
Digital Omnibus II

Towards a more pragmatic implementation of the AI Act

(Translated by DeepL)

In November 2025, the European Commission presented the Digital Omnibus Package. Its second part (the ‘Digital Omnibus II’) proposes several targeted adjustments to Regulation (EU) 2024/1689 on artificial intelligence (AI Act) that pursue a central objective: to improve its implementation in light of the initial difficulties identified, while maintaining the architecture of the law based on the assessment of the risks presented by an AI system (AIS) or a general-purpose AI model (GPAIM).

As already mentioned in a previous commentary (see Fischer, cdbf.ch/1397), the AI Act applies beyond the borders of the EU. In several scenarios, Swiss companies, such as financial institutions, that make AIS available or use them to provide certain services to EU residents could be considered deployers or even providers and be subject to the AI Act (see also Fischer, cdbf.ch/1418 and cdbf.ch/1420). This commentary aims to present five amendments proposed by the Digital Omnibus II project that deserve particular attention for these actors.

1. New timeline for the entry into force of obligations for AIS

The draft creates a new mechanism linking the entry into force of certain obligations, in particular those applicable to high-risk AIS, to the availability of new compliance tools (in particular harmonised standards and Commission guidelines).

In concrete terms, once these tools have been published by decision of the Commission, the obligations concerned will apply after the following transitional periods:

  • For high-risk AIS listed in Annex III (Art. 6(2) AI Act), the obligations will apply six months after the decision, but no later than 2 December 2027.
  • For high-risk AIS listed in Annex I (Art. 6(1) AI Act), the obligations will apply twelve months after the decision, but no later than 2 August 2028.

In addition, there are transparency obligations for providers and deployers of AIS or GPAIMs that generate synthetic audio, image, video or text content (which fall into the category of low-risk AIS). For systems placed on the market before 2 August 2026, a six-month grace period is granted to comply with these requirements (Art. 50(2) AI Act).

2. Revision of the AI literacy requirement (‘AI literacy’)

The draft removes the current obligation for providers and deployers to ensure a sufficient level of AI literacy for their staff (Art. 4 AI Act) and transfers this responsibility to the Commission and Member States, which will now be required to encourage the adoption of appropriate training measures. However, the requirement that high-risk AIS must be supervised by staff with the necessary skills remains unchanged.

3. Relief from the registration requirement

According to Art. 6(3) AI Act, a system that is included in the list of high-risk AIS in Annex III but which the provider considers not to pose a significant risk of harm to natural persons must be registered in the European database (Art. 6(4) and 49(2) AI Act).

In the Commission’s proposal, this registration requirement is removed, but the provider must keep documentation justifying this classification and make it available to the competent authorities upon request.

4. Strengthening the role of the European AI Office

In order to improve the supervision of AIS based on GPAIMs developed by the same provider, the Commission plans to strengthen the powers of the European AI Office. The draft envisages the adoption of implementing acts specifying the powers of the Office, for example by giving it the possibility of imposing administrative sanctions.

5. Possibility of processing sensitive data for training AIS

The proposal introduces a new Article 4a allowing, on an exceptional basis, the processing of sensitive data for the training, validation and testing of AIS where this is necessary to detect and correct errors, subject to strict conditions. This possibility extends to high-risk AIS as well as other categories of systems.

Thus, following criticism of the complexity and difficulties of applying the European regulatory framework in the digital field, the European Commission intends, through the Digital Omnibus Package, to adjust this framework in order to improve its implementation. The aim is not to reduce the level of protection but to ease certain obligations deemed too restrictive and to strengthen supervision at European level.

In Switzerland, although no specific regulatory framework for AI has yet been adopted, the applicable requirements are gradually becoming clearer. The financial sector is beginning to put certain rules in place, notably through FINMA’s expectations in terms of governance and risk management, as set out in its Communication on Supervision 08/2024 (see Caballero Cuevas, cdbf.ch/1392/). The objective is clear: to anticipate and control the operational, legal and reputational risks associated with the use of AI.

From this perspective, compliance with the AI Act is not just a requirement for EU-oriented activities. It can also be part of a broader approach to structuring the governance of AI tools, consistent with the prudential expectations already applicable to Swiss financial institutions.