Digital Omnibus: What the May 2026 Agreement Changes for the EU AI Act
On 7 May 2026, the European Parliament and Council reached a provisional agreement on the Digital Omnibus package. The AI Act is directly amended: high-risk deadlines postponed, a new Article 5 prohibition added, SME rules eased. Here's what changes in practice.
Last updated: July 2026 · Reading time: 7 minutes
On 7 May 2026, the European Parliament and the Council presidency reached a provisional agreement on the AI component of the Digital Omnibus package (Omnibus VII). The Parliament formally endorsed the agreement on 16 June 2026. Official adoption and publication in the EU Official Journal are expected in July 2026, ahead of the 2 August deadline.
This is not merely a political signal: the agreement directly amends the text of the AI Act. Here is what changes.
1. High-risk deadlines postponed: the most structural change
This is the most anticipated change for businesses. Obligations applicable to high-risk AI systems are deferred depending on the type of system:
| Category | Original deadline | New deadline | Extension |
|---|---|---|---|
| Standalone high-risk AI systems (Annex III) | 2 August 2026 | 2 December 2027 | +16 months |
| High-risk AI systems embedded in regulated products (Annex I) | 2 August 2027 | 2 August 2028 | +12 months |
Annex III systems include AI used in education, recruitment, credit scoring, access to essential services, biometrics, critical infrastructure, and law enforcement.
Annex I systems are those integrated into products already subject to sector-specific regulation (medical devices, radio equipment, lifts, etc.).
What this changes in practice: organisations that had not yet finalised their high-risk compliance file (Annex IV documentation, FRIA, EU Declaration of Conformity) have 16 additional months for standalone systems. This is not an invitation to stop work — it is a window to build solid compliance rather than a rushed one.
2. Article 5: a new prohibition added
The agreement introduces a ninth prohibition into Article 5 of the AI Act, which previously contained eight. Now also banned:
- "Nudifier" AI systems — which generate or manipulate sexually explicit or intimate images, video, or audio without the explicit consent of the person depicted
- Systems generating AI-produced child sexual abuse material (CSAM)
This new prohibition is subject to a transitional period until 2 December 2026, giving market actors time to come into compliance.
The prohibition operates at two levels:
- Provider level: placing on the market or putting into service a system is prohibited where this is its intended purpose, or where it is a reasonably foreseeable and reproducible outcome without significant technical modification and the system lacks adequate technical safeguards to reliably prevent it. This directly affects providers of general-purpose image or video generation tools.
- Deployer level: using such a system to generate the prohibited content is prohibited, regardless of the system's original design.
Note: the existing Article 5 prohibitions (subliminal manipulation, social scoring, real-time RBI in public spaces, etc.) are not modified and have been in force since 2 February 2025.
3. Synthetic content transparency: a targeted delay
For AI systems that generate or manipulate synthetic content (covered by Article 50 on machine-readable marking and watermarking), systems already on the market before 2 August 2026 receive a short extension: the machine-readable marking obligation is deferred from 2 August 2026 to 2 December 2026.
New systems placed on the market after 2 August 2026 remain subject to the original date.
4. SME simplification and new lightened categories
The agreement extends the existing exemptions granted to SMEs to small mid-caps (SMCs), defined as companies with between 250 and 750 employees. Concretely:
- Facilitated access to regulatory sandboxes
- Reduced documentation obligations in specific areas
- Expanded access to support from national authorities
5. Sensitive data for bias detection: expanded legal basis
The agreement extends the legal basis for processing special-category personal data (sensitive data under GDPR) for bias detection and correction purposes.
Previously, this was limited to providers of high-risk systems. It is now open to all AI systems and GPAI models, subject to a strict necessity standard.
What the Omnibus does not change
Existing Article 5 prohibitions: in force since 2 February 2025, they are not modified. Subliminal manipulation, social scoring, real-time RBI in public spaces — these remain fully in force.
GPAI obligations (Articles 51–55): which entered into force on 2 August 2025, are not deferred by the agreement. Model providers not yet compliant are already behind.
The regulation's architecture: the Omnibus does not rewrite the AI Act. It adjusts deadlines and adds one prohibition. The risk-based tiering, documentation obligations, and AI Office powers all remain unchanged.
Legislative status as of 28 June 2026
| Step | Date |
|---|---|
| Provisional Council–Parliament agreement | 7 May 2026 |
| Formal vote of the European Parliament | 16 June 2026 |
| Formal Council adoption | Expected late June 2026 |
| Publication in Official Journal | Expected July 2026 |
| Entry into force | Immediate upon publication (for deferrals) |
What you should do now
If you work on high-risk systems (Annex III): the deferral to December 2027 gives you room, but don't use it to stop all work. Organisations that use this window to build structured compliance will be in a much stronger position than those that wait until the last quarter of 2027.
If you develop a GPAI model: no deferral. Article 53 obligations (technical documentation, downstream documentation, copyright policy, public summary) have been in force since August 2025.
If you use or develop potential "nudifier" systems: the new Article 5 prohibition applies no later than 2 December 2026. Review of your systems must start now.
FAQ
Does the high-risk deferral apply to systems already on the market or only to new ones? It applies to all high-risk systems covered by Annex III, whether already on the market or under development.
Are GPAI obligations deferred by the Omnibus? No. The May 2026 agreement does not modify Articles 51–55 deadlines. GPAI obligations have been in force since August 2025.
Does the new nudifier prohibition apply to existing systems too? Yes, but with a transitional period until 2 December 2026 to come into compliance.
Is the Omnibus text definitively adopted? The Parliament voted on 16 June 2026. Formal Council adoption and publication in the Official Journal are expected in July 2026. The text has legal force from the date of publication.
Start your AI Act compliance
DILAIG automates audit, classification, and documentation generation — with updated deadlines.
→ Start the free audit — 20 minutes, no credit card required.
See all features → · Pricing →
Further reading
- EU AI Act Timeline: Key Dates
- Prohibited AI Practices Under Article 5: The Complete List
- What Is a GPAI Model? Articles 51–55 Explained
- High-Risk Deployer Checklist
Not sure if this applies to you? Check in 2 minutes, no account needed.
Am I a GPAI provider? → · Is my AI prohibited under Article 5? →
Take action
Is your AI system compliant?
Free audit in 20 minutes. Detailed report, no commitment.
Start the audit →Keep reading
Practical guides, regulatory analysis, DILAIG news.