The Digital Omnibus on AI explained. What the EU AI Act delay actually changes.

The EU AI Act is being amended. The Commission's Digital Omnibus proposal (COM(2025) 836) would defer the core Annex III high-risk obligations by sixteen months. Parliament and Council have adopted positions. Trilogue begins Monday 28 April 2026. This reference maps every provision: what shifts, what stays, the institutional process, and the practical implications for deployers, providers, and the insurance market in the period between now and formal adoption.

Section 1. What the Digital Omnibus on AI is

On 19 November 2025, the European Commission presented two interconnected packages under the Digital Omnibus heading. The first, the Digital Omnibus Regulation (COM(2025) 834), amends four instruments simultaneously: the General Data Protection Regulation, the Data Act, the Network and Information Security Directive (NIS 2), and repeals the Data Governance Act. The second, the Digital Omnibus on AI (COM(2025) 836), is a targeted amendment to Regulation (EU) 2024/1689, the EU AI Act itself.¹

The Commission presented the package as an application of the simplification agenda advanced under the Competitiveness Compass and the 2025 Annual Work Programme. The stated rationale had three elements. First, the harmonised technical standards developed by CEN-CENELEC Joint Technical Committee 21 (JTC 21) were not ready in time to give businesses the practical compliance benchmarks they need. Standards are not legally mandatory under the AI Act, but conformity with them creates a presumption of compliance, making their absence a material gap. Second, the EU AI Office had not published guidance at the speed originally anticipated, leaving the contours of key obligations uncertain. Third, the conformity assessment body infrastructure across Member States was not sufficiently developed to accommodate the volume of assessments that Annex III compliance would require by August 2026.²

The AI Omnibus was separated from the broader Digital Omnibus Regulation precisely because time pressure is more acute. Annex III obligations were due in August 2026; GDPR amendments could be handled on a slower track. As Timelex noted in their analysis published the same week as the Commission proposal: "the AI Omnibus faces greater time pressure, given that the high-risk rules start applying in August 2026."³

The proposal is not a general weakening of the AI Act. The prohibitions in Article 5 are untouched. GPAI obligations remain. The enforcement architecture, the penalty structure under Article 99, and the supervisory designation framework under Article 70 are all unaffected. What the proposal modifies is the application date for a specific subset of obligations tied to the high-risk classification, and it introduces targeted adjustments to AI literacy, GPAI supervision, Article 6(3) disclosure, and penalty proportionality for small mid-cap companies.

Section 2. The political process: Commission, Council, Parliament, and trilogue

The Digital Omnibus on AI follows the ordinary legislative procedure under Article 294 TFEU. The Commission proposed the text on 19 November 2025. Three institutions have now adopted formal positions.

Commission proposal (19 November 2025)

The Commission text (COM(2025) 836) proposed: deferring Annex III obligations to 2 December 2027 in the absence of an earlier Commission decision confirming adequate compliance tools; deferring Annex I obligations to 2 August 2028; introducing an acceleration clause allowing earlier application once harmonised standards and AI Office guidance are in place; softening the AI literacy obligation from binding to encouraged; and extending SME-equivalent proportionate penalties to small mid-cap companies.⁴

Council general approach

The Council adopted its general approach in early 2026. The Council broadly accepted the Commission's timeline proposals on Annex III and Annex I. Key Council positions included maintaining a strict scope for the acceleration clause, resisting extensions of the GPAI supervisory changes beyond what the Commission had proposed, and preserving the existing Article 5 prohibition scope without modification. The Council did not materially contest the new Annex III date of 2 December 2027.⁵

Parliament position (IMCO and LIBE committees, March 2026)

The European Parliament's IMCO and LIBE committees adopted their position in late March 2026. The Parliament's press release, issued 23 March 2026, confirmed agreement with the broad Annex III deferral while adding specific Parliament amendments.⁶ The Parliament's most notable additions were a ban on nudifier applications (AI systems that generate non-consensual intimate imagery), a strengthening of the acceleration clause conditions to require both Commission confirmation and Member State authority readiness, and a clarification of how the Article 50(2) grace period operates for systems already on the market at the August 2026 date. MEP Michael McNamara served as Parliament's co-rapporteur for the file.

