonstrate compliance readiness well before exit.
          • Extended proportionality benefits. The regulatory privileges currently available to SMEs, including simplified technical documentation, proportionate quality management systems, and reduced penalties, are now extended to “small mid-cap enterprises” (SMCs) with specific definitions and penalty caps for each category. This is relevant for portfolio companies that may fall within this expanded category, particularly growth-stage businesses that have recently outgrown the SME thresholds but remain below large-enterprise size.
          • New value chain obligations. Where a high-risk AI system is modified or integrated by another provider, the initial provider is no longer considered the provider of that system but must cooperate closely with the new provider and make available the necessary information, technical access, and assistance for compliance, unless it has clearly specified that its system is not to be changed into a high-risk system. Providers and third parties supplying AI systems, models, tools, services, or components used in high-risk systems must now enter into written agreements covering the information, capabilities, technical access, and other assistance, based on the generally acknowledged state of the art, needed to ensure compliance with the AI Act. Importantly, this written-agreement requirement does not apply to third parties making publicly accessible tools, services, processes, or components (other than general-purpose AI models) under a free and open-source licence. For Private Equity-backed groups with shared service models or AI platforms deployed across portfolio companies, these obligations will require careful structuring of intra-group agreements and third-party vendor contracts alike.
          • Nudifier ban effective December 2026. The prohibition on AI systems generating non-consensual intimate imagery applies from 2 December 2026. For providers, the ban applies where generation or manipulation is the system’s intended purpose, or a reasonably foreseeable reproducible outcome without significant technical modification and without reasonable and adequate safeguards. For deployers, use is prohibited where the system is used for that purpose.
          • AI literacy retained as binding. Providers and deployers must take measures to support AI literacy development among staff, though with flexibility as to how this is achieved. The Commission and Member States must support implementation, and the AI Board will issue recommendations. In practice, this means Private Equity firms should expect portfolio companies to embed AI literacy programmes into their operational compliance frameworks, a non-trivial cost item for organisations scaling AI deployment across functions.
          • Narrowed high-risk scope. A revised definition of “safety component” clarifies that AI features used purely for convenience, automation, or optimisation do not constitute safety functions unless their failure creates actual safety risks. This is a meaningful de-scoping for tech-enabled products and could reduce compliance costs across a number of Private Equity portfolios in sectors such as logistics, retail tech, and smart building management.
          • Cybersecurity alignment with the Cyber Resilience Act (CRA). Where high-risk AI systems fall within the scope of the CRA and its Article 12(1) conditions are fulfilled, they are deemed to comply with AI Act cybersecurity requirements to the extent covered. This presumption of compliance reduces duplication and should be actively leveraged in compliance planning.
          • Fundamental rights impact assessment/DPIA linkage. Where relevant elements are already addressed in a data-protection impact assessment under the GDPR, deployers may cross-reference or reuse those sections in the fundamental rights impact assessment. The AI Office will provide a questionnaire and template to support simplified completion. For privacy-mature portfolio companies that already conduct DPIAs, this means building on existing processes rather than creating entirely new compliance workflows.

          Formal adoption and publication in the Official Journal are expected over the summer of 2026.

          4. THE NEXT STEPS

          For fund managers and their portfolio companies, the practical implications are clear:

          • First, review the compliance calendar. The hard deadlines of December 2027 (Annex III) and August 2028 (Annex I) are now locked in. Portfolio companies developing or deploying high-risk AI systems should begin compliance planning now, not once the regulation is formally published. Commission guidance on integrating AI-specific risk and quality management into existing sectoral processes is mandated by 1 August 2027, with a post-market monitoring plan template due by 2 September 2027, but waiting for these is not a viable strategy.
          • Second, assess high-risk classification. The narrowed definition of “safety component” and clarifications under Article 6(1) may take certain AI-enabled products out of the high-risk category. This is worth revisiting across portfolios, particularly in manufacturing, mobility, and healthtech. Note that providers must still document their Article 6(3) non-high-risk assessment before placing the system on the market, and registration in the EU database remains required.
          • Third, update contractual frameworks. The new written-agreement requirement for the AI value chain means that supplier contracts, licensing arrangements, and intra-group service agreements involving AI components will need to be reviewed and, where necessary, renegotiated. For Private Equity firms, this means conducting a mapping exercise across portfolio companies to identify where AI systems, models, tools, or components flow between entities, including shared platforms, white-labelled AI products, and outsourced development arrangements. The open-source carve-out should also be tracked, as reliance on open-source AI components (other than general-purpose AI models) does not trigger the written-agreement requirement.
          • Fourth, screen for prohibited practices. The nudifier ban takes effect as early as December 2026. While this is unlikely to affect mainstream PE portfolios directly, due diligence on generative AI investments should include an assessment of exposure to the new prohibited-practices list, particularly regarding systems that could foreseeably generate prohibited material without adequate safeguards.
          • Fifth, leverage proportionality. Portfolio companies qualifying as SMEs or SMCs should take advantage of simplified documentation requirements, proportionate quality management systems, and reduced penalty caps. In practice, fund managers should verify where each portfolio company falls on the SME/SMC spectrum and ensure those entities affirmatively opt into the simplified regimes available to them.
          • Sixth, align cybersecurity compliance. Where portfolio companies’ AI systems already comply with the Cyber Resilience Act, the presumption of compliance with AI Act Article 15 should be actively documented and relied upon. This avoids duplicative testing and assessment costs.

          Finally, bear in mind that the broader Digital Omnibus, covering GDPR amendments, data-sharing rules, and cookie frameworks, remains under negotiation and is subject to deep political divisions among Member States. That broader package will follow its own timeline and may yet reshape the data compliance landscape in ways that interact with the AI rules now agreed. Stakeholders should monitor both tracks closely and design adaptive governance that can absorb further adjustments.
