The adoption of AI in the business environment is advancing rapidly. According to the latest data from the INE, 21.1% of Spanish companies with 10 or more employees used AI technologies in the first quarter of 2025. In the European Union, Eurostat places this percentage at 20%, a figure that exceeds 55% in the case of large companies.
Faced with this new scenario, the European Union has promoted the so-called Digital Omnibus, a package of legislative proposals that proposes adjustments in the application of the European Artificial Intelligence Regulation with the aim of simplifying its deployment and facilitating the adaptation of companies, suppliers and administrations.
Reorder application times
“This new framework does not eliminate obligations, but rather rearranges application times. The key is to use this margin to reinforce security, traceability and control over the artificial intelligence systems that are already being incorporated into company processes,” explains Francisco Valencia, general director of Secure&IT, a Spanish company specialized in information security.
The European Commission has established a new calendar to give companies more room to adapt to these new requirements linked to high-risk AI systems. Obligations for systems used in areas such as biometrics, critical infrastructure, education, employment, migration, asylum or border control will apply from December 2, 2027, while those relating to systems integrated into regulated products will apply from August 2, 2028.
“This postponement should not be interpreted as a reduction in obligations or as an invitation to wait. In addition, some transparency requirements, such as informing users when they interact with AI systems or labeling certain deepfakes and content generated or manipulated by AI, will be applicable from August 2, 2026,” says Valencia.
For companies, the new regulatory scenario requires knowing precisely how AI is being used within the organization: what tools are used, for what purpose, what data they process, what suppliers are involved and what controls exist to guarantee security, traceability and human supervision. For this reason, companies should not postpone the management of artificial intelligence and advance in some priority lines.
No time to postpone adoption
Although the new European calendar offers more room to adapt to certain obligations, companies should not delay the management of artificial intelligence and must advance from now on in five priority lines:
- Inventory the uses of AI, identifying what tools are used, by whom they are used, for what purpose, on what data, in what business processes of the companies and what role and risk each system assumes according to the RIA.
- Define a corporate AI policy that establishes permitted uses, supervised uses, prohibited uses, information that should not be entered into these tools and internal responsibilities for companies.
- Control Shadow AI to avoid the use of unauthorized solutions that may expose confidential information, personal data or sensitive company content.
- Evaluate suppliers and classify systems by analyzing which third parties are involved, where the data is processed and what level of risk each AI system used by companies has.
- Integrate AI into the security and compliance strategy, incorporating cybersecurity controls, privacy, traceability, training and incident response so that companies can comply with the new regulatory framework.
The new regulatory scenario requires knowing precisely how AI is being used within the organization
“Regulation gives more time, but it does not eliminate the urgency. Companies that start now will arrive better prepared, will reduce risks and will be able to adopt AI with more guarantees. The challenge is not to stop innovation, but to govern it,” concludes Valencia.
