On 7 May 2026, the Council of the European Union and the European Parliament reached provisional political agreement on the Digital Omnibus on AI. The deal restructures the application timeline of the AI Act, settles the long-running question of how the Act interacts with existing sectoral product legislation, retains the registration obligation that the Commission had proposed to delete, adds a new prohibited practice for AI-generated non-consensual intimate content, and compresses the grace period for synthetic content marking under Article 50(2).
The provisional agreement still needs formal endorsement by both institutions and publication in the Official Journal. The Council and Parliament have stated the intention to complete adoption before 2 August 2026, the date the original high-risk obligations were due to apply. The political agreement is now the operative planning baseline.
This article walks through what the Omnibus changes, what stays the same, and how AI providers and deployers should respond.
The New Application Dates
The agreement separates the application of high-risk obligations into two distinct dates.
Stand-alone high-risk AI systems under Annex III, covering employment, education, credit, biometrics, critical infrastructure, law enforcement, justice, migration and essential services, will apply from 2 December 2027. This is a sixteen-month postponement from the original 2 August 2026 date.
AI systems embedded as safety components in products covered by Annex I sectoral safety law (machinery, toys, lifts, radio equipment, watercraft, medical devices, in vitro diagnostics, and other regulated product categories) will apply from 2 August 2028. This is a two-year postponement.
The political language around the deal frames it as the first deliverable of the Cypriot Presidency’s “One Europe, One Market” roadmap. The case for a second postponement, should one be sought in future, faces significantly higher political hurdles. The institutions have used the delay argument once. Providers and deployers should plan on the basis that the new dates hold.
The Article 4 AI literacy obligation, the Article 5 prohibitions and the Articles 50 to 55 obligations governing general-purpose AI models continue to apply on their existing schedule. The Omnibus does not reopen those.
The Annex I Compromise
The most contested element of the negotiations was the interaction between the AI Act and existing sectoral product safety law. The outcome is a two-tier compromise that treats different sectors differently.
The Machinery Regulation (Regulation (EU) 2023/1230) is exempted from direct AI Act applicability. Health and safety requirements for high-risk AI systems used in machinery products are added through delegated acts adopted under the Machinery Regulation itself. The Commission is empowered to draft those acts. The practical effect is that machinery manufacturers face one conformity assessment regime under sectoral law, with AI-specific requirements layered into that regime. This is the clean carve-out the machinery industry had pushed for.
For other Annex I sectors, the agreement takes a different approach. Connected vehicles, toys, lifts, radio equipment, watercraft, medical devices, in vitro diagnostics and the remaining Annex I product categories are not directly carved out. Instead, the Commission is given the power to use implementing acts to limit AI Act application in specific cases where sectoral law already covers similar AI-specific requirements. The Commission is also placed under an obligation to publish guidance helping economic operators of high-risk AI systems covered by sectoral harmonisation legislation comply with the AI Act in a way that minimises overlap.
Industry reactions to this asymmetry have been split. DIGITALEUROPE welcomed the machinery carve-out but criticised the deal for leaving other Annex I sectors with a less favourable mechanism. The Computer & Communications Industry Association characterised the broader package as a “missed opportunity” providing only “the bare minimum” in simplification. BEUC, the European Consumer Organisation, took the opposite view, warning that the package “rolls back key consumer protections” through “dangerous loopholes” for delegated and implementing acts.
The architecture of dual sectoral and AI Act compliance has been preserved for most Annex I product categories. The scope of any practical overlap reduction depends on Commission action that has yet to be taken. The implementing acts that will limit AI Act application in specific sectors do not yet exist. Engaging with the relevant Directorate-General early, while the implementing acts are still being drafted, is likely to produce a better outcome than reading them cold in 2027.
Article 50(2): A Tighter Grace Period
For providers of generative AI systems already on the market before 2 August 2026, the Omnibus introduces a transitional period to bring those systems into conformity with the synthetic content marking and detection obligation in Article 50(2). The Commission’s original proposal envisaged a six-month grace period. The Council and Parliament agreed to compress it to three.
The effective compliance date for existing generative AI systems is 2 December 2026. New AI systems placed on the market or put into service from 2 August 2026 onwards must comply from the date of placement on the market.
For providers of generative AI of any kind (image, video, audio or text generation, synthetic media, generative chat, AI-assisted creation tools, agentic AI producing perceptible outputs), the 2 December 2026 date should be read as a hard engineering deadline. The Commission’s draft guidelines on Article 50, published in May 2026, confirm that the marking and detection obligation requires technical solutions that are effective, interoperable, robust and reliable. No single technique (watermarks, metadata, cryptographic provenance, logging, fingerprints) meets all four quality requirements at the current state of the art. Most providers will need a combination of techniques. Seven months is a short window for production deployment.
Article 6(3) Registration Survives
The Commission’s original Omnibus proposal would have deleted the obligation, under Article 6(3) of the AI Act, to register AI systems that providers self-assess as not meeting the Annex III high-risk threshold. Both the Council and the Parliament rejected the deletion. The agreement reinstates the registration obligation with streamlined Annex VIII Section B content.
This is operationally consequential for any provider operating in or adjacent to an Annex III area: employment, education, credit, biometrics, critical infrastructure, law enforcement, justice, migration or essential services. A self-assessment that a system does not meet the high-risk threshold will become a public entry in the EU database. National competent authorities, the AI Office, journalists, customers and litigants will have access to that entry. Self-assessment moves from a private internal memo to a public artefact.
Classification reasoning therefore needs to be documented to enforcement-grade evidentiary standards before the registration database goes live, not after. The “wait, classify out of scope, hope no one notices” posture that some industry advisors quietly recommended is now operationally untenable.
