
EU AI Act simplified? Unpacking the AI Omnibus Agreement of May 2026

Posted on 28 May 2026


In brief

  • On 7 May 2026, the Council of the EU announced that a provisional political agreement had been reached with the European Parliament on the “AI Omnibus” (part of the EU’s Digital Omnibus simplification agenda) to streamline parts of the EU AI Act ahead of key compliance deadlines.
  • The text still requires formal adoption by the Parliament and Council and publication in the Official Journal before it becomes law. This is expected before 2 August 2026.
  • The agreement simplifies parts of the EU AI Act by:
    • extending key compliance deadlines for high-risk AI systems;
    • adding new prohibitions on AI-generated non-consensual intimate imagery and child sexual abuse material;
    • reducing regulatory duplication for AI embedded in industrial products;
    • clarifying the supervisory role of the AI Office; and
    • introducing tailored accommodations for SMEs and small mid-cap enterprises.

Context and changes to the EU AI Act's timeline

The EU AI Act entered into force in August 2024 as the world's most comprehensive cross-sector AI legislation. Two years later, it has become a leading target of the EU's own competitiveness agenda, partly driven by sustained industry pressure. The Omnibus is the result: a targeted recalibration of the EU's regulatory approach to AI rather than a complete change of heart (and UK businesses that offer AI systems for use in the EU will still need to comply with it). The risk-based framework and its core obligations remain intact, but businesses that lobbied hard for simplification now have more time to prepare, and a somewhat narrower compliance perimeter.

The provisional agreement reached between the Council and Parliament revises the key high-risk deadlines as follows:

  • 2 December 2027: implementation of provisions relating to standalone high-risk AI systems listed in Annex III of the Act (for example, those used in employment, education, biometrics, critical infrastructure, and migration and border contexts).
  • 2 August 2028: implementation of provisions relating to high-risk AI systems embedded in products covered by EU product-safety regimes listed in Annex I.

The extended compliance deadlines are significant. Many providers and deployers were not on course to meet the 2 August 2026 deadline, and the harmonised standards needed to support conformity assessments were not yet in place. Regulators are likely to treat the extended deadlines as an opportunity for businesses to build structured compliance programmes, rather than as permission to defer action. Meanwhile, the Commission has only recently published for consultation draft guidelines on the classification of high-risk systems under the Act.

The Act's requirements on synthetic-content marking and labelling (Article 50) have also been extended, but in a limited and targeted way. Providers of generative AI systems who placed their systems on the market before 2 August 2026 have until 2 December 2026 to comply with those watermarking obligations. Systems placed on the market on or after 2 August 2026 must still comply from that date. Other transparency obligations in Article 50 also continue to apply from 2 August 2026. Again, the guidelines relating to transparency and the Code of Practice on marking and labelling remain to be finalised.

“Nudifiers” and AI-assisted child sexual abuse material (CSAM) explicitly prohibited

The co-legislators have added a new prohibition to Article 5 of the Act targeting AI systems used to generate non-consensual sexual or intimate images of real identifiable persons (commonly referred to as "nudification" or "deepfake-nude" tools) and AI systems used to generate child sexual abuse material (CSAM). This prohibition will apply from 2 December 2026.

The prohibition operates in two ways: it applies to systems where generation of such content is the intended purpose, as well as systems where that generation is a reasonably foreseeable and reproducible outcome and the provider has not put in place reasonable and adequate technical safety measures to prevent these outputs. Deployers are prohibited from using any AI system for the purpose of generating or manipulating such material.

This is a clear enforcement signal, particularly for multimodal and image-editing tools. If your products involve image generation or content editing, assess your systems against both limbs of the prohibition and document your controls now rather than waiting for the December deadline. Violations of the Act's prohibited-practice provisions can attract fines of up to €35 million or 7% of total worldwide annual turnover, whichever is higher.

Streamlined regulation for industrial and product AI (especially machinery)

A core political contest – how the AI Act interacts with sectoral product-safety law – has landed on a pragmatic compromise.

First, AI systems in machinery will now primarily be governed by sectoral rules rather than the full AI Act high-risk regime (which will be achieved by moving the Machinery Regulation (EU) 2023/1230 from Section A to Section B of Annex I). To avoid a protection gap, the Commission must adopt delegated acts amending Annex III of the Machinery Regulation to reflect the relevant AI Act requirements, applicable by 2 August 2028. In the interim, manufacturers may rely on harmonised standards or common specifications adopted under the AI Act for a presumption of conformity.

Second, the Commission, via delegated acts (to be adopted by 2 August 2027), will be able to disapply specific AI Act requirements where EU harmonisation legislation listed in Annex I already provides an equivalent or higher level of protection for health, safety or fundamental rights, provided the overall level of protection under the AI Act is not reduced.
 

