European Union: European Commission announced Proposal for Digital Omnibus on AI Regulation (2025/0359) including cybersecurity requirements for "high-risk AI systems"

On 19 November 2025, the European Commission announced a Proposal for the Digital Omnibus on AI Regulation (2025/0359), which amends the EU AI Act by altering the implementation timeline of cybersecurity requirements for high-risk AI systems. The implementation period would be calculated by reference to the Commission adopting a decision confirming that adequate measures in support of compliance were available. High-risk AI systems classified according to Annex III would be required to comply 6 months after the Commission decision, while high-risk AI systems classified according Article 6(1) would be required to comply 12 months after the Commission decisions. In any case, the provisions would apply at the latest from 2 December 2027 for Annex III high-risk systems, and from 2 August 2028 for Article 6(1) high-risk systems.