EU AI Act Omnibus 2026: What Swiss SMEs Must Know About AI Agents and High-Risk AI

Chris Jon Graf · AI Strategist & CEO · Published on 25 June 2026

In short

On 7 May 2026, EU lawmakers agreed on the AI Omnibus: high-risk AI systems receive a 16-month deadline extension until December 2027. Nevertheless, Swiss companies deploying AI agents in the EU market must act now. The EU AI Act's extraterritorial scope applies regardless of Swiss domicile—as soon as AI outputs are used in the EU. Particularly critical: autonomous AI agents in finance, HR or contract processes typically fall into the high-risk category and are subject to strict audit, oversight and documentation requirements.

Political Agreement on AI Omnibus: New Deadlines, No All-Clear

The AI Omnibus—part of the Digital Simplification Package agreed by the European Parliament and Council on 7 May 2026—postpones key EU AI Act compliance deadlines. High-risk Annex III systems receive a 16-month extension: standalone systems must now comply by 2 December 2027, product-embedded systems by 2 August 2028. Simultaneously, the EU extends SME relief to mid-caps with up to 750 employees or €150 million turnover—simplified documentation, reduced fines, privileged sandbox access.

Formal adoption by Parliament and Council is expected in July 2026. For Swiss companies, however, the deadline extension changes little: transparency obligations, GPAI requirements and prohibited AI practices are already in force. Anyone deploying AI agents in an EU context is already subject to strict governance requirements—regardless of where the company is headquartered.

Extraterritorial Scope: Why Swiss Firms Are Affected

Switzerland has not adopted the EU AI Act. In February 2025, the Federal Council outlined a sector-specific, innovation-friendly regulatory strategy. Nevertheless, the EU AI Act applies to Swiss companies—through the extraterritorial application provision in Article 2(1)(c). What matters is not the company's domicile but where the AI outputs are used.

Lenz & Staehelin note in their June 2026 analysis: the mechanism functions like GDPR. Anyone serving the EU market must comply with EU rules. For Swiss SMEs with international clients, EU subsidiaries or cross-border supply chains, the compliance obligation is real—and since August 2025, backed by severe penalties: up to €35 million or 7% of global turnover for GPAI violations.

AI Agents in the Enterprise: Why They Are Almost Always High-Risk

Autonomous AI agents differ fundamentally from chatbots or generators: they make decisions and trigger actions. An agent approving invoices, reviewing contract clauses or pre-screening job applications intervenes in business-critical processes—and typically falls under Annex III of the AI Act: high-risk.

  • Financial services: AI agents preparing credit decisions or authorising transactions
  • Human resources: systems evaluating applications, assessing interviews or generating termination recommendations
  • Critical infrastructure: agents in energy supply, traffic control or healthcare
  • Access to essential services: AI-supported allocation of social benefits, education or insurance services

The Omnibus clarifies: systems that merely assist users or optimise performance without creating health or safety risks may be excluded from high-risk classification. Yet this exception rarely applies to genuine agents—whose core function is precisely to act autonomously.

What Distinguishes an Agent from a Tool?

The decision-making logic is the criterion. As we explain in our article 'Which Tool Does an AI Agent Call First? The Decision Logic of Autonomous Content Pipelines': an agent independently chooses which tools to use in which sequence. This autonomy—not the model's complexity—justifies the high-risk classification. Learn more about autonomous agent architecture: Decision Logic of Autonomous Pipelines (/insights/welches-tool-ruft-ein-ki-agent-zuerst-auf-die-entscheidungslogik-autonomer-conte).

Compliance Requirements for AI Agents: The Four Pillars

High-risk AI agents must meet four core requirements that extend far beyond typical IT governance:

1. Complete Audit Trails

Every decision, every input, every output and every intermediate reasoning step by the agent must be logged. This includes: What data were used? Which rules were applied? Which alternative was rejected and why? The GPAI Code of Practice, binding since August 2025, requires privacy-preserving logging, watermarking and provenance tracking—with a ten-year retention period.

2. Human Oversight

High-risk systems may not operate fully autonomously. Article 14 of the AI Act requires that qualified individuals can intervene at any time, review decisions and override them when necessary. This means: no agent may control critical processes without escalation mechanisms.

3. Technical Documentation

System architecture, training methods, data sources, risk analyses and validation procedures must be comprehensively documented—before deployment. This demands close collaboration between development, legal and compliance teams.

