EU AI Act Omnibus Deal Pushes High-Risk Compliance to December 2027

In the early morning hours of Thursday, 7 May 2026, negotiators from the European Parliament and the Council of the European Union reached a provisional agreement on the Digital Omnibus on AI, a legislative package that rewrites significant portions of the EU AI Act (Regulation (EU) 2024/1689) less than three months before the first major compliance deadline was set to land. The deal, confirmed after a marathon session that followed a failed trilogue the previous week, amends the Act's high-risk classification architecture, clarifies the law's overlap with the EU's longstanding machinery regulation, and introduces an outright ban on AI applications designed to generate non-consensual sexually explicit imagery, the so-called nudification tools. The International Association of Privacy Professionals reported that the agreement forms part of the broader Omnibus on AI simplification package, a Commission initiative aimed at reducing regulatory duplication across the digital acquis.

The political deal ends a months-long deadlock that had left in-house counsel, national data protection authorities, and the European Commission's own Artificial Intelligence Board scrambling to prepare guidance against a legislative text that was still a moving target. The Verge reported in March that the European Parliament had voted to delay deadlines for high-risk AI systems and AI-generated content watermarking that were due to take effect in August 2026, pushing them to at least the following year; the Parliament's resolution noted pointedly that the Commission had repeatedly missed its own deadlines to publish the implementing guidance businesses need to comply. That March vote was the procedural gateway to the trilogue negotiations that followed, and the 7 May agreement is its legislative conclusion.

The Omnibus deal modifies the AI Act along several axes simultaneously, a characteristic of EU digital lawmaking that rewards close reading of the final compromise text. The headline change is temporal: the compliance deadline for high-risk AI systems listed in Annex III of the Act moves from 2 August 2026 to December 2027, a shift of roughly sixteen months. A further tranche of obligations, covering systems that fall under existing sectoral regulation, slides to August 2028. The machinery-regulation overlap, which had bedevilled manufacturers of industrial equipment incorporating AI-driven safety functions, receives a deliberate clarification; the Omnibus text eliminates the double-registration requirement that would have forced companies to certify the same product under both the AI Act and the Machinery Regulation (Regulation (EU) 2023/1230), substituting a single-assessment pathway where the sectoral regime takes primacy.

The nudification-app ban, which attracted substantial public attention during the trilogue, operates on a different logic. It is not an amendment to the high-risk classification schedule but a standalone prohibition inserted into the AI Act's Title II, covering prohibited practices. The provision outlaws the placing on the market, putting into service, or use of an AI system designed to generate or manipulate intimate images of identifiable natural persons without their consent. The ban applies regardless of whether the system's provider or deployer claims a lawful purpose; the prohibited-practice designation means no conformity assessment, no CE marking, and no grace period. The ban becomes enforceable on the twentieth day following publication of the Omnibus in the Official Journal of the European Union, making it the fastest-acting provision in the entire AI Act framework.

For enterprises that have been tracking the 2 August 2026 date as the moment Annex III high-risk deployer obligations would crystallise, the Omnibus deal does not provide the clean postponement it appears to provide at first reading. The IAPP's Abhishek Sharma reported on 7 May, the same day the deal was struck, that the current AI Act timetable still points to 2 August 2026 for certain Annex III high-risk deployer obligations that are not affected by the Omnibus amendments. The distinction turns on which provisions of the Act are subject to the delayed-entry provisions of the Omnibus and which are not: the general obligation on deployers of high-risk AI systems to establish and maintain technical documentation, to keep logs, and to conduct human-oversight assessments remains in force on the original schedule unless explicitly deferred by the amending regulation.

This bifurcation creates what one parliamentary advisor described in the IAPP's Brussels correspondent Isabelle Roccia's analysis as a staggered compliance landscape in which different articles of the same regulation activate on different dates, requiring organisations to maintain a running compliance calendar rather than a single go-live milestone. Roccia noted that the Omnibus process raises doubts about whether the AI regime provides certainty and clarity to operators, a concern echoed by multiple MEPs during the March plenary debate. The complexity is compounded by the uneven pace at which the Commission has produced implementing acts and delegated regulations under the AI Act's empowerment provisions.

