May 25, 2026
EU AI Act for Swiss Companies: What the May 2026 Digital Omnibus Changes
The EU AI Act applies to Swiss companies via the market access principle. The May 2026 Omnibus deferred some deadlines — but not the prohibitions already in force since February 2025.
On May 7, 2026, the EU Council and the European Parliament reached a political agreement on the "Digital Omnibus on AI" — an amendment package extending key compliance deadlines for high-risk AI systems by 16 to 24 months. The Omnibus was driven in part by pressure from European technology companies like SAP, Airbus, and Siemens, who argued the original timelines were unrealistic for complex product landscapes. For Swiss companies, this sounds like breathing room. The reality is more nuanced: what is already in force, stays in force.
Does the EU AI Act apply to Swiss companies?
The market access principle is decisive: any provider placing AI systems on the EU market, or whose AI outputs are used by users within the EU, falls under the Regulation — regardless of whether the company is registered in Zurich, Zug, or Basel. Two triggers apply: first, a provider placing an AI system on the EU market; second, AI outputs used within the EU, even if the system technically runs on Swiss servers. A Swiss SaaS provider selling AI-driven HR software to a German company is a provider under the AI Act. A Swiss law firm using GPT-based contract analysis as a service for EU clients is a deployer. Estimates suggest 60–70% of larger Swiss AI providers serve EU clients. These companies need a written EU representative — a requirement the Omnibus did not defer.
What has been in force since 2025:
Prohibited AI practices have been banned since February 2, 2025: social scoring by public authorities, real-time biometric surveillance in public spaces, and subliminal manipulation systems. Since August 2, 2025, GPAI model providers must publish technical documentation, copyright policies, and training data summaries. Neither set of rules was part of the Omnibus deferral — they apply to Swiss providers serving the EU market today.
What the May 7, 2026 Digital Omnibus deferred:
Standalone high-risk AI systems (Annex III) — including systems for job application screening, employee evaluation, credit scoring, and emergency service prioritization — now have until December 2, 2027 instead of August 2, 2026 (+16 months). AI embedded in regulated products (Annex I), such as medical devices and industrial machinery, must comply by August 2, 2028 (+24 months). SMEs and newly included "small mid-cap" companies (up to 750 employees, up to €150M annual revenue) receive simplified documentation requirements, regulatory sandbox access, standardized templates, and a more favorable fine structure: the lower rather than the higher amount between the percentage of revenue and fixed maximum caps. (Source: EU Council press release, May 7, 2026)
What the Omnibus did not change:
- Prohibited AI practices (since February 2025): no deferral, no exceptions - GPAI transparency obligations (since August 2025): no deferral - AI-generated content must be machine-readable marked as such by December 2, 2026 - Two new prohibitions from December 2, 2026: AI for non-consensual intimate imagery and CSAM Running a customer-facing AI chatbot without labeling its output as AI-generated is already a compliance gap — not a future risk starting in 2027.
Switzerland's own regulatory trajectory:
Switzerland is following the GDPR pattern: observe, then harmonize. The Federal Council has tasked the Federal Department of Justice and Police (FDJP) with preparing a consultation document by end of 2026. Switzerland signed the Council of Europe's AI Convention in March 2025, with ratification underway. The political direction: ratify the CoE AI Convention plus sector-specific adaptations to existing laws — no standalone Swiss AI Act is planned. Switzerland's Federal Data Protection Act (nFADP) already covers AI applications that process personal data, with a data protection impact assessment required when risks to fundamental rights are high. For Swiss SMEs today, the EU AI Act is the operative framework for anyone serving EU clients. Swiss domestic regulation will follow, but not before 2027–2028.
Four steps to take now:
- AI inventory: List all AI systems in use — internal and customer-facing, including embedded models in SaaS products - Risk classification: Rule out prohibited practices, identify high-risk systems (EU Commission guidance is free at digital-strategy.ec.europa.eu) - Clarify roles: Are you a provider (you developed or substantially modified the system) or a deployer (you use it)? Mixed cases are possible - Designate an EU representative: If you are a provider with EU clients based outside the EU, a written EU representative is mandatory — the Omnibus did not touch this requirement
The EU AI Act applies to Swiss companies, and the Digital Omnibus does not change that fundamentally. It gives high-risk AI providers more preparation time, but prohibitions have been in force since February 2025 and GPAI obligations since August 2025. Companies waiting because "the Omnibus bought time" risk compliance gaps in areas that were never deferred. *Sources: EU Council, press release, May 7, 2026 (consilium.europa.eu) — Steiger Legal, "EU verschiebt Pflichten für Hochrisiko-KI und vereinfacht KI-Verordnung", May 8, 2026 (steigerlegal.ch)*