EU AI Act Omnibus: What Irish Firms Need to Know

AI Policy and Governance

EU AI Act Omnibus: What Irish Firms Need to Know

The EU AI Act Omnibus Ireland update moved one high-risk deadline, not Article 4 or the August 2026 enforcement date. Here is what changed and what to do.

Eileen Weadick, PhD

Founder, Clear Gate Systems • 27 May 2026 • 6 min read

EU AI Act Omnibus: What Irish Firms Need to Know

Some public commentary has described the Digital Omnibus on AI as delaying the EU AI Act. That is not the full picture.

In May 2026, the EU institutions reached a political agreement on the Digital Omnibus on AI, a package of targeted amendments to the EU AI Act originally proposed by the European Commission in November 2025. The European Parliament formally adopted the amendments on 16 June 2026, by 423 votes in favour. The Omnibus focuses mainly on adjusting the application timeline for certain high-risk AI systems. The general framework and many other deadlines remain unchanged. Whatever sector you're in, if your business is using AI tools at all, the obligations that affect you most directly are still firmly on the August 2026 schedule.

Read on for a plain-English breakdown of what moved, what did not, and the five practical steps any Irish SME can take before August.

What is the EU AI Act Omnibus?

The EU Digital Omnibus on AI is not a rewrite of the AI Act. It is a package of targeted amendments proposed by the European Commission in November 2025 and agreed in principle between the Parliament and the Council on 1 May 2026.[1]

The Commission's reasoning was practical: match when the high-risk AI rules kick in to when the standards and tools businesses need to comply with them are actually ready, and set backstop dates in case those tools are delayed.

Both the European Parliament and the Council formally adopted the Omnibus on 16 June 2026. The new deadlines are confirmed by both institutions, subject to publication in the Official Journal before they enter into force.

In summary

The Omnibus is a targeted adjustment to how and when certain high-risk AI rules apply. It is not a general relaxation of the AI Act.

What did the Omnibus actually change?

The main AI Act-related change introduced by the Digital Omnibus concerns the timing for high-risk AI systems listed in Annex III of the EU AI Act.[7] Annex III covers a specific category of AI: systems used to filter job applicants, score creditworthiness, manage access to education, support decisions in the administration of justice, and similar high-stakes applications. Under the original AI Act timeline, Annex III rules would have applied from 2 August 2026, with rules for high-risk AI embedded in regulated products following in August 2027.

The Omnibus ties the start date for these high-risk rules to whether the tools businesses need to comply, such as harmonised standards, are actually ready. If the Commission confirms those tools are in place, the high-risk rules start a set period after that confirmation. If the Commission never makes that confirmation, backstop deadlines apply anyway: 2 December 2027 for Annex III stand-alone systems and 2 August 2028 for Annex I (embedded) systems. These deadlines are confirmed by the EP and Council votes of 16 June 2026, and will be legally binding once the text is published in the Official Journal.[2]

The adopted text also delays Article 50 AI content watermarking obligations until 2 December 2026, by which date AI-generated content must be labelled in a machine-readable way to increase transparency. The Omnibus also introduces a new prohibition on AI systems that generate non-consensual intimate imagery (commonly called nudifier apps) and on AI-generated child sexual abuse material. Providers placing such systems on the EU market, and deployers using them, will not be permitted to do so without adequate safeguards. Systems must comply with this prohibition by 2 December 2026. These dates are confirmed by the EP and Council votes of 16 June 2026,[8] subject to Official Journal publication.

In summary

The Digital Omnibus, adopted by the European Parliament on 16 June 2026, adjusts timelines and technical details for certain high-risk systems. The overall risk-based structure and general obligations of the AI Act stay exactly as they were.

For the full compliance obligations this creates for organisations deploying Annex III high-risk AI systems in financial services, HR technology, or health technology, see What the August 2026 EU AI Act Deadline Means for Irish SMEs.


What did not change, and why this matters for your firm

AI literacy obligations (Article 4) are in force now

Article 4 of the EU AI Act requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy for their staff and other persons dealing with AI systems on their behalf. This obligation entered into application on 2 February 2025, and national market-surveillance authorities will begin supervising and enforcing it from 3 August 2026.[3]

If your firm uses AI tools, whether Microsoft Copilot, a ChatGPT-style service, or AI built into your practice management or document review system, you are already required to ensure the people using those tools understand what AI is, how it works, and what the risks are. There is no formal certificate required, but regulators will look at what training has been documented.