The implementing-act calendar is the procedural skeleton beneath the political headlines, and it is where the most consequential decisions about enforceability will be made over the next eighteen months. Under the AI Act's empowerment architecture, the European Commission is mandated to adopt implementing acts specifying the technical requirements for high-risk AI system documentation, the format of the EU declaration of conformity, the template for the fundamental-rights impact assessment required of certain deployers, and the operational parameters of the AI regulatory sandboxes that Member States must establish. Each of these implementing acts follows the examination procedure established by the Comitology Regulation (Regulation (EU) No 182/2011), which means they must secure a qualified-majority vote in the relevant comitology committee before adoption.

As of mid-May 2026, the Commission had published final draft versions of exactly two of the required implementing acts: the one governing the technical documentation for high-risk AI systems, and the one specifying the form and content of the EU declaration of conformity. Both remain under comitology review. A third draft, covering the fundamental-rights impact assessment template, circulated in an informal consultation version in February 2026 but had not reached the comitology committee stage when the Omnibus negotiations began. The Commission's Directorate-General for Communications Networks, Content and Technology (DG CNECT), which leads on AI Act implementation, has not published a revised timeline for the remaining implementing acts since the Omnibus deal was reached. A Commission spokesperson declined to provide a delivery schedule to Computerworld when the magazine inquired in March.

The implementing-act delay has practical consequences that extend beyond the Brussels policy circuit. Without the finalised technical-documentation implementing act, providers of high-risk AI systems cannot know with certainty what evidence their technical files must contain when a notified body conducts a conformity assessment; without the declaration-of-conformity template, they cannot prepare the document that must accompany every high-risk system placed on the Union market. National market surveillance authorities, which are responsible for enforcement under the AI Act's Article 63, similarly lack the standardised reporting formats they need to coordinate cross-border investigations. The result is a regulatory regime that is legally in force but operationally incomplete, a condition that frustrates both compliance teams and the enforcement agencies tasked with policing the market.

The Omnibus deal adds a further dimension to the implementing-act backlog: several of the amendments agreed on 7 May require the Commission to draft new or revised implementing measures to give them effect. The streamlined conformity-assessment pathway for AI systems also covered by the Machinery Regulation, for instance, will need a dedicated implementing act specifying how the single-assessment documentation package is to be structured. Similarly, the nudification-ban provision, while directly effective, raises questions about enforcement protocols that the Commission may need to address through guidance or a delegated act defining what constitutes an AI system 'designed to generate' prohibited imagery. Each new empowerment in the Omnibus text extends the queue of secondary legislation that the Commission's services must produce.

Member State preparedness varies considerably, a dynamic that will influence the pace at which the comitology committees can clear the implementing acts. Germany, through its KI-MIG implementing legislation, has designated the Bundesnetzagentur (Federal Network Agency) as the national market surveillance authority for AI and has begun building the internal classification, routing, and vendor-governance frameworks that high-risk AI regulation demands. France has lodged its designation with the Commission. Several other large Member States, including Italy and Spain, had not formally notified their national competent authorities as of early May 2026, though the AI Act's Article 59 requires them to do so before the relevant provisions become applicable. The staggered designation process complicates the practical operation of the European Artificial Intelligence Board, the coordination body established under Article 65, because the Board cannot function with its full membership until all Member States have designated their representatives.

The nexus between the implementing-act calendar and the global policy-export question is increasingly explicit. Jurisdictions that have modelled their AI legislation on the EU framework, including Brazil's PL 2338/2023 and South Korea's Act on Promotion of the AI Industry and Framework for Establishing Trustworthy AI, calibrate their own timelines against Brussels's enforcement schedule. When the EU's high-risk compliance deadline shifts by sixteen months, it sends a signal that the most ambitious regulatory timeline in the democratic world is negotiable under sufficient industry pressure. Orrick, Herrington and Sutcliffe attorneys noted in a JD Supra analysis published on 8 May that the Omnibus introduces seven key changes to the AI Act, including modifications to the conformity-assessment regime, the transparency obligations for general-purpose AI models, and the severity of penalties for certain categories of infringement.

