Monday, 18 May 2026
AI Daily
EU AI · Friday, 08 May 2026 · 4 min read

EU AI Act Omnibus Deal Sealed: High-Risk Deadline Pushed to 2027

After all-night negotiations, EU co-legislators sealed a provisional deal on 7 May 2026 that delays high-risk AI obligations to December 2027 and adds a new ban on AI-generated non-consensual intimate imagery.

Graphic marking the EU AI Act omnibus deal reached by Council and Parliament on 7 May 2026
Source: modulos.ai

At 4:30 in the morning on 7 May 2026, negotiators from the European Parliament and the Council of the EU emerged from trilogue with a provisional political agreement on the Digital Omnibus on AI — a package that reshapes, slims, and in several places delays the enforcement calendar of the EU AI Act, while adding one genuinely new prohibition into the law.

What Was Actually Agreed

The headline change is a substantial delay to the compliance timeline for high-risk AI systems. Under the original AI Act, operators of high-risk systems explicitly listed under Annex III — those deployed in employment, education, credit scoring, law enforcement, and similar sensitive contexts — faced a hard deadline of 2 August 2026. That date is now pushed to 2 December 2027, adding sixteen months of runway. High-risk AI systems embedded in regulated products, such as medical devices, machinery, and connected vehicles, receive an even longer extension: obligations for those systems will not bite until 2 August 2028.

The industry lobbying behind these deferrals was never especially subtle. Mario Draghi's 2025 EU competitiveness report had already warned that only four of the world's fifty largest technology companies are European, and German Chancellor Merz personally engaged with the negotiations seeking industry-friendly outcomes. The result, for large operators, is substantial breathing room.

Yet the deal was not a wholesale capitulation to deregulatory pressure. The Parliament entered negotiations hoping to carve out as many as twelve sectors from the AI Act's framework, arguing that existing sectoral laws should govern AI in those industries. In the end, only one sector — machinery — received a direct exemption from AI Act applicability. All other regulated industries remain inside the Act's scope, though a new mechanism allows the Commission to limit AI Act requirements through implementing acts where sectoral legislation already imposes equivalent AI governance obligations.

The standard for processing special categories of personal data in bias-detection activities was also defended. The Commission had proposed softening the threshold to a general "necessary" test; both the Parliament and Council held firm on retaining the stricter "strictly necessary" standard, a meaningful check on sensitive data flows.

On the registration side, the Commission's original omnibus proposal had sought to delete the Article 6(3) requirement that providers register even self-assessed non-high-risk systems in the EU database. That deletion did not survive the trilogue; mandatory registration endures.

The New Prohibition

One unambiguous addition in the deal is a new prohibited practice targeting AI systems designed or used to generate non-consensual sexual or intimate imagery of identifiable individuals — including applications commonly described as nudification tools — as well as AI-generated child sexual abuse material. The prohibition will take effect on 2 December 2026.

The catalyst was visible. During the winter of 2025–2026, Grok, the AI system built by xAI, generated what negotiators described as millions of non-consensual intimate images. Co-rapporteur Michael McNamara acknowledged the definitional complexity the ban required: "We have drawn up a list of the parts of the body that should be considered intimate, but it is in the preamble." The ban covers images, video, and audio, with liability attaching both where a system is designed for such generation and where a provider fails to implement effective preventive safeguards.

Who Remains Dissatisfied

Neither side of the debate left the table fully satisfied. For civil society and digital rights groups, the sixteen-month delay to high-risk enforcement represents a concrete weakening of citizen protections during a period of rapid AI deployment. The compromise also expanded, slightly, the circumstances under which AI providers and deployers may use sensitive personal data for bias correction — though the "strictly necessary" standard was preserved.

For the technology industry, the deal fell short of the sweeping sectoral carve-outs that groups like DIGITALEUROPE had sought. The machinery exemption is meaningful for that industry, but medtech, automotive, and financial services operators remain subject to the Act's horizontal requirements alongside their existing sectoral rules.

European Commission President Ursula von der Leyen described the outcome as providing "a simple, innovation-friendly environment for our European AI ecosystem to grow" while "strengthening protections for our citizens" — language that accurately captures the deal's attempt to hold two competing objectives simultaneously.

What Comes Next

The provisional agreement is political, not legally binding. Both institutions must formally adopt the text, a process expected to conclude in June 2026, with publication in the Official Journal targeted before the end of July. Once published, the new compliance calendar becomes law.

For compliance teams, the immediate priority shifts to the timeline that was not extended: the AI Act's transparency obligations under Article 50 — watermarking, synthetic content disclosure, and chatbot identification — remain on track for August 2026, and the omnibus deal actually tightened one of those windows. That story runs separately.

The deal also leaves open questions about enforcement architecture. National authorities retain supervisory jurisdiction over AI systems deployed in law enforcement, border management, judicial proceedings, and financial institutions — domains where the EU AI Office's role is explicitly carved out. How that division of competence plays out in practice will be one of the key governance tests of the next two years.