MEP Sergey Lagodinsky (Greens/EFA) voiced the civil society concern in public statements: the combination of delay and the AI Act's non-retroactivity provision under Article 111 creates "a loophole" allowing high-risk systems placed on the market before December 2027 to escape the Act's requirements indefinitely, or until substantial modification or deployment by public authorities after 31 December 2030.⁷

Trilogue: 28 April 2026 and beyond

The first formal trilogue session between Parliament negotiators, the Polish Presidency of the Council, and the Commission is scheduled for 28 April 2026. Legal experts writing before the session, including the teams at A&O Shearman, Morrison Foerster, and Taylor Wessing, assessed the positions as broadly convergent on the main timeline questions, with contested territory concentrated in three areas: the precise conditions for the acceleration clause, the scope of the nudifier ban added by Parliament, and the Article 50(2) grace period detail.^{8, 9, 10}

If a political agreement is reached at the 28 April session, the agreed text would enter legal-linguistic review across all 24 official EU languages, typically lasting six to eight weeks. Formal votes in Parliament plenary and by the Council would follow. Publication in the Official Journal would then be required before the Regulation enters into force, twenty days after publication. A realistic adoption window under an optimistic scenario is late June to mid-July 2026, allowing the new dates to take effect before 2 August 2026.

If trilogue extends beyond one session, adoption in time to precede 2 August 2026 becomes increasingly uncertain. The risk identified by Timelex in November 2025 applies: a window in which the high-risk obligations technically apply while co-legislators are still debating whether to postpone them, creating an enforcement ambiguity that national supervisors will need to address publicly.³

Section 3. The new dates: a provision-by-provision table

The table below maps each affected AI Act provision, the original application date, the proposed new date under the Omnibus, and the status of agreement between the three institutions.

Section 4. What is not delayed and why it matters

The framing of the Digital Omnibus in general reporting has been predominantly "AI Act delayed." That framing is accurate as far as it goes and dangerously incomplete for compliance teams that act on it. Six obligation clusters are not delayed. Each has its own logic and its own risk architecture.

Article 5 prohibitions

The bans on the highest-risk AI practices entered force on 2 February 2025 and are not part of the Digital Omnibus negotiations. Supervisory enforcement authority became active from that date under the AI Office for GPAI-related prohibitions and under national supervisors for all other Article 5 matters. Systems that deploy subliminal manipulation techniques targeting subconscious vulnerabilities, systems that conduct social scoring of natural persons by public authorities, and systems used for real-time remote biometric identification in public spaces in most law enforcement contexts are operating illegally today, regardless of the Omnibus outcome. The prohibition on scraping facial images from public spaces for database construction is also already in force. The AI Office has published enforcement guidance on the prohibitions.¹¹

GPAI obligations (Articles 53 and 55, Chapter V)

General-purpose AI model obligations entered application on 2 August 2025. GPAI providers subject to Articles 53 and 55 are already in scope. The Digital Omnibus does modify the supervisory architecture for one specific category: providers who develop both a GPAI model and a system built on that model are now supervised by the AI Office rather than national authorities for the integrated product. This is a governance adjustment, not a timeline deferral. All GPAI transparency, safety evaluation, and incident reporting obligations apply on their original timelines.⁴

Article 50 transparency obligations for new systems

From 2 August 2026, any deployer placing a new chatbot, synthetic content generation system, emotion recognition system, or deepfake production tool on the market must comply with Article 50's four transparency duties. These obligations apply to systems first placed on the market after that date. The Omnibus introduces a targeted grace period of six months for the machine-readable AI-origin marking requirement under Article 50(2) specifically, for systems that are already on the market by 2 August 2026. That grace runs to 2 February 2027. The chatbot notification duty, the emotion recognition disclosure duty, and the deepfake labelling duty under Article 50(4) are not subject to any grace period adjustment in the Commission or Council texts.¹²

