Preparing for the Next AI Act Amendments (Without Overreacting)
Practical guidance for a shifting regulatory landscape, and why good governance is your best long-term investment.
AI regulation is no longer an abstract concern. The EU AI Act is in force, its obligations are phasing in on a staggered timetable, and it has already been amended once, significantly, less than two years after its original adoption. For SMEs, public sector organisations, heritage bodies, and research institutions trying to do the right thing with AI, the pace of change can feel destabilising. Every new announcement prompts a fresh wave of compliance anxiety, consultancy warnings, and urgent webinars.
This post is an attempt to offer something different: a measured, practical view of where we actually are, what has genuinely changed, and how organisations of all sizes can prepare sensibly, without either overreacting to every update or burying their heads in the sand.
The central argument is straightforward. The regulatory landscape will keep shifting. But the organisations that will navigate it best are not those that scramble to respond to each development. They are those that have built sound, transparent, and well-documented AI practices from the outset, practices that remain defensible regardless of which specific rules happen to be in force at any given moment.
What Has Actually Changed: The AI Act Omnibus in Plain Terms
In May 2026, EU legislators reached a political agreement on what has become known as the "Digital Omnibus on AI", the first substantive set of amendments to the AI Act since its adoption in June 2024. Understanding what changed, and what did not, matters more than the volume of commentary surrounding it might suggest.
The most significant development is a timeline extension. Obligations for high-risk AI systems covered under Annex III, which includes AI used in areas such as employment, education, and health insurance, have been deferred from August 2026 to December 2027, a delay of 16 months. For organisations that had been racing to meet the original summer deadline, this is genuine breathing room. It is not, however, a signal to slow down.
The agreement also extends a range of accommodations to SMEs and small mid-cap enterprises, including simplified technical documentation requirements, proportionate quality management obligations, reduced fine caps, and priority access to regulatory sandboxes. Crucially, these SME simplifications now extend to companies with up to 750 employees and €150 million in annual revenue, a meaningful expansion that will benefit many UK-based organisations operating across the EU that previously assumed they fell outside the original SME threshold.
The agreement also introduces new prohibitions on AI systems designed to generate non-consensual intimate imagery or child sexual abuse material, effective December 2026. These are rightly targeted additions that address genuine harms, and they should not require most legitimate organisations to make any changes to their existing systems.
The core requirements and underlying obligations of the AI Act, however, remain substantively unchanged. Transparency, human oversight, risk management, and data governance remain the foundations of compliance. The Omnibus adjusts deadlines and reduces friction in some areas; it does not alter the fundamental direction of travel.
Why Organisations Should Resist Both Panic and Complacency
The instinct to treat each regulatory development as a five-alarm emergency is understandable. Fines under the AI Act are substantial: the fine structure exceeds GDPR in some areas, reaching up to €35 million or 7% of global turnover for the most serious violations. No responsible organisation should be indifferent to that.
But overreaction carries its own risks. Organisations that restructure their AI programmes around each specific regulatory update, rather than around sound underlying principles, are likely to find themselves perpetually behind the curve.
Regulatory language changes; legal interpretations evolve; enforcement priorities shift. The May 2026 Omnibus agreement itself, for example, still requires formal adoption by the European Parliament and Council before it enters into force. Once adopted, it will be published in the Official Journal and enter into force three days later. That process introduces further uncertainty about exact timelines.
There is also an important practical dimension here for smaller organisations. The compliance burden associated with constant reactive change is not evenly distributed. Large organisations with dedicated legal and compliance teams can absorb the cost of chasing every update. SMEs, public bodies, and heritage organisations operating on constrained budgets typically cannot. For these organisations, investing in durable governance infrastructure, rather than reactive compliance cycles, is not only more efficient but more effective.
The right disposition is neither panic nor complacency. It is informed, proportionate readiness.
Focus on Fundamentals
The good news is that the principles of good AI governance are not, in any meaningful sense, a moving target. They are the same principles that competent engineers, researchers, and public sector professionals have always applied to consequential systems. What the AI Act does, and what its amendments reinforce, is give those principles a formal regulatory expression.
For most organisations, preparing well for AI regulation means attending to four areas:
Transparency and documentation.
Can you explain what your AI systems do, why they produce the outputs they do, and on what basis decisions are made?
This is both a regulatory requirement and a fundamental marker of responsible practice. The AI Act requires technical documentation, conformity assessments, and registration in the EU database for high-risk systems. But the underlying obligation, to be able to account for your systems, applies regardless of regulatory category.
