What happened on 7 May 2026
After months of negotiations, and against a backdrop of widespread industry concern that the August 2026 high-risk AI deadline was unachievable given the absence of finalised harmonised standards, the European Parliament and Council reached provisional agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. The agreement is the most significant development in EU AI Act implementation since the regulation entered into force in August 2024.
The Omnibus is a set of targeted amendments — not a wholesale revision of the EU AI Act. The core architecture remains: risk-based classification, provider and operator distinctions, technical documentation requirements, conformity assessment processes, and penalty framework. What changed is the compliance timeline for specific categories of obligation.
The key timeline changes
Annex III standalone high-risk AI systems: 2 August 2026 → 2 December 2027
Annex III lists eight categories of high-risk AI: biometric identification and categorisation; critical infrastructure management; education and vocational training; employment, workers management and access to self-employment; access to essential private and public services (including credit scoring); law enforcement; migration, asylum and border control; and administration of justice and democratic processes. AI systems that fall into these categories and are deployed as standalone systems — not embedded in regulated products — have until 2 December 2027 to meet the full Annex III compliance requirements. This is a 16-month extension from the original 2 August 2026 deadline.
Annex I embedded systems: 2 August 2027 → 2 August 2028
AI systems that are embedded as safety components in, or themselves constitute, products covered by EU sectoral harmonisation legislation listed in Annex I — medical devices, machinery, radio equipment, toys, lifts, watercraft, and others — have until 2 August 2028. The Omnibus also provides a mechanism for the Commission to issue implementing acts limiting AI Act application in sectors where existing sectoral law already covers equivalent requirements. The Machinery Regulation receives a direct carve-out: AI within that regulation is exempted from direct AI Act applicability.
Dates that were NOT extended
August 2026 transparency obligations remain. Article 50's requirements — deployers of AI systems that interact with natural persons must ensure that these persons know they are interacting with an AI — apply from 2 August 2026 as originally planned. This covers AI chatbots, virtual assistants, and AI-generated content. No organisation deploying such systems with EU users has received an extension for this obligation.
GPAI model obligations (Articles 50-55) remain unchanged. These have been in force since 2 August 2025 and are not affected by the Omnibus.
Prohibited AI practices remain in force since February 2025. The Omnibus adds a new prohibition on AI systems that generate non-consensual intimate imagery (nudifiers, CSAM-generating AI) effective 2 December 2026.
The new AI-generated content watermarking date
Article 50(2) requires providers of AI systems that generate synthetic audio, image, video, or text content to mark those outputs as AI-generated. The original August 2026 deadline is extended to 2 December 2026 under the Omnibus — a three-month grace period, reduced from the originally proposed six months. Providers of generative AI systems should treat December 2026 as the operative deadline for watermarking and content labelling capabilities.
SME and small mid-cap relief
The Omnibus extends certain regulatory privileges previously available only to SMEs (under 250 employees) to small mid-cap companies — a new category covering organisations roughly in the 250 to 500 headcount range that lack the compliance resources of large incumbents. The specific privileges extended will be confirmed in the final legal text, but include simplified technical documentation formats and regulatory sandbox access. For organisations in this size range, the Omnibus provides meaningful compliance relief while maintaining the substantive high-risk AI obligations.
The bias detection data exception
One technically significant change: the Omnibus broadens the circumstances in which GDPR special category personal data — health information, biometric data, race, sexual orientation — can be used to detect and mitigate bias in AI models. This is subject to strict necessity, but it addresses a genuine compliance tension between GDPR's data minimisation requirements and the need to test AI systems for discriminatory outcomes across sensitive characteristics.
Formal adoption and legal status
The 7 May 2026 agreement is a provisional political agreement. It requires formal endorsement and adoption by both the European Parliament and the Council before it becomes law. Given the proximity of the original August 2026 deadline, both institutions have committed to completing formal adoption before that date. The political agreement is now the operative planning baseline — organisations should plan against the revised timeline.
What to do now
The extension is not permission to pause AI governance programmes. The compliance work required — AI inventory, risk classification, technical documentation, conformity assessment preparation, human oversight architecture, monitoring infrastructure — takes 12-18 months to build properly. Starting that work in Q1 2027 for a December 2027 deadline is too late. The organisations that will be best positioned are those that use the additional time strategically: identifying AI use cases, mapping data flows, assessing risks, and building the documentation and audit trails the regulation requires.
Address the August 2026 transparency obligation now. If you deploy AI systems that interact with EU users — chatbots, virtual assistants, AI-generated communications — you have an unamended compliance obligation from 2 August 2026. This is the most immediate requirement for most consumer-facing organisations and has not been extended.