Product Liability Directive 2024/2853

Directive 2024/2853 on product liability is entirely outside the AI Act legislative framework and is not part of any Omnibus negotiation. All 27 Member States must transpose it into national law by 9 December 2026. Once transposed, AI software is classified as a product for the purposes of strict liability. The rebuttable presumption of defect under Article 10 of the Directive applies where a deployer cannot demonstrate that its AI Act compliance obligations were met, creating a direct bridge between AI Act non-compliance and product liability exposure. Claimants gain rights to access evidence from deployers and providers under Article 9 of the Directive. This deadline is not negotiable and is not subject to any form of Omnibus-linked deferral.¹³

Member State implementation legislation

Several Member States have enacted national implementation legislation that operates in parallel with the EU AI Act. Italy enacted Law 132/2025 in October 2025, creating a national AI governance framework with obligations on public sector deployers timed to the AI Office's own guidance cycles. Hungary enacted Act LXXV of 2025, establishing a national AI supervisory authority and a national risk register. Lithuania, Finland (Government Proposal HE 46/2025), and Cyprus have enacted or substantially progressed national implementation measures. These national instruments create obligations that are not contingent on the Digital Omnibus outcome and apply on their own domestic timelines.¹⁴

US state AI law: Colorado and beyond

Colorado SB 24-205 (the Colorado AI Act) enters force on 30 June 2026 and applies to any developer or deployer of a high-risk AI system that affects Colorado residents, regardless of where the entity is incorporated. The Colorado definition of high-risk substantially overlaps with EU AI Act Annex III. European companies with US operations or US users face a parallel compliance obligation that is fixed, regardless of EU Omnibus developments. No equivalent of the Digital Omnibus exists in the Colorado legislative process. Texas HB 149 and Virginia SB 1047 are in various stages of consideration and may add further state-level obligations before 2027.¹⁵

NIST AI RMF and ISO/IEC 42001

NIST AI RMF 1.0 (published January 2023) and ISO/IEC 42001:2023 (AI management system standard) are not EU legislative instruments and are not affected by the Digital Omnibus. Both are increasingly referenced in insurance underwriting criteria and in procurement tender requirements across Member States and internationally. Deployers who have built their compliance programme around these frameworks should not pause that work on Omnibus grounds.

Section 5. Why the delay happened: the readiness gap

The Digital Omnibus proposal did not emerge from a reassessment of the AI Act's policy substance. It emerged from three concrete infrastructure gaps that became apparent during 2025.

Harmonised standards: CEN-CENELEC JTC 21

Harmonised standards under the AI Act are developed by CEN-CENELEC Joint Technical Committee 21 (JTC 21), which was established following a Commission standardisation request issued in May 2023. JTC 21 has been developing standards in parallel with AI Act implementation, but the production timeline for finalised, Commission-referenced harmonised standards consistently extended beyond August 2026. Conformity with harmonised standards creates a presumption of compliance with the corresponding AI Act requirements. Their absence does not make compliance impossible, but it does leave deployers and providers without a clear technical benchmark for conformity assessment. The Commission cited this gap explicitly in the Omnibus explanatory memorandum.⁴

AI Office guidance gap

The EU AI Office, established in February 2024, was mandated to produce operational guidance on a number of AI Act obligations, including the Article 27 FRIA structure, the Article 71 registration process, and the classification methodology under Article 6. As of April 2026, several key guidance documents remained unpublished or in draft form. The OneTrust analysis of the Digital Omnibus noted that this gap was a primary Commission justification: guidance documents that businesses needed to complete their operator files were simply not yet available.¹⁶

Conformity assessment body capacity

Third-party conformity assessment under Article 43 applies to a subset of Annex III systems, including biometric identification systems and AI systems in critical infrastructure. The notified body infrastructure across Member States was not scaled to absorb the assessment volume that August 2026 would have triggered. Designation of notified bodies under AI Act Annex VII requirements proceeded, but at a pace below that needed for the anticipated market demand.