Human oversight.
Is there a clear, meaningful human in the loop for consequential decisions?
The AI Act mandates human oversight for high-risk applications, but the principle matters across the board. At Aralia, we have always argued that AI should augment human expertise rather than replace it. This is not just an ethical position; it is an engineering requirement for systems that need to remain accountable and correctable.
Risk management and proportionality.
Not all AI systems carry the same risks. A well-calibrated risk assessment, one that honestly examines what could go wrong, for whom, and with what consequence, is the foundation of proportionate governance. The Omnibus amendments make it easier for smaller organisations to demonstrate compliance through simplified frameworks, but the underlying risk reasoning still needs to be sound.
Data provenance and quality.
Poor data is the source of most AI failures in practice, and it is also a compliance risk. Knowing where your data comes from, how it was collected, and whether it is fit for purpose is not merely good engineering hygiene; it is increasingly a regulatory obligation.
These fundamentals do not require an army of lawyers or a dedicated compliance team. They require thoughtful, documented practice, the kind that responsible organisations should already be building into their AI work.
What This Means for UK Organisations Specifically
UK organisations face a more complex picture than their EU counterparts, because the UK has chosen a deliberately different regulatory path. Whilst the EU AI Act creates binding, directly applicable obligations across all member states, the UK Government's current approach is broadly sector-led and principles-based, with the Regulating for Growth Bill signalling a continued preference for enabling innovation over prescriptive compliance frameworks.
This divergence matters in two ways. First, UK-based organisations that operate in EU markets or that supply AI systems or services to EU customers are subject to the AI Act regardless of their location.
With SME simplifications now extended to companies with up to 750 employees and €150 million revenue, many UK mid-cap firms that previously assumed they lay outside the simplified framework may find they now qualify. This is worth reviewing.
Second, the underlying principles of the EU AI Act (transparency, accountability, human oversight, and risk management) are also consistent with the UK's emerging sector-specific guidance from bodies such as the ICO, the MHRA, and Ofsted.
Building governance practices that satisfy the AI Act's requirements is very likely to satisfy the UK's emerging expectations as well, even where the formal regulatory instruments differ. It is rarely a wasted investment.
For public sector organisations and heritage bodies in particular, the reputational and operational case for good AI governance extends well beyond regulatory compliance. These organisations hold public trust, manage sensitive data, and make decisions that affect real lives. The standards they apply to AI should reflect that responsibility, whether or not a specific regulation mandates it.
Practical Steps for Right Now
The deadline extension for high-risk AI systems buys time, but it does not remove the need to act. The most productive use of that time is to consolidate good practice rather than to defer it.
Organisations should consider the following priorities:
Audit your AI systems to understand what you have deployed, what decisions those systems inform or make, and whether any fall into high-risk categories under the AI Act's Annex III classifications.
Review your documentation practices. Can you produce a clear account of how each system works, what data it uses, and what its known limitations are? If not, begin building that record now.
Assess your oversight mechanisms. For any system informing consequential decisions, is there a clear human review process? Is it documented and followed in practice?
Engage with the regulatory sandbox provisions. The Omnibus amendments make regulatory sandboxes more accessible to SMEs and smaller organisations, offering a structured way to test AI systems with real users under a temporarily relaxed regulatory framework. For organisations developing novel AI applications, this is worth exploring.
Monitor, but do not be paralysed by, ongoing developments. The Omnibus agreement still requires formal endorsement and adoption by both the European Parliament and the Council. Final text may differ in detail. Track these developments through reliable sources, but do not redesign your systems around provisional language.
Final Thought
The AI Act will continue to evolve. There will be further amendments, further guidance documents, further enforcement decisions that clarify the boundaries of what is required. This is the nature of any regulatory framework in a rapidly developing technological domain.
What will not change, and what the Omnibus agreement has not changed, is the underlying logic of responsible AI governance. Systems that are transparent, well-documented, proportionate in their risk management, and subject to meaningful human oversight are systems that will remain defensible across a wide range of regulatory environments. They are also, not coincidentally, systems that are more likely to work well, to maintain user trust, and to avoid the operational failures that bring both commercial and reputational damage.
Good governance is not a compliance cost. It is a durable asset. The organisations that understand this and invest accordingly will be better placed than those who treat regulation as an obstacle to be managed at the last minute.
The AI Act is asking organisations to do what thoughtful practitioners should have been doing all along. The deadline extension is an opportunity to do it properly. Take it.