Key definitional clarifications

AI systems that solely assist users or optimise performance will not automatically trigger high-risk treatment where their failure would not create health or safety risks. If you are in manufacturing or product design, review your existing high-risk classifications against this clarification.

Although the Commission's original proposal to exempt certain lower-risk systems from having to be registered in a publicly accessible EU database under Article 49(2) of the Act was not adopted, the burden of registration information has been reduced, with points 7 and 9 of Section B of Annex VIII having been deleted.

Bias testing: using sensitive data processing

The provisional agreement extends the right to process special-category personal data for bias detection and correction to providers and deployers of all AI systems, not only high-risk ones.

The conditions are strict: processing must be strictly necessary and cannot be achieved by other means including synthetic or anonymised data; the data must not be transmitted, transferred or otherwise accessed by third parties; appropriate technical security and access controls must be in place; and records must document why processing was strictly necessary and why the objective could not be achieved otherwise. Legal, data protection, and technical teams will need to work together to make practical use of this.

Governance and sandboxes

The agreement gives the AI Office a significantly expanded enforcement toolkit. Originally, the AI Office had a general ability to request information, conduct evaluations, and request measures. The new provisions add: on-site and remote inspection powers; the power to launch formal investigations; the ability to accept binding commitments; authority to issue non-compliance decisions; and the power to impose fines and periodic penalties, with standard procedural safeguards for those subject to investigation.

The AI Office will also now have exclusive competence over AI systems where the same provider, or providers forming part of the same undertaking, develops both a general-purpose AI model and a downstream system built on it. The "same undertaking" limb is new and commercially significant: within corporate groups where model development and system deployment sit in different subsidiaries, the AI Office holds exclusive supervisory competence. National competent authorities retain oversight in specific regulated sectors, including law enforcement, financial services, and border management.

The deadline for Member States to establish national AI regulatory sandboxes is pushed back to 2 August 2027. An EU-level sandbox is also being created, with priority access for SMEs (including start-ups) and small mid-cap enterprises (SMCs).

New definitions of SMEs and SMCs

The agreement introduces formal definitions for SMEs and SMCs into the AI Act and extends a range of accommodations to both categories, including simplified technical documentation, proportionate quality-management-system requirements, reduced fine caps, and priority access to AI regulatory sandboxes.

AI literacy obligation softened

The Omnibus text rewrites Article 4, replacing an outcome-based duty to "ensure a sufficient level" of AI literacy with a softer obligation to "take measures to support the development of" literacy, without mandating any specific level of competence. The change reflects sustained pressure from smaller businesses, which argued that a uniform, enforceable literacy standard was disproportionately burdensome given the wide variation in how different organisations use AI. Recital 5 of the agreed text acknowledges that a one-size-fits-all approach was "not suitable for all types of providers and deployers" and that imposing it risked creating compliance costs without meaningfully advancing the underlying goal.

Interestingly, the official press release does not mention this change at all. Yet Recital 5 of the agreed text states that "AI literacy should be a strategic priority, regardless of regulatory obligations and potential sanctions". In other words, while the legal standard may have been lowered, the regulatory expectation has not. Providers and deployers that treat the revised wording as permission to do nothing will be exposed: where an AI system causes harm and an investigation reveals that staff lacked the basic understanding to operate it safely, the absence of any structured literacy programme will be difficult to defend.

Businesses should therefore document the measures they have taken, tie literacy initiatives to the specific AI systems their staff actually use, and ensure that training records are maintained. The Commission and Member States are required to support these efforts, including by publishing practical examples on the AI Act's single information platform.

Key next steps

  • Use the extra time for 'high-risk' compliance wisely. Although the Omnibus delays the high-risk obligations, it does not remove the need to build system inventories, risk-classification logic, supplier due diligence, and evidence packs. The additional time will likely raise the bar for what regulators consider reasonable preparedness.
  • Prioritise transparency now. Many organisations are already in scope for Article 50 because they run chatbots, generate content at scale, or publish AI-assisted materials, well before the high-risk rules apply. Providers of systems on the market before 2 August 2026 have until 2 December 2026 to comply with rules around marking and labelling of artificially generated or manipulated content (but all other transparency rules apply from 2 August).
  • Reassess content-safety controls and map product AI overlaps. The new prohibited-practice provisions on non-consensual intimate imagery and CSAM carry some of the highest penalty exposure in the Act and should prompt an immediate review of safeguards across image-generation and content-editing pipelines. Separately, if you are in product AI, start mapping overlaps with the machinery and sectoral regimes now rather than waiting for delegated acts to materialise.

Note that, until the agreement is formally adopted and published in the Official Journal (intended to happen before 2 August 2026), the original implementation date of 2 August 2026 remains in place, rather than any of the proposed extended deadlines.

For further insights and practical guidance on all things AI (including governance and compliance frameworks), visit our AI resource centre.