The penalty recalibration is worth isolating: the Omnibus reduces the maximum fine for breaches of certain transparency obligations from the original 15 million euros or 3 percent of global annual turnover, whichever is higher, to a tiered structure that distinguishes between systemic and administrative infractions. This adjustment responds to sustained lobbying from the software industry, which argued that the original penalty framework treated a failure to label AI-generated content with the same severity as deploying a prohibited high-risk system. Member of the European Parliament (MEP) Svenja Hahn, the Renew Europe shadow rapporteur on the file, had pressed for proportionality in sanctions during the committee-stage negotiations; the final Omnibus text partially reflects her group's amendments.

Industry reaction to the Omnibus deal has cleaved along predictable lines. Large technology firms with established Brussels-facing compliance operations welcomed the deadline extension, which gives them time to align their AI governance frameworks with the finalised implementing acts before they must submit to conformity assessments. Small and medium-sized enterprises, which the AI Act's original text purported to shield through a dedicated Article 55 on SME support measures, expressed concern that the staggered compliance calendar increases rather than reduces the compliance burden, since it requires them to track multiple activation dates across different articles of the same regulation. The European DIGITAL SME Alliance issued a statement shortly after the deal was announced, calling the Omnibus text 'an improvement on the original but not the simplification that was promised,' a judgment that captures the tension between deregulation and regulatory coherence.

Where the File Sits and What Comes Next

The 7 May agreement is a provisional political deal, not a final legal text. It must now pass through the formal adoption procedures in both the Parliament and the Council. In the Parliament, the file returns to the Committee on the Internal Market and Consumer Protection (IMCO) and the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which share competence under the rule 58 joint-committee procedure that governed the original AI Act file. The committees are expected to vote on the agreed text before the end of May 2026, with a plenary vote tentatively scheduled for the 2-5 June Strasbourg session. In the Council, the Permanent Representatives Committee (Coreper) must endorse the agreement before it can be placed on the agenda of a forthcoming Competitiveness Council configuration.

Assuming adoption proceeds on the anticipated timetable, the Omnibus amending regulation will be published in the Official Journal of the European Union in late June or early July 2026. The nudification-app ban will become enforceable twenty days after publication. The delayed high-risk compliance deadline will take effect on the date specified in the final text, which the negotiators have agreed to set as 2 December 2027. Between now and that date, the Commission must deliver at least six additional implementing acts; the comitology committees must clear them; the Member States must designate their national competent authorities; and the notified bodies must complete their own accreditation under the AI Act's Article 31, a process that typically takes twelve to eighteen months from the date the relevant standards are harmonised.

For the enterprise compliance teams watching this file, the practical question is whether the December 2027 deadline is genuinely achievable on the supply side of the regulatory infrastructure. The answer depends on variables that the Omnibus deal does not control: the speed at which the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) can produce the harmonised standards that operationalise the Act's essential requirements; the willingness of the Commission to issue standardisation requests that are specific enough to be actionable; and the capacity of the notified bodies to scale their assessment procedures to meet demand from thousands of high-risk AI system providers across the Union. None of these variables is resolved by a legislative deadline extension.

The next checkpoint on the calendar is the IMCO-LIBE joint committee vote, expected before the end of May 2026. The plenary vote follows in the first week of June, and the Coreper endorsement shortly thereafter. The Commission's Artificial Intelligence Board meets on 18 June 2026 and is expected to discuss the implementing-act pipeline in light of the Omnibus amendments. Board agendas are published five working days in advance on the Commission's comitology register; the 18 June agenda will be the first public indication of whether the Commission intends to accelerate its secondary-legislation calendar to match the extended primary-law deadlines, or whether the pattern of missed delivery dates will persist into the new timeline.