On May 7, 2026, the European Council and the European Parliament reached provisional political agreement on what is formally known as the Digital Omnibus on AI โ a package of amendments to the EU Artificial Intelligence Act that adjusts compliance timelines, modifies scope thresholds, and adds a new category of prohibited AI applications. Formal adoption is expected by July 2026, ahead of the August 2, 2026 date on which original high-risk AI requirements would otherwise have taken effect.
The omnibus has been covered primarily through the lens of its deadline extensions โ the news that high-risk AI systems now have until December 2027 rather than August 2026 to comply. That is important, but it is not the full picture, and in some respects it is not even the most compliance-critical part of the agreement for many enterprises.
This article focuses on what the omnibus actually changed, what it left intact, and what actions enterprises need to complete before the new December 2026 deadlines arrive.
What the May 7 Agreement Changed
1. High-Risk AI Deadline Extensions
The most widely reported change is the extension of compliance deadlines for high-risk AI systems. Under the original AI Act timeline, organizations deploying high-risk AI systems listed in Annex III โ which covers sensitive applications including biometric identification, critical infrastructure management, educational and vocational training tools, employment and worker management systems, essential private and public services, law enforcement, border management, and administration of justice โ were required to meet full AI Act obligations by August 2, 2026.
The omnibus extends those deadlines as follows:
Annex III high-risk AI systems (stand-alone): Compliance deadline extended to December 2, 2027 โ an additional 16 months.
Annex I high-risk AI systems (embedded in regulated products): Systems that qualify as high-risk because they are safety components of products covered by EU product safety legislation (medical devices, machinery, toys, etc.) have their deadline extended further, to August 2, 2028.
The rationale for the extension was practical rather than political: the technical standards and harmonized guidelines that organizations need to actually implement the AI Actโs requirements are not fully developed. Penalizing organizations for failing to comply with standards that do not yet exist is counterproductive, and the Council and Parliament acknowledged this directly in their negotiating positions.
What this means for enterprise compliance programs: The extended deadlines provide additional time, but they do not eliminate the need to begin implementation now. Organizations that wait until mid-2027 to start will not have enough runway to complete conformity assessments, establish risk management systems, and build required documentation for complex AI deployments. The practical timeline for meaningful compliance work on high-risk AI systems is measured in years, not months.
2. SME Threshold Expansion
The AI Actโs original SME relief provisions provided simplified compliance pathways, reduced fines, regulatory sandbox access, and standardized documentation templates for small and medium-sized enterprises. The original SME definition tracked the EUโs standard definition: companies with fewer than 250 employees and either โฌ50 million in annual turnover or โฌ43 million in annual balance sheet total.
The omnibus raises the threshold for AI Act SME relief to companies with fewer than 750 employees and annual revenue below โฌ150 million. This is a significant expansion that extends simplified compliance frameworks to what the EU typically classifies as mid-cap companies โ a size category that includes a substantial number of European technology firms and AI developers.
Key SME relief provisions that now apply to this expanded category:
- Reduced administrative burden for conformity assessments
- Access to regulatory sandboxes for testing AI systems in supervised environments
- Standardized documentation templates rather than bespoke compliance documentation
- Proportionally reduced fines for violations
Companies operating near the new threshold should analyze their position carefully. The employee count and revenue figures are measured at the enterprise level, not the subsidiary level โ a 700-person subsidiary of a large conglomerate does not qualify for SME relief.
3. Watermarking Deadline Extension
The AI Actโs requirements for watermarking AI-generated content โ requiring that AI-generated audio, video, text, and image content be technically marked in a way that allows detection โ had a compliance deadline of August 2, 2026. The omnibus extends this deadline to December 2, 2026.
The four-month extension is modest and should not prompt organizations to deprioritize watermarking implementation. The technical infrastructure required for reliable AI content labeling requires significant development lead time, and December 2026 is approximately six months away as of publication.
4. AI Office Powers Reinforced
The agreement strengthens the powers of the EU AI Office, the centralized body responsible for oversight of general-purpose AI models and coordination across member states. This includes expanded enforcement authority and clearer mechanisms for the AI Office to investigate and act on violations of the GPAI model rules, which became applicable on August 2, 2025.
