EU AI Omnibus Deal Delays High-Risk Rules to December 2027

EU co-legislators struck a provisional political agreement in the early hours of Thursday 7 May 2026 on the so-called Digital Omnibus on AI — a regulation amending the AI Act that postpones key compliance deadlines and adds a new prohibition on AI “nudification” apps. As the formal adoption process accelerates, the deal will reshape the regulatory landscape for AI providers in Europe over the next eighteen months.

The high-risk delay: 16 months

The single most consequential change is the deferral of the AI Act’s high-risk obligations. Under the original Regulation (EU) 2024/1689, these were set to apply from 2 August 2026. Under the Omnibus, the new dates are:

• 2 December 2027 for stand-alone high-risk AI systems under Annex III — covering biometrics, critical infrastructure, education, employment, law enforcement and border management;
• 2 August 2028 for AI systems embedded in products covered by EU sectoral safety legislation (Annex I) — including medical devices, machinery, toys, lifts and watercraft.

The European Commission had originally proposed a 16-month delay, and the co-legislators broadly maintained the thrust of that proposal. The deferral is conditional on the publication of the harmonised standards and the establishment of the necessary tools and bodies — a clause introduced by the Council that fixes a hard deadline rather than an open-ended one.

The nudification ban

The deal also adds — at the trilogue stage — a new prohibition on AI systems that generate non-consensual sexually explicit images, audio or video content, as well as child sexual abuse material created with AI. Companies offering such systems will have until 2 December 2026 to bring their products into compliance, meaning these tools must be removed from the European market entirely by that date.

Co-rapporteur for the IMCO committee Arba Kokalari (EPP, Sweden) framed the broader deal in defensive terms: “We are not weakening any safety rules; we are clarifying the rules for companies in Europe. The current state is that companies are confused about whether they should follow the AI act or sectoral legislation … companies should not be regulated twice for one thing.”

Co-rapporteur for the LIBE committee Michael McNamara (Renew, Ireland) emphasised the fundamental-rights dimension: “I’m pleased that this morning we reached an agreement on the AI Omnibus. Alongside simplification measures, we are banning nudification apps, a key part of the Parliament’s mandate, and, of course, the creation of child sexual abuse material using AI systems. This way, we have the tools to act if providers do not address AI systems that compromise fundamental rights or human dignity.”

Watermarking and transparency

The transparency obligations for AI-generated content have also been recalibrated. The grace period for providers to implement watermarking and transparency solutions has been reduced from six to three months, with the new deadline set on 2 December 2026. The AI regulatory sandboxes at national level have been postponed to 2 August 2027.

SME and small mid-cap exemptions

The deal extends a series of regulatory privileges previously available only to small and medium-sized enterprises (SMEs) to small mid-cap companies (SMCs) — businesses larger than SMEs but still without the compliance resources of major corporations. The aim is to smooth the cliff edge that growing companies otherwise face when they cross the SME size threshold.

Other elements confirmed in the final text include the simplified registration obligation in the EU database for systems self-classified as non-high-risk by their providers, the extension of the AI Office’s supervisory powers for AI systems built on general-purpose AI models, and a mechanism to resolve interplay between the AI Act and sector-specific legislation through equivalence clauses.

The political stakes

The Digital Omnibus on AI is the first deliverable under the “One Europe, One Market” roadmap agreed by the three institutions and forms part of the broader simplification agenda pushed by the Commission since February 2025. To date, the Commission has put forward ten Omnibus packages aiming to simplify legislation on sustainability, investment, agriculture, small mid-caps, digitalisation, defence readiness, chemicals, environment, the automotive sector, and food and feed safety.

The deal was politically significant because it was reached just nine days after a failed trilogue on 28 April that had ended without agreement after twelve hours of negotiation. The closure of the file on 7 May — before the original 2 August 2026 compliance date — was, as Ms Kokalari put it, evidence that politics “can move just as quickly as technology.”

What happens next

The provisional agreement must now be formally adopted by both the Parliament and the Council. The co-legislators intend to complete that process before 2 August 2026, the original start date for high-risk obligations. Should formal adoption slip past that date, the original timelines would apply, creating a brief but disruptive period of legal uncertainty.

Beyond the AI Omnibus, the next chapter is the Data Omnibus — a separate proposal published on 19 November 2025 that amends the GDPR and the ePrivacy Directive. With no imminent deadline pressure, that process will unfold more slowly, and the substantive changes it proposes — including a narrower definition of personal data and the recognition of AI training as a legitimate interest — are expected to be far more disruptive than the AI Omnibus itself.