The EU is not asking everyone to become AI engineers. It is asking organisations to make sure the people driving AI in their work know what they are doing and what the rules are.

One note on Article 4: in the Digital Omnibus proposal, the Commission suggested moving the general AI literacy duty off individual organisations and onto Member States and the Commission instead, as part of a broader push to promote AI literacy and skills, according to the Commission's own AI literacy Q&A.[3] The European Parliament and Council adopted the Omnibus text on 16 June 2026. The specific wording of this Article 4 amendment will be confirmed once the text is published in the Official Journal. Until that publication, Article 4 as enacted continues to require organisations to take measurable steps on AI literacy. Do not treat this change as a reason to deprioritise staff training.

Deployer obligations still apply

If your firm uses an AI system in a professional context within the EU, you will generally be a "deployer" under the Act. That means any person or organisation, public or private, using an AI system as part of their work rather than for purely personal reasons. For deployers of high-risk AI systems, the Act requires measures such as appropriate human oversight, use of the system in line with the provider's instructions, monitoring during operation, and reporting certain serious incidents to the competent authorities. For other AI systems subject to transparency rules, deployers must meet those specific transparency obligations and should adopt appropriate internal controls as part of responsible governance.

For most Irish SMEs, the most immediate EU AI Act priorities are Article 4 AI literacy and oversight of AI used in customer-facing or decision-support work, and the obligations differ depending on which side of that line your use case sits. See Using AI Yourself Versus Deploying AI for Customers for how the same six Article 26 duties bite differently depending on who the AI is for. Annex III high-risk obligations, including conformity assessment requirements, will apply only if the business deploys an AI system that falls within an Annex III category. Under the Omnibus adopted by the European Parliament and Council on 16 June 2026, these obligations apply at the latest from 2 December 2027 for relevant Annex III systems, subject to Official Journal publication.

You cannot assume your software vendors handle compliance for you. If your people are using AI tools in client work, your firm has duties regardless of whether the vendor is compliant.

In summary

Article 4 AI literacy obligations are already in force (since February 2025), with national supervision beginning from 3 August 2026. That is the date that matters most for Irish professional services firms right now.

What does this mean if your AI use has outpaced your AI governance?

Ireland has adopted a distributed regulatory model. Rather than one mega-regulator for all AI, S.I. No. 366 of 2025 designates multiple national competent authorities, including existing sectoral regulators, to supervise AI use within their current areas of responsibility. The Government's General Scheme of the Regulation of Artificial Intelligence Bill 2026 proposes establishing a new statutory independent body, the AI Office of Ireland, as a central coordinating authority for AI Act implementation, with the intention that it will be operational around 1 August 2026.[6]

Whatever sector you're in, if your business uses AI tools that process customer data, the Data Protection Commission is a live regulator for you regardless of whether a sector-specific body also applies. Where a sectoral regulator does apply, such as the Central Bank of Ireland for financial services or the Law Society of Ireland for solicitors, expect it to ask how AI is used in your operations and what safeguards are in place, on top of the DPC's general remit. In practice, this typically means having clear internal rules on when AI can be used, who reviews AI generated content before it reaches a customer, and how confidential or personal data is protected.

The gap this creates is not a professional services problem specifically. It is the general Irish SME picture. An ESRI study of Irish SMEs published in April 2026, drawing on the Central Bank's Credit Demand Survey, found that only 16.0% of firms already using AI describe that use as formal, with 55.5% describing it as ad-hoc, rising to 67.2% among firms still at the testing stage.[5] Most Irish businesses using AI today have not yet built the structure around it that the Act now expects, whatever sector they're in.

In summary

The gap between using AI and governing it is not a law firm problem or an accountancy problem. ESRI's most recent SME survey found more than half of Irish firms using AI describe that use as ad-hoc rather than formal, whatever sector they're in.

What do you have to do before August 2026?

Your pre-August AI Act starter pack: five steps any Irish SME can take now.

Step 1: Make an AI inventory

Write down, on one page, where AI shows up in your business. Include tools like Copilot, AI built into your CRM or practice management systems, any document review or drafting tools, and any experimental projects your team has been running. Do not overlook shadow AI: tools that staff may be using on their own initiative without formal approval.

