EU AI Act Omnibus deal explained: new high-risk deadlines for 2027 and 2028

On 7 May 2026 the EU Council and the European Parliament reached a provisional agreement to delay the high-risk AI deadlines. Annex III standalone systems now apply from 2 December 2027 (originally 2 August 2026). Annex I embedded high-risk AI applies from 2 August 2028. Article 4 AI literacy and Article 5 prohibited practices, both live since 2 February 2025, were not changed and remain enforceable today.

What just happened

On 7 May 2026 the Council presidency and the European Parliament negotiators announced a provisional political agreement on the Digital Omnibus on AI, a targeted amendment to Regulation (EU) 2024/1689. The agreement is the headline output of the Commission's late-2025 Digital Omnibus initiative, which proposed simplifying and streamlining EU digital regulation across several files. For the AI Act specifically, the political deal does two big things and a number of smaller ones.

First, the headline change: the high-risk AI deadlines move. Article 6 + Annex III standalone high-risk systems used to apply from 2 August 2026. Under the Omnibus deal, they now apply from 2 December 2027, a 16-month shift. High-risk AI embedded in regulated products under Article 6 + Annex I (lifts, toys, medical devices, machinery, vehicles) applies from 2 August 2028 instead of 2 August 2026.

Second, the architectural change: the previous trigger-based mechanism, which would have flexed the dates based on when the Commission approved harmonised technical standards, is replaced with fixed dates that give industry certainty. This was explicitly requested by industry groups during the consultation phase.

What did not change

The Omnibus deal is narrow. Several core obligations are untouched and continue on the original timeline.

Article 4 AI literacy obligations

Article 4 requires every organisation deploying AI in the EU to ensure their staff has a level of AI literacy proportionate to role and risk. The obligation became enforceable on 2 February 2025. It remains live, fully enforceable, and binds every organisation regardless of which Annex III or Annex I category their AI systems fall into. Article 4 has no carve-out for low-volume or experimental AI use.

Article 5 prohibited practices

Article 5 bans social scoring by public authorities, manipulative AI, untargeted facial-image scraping, emotion recognition in workplaces and schools, real-time biometric mass surveillance in public spaces (with narrow law-enforcement exceptions), predictive policing based solely on profiling, and biometric categorisation for sensitive characteristics. These bans entered into force on 2 February 2025 and are unaffected by the Omnibus deal. Violations carry the Tier 1 ceiling of Article 99: up to EUR 35 million or 7% of global annual turnover.

GPAI provider obligations

The general-purpose AI provider regime under Articles 50 to 55 became enforceable on 2 August 2025 and continues on that schedule. GPAI providers remain subject to documentation, copyright disclosure, and transparency obligations; systemic-risk GPAI under Article 55 has additional safety and incident reporting via Article 55(1)(c).

Article 99 penalty regime

The full Article 99 fine structure is enforceable today for any violation that falls within the in-force obligations. Tier 1 (Article 5 prohibited): EUR 35 million or 7%. Tier 2 (high-risk obligations, when in force): EUR 15 million or 3%. Tier 3 (incorrect information): EUR 7.5 million or 1%. Article 101 GPAI providers: EUR 15 million or 3%. SME relief under Article 99(6) applies; the Omnibus extends that relief to small mid-caps.

What else the Omnibus changed

Beyond the deadline shift, the deal introduced several substantive amendments that matter operationally.

SME relaxations extended to small mid-caps (SMCs)

Most of the simplifications previously available only to SMEs, such as simplified technical documentation under Article 11, proportionate penalty caps under Article 99(6), less prescriptive quality management under Article 17, are now extended to small mid-cap enterprises (SMCs). The exact SMC definition will be confirmed in the final text but the Commission proposal uses the standard EU SMC threshold: 250 to 750 employees, turnover up to EUR 100M.

