EU AI Act Reset: Trilogue Closes in the Early Hours of 7 May, Postpones Annex III to December 2027, Bans Nudification Apps and Tightens Watermarking to a Three-Month Grace Period

In the early hours of Wednesday 7 May 2026, after months of negotiation and a first trilogue that collapsed on 28 April, the European Parliament and the Council reached a provisional agreement on the Digital Omnibus on AI — the most significant rebalancing of the EU’s flagship artificial intelligence rulebook since Regulation 2024/1689 entered into force on 1 August 2024. The deal, framed by the European Commission press release as “EU agrees to simplify AI rules to boost innovation and ban ‘nudification’ apps to protect citizens,” postpones the bulk of the high-risk obligations by sixteen months and fundamentally reshapes the operational deadlines that thousands of compliance teams had been planning against.

The new dates: 2 December 2027 and 2 August 2028

Under the original AI Act calendar, obligations on high-risk AI systems under Annex III — covering employment, education, credit, biometrics, critical infrastructure, law enforcement, justice and migration — would have applied from 2 August 2026. The 7 May agreement moves that to 2 December 2027. AI embedded in regulated Annex I products — medical devices, machinery, toys, lifts, watercraft — moves to 2 August 2028. The political reality, as Brussels regulatory specialists Timelex summarised the deal, is that “the supporting framework — harmonised standards, designated notified bodies, guidance documents, conformity assessment procedures — will not be ready by then.” The clock has been moved back, but it has not been switched off.

The watermarking deadline: 2 December 2026

The deal’s most immediate operational deadline applies to generative AI providers. The grace period for the Article 50(2) transparency obligations — requiring marking and disclosure of AI-generated synthetic content — was compressed from six months to three. Production-ready watermarking and labelling capabilities are now required by 2 December 2026. This date matters because, unlike the postponed high-risk regime, watermarking is technically operational today and does not require notified bodies or harmonised standards. Compliance teams at the major foundation-model providers — including signatories of the GPAI Code of Practice — have approximately seven months to deliver. The Commission’s second draft of the Code of Practice on Marking and Labelling of AI-generated Content was published on 5 March 2026 and remains the operational reference point.

The nudification ban: a new Article 5 prohibition

The deal introduces a new prohibition under Article 5 targeting AI systems that generate child sexual abuse material (CSAM) or that depict the intimate parts of an identifiable person without consent — popularly known as “nudification” or “deepfake undressing” apps. Companies have until 2 December 2026 to bring their systems into line. Importantly, the prohibition targets not only intentional deployment but also the failure of providers of more general-purpose generative AI tools to put in place reasonable safeguards against this type of misuse. In operational terms, providers of generative image, video and audio models must revisit training-data filtering, prompt and output classifiers, and content moderation at the output stage.

The registration obligation that survived

The headline coverage of the deal led with the new dates and the nudification ban. The operationally consequential provision sits lower in the press release: the registration obligation under Article 6(3) survived intact. The Commission’s original proposal would have deleted the obligation to register, in the EU database, AI systems operating in Annex III contexts that providers self-assess as not meeting the high-risk threshold. Both Council and Parliament rejected the deletion. The 7 May agreement reinstates registration with streamlined Annex VIII Section B content. As Brussels-based AI governance consultancy Modulos summarised: “This converts self-assessment from a private internal memo into a public artefact. Every provider claiming that their HR, education, credit, essential-services, biometric or law-enforcement-adjacent AI does not meet the high-risk threshold will have to file that position in an EU database and stand behind it.”

The Annex I machinery compromise

The most contested provision in the negotiations — the conformity assessment architecture for AI integrated into Annex I products — was settled through what observers have called a “face-saving compromise”. AI machinery products will need to comply with sectoral safety rules rather than both the AI Act and sectoral rules in parallel, subject to safeguards ensuring an equivalent level of health and safety. The Parliament’s wider push to move Section A products into the sectoral track wholesale was rejected in favour of a narrower carve-out for the Machinery Regulation and a case-by-case implementing-act mechanism for the rest. The architecture of the AI Act, including direct applicability across most of Annex I, is preserved.

What it means for compliance teams

The deal still needs formal adoption by both institutions, who have indicated they intend to do so before 2 August 2026, the date on which the bulk of the high-risk obligations would otherwise become applicable. Until the agreed Regulation is formally adopted and published in the Official Journal, the original deadlines remain legally in force. In practice, however, enforcement action against organisations preparing for the new dates seems unlikely if the formal adoption process slips beyond 2 August. Compliance teams that had been racing against the August 2026 deadline now have a longer runway to complete Article 11 documentation, Article 12 logging, and Article 14 oversight mechanisms — but the underlying obligations have not been softened. As one Brussels regulatory advisor put it: “Two consecutive postponement rounds would terminate the Brussels-effect leverage. The institutions held the line on the architecture. Holding the line on the dates is the natural consequence.”

The Cypriot Presidency’s flagship deliverable

The Cypriot Presidency, which holds the rotating chairmanship of the Council of the EU until 30 June, framed the AI Omnibus as a flagship deliverable — the first under the “One Europe, One Market” roadmap agreed by the three institutions earlier this spring. The next institutional milestone is the formal vote in plenary, expected in June 2026, before the file moves to publication. The presidency hands over to Lithuania on 1 July. For now, the Brussels regulatory community has its operational targets: 2 December 2026 for watermarking and the nudification ban, 2 December 2027 for stand-alone Annex III, and 2 August 2028 for AI in Annex I products.