4. Incident Reporting

Serious incidents—such as discriminatory decisions, system failures or data breaches—must be reported to competent authorities. For Swiss companies with EU nexus, this means: reporting channels to national supervisory authorities in the affected EU member states.

What Already Applies—and What Is Coming

The EU AI Act enters into force in stages. For Swiss companies with EU nexus, the following are already binding:

  1. Since February 2025: prohibited AI practices (manipulative systems, social scoring, real-time biometric identification in public spaces) and AI literacy obligations
  2. Since August 2025: GPAI obligations, governance framework, penalty regime
  3. From August 2026: transparency obligations under Article 50 (labelling AI-generated content), regular high-risk deadlines—though the Omnibus is likely to postpone these to December 2027

The extension to December 2027 applies only to Annex III high-risk systems. GPAI providers, transparency obligations and prohibited practices remain unchanged. Anyone deploying AI agents today should not speculate on transitional periods—authorities have already announced active enforcement from 2026.

C-Level Action Guide: Six Concrete Steps

For Swiss companies using or planning AI agents, the following roadmap is recommended:

  1. Create an AI system inventory: capture all AI tools—internally developed, purchased, as SaaS solutions, embedded in products. Include pilot projects and departmental solutions.
  2. Perform risk classification: classify each system by use case, not by technology. What matters is function: does the system make autonomous decisions affecting persons or assets?
  3. Appoint an executive AI compliance owner: responsibility belongs at C-level—typically CTO, CLO or COO—with budget, decision authority and direct board access.
  4. Establish a cross-functional governance team: legal, IT, risk, data protection and business units must coordinate. Silos lead to gaps.
  5. Intensify vendor due diligence: GPAI obligations and high-risk requirements apply throughout the supply chain. Contracts with AI vendors must include compliance clauses, audit rights and liability provisions.
  6. Prepare EU database registration: high-risk systems must be registered in the European AI database. This requires technical documentation, conformity assessments and ongoing updates.

Companies deploying AI agents without central governance risk not only fines but reputational damage and operational disruption. The AI Act is not an IT issue—it is a board-level issue.

Why AI Outsourcing Can Simplify Compliance

The complexity of the AI Act overwhelms many mid-market companies. External specialisation—AI as an outsourced business function—offers structural advantages: professional partners bring integrated compliance frameworks, handle vendor management, provide audit trails and maintain technical documentation.

Contract design is critical: clarify who legally qualifies as 'deployer' or 'provider' under the AI Act, who bears documentation obligations, who is liable in incidents. A qualified outsourcing partner does not assume legal responsibility—but ensures you can fulfil your obligations.

Frequently asked questions

Does the EU AI Act apply to my Swiss company if we have no EU subsidiary?
Yes, as soon as your AI systems produce outputs used in the EU. The extraterritorial scope under Article 2(1)(c) is based on place of use, not company domicile. Example: AI-powered customer advisory for EU clients is subject to the Act; internal processes without EU nexus are not.

What makes an AI agent high-risk under the AI Act?
The decisive factor is autonomous decision-making in critical domains: finance, HR, access to services, safety. Once the agent independently triggers actions affecting individuals' rights or assets, it typically falls under Annex III. Pure assistance systems without decision authority are usually excluded.

Which deadlines are already binding despite the AI Omnibus?
Since February 2025: prohibited AI practices and AI literacy obligations. Since August 2025: GPAI requirements, governance structures and penalty regime. Transparency obligations take effect from August 2026. Only high-risk Annex III systems receive postponement to December 2027—subject to formal Omnibus adoption.

What does 'human oversight' mean concretely for operating AI agents?
High-risk AI may not operate fully autonomously. Qualified staff must be able to intervene at any time, review decisions and override them. Technically: escalation mechanisms, approval workflows, override functions. Organisationally: defined responsibilities, training, incident protocols.

How long must we retain AI documentation?
The GPAI Code of Practice requires ten years' retention for logs, technical documentation and risk analyses. For high-risk systems: as long as the system is operational plus the limitation period for potential liability claims—practically at least ten years.

Can an AI outsourcing partner fully assume AI Act compliance?
No. Legal responsibility as 'deployer' remains with the company operating the AI. A qualified partner can, however, provide compliance infrastructure: audit trails, technical documentation, risk assessments, vendor management. Contractual clarification of roles, obligations and liability is critical.
