Digital Omnibus AI: Analysis of the Final Compromise Text

The agreed compromise text of the Digital Omnibus on AI — the legislative package amending Regulation 2024/1689 (the EU AI Act) — represents the output of intensive trilogue negotiations between the European Parliament, the Council of the European Union, and the European Commission. For businesses that have been tracking the AI Act since its entry into force, the compromise text introduces substantive changes to several provisions that directly affect compliance timelines and documentation requirements. This article provides an article-by-article analysis of the key modifications.

Article 3: Simplified AI System Definition

One of the most consequential changes in the compromise text concerns Article 3(1), which defines an "AI system" for the purposes of the Regulation. The original AI Act definition, aligned with the OECD's 2023 recommendation, describes an AI system as a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness, producing outputs such as predictions, recommendations, decisions, or content.

The compromise text clarifies this definition by introducing an explicit exclusion for deterministic rule-based software that does not adapt its behaviour through learning from data. This addresses a long-standing concern from business associations and legal practitioners that the original definition was broad enough to capture conventional software with conditional logic — a feature of virtually every enterprise application — alongside genuinely AI-based systems.

The practical effect of this clarification is that businesses can more confidently determine which of their software systems fall within the AI Act's scope. A static decision tree that applies fixed rules to calculate an output — even a consequential output such as an eligibility determination — is now more clearly outside the definition, while a model that updates its weights or adjusts its outputs based on feedback from operational data is clearly inside it.

Article 6: Revised High-Risk Classification Threshold

Article 6 is the provision that determines which AI systems must comply with the most demanding requirements of the AI Act, including the full risk management system of Article 9, extensive technical documentation under Article 11, and mandatory third-party conformity assessment in certain categories.

The original Article 6(2) classified as high-risk any AI system performing one of the tasks listed in Annex III across eight domains. The compromise text modifies this by introducing a significance test: an AI system performing an Annex III task is high-risk only if it poses a significant risk of harm to health, safety, or the fundamental rights of natural persons, taking into account the intended purpose, the context of deployment, and the degree to which the AI system's output influences the final decision.

This change has been characterised both as a sensible proportionality measure and as a potential loophole. The significance test places the initial classification burden on the provider or deployer — they must assess and document whether their system crosses the significance threshold, and that assessment is itself subject to supervisory review. The compromise text requires that this self-assessment be documented and made available to competent authorities on request.

For compliance programme design, the revised Article 6(2) means that businesses should not assume all Annex III AI deployments are high-risk, but they also cannot assume that systems performing sensitive tasks are automatically out of scope. A documented significance assessment — grounded in the specific deployment context, the population of affected individuals, and the consequentiality of AI-influenced outputs — is now a required compliance artefact for any Annex III AI system regardless of the outcome of that assessment.

Article 28: Modified Deployer Obligations

The original AI Act treated providers (those who develop and place AI systems on the market) and deployers (those who use AI systems in a professional context) as having substantially different obligation levels, with providers bearing the primary compliance burden. Critics argued that this allocation underweighted the compliance responsibilities of deployers, who make the operational decisions about how AI systems are actually used.

The compromise text modifies Article 28 by strengthening deployer obligations in two areas. First, deployers of high-risk AI systems must conduct a fundamental rights impact assessment (FRIA) before deploying systems in contexts where outputs could affect individuals' rights, adding a structured human rights analysis to the existing technical compliance obligations. Second, deployers must maintain a register of their AI system deployments and provide this register to competent authorities on request — creating a deployer-side audit trail that complements the provider's technical documentation.

These changes are significant for enterprise AI purchasers. A large company deploying a vendor-supplied AI system for HR screening, customer credit assessment, or insurance risk pricing is now subject to both the FRIA requirement and the deployment register obligation, regardless of whether the AI system provider has completed its own conformity assessment. Procurement contracts for AI systems should be reviewed to ensure that providers are contractually required to supply the information deployers need to complete their Article 28 obligations.

Article 43: Updated Conformity Assessment Routes

Article 43 governs the conformity assessment procedures through which AI system providers demonstrate compliance with the Regulation's requirements. The compromise text makes three notable changes to the original text.

First, it clarifies that AI systems substantially modified after initial conformity assessment must undergo a new assessment under the modified system's applicable category — addressing concerns that incremental model updates could silently shift a system's risk profile without triggering reassessment obligations.

Second, the compromise text introduces a simplified conformity assessment route for AI systems deployed exclusively by SMEs with fewer than 250 employees, allowing these deployers to use an abbreviated internal control procedure for certain Annex III categories (specifically those in the employment, essential services access, and education domains) provided the system has already been assessed by a notified body for a different deployer. This shared assessment mechanism is intended to reduce the duplicative burden on the market for commercially licensed AI systems.

