Monday, 18 May 2026
AI Daily
Front Page
EU AIFriday, 15 May 2026 · 4 min read

EU AI Act Omnibus: Nudifier Ban and Grandfathering Provisions

EU AI Act Omnibus bans nudifier apps from December 2026 and grants pre-August AI systems a four-month watermarking and labelling grace period under Article 50.

European Union flag representing EU AI Act regulatory framework
Source: Wikimedia Commons

The political agreement on the EU AI Act Omnibus package, struck on May 7, has drawn most attention for its headline timeline extensions and the political agreement that ended months of uncertainty over the Act's broader reform trajectory. But two specific provisions buried in the legal analysis have significant practical implications: a new prohibition targeting AI "nudifier" applications, and a grandfathering clause that reshapes compliance obligations for generative AI systems already deployed before August 2, 2026.

Legal commentary published this week by CMS Law, Latham & Watkins, and Slaughter and May breaks down how these provisions interact with the existing Article 50 timeline and what they mean for providers planning near-term deployments.

The Nudifier Prohibition

The Omnibus adds "creating non-consensual intimate images" to the list of prohibited AI practices. The prohibition covers AI systems that can generate or manipulate images to depict real, identifiable individuals in a state of nudity or sexual activity without their consent — the class of applications commonly known as nudifiers or deepfake intimate image generators.

The prohibition takes effect on December 2, 2026, giving the Commission six months after the Omnibus political agreement to finalise the delegated acts and guidance needed to implement it. The December date aligns with the watermarking obligations deadline under Article 50, creating a cluster of enforcement moments at year-end 2026.

The framing of the prohibition is notable. Earlier drafts of the AI Act focused on "deepfake pornography" as a category, but the final Omnibus language covers non-consensual intimate images more broadly — capturing not just fully synthetic images but also manipulated or composited content where a real person's likeness is placed into intimate contexts. Legal analysts at JD Supra note this is the first time the AI Act explicitly addresses a category of harmful content generation rather than a deployment context or risk class.

Enforcement will sit primarily with national competent authorities rather than the European AI Office, which retains oversight of general-purpose AI models rather than downstream applications. That means implementation consistency across member states is not guaranteed, and advocacy groups have already indicated they will push for a harmonised enforcement approach.

The Grandfathering Clause: What It Actually Says

The more commercially significant provision for most providers is the grandfathering clause for generative AI systems. Under the Omnibus agreement, AI systems placed on the market or put into service before August 2, 2026 have until December 2, 2026 to comply with the watermarking and AI-generated content labelling obligations under Article 50.

This represents a four-month grace period beyond the primary August 2 deadline — but only for systems already deployed. New deployments after August 2 must comply immediately.

The clause creates a meaningful compliance incentive to deploy before the August deadline. Providers who can reach the market before August 2 effectively gain an additional four months to implement the more technically demanding text and audio watermarking requirements, while still being able to operate and generate revenue. This is not a loophole — the Commission published guidance making clear the intention is to avoid disrupting established deployments rather than to delay compliance for new entrants — but it is a genuine legal distinction that deployment timelines should account for.

Timeline Extensions for High-Risk Systems

The broader Omnibus also includes extended compliance timelines for high-risk AI systems. Public authorities using high-risk AI systems have until August 2030 to comply fully — a four-year extension reflecting the complexity of public procurement and the breadth of government AI use cases affected. High-risk AI systems in standalone products have until December 2027; those embedded in regulated products (medical devices, machinery, toys) have until August 2028.

The Commission also has the authority, under the Omnibus, to issue delegated acts by August 2027 reducing compliance burdens in sectors already governed by sector-specific regulation — financial services, healthcare, transport — where separate rules may already satisfy AI Act objectives. That delegated act power could significantly reduce the compliance surface for AI used within existing MiFID II, MDR, or GDPR frameworks.

Interaction With Article 50 Guidelines

The Omnibus grandfathering clause creates a complication for the Article 50 transparency guidelines published on May 8 — one day before the Omnibus political agreement. The guidelines as drafted do not account for the four-month extension, meaning the final version will need to be revised to reflect the two-track compliance timeline.

Latham & Watkins has flagged that providers should not assume the grandfathering clause automatically extends all Article 50 obligations. The clause is specifically written to apply to watermarking and labelling requirements under Article 50(2) and 50(3) — the provisions governing AI-generated content marking. The chatbot disclosure obligation under Article 50(1) and the emotion recognition disclosure under Article 50(4) are not covered by the extension and remain subject to the August 2 deadline regardless of when the system was deployed.

That distinction matters for any provider operating a chatbot service. Deploying before August 2 does not buy additional time for chatbot disclosure compliance — only for the more complex content marking requirements.

#eu-ai-act#omnibus#nudifier#generative-ai#watermarking#compliance

Sources

More from EU AI

See all