Developments in Accountable AI

EU AI Act Update: The Digital Omnibus and the Realities of AI Governance

The European Union’s AI Act was originally framed as the world’s first comprehensive attempt to regulate artificial intelligence (AI) through the lens of fundamental rights, human oversight, and trustworthy AI. Increasingly, however, the law is being forced to confront the institutional and economic realities involved in translating those principles into practice.

That shift became clear earlier this month, when EU lawmakers reached a provisional political agreement to delay several major compliance deadlines for high-risk AI systems as part of the Digital Omnibus initiative.

While still provisional and pending formal adoption, the agreement marks a significant recalibration by European regulators. It reflects the practical challenges of implementing one of the world’s most ambitious AI regulatory regimes and highlights deeper tensions in how Europe balances ethical safeguards, innovation, and global competitiveness.

Changes to the EU AI Act

The Act regulates AI through a risk-based framework. Minimal-risk systems face little oversight, and limited-risk systems trigger transparency obligations. High-risk systems must comply with extensive requirements relating to risk management, data governance, transparency, and conformity assessments. Applications deemed to present “unacceptable risk” are prohibited altogether.

Although the Act formally entered into force in August 2024, its obligations are intended to phase in gradually over several years. The May 2026 changes significantly delay some of these phase-ins.

Originally, many high-risk obligations were scheduled to take effect in August 2026. Under the new agreement, however, obligations involving standalone high-risk systems under Annex III (covering areas like employment, education, biometrics, critical infrastructure, and law enforcement) are delayed until December 2, 2027. Obligations concerning high-risk AI embedded in regulated products under Annex I (such as medical devices or machinery) are postponed until August 2, 2028.

The new agreement also adds prohibitions on AI systems designed to generate non-consensual sexual imagery (often referred to as “nudifier apps”). Mandatory watermarking requirements for AI-generated content are also moving forward.

Despite these delays, several major provisions are already in force. Since February 2025, the Act has prohibited certain AI practices outright, including social scoring, manipulative uses of AI that exploit personal vulnerabilities, some forms of untargeted facial recognition scraping, and certain biometric categorization systems.

The Competitive Imperative

For years, the EU positioned itself as the world’s leading AI regulator. But European regulators are increasingly concerned that overly aggressive regulation could undermine Europe’s position in a global AI race dominated by US and Chinese firms.

Pressure has come from multiple directions. European industry groups have warned that compliance burdens could discourage investment and innovation. American technology firms have argued that the rules are overly restrictive and operationally unclear. Even some EU Member States have become more cautious as competition with the United States and China intensifies.

Germany, for instance, advocated strongly for carve-outs and exemptions for industrial AI applications (e.g., in manufacturing with companies like Siemens), citing risks of overlapping regulatory burdens with existing product safety rules. Broader lobbying highlighted fears that overly prescriptive timelines could stifle innovation and investment in the EU.

As a result, the EU is quietly repositioning itself. Early rhetoric surrounding the AI Act focused heavily on human-centric AI, trustworthiness, and protection of fundamental rights. More recent discussions increasingly emphasize innovation, regulatory flexibility, and European competitiveness.

To critics, the recent changes amount to Europe caving in to lobbying pressure from Big Tech and compromising on its commitment to strong regulation. But to others, the EU is attempting to balance two competing imperatives: protecting European citizens from the harms of AI while ensuring that regulation does not become so burdensome as to simply drive developers and deployers elsewhere.

The GPAI Code of Practice Takes the Stage

Meanwhile, much of the EU’s regulatory attention has shifted toward the Act’s rules governing general-purpose AI systems (“GPAI”)—a category commonly understood to include foundation and frontier models developed by firms such as OpenAI, Anthropic, Google DeepMind, Meta AI, and xAI. The Act’s GPAI provisions became applicable in August 2025 and are increasingly becoming the center of gravity for European AI governance.

That development makes the EU’s GPAI Code of Practice unusually important. Published by the European Commission in July 2025, the Code provides guidance for firms seeking to comply with the AI Act’s requirements for general-purpose AI systems. Formally, the Code is voluntary. Functionally, however, it operates more like a quasi-mandatory governance framework. Firms that sign onto the Code receive a clearer path toward demonstrating compliance, while firms that decline to participate may face greater regulatory scrutiny and legal uncertainty. (This dynamic is familiar in other domains of business regulation. Accounting standards, cybersecurity frameworks, and GDPR guidance documents often become effectively mandatory in practice even when they are not formally binding.)

The Bottom Line: Implications for Accountable AI and Business Strategy

For business leaders, several key takeaways emerge:

  1. Use the runway wisely: The extension allows time to build mature, integrated governance and accountability practices for high-risk systems—think risk classification, impact assessments, and oversight mechanisms—rather than treating compliance as a future checkbox.
  2. Treat GPAI governance as strategic: Engaging proactively with the Code of Practice not only mitigates regulatory risk, but signals responsible innovation and leadership to partners, investors, and regulators.
  3. Balance ethics and competitiveness: The EU’s pivot illustrates that sustainable AI leadership requires aligning regulation with economic realities. Overly rigid ethics-first approaches risk being impractical, but overly lax ones can undermine trust.
  4. Global ripple effects: As the first comprehensive AI law (and the most ambitious one to date), EU developments influence international standards, supply chains, and multijurisdictional compliance. Businesses operating globally should track these signals closely.

The policy battle continues. The EU AI Act remains a landmark regulatory project, but its rocky implementation reveals the tensions inherent in regulating a general-purpose technology amid intense geopolitical competition. For Europe, the central question is no longer how to regulate AI ethically, but how to do so while maintaining its relevance in the AI economy.

Firms that treat accountable AI as a strategic advantage—and choose to prioritize responsibility alongside innovation—will be best placed to navigate the evolving global AI regulatory landscape.

Written by Jon Iwry, Fellow, Wharton Accountable AI Lab