Third, the Article 43 compromise clarifies the relationship between notified body assessments and accreditation under the European Accreditation Regulation, ensuring that notified body competency requirements for AI assessment are harmonised across member states and that mutual recognition of assessments is the default rather than the exception.

Article 51: Lighter GPAI Model Obligations

The compromise text's most commercially significant change for the AI industry may be the revised Article 51 governing General Purpose AI model obligations. The original text imposed extensive documentation, transparency, and evaluation requirements on all GPAI models, with enhanced obligations for models designated as presenting systemic risk based on training compute.

The compromise text restructures Article 51 into a two-tier framework with clearer obligations at each tier. Tier 1 (baseline GPAI models, training compute below 10^25 FLOPs) must provide downstream deployers with a model card containing technical capabilities and limitations, known risks, and a summary of training data provenance. Tier 2 (systemic risk models) must additionally undergo adversarial testing using Commission-approved methodologies, maintain an incident register, and cooperate with Commission investigations.

Crucially, the compromise text removes from Tier 1 the original draft's requirement for granular training data documentation — one of the most operationally contentious requirements, given the complexity of GPAI model training pipelines and the difficulty of retrospectively documenting all data sources. This documentation requirement is now applicable only to Tier 2 systemic risk models.

For providers of commercially distributed GPAI models, the compromise text significantly reduces baseline compliance costs while maintaining meaningful oversight for the highest-capability models. For businesses licensing GPAI models, the model card requirement ensures that the information needed to complete deployer-side obligations under Articles 28 and 9 will be available from providers as a matter of regulatory obligation.

What the Changes Mean for Compliance Timelines

The aggregate effect of the compromise text changes is to create a more proportionate compliance architecture in which the heaviest obligations concentrate on the highest-risk deployments. Businesses that had structured their compliance programmes around the original AI Act text should review their classification analyses under the revised Article 3 definition and Article 6 significance test, update their deployer obligation assessments under Article 28, and check whether the Article 43 SME simplified route applies to any of their deployments.

The compliance application dates in the original AI Act remain the primary timeline reference — the Digital Omnibus changes are amendments to those dates and obligations, not a reset. Prohibited AI practices obligations applied from February 2025. General-purpose AI model obligations apply from August 2025. High-risk AI system obligations under Annex III apply from August 2026.

Frequently Asked Questions

Does the simplified AI system definition in the compromise text exclude my rule-based software from the AI Act?

The revised Article 3 definition more clearly excludes purely deterministic, rule-based software that applies fixed logic without learning from data. However, the boundary between "rule-based" and "AI-based" systems is not always obvious in practice — systems that use statistical models for scoring or ranking, even without deep learning architectures, are likely still within scope. A documented classification analysis is advisable for any software that influences consequential decisions about individuals.

What is the fundamental rights impact assessment (FRIA) required under the modified Article 28, and when does it apply?

The FRIA is a structured assessment that deployers of high-risk AI systems must conduct before deployment in contexts where AI outputs could affect individuals' rights. It requires identifying the rights at stake, assessing the likelihood and severity of potential impacts, and documenting mitigation measures. It applies to all deployers of high-risk AI systems, not just public authorities — meaning private sector deployers in financial services, employment, and essential services must complete FRIAs under the compromise text.

How does the two-tier GPAI model framework under the revised Article 51 affect businesses licensing foundation models?

Under the revised Article 51, all GPAI model providers must supply a model card to downstream licensees. For Tier 1 models (below the systemic risk threshold), this replaces the more extensive training data documentation requirements of the original draft. For businesses licensing GPAI models, the model card provides the technical information needed to complete their own Article 9 risk management and Article 28 deployer obligations — meaning the licensing agreement should confirm that an Article 51-compliant model card will be provided and kept current as the model is updated.

Sources

• Regulation (EU) 2024/1689 (EU AI Act), Articles 3, 6, 9, 11, 13, 28, 43, 51
• European Parliament / Council of the EU, Digital Omnibus AI Compromise Text (2025 trilogue outcome)
• OECD Recommendation of the Council on Artificial Intelligence, OECD/LEGAL/0449 (updated 2023)
• European Commission, Proposal for a Regulation amending Regulation (EU) 2024/1689, COM(2025)
• European Accreditation Regulation, Regulation (EC) No 765/2008
• Council of the EU, General Approach on Digital Omnibus AI, Council Document 2025