Certain high-risk AI systems used in financial services, such as those involved in creditworthiness assessment or risk scoring, are subject to additional obligations under the AI Act, including registration in an EU database and compliance with Annex III requirements. These go beyond a basic internal inventory and should be checked against the specific provisions that apply to your use case. See Does Your Financial Services Firm Have an AI Register? for the detailed treatment.

Step 2: Set your red lines

List three to five rules that apply to everyone, with no exceptions. Examples: never paste confidential customer or business information into a public AI tool; never send AI-generated output to a customer without human review; never use an AI tool that has not been reviewed by the business.

Step 3: Write a one-page AI policy

Answer four questions in plain English: What tools are permitted? Who can use them? For what tasks? What must a human check before it leaves the firm? A one-page policy that is actually read and followed is more valuable than a fifty-page document that is not. If your business is already running AI agents rather than just generative AI tools, see AI Governance and Workflow Blueprint for what a fuller structure looks like once the one-page policy is in place.

Step 4: Train your people

Run one session for all staff that covers: the tools the firm uses and permits, the red-line rules, and two or three practical examples drawn from real work in your firm. This does not need to be a full-day course. It needs to be documented.

Step 5: Assign a named owner

Choose one owner or senior manager who is responsible for keeping the AI inventory up to date, updating the policy when tools change, and keeping a simple record of who has been trained and when. Given the AI Act's and GDPR's accountability requirements, businesses should expect regulators to seek explanations of how AI is used in their operations, what safeguards are in place, and who is responsible for overseeing AI governance.

In summary

Five practical steps you can complete in a week. None of them require external expertise to start.

Need to explain this to your board or management team?

The free Digital Omnibus Briefing covers what changed, what did not, and these five steps in a format you can hand over or read from directly at a meeting.

Get the Briefing

If you want help turning this into an AI policy your firm can actually follow, the AI Policy and Governance Pack gives you the structure to do it.

FAQ

People also ask

Does the Omnibus mean Irish firms do not need to comply with the EU AI Act until 2027?
No. The European Parliament and Council adopted the Digital Omnibus on 16 June 2026. Under the adopted text, the backstop application date for Annex III high-risk AI system rules moves from 2 August 2026 to 2 December 2027, subject to Official Journal publication. Article 4 AI literacy obligations have applied since 2 February 2025, and general deployer duties will be enforced from early August 2026 as planned. For many professional services firms using general productivity AI, Annex III high-risk categories often do not apply in any case.
What is Article 4 of the EU AI Act?
Article 4 requires every organisation that provides or uses AI systems to take measures to ensure a sufficient level of AI literacy for their staff and other persons dealing with those systems. The obligation entered into application on 2 February 2025, and national market-surveillance authorities will begin supervising and enforcing it from early August 2026.
Is my business affected by the EU AI Act?
Yes, if you use AI tools in your work, whatever sector you're in. Any organisation that uses an AI system in a professional context within the EU will generally be a deployer under the Act. Irish SMEs using general productivity AI, including document drafting, research tools, scheduling, or CRM and practice management systems with AI features, are deployers. Deployer obligations include AI literacy, oversight, and following the provider's usage instructions.
What is an AI deployer under the EU AI Act?
Under the AI Act, a deployer is a natural or legal person, public authority, agency or other body that uses an AI system under its authority in a professional or organisational context, other than when a natural person uses AI purely for personal, non-professional activities. If your firm uses AI tools provided by a third-party vendor in its work, your firm will generally be a deployer and will have obligations under the Act that are distinct from those of the provider.
When does EU AI Act enforcement start in Ireland?
Across the EU, the main enforcement phase of the AI Act starts from 2 August 2026, when the majority of rules apply and national penalty regimes are in place. In Ireland, the AI Office of Ireland and designated competent authorities will supervise and enforce the Act under national implementing legislation. Fines and other enforcement measures will be possible from that period onwards, once the relevant domestic legal instruments are in force.

Clear Gate Systems provides technical governance architecture. This article is for informational purposes only and does not constitute legal advice. Clients requiring legal interpretation of the EU AI Act or other regulation should engage a qualified legal practitioner.