The EU AI Act Just Got Simpler. But You're Not Off the Hook

The Omnibus: what changed and what did not

On 7 May 2026, EU co-legislators reached provisional agreement on the Digital Omnibus on AI — targeted amendments to the EU AI Act. The agreement comes after months of industry pressure citing implementation infrastructure gaps: harmonised standards were not finalised, notified bodies were not yet designated in most member states, and the technical guidance needed for conformity assessment was incomplete. The co-legislators acknowledged these practical constraints and provided a revised timeline.

The most significant change is a 16-month extension for high-risk AI obligations. Annex III standalone systems — covering employment, credit, biometrics, education, law enforcement, and critical infrastructure — now have until 2 December 2027. Annex I embedded systems (AI in regulated products like medical devices and machinery) have until 2 August 2028. These are now fixed dates. The political argument for delay has been used once; the institutions signalled clearly it will not be used again.

What the Omnibus does not change

Transparency obligations (August 2026): Deployers of AI systems that interact with users must disclose AI interaction. This is unchanged. Chatbot disclosure, virtual assistant disclosure, and AI-generated content notifications apply from 2 August 2026 as originally planned.

GPAI model obligations: Requirements under Articles 50-55 for foundation model providers have been in force since August 2025 and are substantively unchanged by the Omnibus.

Prohibited AI practices: The bans on social scoring, subliminal manipulation, and certain biometric AI have been in force since February 2025. Unchanged.

The core architecture of the Act: Risk classification, provider and operator obligations, technical documentation requirements, conformity assessment — all remain. The extension changes when, not what.

What the Omnibus adds

New prohibition on nudifier AI: AI systems that generate non-consensual sexually explicit or intimate imagery — including AI nudification apps and CSAM-generating systems — are prohibited from 2 December 2026. This is a new Article 5 prohibition added by the Omnibus, not a delayed version of an existing one.

Watermarking grace period (December 2026): AI-generated content watermarking and labelling obligations under Article 50(2) are extended to 2 December 2026 — a three-month grace period from August 2026.

SME and small mid-cap relief: Certain compliance requirements previously available only to SMEs (under 250 employees) are extended to small mid-cap companies (250-500 employees range). Simplified technical documentation formats and sandbox access are included.

Governance refinements: Stronger role for the AI Office; clarified competences between the AI Office and national authorities for AI systems built on GPAI models; mechanism for Commission to reduce AI Act obligations in sectors where existing sectoral law already covers equivalent requirements.

The strategic implications

Organisations that interpret the extension as permission to pause AI governance programmes are making a mistake. The compliance work required — AI inventory, risk classification, technical documentation, human oversight architecture, monitoring infrastructure — takes 12-18 months to build properly. The December 2027 deadline is fixed. There is no credible path to a third extension. The organisations that will be best positioned are those that use the additional time to build robust, sustainable governance rather than compressed, point-in-time compliance exercises.

The August 2026 chatbot disclosure obligation is not extended. Any organisation deploying AI that interacts with EU users has a live, unamended compliance obligation from 2 August 2026.