Market surveillance authority designation

Article 70 required Member States to designate national market surveillance authorities by 2 August 2025. As of April 2026, nine months after that deadline, fewer than ten Member States had completed or substantially completed formal designation. France, Germany, and the Netherlands, which together account for a major share of European AI deployment by value, had not yet finalised designation. Enforcement of Annex III deployer obligations without a fully operational supervisory network across all 27 Member States would have produced highly uneven application of the Regulation.¹⁴

Industry readiness research

European law firm readiness surveys published in Q4 2025 and Q1 2026 consistently placed self-reported compliance readiness among Annex III deployers at below 30 per cent. AFME's paper on the Digital Omnibus AI proposals identified financial services as a sector with specific readiness concerns, particularly around conformity assessment requirements for creditworthiness and insurance risk scoring systems classified under Annex III points 5(b) and 5(c).¹⁷

Section 6. What it means for deployers in 2026

The Omnibus does not change the substance of what deployers must eventually build. It changes the date by which they must build it. The operational implications for 2026 are therefore more nuanced than either "stop preparing" or "nothing changes."

The Article 26 operator file: still build it

The five-document operator file (risk record, oversight register, instructions-for-use map, logging schedule, and incident protocol) is the minimum compliance artefact under Article 26. If the Omnibus is adopted, deployers gain until December 2027 to have this file ready for supervisory inspection. This is not an instruction to postpone construction. Organisations that build the file now will have a 19-month advantage in refining it, testing it against operational reality, and using it as a basis for insurance placement. Organisations that begin in late 2026 will face the same time pressure that deployers face today, with less institutional knowledge of what supervisors will actually request.⁸

The FRIA: still draft it

The FRIA is the most substantive single document in the deployer compliance architecture. Completing it requires a structured assessment of the system, the affected persons, the fundamental rights risks across the EU Charter dimensions, and the mitigation measures. For public sector deployers in healthcare, social benefit administration, and criminal justice, the FRIA will require input from legal, technical, and policy functions that operate on their own institutional timescales. A FRIA that is drafted starting in 2026 will be of higher quality than one produced in a compressed window before a 2027 deadline. The AI Office has committed to publishing a questionnaire template under Article 27(5); when that template is published, organisations that have already drafted their FRIA will be able to map it quickly rather than starting from scratch.¹²

Insurance posture: do not relax

The Product Liability Directive 2024/2853 transposition deadline of 9 December 2026 is fixed. This creates concrete strict-liability exposure for AI software across all 27 Member States within eight months. Specialist AI insurance carriers are building products designed for this exposure in parallel with AI Act compliance tools. Deployers who pause compliance preparation may find that they are also unprepared for the PLD coverage review that informed insurers will request before the December deadline. The operator file is simultaneously a regulatory requirement and an insurance underwriting input.

Vendor due diligence: continues

Article 26 obligations attach to the deployer regardless of what the provider's contractual terms say. Reviewing provider contracts for language that purports to transfer Article 26 duties is an exercise that does not become less important because the deadline has moved. Deployers who complete their vendor due diligence before December 2027 are also better positioned to renegotiate terms with providers whose documentation packages are inadequate.

Member State engagement: continues

Supervisory authority designation is ongoing across Member States. Knowing which authority will receive a FRIA notification, which authority a serious incident report goes to, and which authority has published sector-specific guidance for your industry is operational knowledge that takes time to develop. Deployers with cross-border operations should engage with this landscape now rather than in the compressed period before a 2027 deadline.

Section 7. What it means for providers

The Digital Omnibus's effect on providers varies significantly by the pathway through which their systems are classified as high-risk.

Annex I product manufacturers: longest deferral

Providers of AI systems embedded in regulated products under Annex I (medical devices under Regulation 2017/745, in-vitro diagnostic devices under Regulation 2017/746, machinery under Directive 2006/42/EC, vehicles, toys, aviation, lifts, and similar) benefit from the longest deferral. The original Annex I date of 2 August 2027 shifts to 2 August 2028 if the Omnibus is adopted. These providers face the most complex conformity assessment pathway because their AI systems must comply with both the AI Act and the relevant sectoral harmonised legislation, requiring coordination between AI Act notified bodies and existing sectoral notified bodies. The additional year is substantial for product development cycles in medical technology and automotive manufacturing.¹⁰

Annex III standalone providers: gain time but face standards uncertainty

Providers of standalone AI systems classified under Annex III (systems used in employment, education, creditworthiness, insurance, law enforcement, migration, and justice that are not embedded in a regulated product) face the Annex III deferral to December 2027. These providers retain the obligation to prepare technical documentation under Article 11 and to ensure their conformity assessment approach is ready for the new deadline. The standards uncertainty that drove the deferral applies equally to providers: JTC 21's eventual harmonised standards will define the conformity pathway, and providers developing their technical documentation before those standards are finalised face residual uncertainty.

