AI Act ‘Digital Omnibus’: EU Lawmakers Strike Deal to Postpone High-Risk Rules and Ban Nudification Apps
European Parliament and Council negotiators reached a political agreement in late April 2026 on the so-called ‘digital omnibus’ proposal, which postpones the application of certain high-risk provisions of the EU AI Act and tightens the rules on AI-generated intimate imagery. The deal is the most consequential adjustment to the AI Act since its adoption in March 2024 and reflects sustained pressure from European industry, particularly small and mid-cap deployers, who argued they were not ready to comply with the original timeline.
What is being postponed
The Act’s most demanding obligations apply to so-called high-risk AI systems — those used in employment, education, critical infrastructure, law enforcement, access to essential services and several other listed domains. Operators of such systems face conformity assessments, fundamental rights impact assessments, registration in the EU database, and post-market monitoring. The agreed postponement gives most categories of high-risk deployer an additional 12 to 18 months to come into compliance, with sector-specific differentiation.
What is not changing
The compromise leaves untouched the AI Act’s prohibitions on certain practices — social scoring by public authorities, untargeted scraping of facial images for biometric databases, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions) and several others. These remain in force as already implemented. The transparency obligations for general-purpose AI providers, including those for the largest models, also remain on their original schedule.
Nudification apps banned
The most concrete addition is a Union-wide ban on so-called ‘nudification’ applications — software that uses generative AI to remove clothing from photographs, almost always those of real, identifiable people and disproportionately of women and girls. The ban covers both consumer-facing apps and the underlying APIs that enable them, and applies regardless of whether the model was trained inside or outside the EU. Penalties align with those of the Digital Services Act for very large online platforms.
Industry response
European tech industry bodies broadly welcomed the postponement while criticising what they see as continuing fragmentation between the AI Act, the GDPR, the Data Act and sectoral rules. The Commission has committed to publishing a consolidated AI compliance handbook by the end of 2026 to address those concerns. The European Data Protection Board, in a parallel statement, warned against using the postponement as a pretext to weaken fundamental rights protections.
