EU AI Act Update: What the Digital Omnibus Agreement Means for European Companies in Malaysia

This article updates our November 2025 piece on the EU AI Act. The legislative landscape has shifted materially since then – and the timing affects decisions European companies operating in Malaysia should be making right now.

When we wrote about the EU AI Act last November, the key compliance deadline was clear: most operational obligations were set to land on 2 August 2026. That date was the anchor around which European companies – including those running operations in Malaysia – were building their compliance roadmaps.

That anchor has now moved.

On 7 May 2026, the European Parliament and the Council of the EU reached a provisional agreement on what is being called the Digital Omnibus on AI – the first set of amendments to the EU AI Act since it was adopted in June 2024. This is not a minor technical adjustment. It materially changes the compliance timeline, simplifies certain obligations, and introduces new prohibitions. For management teams at European companies active in Malaysia, it is worth understanding what has changed, what has not, and what to do next.

The headline change: more time for high-risk AI

The most practically significant change is a substantial extension of the deadlines for so-called "high-risk" AI systems – the category that covers AI used in employment decisions, credit assessments, access to essential services, biometrics, education, and critical infrastructure.

Under the original Act, companies had until 2 August 2026 to comply. Under the Omnibus agreement, that deadline has been pushed back significantly: high-risk AI systems in sensitive areas now have until 2 December 2027, while those embedded in physical products – medical devices, machinery and similar – have until 2 August 2028.

Why the delay? Straightforwardly, the EU co-legislators acknowledged that the technical standards and guidance documents companies need to actually implement the rules are not yet fully ready. Holding companies to deadlines based on standards that do not yet exist was recognised as unreasonable and the revised timeline corrects that.

For European companies in Malaysia, this breathing room is welcome – but it does not mean compliance work can be set aside. The hard work of identifying which AI systems you use, classifying them against the Act's risk framework, and building appropriate governance is work that takes time and does not get easier with delay. Companies that start now will be in a far stronger position than those that treat the extended deadline as permission to wait.

What is still coming on 2 August 2026

Not everything has been delayed. Several obligations remain on the original August 2026 timeline and are live concerns for management teams right now.

The transparency obligations under Article 50 of the Act – which require companies to disclose when users are interacting with AI systems and to clearly label AI-generated content – continue to apply from 2 August 2026. If your marketing, customer service, or communications functions use AI-generated text, images, or audio in any customer-facing capacity, your teams should already be adapting workflows and content practices.

The prohibition on manipulative and exploitative AI practices has also applied since February 2025 and remains fully in force.

New prohibitions: a line drawn on synthetic intimate content

The Omnibus agreement also introduces a new category of outright prohibited AI: systems whose primary purpose is to generate non-consensual intimate imagery – what is commonly called deepfake pornography – as well as AI-generated child sexual abuse material. This prohibition is expected to apply from December 2026.

For most European companies in Malaysia this will not require operational changes. But it is relevant for any business operating in digital media, content platforms, or technology services and it reflects a broader direction of travel: the EU is willing to use the AI Act as a tool to respond to emerging societal harms, not just to manage pre-existing risk categories.

The Malaysia context

For European companies running regional operations out of Malaysia, the EU AI Act's extraterritorial reach remains unchanged: if your AI systems produce outputs that reach EU users or markets, the Act applies to you regardless of where those systems are built or deployed.

What has shifted since November is the Malaysian side of the picture. Malaysia is actively developing its own AI governance framework, with dedicated legislation expected to be tabled in the second half of 2026. Malaysia's forthcoming National AI Action Plan 2026–2030 is explicitly designed to align with international frameworks – including the EU AI Act. In practical terms, this means that companies building EU-compliant AI governance practices in Malaysia are not just meeting a European regulatory requirement; they are positioning themselves ahead of the local regulatory curve as well.

What to do now

The revised timeline gives companies more room to get high-risk AI compliance right. Use it deliberately:

• Audit your AI use-cases now: classify what you use, identify what falls into high-risk categories, and confirm where you act as provider versus deployer. This foundational work is the same regardless of which deadline applies.
• Do not defer transparency obligations: Article 50 requirements apply in August 2026. Labelling, disclosure workflows, and synthetic content practices need to be in place before then.
• Review your vendor contracts: documentation obligations, audit rights, and change-in-law provisions matter regardless of the extended deadlines. Update agreements with AI vendors and model providers accordingly.
• Nominate an internal owner: AI compliance without a clear internal accountable person tends to drift. Assign ownership now while the timeline is more manageable.

If your organisation would like a practical review of how the Digital Omnibus changes affect your current compliance position, our team is available for a complimentary scoping call. Contact us at info@aqranvijandran.com.