A New Article 5 Prohibition
The agreement adds a new entry to Article 5 prohibiting the use of AI systems that generate non-consensual intimate imagery and child sexual abuse material, including so-called nudifier applications. The prohibition is subject to a safe harbour for systems that implement effective preventive safeguards.
Compliance with the new prohibition starts on 2 December 2026, on the same date as the Article 50(2) grace period ends for existing generative AI systems.
For generative AI providers operating in adjacent territory (image generation, body modification, identity transformation, virtual avatar creation), the design of preventive safeguards is now a regulatory question rather than a content moderation one. The contours of the safe harbour will be sharpened through Commission guidance and enforcement practice in due course.
Bias Correction and Special Category Data
The agreement preserves the higher threshold for processing special categories of personal data for the purpose of bias detection and correction. The standard remains “strictly necessary”, as in the original AI Act text, rather than the looser “necessary” the Commission had proposed.
This applies to both high-risk and non-high-risk systems, with appropriate safeguards. The practical effect is that providers seeking to use sensitive personal data to test and correct algorithmic bias must continue to demonstrate that the processing meets the strictly necessary threshold under the AI Act in addition to any GDPR lawful basis.
Regulatory Sandboxes and SME Extensions
Member States now have until 2 August 2027 to establish national AI regulatory sandboxes, a one-year postponement from the original deadline.
The agreement also extends certain regulatory exemptions originally provided to small and medium-sized enterprises to small mid-cap companies (SMCs). The detail of the exemptions extended will be confirmed in the final legal text, but the direction is towards reducing administrative burden for organisations in the 250 to roughly 500 headcount range that would previously have been treated as fully regulated incumbents.
What Did Not Change
The general-purpose AI rules under Articles 50 to 55 are substantively unchanged. The transparency obligations in Article 50 continue to apply from 2 August 2026 to all in-scope systems other than those benefitting from the new 2 December 2026 grace period under Article 50(2). The draft guidelines on Article 50 published by the Commission in May 2026 remain the operative interpretive document.
The Article 4 AI literacy obligation continues to apply across all providers and deployers.
The penalty framework is unchanged. Non-compliance with the prohibitions in Article 5 attracts fines of up to EUR 35 million or 7 per cent of worldwide annual turnover. Non-compliance with high-risk obligations and with Article 50 attracts fines of up to EUR 15 million or 3 per cent. Supplying incorrect, incomplete or misleading information to authorities attracts fines of up to EUR 7.5 million or 1 per cent.
What Providers and Deployers Should Do Now
The Omnibus changes timelines and clarifies overlap with sectoral law, but the substantive obligations have not been narrowed in any material way. The work that needs to be done is largely the work that was already required, anchored against the new dates.
Re-anchor your readiness programme against the new dates. For Annex III stand-alone high-risk systems, the binding date is 2 December 2027. For AI embedded in Annex I regulated products, the binding date is 2 August 2028. Treat both as hard ceilings. The implementation cycle for enterprise AI governance, including evidence pipelines, technical documentation, conformity assessment and notified body engagement where relevant, runs twelve to eighteen months in practice. Starting an RFP in Q1 2027 for a December 2027 go-live is too late.
Address Article 50(2) as the nearest live obligation. For generative AI systems on the market before 2 August 2026, the synthetic content marking and detection deadline is 2 December 2026. For systems placed on the market from 2 August 2026 onwards, the obligation is immediate. Technical solutions need to be designed, integrated and validated, not bolted on. The four quality requirements (effectiveness, interoperability, robustness, reliability) need to be met through a combination of techniques.
Document Article 6(3) classification reasoning to public-artefact standard. A self-assessment that an Annex III-adjacent system does not meet the high-risk threshold will become a public entry in the EU database. The reasoning needs to be defensible under scrutiny from competent authorities, the AI Office, journalists, customers and litigants.
Engage sectoral implementing-act planning early if you operate in Annex I. Connected vehicle, toy, lift, radio equipment, watercraft, medical device, in vitro diagnostic and other Annex I product manufacturers will be affected by Commission implementing acts that limit AI Act application where sectoral law covers similar ground. The scope of those reductions will only become clear when the acts are drafted. Constructive engagement with the relevant Directorate-General now is more efficient than reading the acts cold in 2027.
Build governance maturity that holds across regimes. ISO/IEC 42001 is becoming a procurement gate for certain enterprise buyers. The AI Act, NIST AI RMF, NIS2 and DORA each have evidence requirements that overlap heavily. Consolidating evidence into a single source of truth materially reduces effort. Disclaimer: 42001 is not going to meet the Act’s QMS requirements, but is a high-level governance standard that can be implemented similarly to your ISO 27001. See our article on this topic.
Track the formal adoption process. The agreement is provisional. Formal endorsement and Official Journal publication are expected before 2 August 2026, but the text is subject to legal and linguistic revision. Final wording on the Annex I implementing-acts mechanism, the new Article 5 prohibition and the SME-to-SMC extension will repay close reading when published.
Where Blue Arrow Can Help
The Omnibus is a recalibration of timing and a clarification of sectoral overlap and certainly not a relaxation of the substance. For most providers and deployers, the question is whether existing readiness work is on the right trajectory against the new timeline and whether classification, registration, transparency and conformity assessment plans take full account of what the Omnibus changes and what it leaves untouched.
If you would like to walk through what the AI Omnibus means specifically for your AI systems, your classification position, your transparency obligations or your sectoral overlap, we can help. Book a call with the team and we will work through it together.
