Sovergate
Compliance · 10 min read · 2 June 2026

EU AI Act December 2027 Deadline: What Actually Changed

On May 7, 2026 the EU AI Act Omnibus deal extended the high-risk AI compliance deadline from August 2026 to December 2027. A precise breakdown of what changed, what stayed the same, and what it means for your compliance programme.

On May 7, 2026, the European Parliament and Council reached a provisional political agreement on the Digital Omnibus on AI — a legislative package that amends the EU AI Act in several significant ways, most importantly by extending the compliance deadline for high-risk AI systems.

This guide explains precisely what the Omnibus changed, what it did not change, what the caveats are, and what it means for your compliance programme.

The headline change: deadlines extended

The original EU AI Act brought most high-risk AI obligations into application from 2 August 2026. The Omnibus deal changes this as follows:

Standalone high-risk AI systems (Annex III): 2 August 2026 → 2 December 2027 (+16 months)
High-risk AI in regulated products (Annex I): 2 August 2026 → 2 August 2028 (+24 months)

These revised dates cover the core obligations for high-risk AI systems under Articles 8 through 15 of the EU AI Act — risk management, data governance, technical documentation, record-keeping (Article 12), transparency, human oversight, and accuracy requirements.

The critical caveat: provisional agreement

The Omnibus is a legislative proposal that still requires formal adoption before the changes can become law.

As of publication, the May 7 deal is a provisional political agreement between the European Parliament, the Council of the EU, and the European Commission. It must still go through formal adoption procedures — formal votes in both the Parliament and the Council, legal-linguistic finalisation, and publication in the Official Journal of the EU.

If the Omnibus is not formally adopted before 2 August 2026, the original AI Act's provisions — including the high-risk obligations and their current timeline — will apply from that date as written.

Most legal experts expect formal adoption to happen quickly given the urgency. However, organisations should not treat December 2027 as a confirmed deadline until formal adoption is published in the Official Journal. Continue compliance preparation in parallel.

What the Omnibus changes

1. High-risk AI deadlines extended (primary change)

The obligations applicable to high-risk AI systems designated under Article 6(2) and Annex III of the AI Act will take effect on 2 December 2027, instead of 2 August 2026. The obligations applicable to high-risk AI systems subject to existing EU sectoral legislation listed in Annex I and covered by Article 6(1) will take effect on 2 August 2028.

2. New prohibition on non-consensual intimate imagery

The Council and Parliament have agreed to introduce a ban on AI systems that either have the purpose of generating non-consensual intimate imagery and child sexual abuse material, or do not have in place reasonable safety measures to prevent this.

This prohibition is effective from December 2, 2026 — earlier than the high-risk deadline. It is an outright ban, with no compliance pathway.

3. Transparency and watermarking deadline adjusted

The AI Omnibus has moved the application date for new transparency and marking obligations to 2 December 2026, pushing the compliance date back from 2 August 2026. These rules are designed to make AI-generated audio, image, video and text detectable and traceable.

For providers of AI-generated content — images, audio, video, text — this is a modest three-month extension from August 2026 to December 2026. The obligation itself is unchanged.

4. Regulatory sandboxes extended

The Omnibus extends the deadline for Member States to have at least one national AI regulatory sandbox operational from 2 August 2026 to 2 August 2027, and in parallel creates a separate EU-level sandbox operated by the AI Office, with priority access for SMEs and startups.

5. SME privileges extended to small mid-caps

Companies that do not qualify as SMEs under EU definitions but are nonetheless small — what the Omnibus terms “small mid-cap companies” — now benefit from the same simplified compliance pathways previously available only to SMEs.

6. Strengthened central enforcement for GPAI

The AI Omnibus strengthens central EU-level enforcement by giving the AI Office supervisory competence over AI systems based on a general-purpose AI model developed by the same provider or same group of undertakings, and over AI systems integrated into very large online platforms or very large online search engines as designated under the EU Digital Services Act.