GPAI providers: no change

Providers of GPAI models are already subject to Articles 53 and 55 from August 2025. The Digital Omnibus modifies the supervisory architecture for vertically integrated providers but does not defer any GPAI obligation dates. GPAI providers who also build systems on top of their models will find that the AI Office, rather than national authorities, has supervisory jurisdiction over the combined product. This is a governance clarification, not a compliance extension.

Section 8. What it means for the insurance market

The Digital Omnibus introduces complexity for the AI insurance market, but the bifurcation thesis that has characterised market analysis since 2024 holds.

Specialist carriers: likely to accelerate

Specialist AI liability carriers, including HSB (a Munich Re subsidiary writing AI operational risk through its aiSure programme), Armilla (writing third-party AI reliability insurance with model performance data requirements), AIUC (a specialist AI underwriting company that raised USD 15 million in seed funding to build dedicated AI coverage capacity), and Testudo (writing AI incident response coverage) are unlikely to pause product development in response to the Omnibus. The Product Liability Directive 2024/2853 creates a December 2026 coverage need that is independent of the Omnibus outcome. Deployers who were allocating budget to compliance in 2026 may redirect some of that spending to risk transfer if the Omnibus reduces the near-term regulatory urgency, which could expand the addressable market for specialist carriers rather than contracting it.¹⁸

Generalist carriers: may slow exclusion roll-out

Broad general liability and professional indemnity underwriters who had begun introducing AI exclusion endorsements (including ISO form CG 40 47 excluding bodily injury and property damage arising from AI, and ISO form CG 40 48 excluding professional services AI claims, which are spreading from the US market into European policy wordings) may slow the introduction of new AI-specific exclusions by one underwriting cycle in response to the Omnibus. The urgency that was driving accelerated exclusion language was partly regulatory: underwriters were anticipating a wave of AI Act enforcement actions creating insurance claims from 2026. If that wave shifts to 2027, the one-cycle delay in exclusion introduction may follow. However, the December 2026 PLD transposition deadline creates its own exclusion-review pressure on the generalist market.¹⁹

The bifurcation deepens

The long-term structural effect of the Digital Omnibus on the insurance market is likely to deepen the bifurcation between specialist and generalist capacity. Deployers who continue compliance preparation and can demonstrate an operator file, oversight programme, and incident management capacity will attract specialist carriers willing to underwrite their AI operational risk. Deployers who interpret the Omnibus as permission to pause will find specialist capacity expensive or unavailable when they need it, and will discover that generalist policies have been tightened through exclusion endorsements in the intervening period. The Omnibus does not compress the adverse selection dynamics of the AI insurance market; it extends the window in which those dynamics play out.

Section 9. The civil society and academic critique

The Digital Omnibus has not been received without objection. A structurally significant critique has emerged from civil society organisations and academic commentators, and it is relevant to compliance teams' understanding of how enforcement priorities may evolve.

The non-retroactivity structural gap

Article 111 of the AI Act provides that systems already placed on the market before the relevant application dates are not subject to the Act's requirements unless they undergo substantial modification. As Tech Policy Press and Laura Caroli (former co-negotiator of the AI Act) explained in April 2026 commentary, the combination of a delayed application date and the non-retroactivity provision creates a structural gap: AI systems, including high-risk systems in recruitment, credit, and justice, placed on the market before December 2027 may remain outside the AI Act's requirements indefinitely, or at least until substantial modification or (for public sector use) until 31 December 2030.⁷

