EU AI Act trilogue concludes with high-risk rules delayed to 2027
In the early hours of Wednesday 7 May 2026, after months of negotiation and a first trilogue that collapsed on 28 April, the European Parliament and the Council reached a provisional agreement on the Digital Omnibus on AI — the most significant rebalancing of the EU’s flagship artificial intelligence rulebook since Regulation 2024/1689 entered into force on 1 August 2024. The European Commission framed the deal as: “EU agrees to simplify AI rules to boost innovation and ban ‘nudification’ apps to protect citizens.”
The new dates: 2 December 2027 and 2 August 2028
Under the original AI Act calendar, obligations on high-risk AI systems under Annex III — covering employment, education, credit, biometrics, critical infrastructure, law enforcement, justice and migration — would have applied from 2 August 2026. The 7 May agreement moves that to 2 December 2027. AI embedded in regulated Annex I products — medical devices, machinery, toys, lifts, watercraft — moves to 2 August 2028. Brussels regulatory specialists Timelex summarised the deal as: “the supporting framework — harmonised standards, designated notified bodies, guidance documents, conformity assessment procedures — will not be ready by then.”
Watermarking: 2 December 2026
The deal’s most immediate operational deadline applies to generative AI providers. The grace period for Article 50(2) transparency obligations — requiring marking and disclosure of AI-generated synthetic content — was compressed from six months to three. Production-ready watermarking and labelling capabilities are now required by 2 December 2026. This date matters because, unlike the postponed high-risk regime, watermarking is technically operational today and does not require notified bodies. Compliance teams at major foundation-model providers — including signatories of the GPAI Code of Practice — have approximately seven months to deliver.
Nudification ban: a new Article 5 prohibition
The deal introduces a new prohibition under Article 5 targeting AI systems that generate child sexual abuse material (CSAM) or that depict the intimate parts of an identifiable person without consent — popularly known as “nudification” or “deepfake undressing” apps. Companies have until 2 December 2026 to bring their systems into line. The prohibition targets not only intentional deployment but also the failure of providers of more general-purpose generative AI tools to put in place reasonable safeguards.
The registration obligation that survived
The operationally consequential provision sits lower in the press release: the registration obligation under Article 6(3) survived intact. The Commission’s original proposal would have deleted the obligation to register, in the EU database, AI systems operating in Annex III contexts that providers self-assess as not meeting the high-risk threshold. Both Council and Parliament rejected the deletion. As Modulos summarised: “This converts self-assessment from a private internal memo into a public artefact. Every provider claiming that their HR, education, credit, essential-services, biometric or law-enforcement-adjacent AI does not meet the high-risk threshold will have to file that position in an EU database and stand behind it.”
The Cypriot Presidency’s flagship
The Cypriot Presidency, which holds the rotating chairmanship until 30 June, framed the AI Omnibus as a flagship deliverable — the first under the “One Europe, One Market” roadmap. The next institutional milestone is the formal vote in plenary, expected in June 2026. The presidency hands over to Lithuania on 1 July. For now, the Brussels regulatory community has its operational targets: 2 December 2026 for watermarking and the nudification ban, 2 December 2027 for stand-alone Annex III, and 2 August 2028 for AI in Annex I products.