7. Definition of “safety component” clarified

The definition of safety component — which determines whether an AI system falls under the Annex I high-risk route — has been modified to reduce ambiguity. The practical effect is to clarify which AI systems in regulated product contexts require the full conformity assessment process.

What the Omnibus does NOT change

This is equally important. Several significant obligations remain on their original timeline.

GPAI obligations: unchanged

EU legislative bodies — May 7, 2026 agreement

“General Purpose AI provider obligations are not among the extended items.”

Providers of foundation models and general-purpose AI systems — companies offering GPT, Claude, Gemini, Mistral, and similar models as a service — remain subject to their GPAI obligations on the original timeline.

Prohibited AI practices: largely unchanged

The prohibitions under Article 5 — real-time biometric identification in public spaces, social scoring, manipulation of vulnerable groups, exploiting subconscious behaviour — have been in force since 2 February 2025 and are not modified by the Omnibus extension.

GDPR: unchanged and actively enforced

EU legislative position

“Companies should remember that their high-risk AI systems may already be subject to other applicable legal obligations — particularly under the GDPR in relation to personal data, which is very broadly defined. EU data protection authorities are already actively enforcing the GDPR in the AI sector.”

The Omnibus does not touch GDPR. If your AI system processes personal data of EU residents — which almost all LLM-based systems do — GDPR applies now, fully, regardless of the Omnibus extension. Data protection authorities are not waiting for December 2027.

Article 50 transparency obligations: modest extension only

Transparency obligations for AI-generated content — watermarking, disclosure that content is AI-generated — are extended by three months to December 2026, not to December 2027. If your product generates synthetic content intended to influence public opinion or presents AI-generated media, these obligations apply this year.

National supervisory authority establishment: unchanged

Member states are still expected to designate their national AI competent authorities by August 2026, even though the high-risk compliance deadline has moved. The enforcement infrastructure is being built even while the compliance deadline moves. When December 2027 arrives, regulators will be ready.

Why the extension happened

The Omnibus was prompted by practical problems with the original August 2026 timeline, not by a change in political will to regulate AI.

EU legislative record — rationale

“The proposal was prompted by the fact that the Act's timely implementation has faced significant delays, particularly around the designation of national competent authorities and the finalisation of harmonised technical standards and compliance tools needed for high-risk AI system requirements.”

The technical standards that would tell companies exactly how to implement Article 12 logging, Article 9 risk management, and Article 10 data governance are not yet finalised. The standards-developing bodies (CEN-CENELEC, ISO) are still working on them. Enforcing compliance against requirements whose technical specifications are not yet complete is legally problematic.

The extension gives the standards process time to complete. It does not signal that the regulation is weakening.

The trilogue breakdown that preceded the deal

Legislative record — April 28 trilogue

“The 28 April trilogue was the second and final session scheduled to negotiate the Omnibus package. The European Parliament, Council of the European Union and European Commission had already aligned on the broad direction, including new fixed deadlines of 2 December 2027 for standalone Annex III high-risk systems and 2 August 2028 for AI embedded in regulated products. The session ultimately broke down over the increasing intersectionality of existing digital rules.”

The April 28 trilogue ended without agreement. Negotiations continued. A deal was reached on May 7, nine days later. The breakdown and rapid resolution illustrate both the political urgency of extending the deadline before August 2026 and the genuine complexity of aligning the AI Act with other EU digital legislation — GDPR, NIS2, the Data Act, the DSA, DORA — that the Omnibus package also seeks to coordinate.

What this means for your compliance programme

If you have not started: start now

The extension does not reduce the obligation. It provides more time to do the work properly rather than scrambling under deadline pressure.

EU AI Act Omnibus — impact analysis

“For organisations that have been focused on the August 2026 high-risk compliance deadline, the extension creates planning room. Conformity assessments, technical documentation packages and formal registration can now be planned more realistically into 2027 rather than hurriedly completed by August 2026. That does not mean the compliance work goes away.”

The audit trail argument is stronger, not weaker

Companies that begin logging now will have over a year of clean, verified Article 12 audit trail data before regulators can start asking for it. Companies that wait until November 2027 will have weeks.