Race-to-market risk

MEP Sergey Lagodinsky and Bram Vranken of Corporate Europe Observatory both identified the incentive structure created by the delay: companies facing the heaviest compliance burdens from the Annex III high-risk classification have an incentive to accelerate market placement of their systems before December 2027 to lock in pre-Act status. This is not a theoretical risk. It mirrors the dynamic seen in other regulatory transition periods where non-retroactive implementation dates create competitive incentives to move before the gate closes.⁷

The lobbying dimension

The Jacques Delors Centre, in its analysis of the Digital and AI Omnibus packages, and the Corporate Europe Observatory/LobbyControl joint report identified that 69 per cent of Commission meetings in 2025 were with business groups and only 16 per cent with civil society organisations. The report characterised the Omnibus packages as having emerged from "corporate lobby groups' wish-lists," a framing that has been contested by the Commission but which shapes how MEPs from the left and the Greens/EFA group approach the trilogue.²⁰

These critiques are not relevant to the immediate compliance timeline, but they are relevant to the enforcement environment that will follow adoption. Supervisors who are politically responsive to civil society concerns may prioritise the highest-profile Annex III deployments, particularly in employment and creditworthiness, as early enforcement targets, to demonstrate that the delay has not weakened the Act's practical impact.

Section 10. The 90-day Omnibus Watch

The calendar below tracks what compliance teams should monitor between 25 April 2026 and 25 July 2026. Each week has a defined signal and a defined action if that signal triggers. We will maintain a live version of this tracker at /tools/omnibus-tracker/.

Section 11. Frequently asked questions

Related reading

This reference should be read alongside the following articles on this desk. Where a Digital Omnibus adoption affects the timeline discussed in an article, we have noted it with an editorial update.

• 100 days to August 2. The EU AI Act operator checklist for deployers who are not ready. Editorial note: if the Digital Omnibus is adopted before 2 August 2026, this countdown now runs to 2 December 2027 for most Annex III deployers. The five-document operator file structure described in this piece is unchanged.
• EU AI Act Article 27. The Fundamental Rights Impact Assessment every deployer must file. The FRIA obligation is conditionally deferred alongside the Annex III deployer timeline. Preparation disciplines described in this article remain valid.
• The 90-day FRIA countdown. A deployer checklist for EU AI Act Article 27. The checklist timeline would shift to a 90-day count from 2 September 2027 if the Omnibus is adopted. The document structure is unchanged.
• EU AI Act Article 50. The transparency and labelling obligations every deployer must implement by 2 August 2026. This deadline is not affected by the Digital Omnibus. The Article 50(2) machine-readable marking grace period for in-market systems (to 2 February 2027) is discussed in this reference.
• EU AI Act operator obligations. A 2026 compliance guide. The obligations described here remain the substantive requirements under Article 26. The Omnibus changes the deadline, not the content.
• The Double Exposure. EU AI Act and the Revised Product Liability Directive in 2026. The PLD transposition deadline of 9 December 2026 is fixed regardless of the Omnibus. The double-exposure analysis in this piece is not affected by the Digital Omnibus deferral.
• The Product Liability Directive 2024 and AI software exposure. The Directive 2024/2853 analysis in this article is not affected by the Digital Omnibus.
• EU AI Act Member State Implementation Tracker. Where each of the 27 stands as of April 2026. Member State authority designation and national implementation legislation proceed on their own timelines, separate from the Digital Omnibus negotiation.
• AI policy exclusions in 2026. What your existing coverage actually excludes. The carrier exclusion landscape discussed here is affected by the Omnibus only at the margin. The PLD transposition creates sustained exclusion review pressure regardless.
• Digital Omnibus Live Tracker. Week-by-week tracking of the Omnibus legislative process from 28 April 2026 through Official Journal publication. Updated within 24 hours of each significant development.