Organizations deploying general-purpose AI models in the EU should note that GPAI obligations are not affected by the omnibusโs deadline extensions โ those rules are already in force.
The New Prohibition: Non-Consensual Intimate Imagery AI Systems
The omnibus agreementโs most immediately enforceable new provision is a prohibition on AI systems designed to generate or manipulate non-consensual intimate imagery (NCII). This prohibition is effective December 2, 2026, making it one of the earliest hard deadlines in the revised AI Act timeline.
The prohibition covers:
- AI systems that generate sexually explicit or intimate images, video, or audio of real individuals without their explicit consent (so-called โnudifierโ applications)
- AI systems that create child sexual abuse material (CSAM)
- AI systems that lack reasonable safeguards against being used for either of the above purposes
Providers and deployers of AI systems falling within this prohibition may not place such systems on the EU market or use them in the EU as of December 2, 2026. Fines for violations reach โฌ35 million or 7% of worldwide annual turnover, whichever is higher โ among the highest penalty levels in the AI Act framework.
Why This Matters Beyond the Obvious
The initial reaction to this provision is that it obviously applies to applications explicitly designed to create NCII โ โnudifierโ tools that are built specifically to generate intimate imagery without consent. That class of application is clearly prohibited, and most enterprise compliance programs are not deploying anything of that nature.
The harder compliance question is the middle category: AI systems that lack reasonable safeguards against being used for NCII generation. This language captures general-purpose image and video generation models that have not implemented adequate content safeguards, as well as multimodal AI systems deployed in ways that could be repurposed for NCII generation.
For enterprise AI governance programs, this creates several practical obligations:
Foundation model providers offering image or video generation: Must evaluate whether their safeguard implementations meet the โreasonable safeguardsโ standard. This is not a bright-line test; it will require documented assessment of the technical measures in place and their effectiveness against known misuse vectors.
Enterprises deploying image/video generation in products: Must assess whether the AI systems they are integrating have adequate safeguards and whether their own deployment context introduces additional NCII risk. A general-purpose image generation API integrated into a product without content filtering may create exposure.
B2B platform providers: Organizations that provide platforms on which third parties build AI-powered applications must consider whether their acceptable use policies and technical controls are sufficient to prevent NCII-generating applications from being built on their infrastructure.
The enforcement posture of the EU AI Office and member state authorities on NCII prohibition violations is likely to be aggressive. This is not an area where regulatory discretion and extended transition periods are expected.
What the Omnibus Did Not Change
GPAI Obligations Remain In Force
General-purpose AI model obligations under Chapter V of the AI Act became applicable on August 2, 2025. The omnibus did not modify these provisions or extend their deadlines. Organizations that train or deploy GPAI models โ including large language models, foundation models, and multimodal models โ with more than 10^25 floating point operations (FLOPs) of training compute face the full set of GPAI obligations, including:
- Technical documentation requirements
- Transparency and copyright compliance measures
- Adversarial testing (red-teaming)
- Incident reporting to the AI Office
- Additional systemic risk obligations for models at the frontier
If your organization is subject to GPAI obligations, those compliance requirements are not deferred by the omnibus.
Prohibited Applications List
The list of AI applications that are prohibited outright under Article 5 of the AI Act โ cognitive behavioral manipulation, social scoring, real-time remote biometric identification in public spaces, and others โ was not substantively modified by the omnibus (the NCII addition being the notable exception). These prohibitions have been in force since February 2, 2026. Organizations that have not completed their internal assessments to confirm they are not deploying prohibited applications are already overdue.
Transparency Obligations for Certain AI Interactions
AI systems designed to interact with humans must disclose their AI nature, with exceptions for obvious artistic or creative contexts. These transparency obligations have been in force since August 2, 2025. The omnibus did not extend these deadlines.
The Sequencing Problem
The omnibus agreementโs deadline extensions were partly justified by a genuine sequencing problem: the technical harmonized standards that organizations need to demonstrate compliance with the AI Actโs high-risk provisions are still being developed by the European standards organizations CEN and CENELEC. The EU Commission has been publishing guidelines, but guidelines are not harmonized standards, and conformity assessments conducted in the absence of approved standards create uncertainty about whether compliance has actually been demonstrated.