Article 10 data governance amended

Article 10 data governance is amended to explicitly allow processing of special-category personal data (race, ethnicity, health, biometrics) for the purpose of bias detection and mitigation in high-risk AI training datasets. This closes a long-running tension between Article 10 + GDPR Article 9, where fairness testing was technically blocked by data protection rules.

AI Office powers reinforced

The AI Office's enforcement and oversight powers are reinforced, particularly around GPAI provider monitoring and cross-border high-risk system supervision. The aim is to reduce governance fragmentation across the 27 Member State market surveillance authorities.

Nudification ban added

A new prohibition on “nudification” apps, AI tools that generate sexualised images of identifiable people without consent, is being added to the Article 5 prohibited practices list. This responds to widespread concern about AI-driven non-consensual intimate imagery.

Conformity assessment fee reductions

Conformity assessment fees under Article 63 are reduced for SMEs and SMCs, with regular Commission review to ensure compliance costs do not become a barrier to market entry.

Why the delay happened

Two reasons sit behind the deferral.

First, the technical standards. The CEN/CENELEC harmonised standards that providers and deployers need to demonstrate conformity with Articles 8 to 15 were not ready in time. Without harmonised standards, every operator would have had to make individual conformity assessment judgments, which is what conformity standards exist to avoid. The Commission's standards request to CEN/CENELEC was issued in 2023; the timeline for stable, citable harmonised standards extended into 2026 and beyond. The original August 2026 deadline assumed faster standardisation than turned out to be possible.

Second, industry pressure. SME associations, large enterprises, and several Member State governments argued they needed more preparation time to implement Article 8-49 controls, particularly the Article 27 fundamental rights impact assessment and the Article 9 risk management system. The compressed timeline (the AI Act was published in July 2024, with Annex III obligations applying from August 2026, leaving roughly 25 months) was viewed as insufficient for organisations that had not started preparation in 2024.

The Commission's response was to propose fixed, longer dates rather than a flexible trigger-based mechanism. This gives industry certainty about the schedule and gives standards bodies clear time to deliver.

What to do now

The temptation after a deadline delay is to relax. That would be a mistake for three reasons.

Article 4 and Article 5 are still live

The most-frequently violated obligations are not the high-risk ones that just got delayed. They are Article 4 AI literacy and Article 5 prohibited practices, both live since 2 February 2025. A company using ChatGPT for customer service without staff training is in violation of Article 4 today. A company using emotion recognition in workplace performance reviews is in violation of Article 5 today. The fines are real, the enforcement is ramping up, and neither was touched by the Omnibus.

Compliance ramps are slow

Inventorying every AI system, classifying each one, designating governance, conducting FRIAs for high-risk systems, updating vendor contracts, delivering role-based training, building documentation and monitoring loops: this is a 6 to 12 month programme for a typical SME and longer for enterprises. The Omnibus moved the high-risk deadline from August 2026 to December 2027, but the operational reality is that organisations starting now will finish comfortably. Organisations starting in 2027 will be flat-footed.

The deal is still provisional

The 7 May 2026 agreement is a provisional political deal. Formal adoption requires a Parliament plenary vote and Council adoption, both expected in the second half of 2026 but neither guaranteed. Any procedural disruption (a Parliament committee referral back to negotiation, a Council blocking minority, an Court of Justice referral on the SMC scope) could re-tighten the schedule. Treating the new dates as banked time rather than risk margin is poor planning.

Updated EU AI Act timeline

Tools that reflect the new timeline

Six free tools on this site are kept up to date with the post-Omnibus timeline. Use them to translate the dates into a working compliance programme.

Sources

• Council of the EU press release, 7 May 2026: AI: Council and Parliament agree to simplify and streamline rules
• European Commission press release: EU agrees to simplify AI rules
• Digital Omnibus on AI Regulation Proposal (Commission text)
• Regulation (EU) 2024/1689 (consolidated) on EUR-Lex
• Article 4, Article 5, Article 6, Article 10, Article 99

Frequently asked questions