References and footnotes

1. European Commission, Proposal for a Regulation amending Regulation (EU) 2024/1689 (Digital Omnibus on AI), COM(2025) 836 final, 19 November 2025. Available at: eur-lex.europa.eu.
2. European Commission, Proposal for a Regulation amending Regulation (EU) 2016/679, (EU) 2022/2065, (EU) 2023/2854 and Directive (EU) 2022/2555 (Digital Omnibus), COM(2025) 834 final, 19 November 2025.
3. Timelex, "The European Commission proposes a one-year delay for high-risk AI obligations and softens AI literacy to encouragement," Geert Somers and Wouter Torfs, 21 November 2025. Available at: timelex.eu.
4. Morrison Foerster, "EU Digital Omnibus on AI: What Is in It and What Is Not?", Christoph Wagner, Lokke Moerel, Marijn Storm, and Yesim Tuzun, 1 December 2025. Available at: mofo.com.
5. Council of the European Union, General approach on the Digital Omnibus on AI proposal, adopted Q1 2026. Available via: consilium.europa.eu.
6. European Parliament, "Artificial Intelligence Act: delayed application, ban on nudifier apps," Press release 20260323IPR38829, 23 March 2026. Available at: europarl.europa.eu.
7. Tech Policy Press, "EU's AI Act Delays Let High-Risk Systems Dodge Oversight," Joana Soares, 2 April 2026. Available at: techpolicy.press.
8. A&O Shearman, "Digital Omnibus on AI: What is really on the table as trilogues begin," Laurie-Anne Ancenys et al., published 24 April 2026. Available at: aoshearman.com.
9. Ropes & Gray, "AI Omnibus Trilogue Underway: What to Expect as Negotiations Progress," viewpoint published April 2026. Available at: ropesgray.com.
10. Taylor Wessing, "The Digital Omnibus changes to the AI Act: high-impact on high-risk AI?", Jo Joyce and Caroline Bunz, published 2 February 2026. Available at: taylorwessing.com.
11. EU AI Office, Guidance on the Implementation of Article 5 Prohibitions, published 2025. Available at: digital-strategy.ec.europa.eu.
12. IAPP, "EU Digital Omnibus: Analysis of key changes," published 2026. Available at: iapp.org.
13. Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products, OJ L, 2024/2853, 18 November 2024. Available at: eur-lex.europa.eu.
14. Agent Liability EU, "EU AI Act Member State Implementation Tracker. Where each of the 27 stands as of April 2026," 25 April 2026. Available at: agentliability.eu.
15. Colorado General Assembly, SB 24-205 (Colorado Artificial Intelligence Act), signed May 2024, entering force 30 June 2026. Available at: leg.colorado.gov.
16. OneTrust, "How the EU Digital Omnibus Reshapes AI Act Timelines and Governance in 2026," published 2026. Available at: onetrust.com.
17. AFME (Association for Financial Markets in Europe), "AFME paper on Digital Omnibus AI proposals," 2026. Available at: afme.eu.
18. Agent Liability EU, "AI policy exclusions in 2026. What your existing coverage actually excludes," 24 April 2026. Available at: agentliability.eu.
19. ISO, Commercial General Liability forms CG 40 47 (AI bodily injury and property damage exclusion) and CG 40 48 (AI professional liability exclusion), introduced to the US market 2024, spreading to European policy wordings from 2025.
20. Jacques Delors Centre, "The EU's Digital and AI Omnibus," Hertie School, 2026. Available at: delorscentre.eu.
21. Corporate Europe Observatory and LobbyControl, joint analysis of Commission consultation practices in Digital Omnibus process, 2026. Cited in Tech Policy Press, April 2026.
22. NIST, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)," NIST AI 100-1, January 2023. Available at: nist.gov.
23. ISO/IEC 42001:2023, Artificial intelligence. Management system. International Organization for Standardization, December 2023.
24. European Parliament, Legislative Train Schedule, "Digital Omnibus on AI," updated April 2026. Available at: europarl.europa.eu.
25. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), OJ L 2024/1689, 12 July 2024. Available at: eur-lex.europa.eu.
26. CEN-CENELEC, Joint Technical Committee 21 (JTC 21), standardisation work programme for Regulation (EU) 2024/1689. Available at: cencenelec.eu.
27. Agent Liability EU, "The Double Exposure. EU AI Act and the Revised Product Liability Directive in 2026," 24 April 2026. Available at: agentliability.eu.