This sequencing problem is real, and the extended deadlines provide some relief. But it also means that when December 2027 arrives for Annex III high-risk AI systems, organizations will be expected to have completed conformity assessments, built risk management systems, established quality management frameworks, implemented post-market monitoring, and registered in the EU AI Act database โ and the standards against which those assessments are conducted will be finalized and published by then.
The practical implication: enterprise compliance programs cannot simply pause until standards are finalized. The work required to prepare for conformity assessment โ mapping AI systems to Annex III categories, building risk management documentation, establishing data governance for training data, implementing technical robustness measures โ does not depend on the final version of harmonized standards. That work should be underway now.
What Compliance Programs Must Do Before December 2026
The December 2, 2026 deadline for the NCII prohibition, watermarking obligations, and the nudifier ban creates a concrete near-term compliance milestone regardless of the extended timelines for high-risk AI. Organizations should complete the following before the end of the year:
Audit Deployed AI Systems for NCII Risk
Any AI system in your product portfolio that involves image generation, video generation, voice synthesis, or multimodal content creation should be assessed for NCII risk. This assessment should document:
- Whether the system could be used to generate intimate imagery of real individuals
- What technical safeguards are in place to prevent this use
- Whether the safeguards are adequate to meet the โreasonable safeguardsโ standard
- Whether the assessment has been reviewed by legal and engineering leadership
Systems that present NCII risk without adequate safeguards must either be retrofitted with appropriate controls or withdrawn from the EU market before December 2, 2026.
Complete AI Watermarking Implementation
If your organization generates or provides AI-generated content โ images, video, audio, synthetic text โ the technical infrastructure for watermarking must be operational by December 2, 2026. This requires coordination between engineering (implementing watermarking at the generation layer), legal (understanding what the technical standard requires), and product (managing any user-facing disclosures).
Update AI Governance Inventories
The omnibusโs SME threshold changes may affect your organizationโs compliance tier. Companies that were previously above the SME threshold may now qualify for simplified compliance pathways. Conversely, companies that assumed SME status under the original definition should verify they still qualify under the revised threshold.
AI system inventories should be updated to reflect the revised timelines, current applicability determinations (prohibited, GPAI, high-risk, limited risk, or minimal risk), and assigned compliance owners.
Prepare Contracts and Procurement Processes
High-risk AI systems deployed by enterprises are often built on third-party foundation models or integrated with third-party AI services. The AI Act imposes obligations that run through the supply chain โ deployers of high-risk systems have obligations that depend, in part, on providers having met their own obligations. Enterprise procurement processes should incorporate AI Act compliance requirements into vendor due diligence and contractual representations.
Timeline Reference
| Provision | Deadline |
|---|---|
| GPAI model obligations | In force since August 2, 2025 |
| Prohibited AI applications (Article 5 original) | In force since February 2, 2026 |
| NCII/nudifier prohibition | December 2, 2026 |
| AI content watermarking | December 2, 2026 |
| High-risk AI (Annex III, stand-alone) | December 2, 2027 |
| High-risk AI (Annex I, regulated products) | August 2, 2028 |
Conclusion
The EU AI Act omnibus agreement reduced short-term pressure on organizations developing and deploying high-risk AI by extending key deadlines. But it also added a new prohibited applications category โ the NCII prohibition โ with an end-of-year deadline that applies to a broader category of AI systems than its colloquial โnudifier banโ label suggests.
Enterprise AI governance programs should resist interpreting the extended timelines as permission to slow down. The December 2026 NCII and watermarking deadlines are immediate. The high-risk AI framework, while delayed, requires compliance work that cannot be compressed into the final months before the deadline. And GPAI obligations are already in force and being actively monitored by the EU AI Office.
The omnibus is a recalibration of sequencing, not a reduction in scope. The EU AI Act framework remains comprehensive and enforceable. Organizations that treat the extensions as a reprieve rather than a planning buffer will face the same compliance gaps in late 2027 that they face today โ with less time and less regulatory goodwill.
This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel for guidance on their specific compliance obligations under the EU AI Act.