When a regulator asks for the operation log of your credit scoring AI for the past 12 months, the company that started logging in January 2026 can answer the question. The company that started in October 2027 cannot.

GDPR compliance cannot wait

The extension applies to EU AI Act high-risk obligations. It does not apply to GDPR. If your LLM application processes EU personal data — which it almost certainly does — you need GDPR-compliant data handling now, not in December 2027. Data protection authorities have been enforcing GDPR against AI deployments, and will continue to do so, independently of EU AI Act timelines.

Plan for the standards landing

When the harmonised technical standards for Article 12 (prEN 18229-1, ISO/IEC DIS 24970) are finalised — expected in Q4 2026 at the earliest — there may be gaps between your current implementation and the standard's requirements. The December 2027 timeline gives you time to close those gaps after the standards land rather than having to implement against a moving target.

Timeline: the complete picture post-Omnibus

Date: Event
1 August 2024: EU AI Act entered into force
2 February 2025: Article 5 prohibitions applicable (social scoring, manipulation, most biometric ID in public spaces)
2 August 2025: Most penalties applicable
2 August 2026: GPAI obligations fully applicable. National supervisory authorities must be operational.
2 December 2026: Article 50 transparency obligations (AI-generated content marking). Ban on non-consensual intimate imagery AI.
2 August 2027: Member states must have AI regulatory sandboxes operational.
2 December 2027: Core high-risk obligations for standalone Annex III systems (Articles 8–15, including Article 12 logging).
2 August 2028: Core high-risk obligations for AI embedded in regulated products (Annex I).

Frequently asked questions

Is the December 2027 deadline certain?

It is a provisional political agreement as of May 2026. It still requires formal adoption. Most expect this to happen quickly given the urgency. Treat it as highly likely but not yet legally certain. Continue compliance preparation — do not pause work waiting for formal adoption.

Does the Omnibus change what high-risk AI systems must do?

No. The obligations themselves are unchanged. Only the dates by which they must be met have changed. Article 12 logging still requires the same tamper-evident, automatic, comprehensive logs. The extension gives more time to implement them, not less to do.

Does the extension apply to an AI system already deployed before August 2026?

Yes. The extension applies to when the obligations become enforceable, not when they were designed. An AI system deployed in 2024 gains the same extended deadline as one deployed in 2027.

What about Article 50 watermarking for AI-generated content?

This is extended only to December 2026 — three months, not sixteen. If your product generates synthetic content, this obligation is approaching faster than the high-risk deadline.

Has the UK followed suit?

The UK has its own AI governance framework and is not bound by the EU AI Act or the Omnibus. UK AI policy remains principles-based at the time of writing, with no equivalent to the EU AI Act's high-risk classification system.

Summary

The EU AI Act Omnibus deal of May 7, 2026 extends the core high-risk AI compliance deadline from 2 August 2026 to 2 December 2027 for standalone Annex III systems, and to 2 August 2028 for AI embedded in regulated products.

The deal is a provisional political agreement pending formal adoption. GPAI obligations, Article 5 prohibitions, GDPR, and most Article 50 transparency obligations are not affected.

High-risk deadline extended - Annex III systems: 2 December 2027. Annex I: 2 August 2028.
Provisional only - Requires formal adoption before it is legally binding.
GPAI unchanged - Foundation model obligations remain on the original schedule.
GDPR unchanged - Actively enforced now, regardless of AI Act deadlines.
The obligation is unchanged - More time to implement it properly, not less to do.

The audit trail you start building today will be the evidence you show regulators in December 2027. Start now.

This article reflects the provisional political agreement reached on May 7, 2026. It will be updated when formal adoption is published. This is for informational purposes only and does not constitute legal advice. For questions about Article 12 implementation, contact hello@sovergate.com.

Last updated June 2, 2026. Regulation referenced: EU Regulation 2024/1689 (EU AI Act), Articles 5, 12, 50. AI Act Omnibus provisional agreement, May 7, 2026.
