EU AI Act Delayed: The Digital Omnibus Deal of 7 May 2026

After the collapse of the 28 April trilogue and weeks of legal uncertainty, EU co-legislators closed a deal in the small hours of Thursday, 7 May 2026. The Cypriot Presidency of the Council and the European Parliament agreed on a revised package amending Regulation (EU) 2024/1689 — the EU AI Act — as part of the seventh omnibus package on simplification (the “Digital Omnibus on AI”). The deal still requires formal adoption by both institutions and publication in the Official Journal. Until then, the original timeline of the AI Act remains the law on the books. But for compliance planning, the new dates are now the operative baseline.

What Was Agreed: The New Application Dates

The headline change is the postponement of the EU AI Act’s most demanding obligations. The provisional agreement sets two fixed application dates that replace the original 2 August 2026 deadline for high-risk systems:

2 December 2027 — for stand-alone high-risk AI systems listed in Annex III. This includes biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential services (credit scoring, insurance, social benefits), law enforcement, migration and border control, and administration of justice.

2 August 2028 — for high-risk AI systems embedded as safety components in products covered by EU sectoral safety legislation listed in Annex I, such as medical devices, machinery, toys, lifts, and watercraft.

Two further timing changes deserve attention. The deadline for Member States to establish national AI regulatory sandboxes under Article 57 has been postponed to 2 August 2027. And the grace period for providers to implement transparency measures for AI-generated content under Article 50 has been shortened from six months to three months, with a new deadline of 2 December 2026. This is the only requirement in the package that became more restrictive, not less.

The New Article 5 Prohibition: Nudifiers and AI-Generated CSAM

The co-legislators added a new prohibited AI practice that was not in the original 2024 text. The Digital Omnibus inserts into Article 5 a ban on AI systems that generate, manipulate, or reproduce non-consensual sexually explicit content of identifiable persons (commonly known as “nudifier” applications) and AI systems that generate child sexual abuse material. The prohibition applies from 2 December 2026.

The ban does not apply to AI systems that have effective safety measures preventing users from creating such content. For US companies, this means any provider or deployer of generative AI tools whose outputs reach EU individuals must verify whether their models can produce such content and, if so, implement and document robust safety measures before December 2026. Article 5 violations carry the highest tier of fines under Article 99: up to €35 million or 7% of total worldwide annual turnover.

What Did Not Change: The Obligations Already in Force

The Omnibus does not pause the obligations that are already enforceable. US companies operating in scope of Article 2(1)(c) must continue to comply with:

The original Article 5 prohibitions — in force since 2 February 2025. Social scoring, untargeted biometric scraping, real-time remote biometric identification in public spaces (with limited law enforcement exceptions), emotion recognition in workplaces and educational institutions, and predictive policing based solely on profiling all remain prohibited. Violations of these practices already trigger Tier 1 fines today.

Article 4 AI literacy obligations — in force since 2 February 2025. Providers and deployers of any AI system, regardless of risk level, must take measures to ensure their staff and other persons dealing with the operation and use of AI systems have a sufficient level of AI literacy. This applies to every US company with EU-facing AI deployments, not just those handling high-risk systems.

GPAI obligations under Chapter V — in force since 2 August 2025. Providers of general-purpose AI models, including those established in third countries, must comply with transparency, documentation, and copyright-related obligations. The Omnibus clarifies the supervisory architecture by listing exceptions where national authorities (rather than the AI Office) remain competent for downstream systems based on a provider’s own GPAI models, including law enforcement, border management, judicial authorities, and financial institutions.

Other Substantive Changes for US Companies

Narrower safety component concept. The agreement introduces a causal test for what qualifies as a “safety component” under Annex I. Products with AI functions that only assist users or optimise performance will not automatically face high-risk obligations if their failure or malfunction does not create health or safety risks. This narrows the high-risk scope for some industrial and consumer products.

Equivalence clause for machinery and similar regulated products. Where sectoral EU product safety law (Annex I Section A) already imposes AI-specific requirements equivalent to the AI Act, the AI Act’s application is limited through implementing acts. The objective is to remove double regulation. Machinery products, in particular, are now largely outside the AI Act’s direct scope where sectoral rules apply.

Bias detection legal basis. The agreement creates a new legal basis under EU data protection law allowing providers and deployers to process special categories of personal data (Article 9 GDPR data) where strictly necessary to detect and correct biases in high-risk and non-high-risk AI systems, subject to safeguards. This addresses a long-standing tension between the AI Act’s bias-mitigation obligations and the GDPR.

SME exemptions extended to small mid-caps. Certain regulatory privileges previously available only to small and medium-sized enterprises are extended to a new category, “small mid-cap enterprises” (SMCs), as defined by Commission Recommendation (EU) 2025/1099. SMCs benefit from modulated penalties and lighter procedural burdens. Most US companies in scope are well above this threshold and will not benefit from the SMC carve-out, but US subsidiaries of larger groups should map their EU entities carefully.

Reinforced AI Office powers. The agreement centralises supervision of certain GPAI-based downstream systems within the AI Office, while preserving national competence for the sectoral exceptions noted above. This affects the enforcement entry point for US providers of GPAI models whose outputs feed downstream EU deployers.

The Legal Status of the Deal: Provisional, Not Final

The 7 May agreement is a provisional political agreement reached in trilogue. It is not yet positive law. To become binding, the text must be formally adopted by the European Parliament in plenary and by the Council, and then published in the Official Journal of the European Union. Until that publication, the AI Act remains in force in its original 2024 wording, and 2 August 2026 remains the legally binding date for Annex III high-risk obligations.

This creates a two-track planning situation that compliance professionals should keep distinct. The first track is lex lata — the law as it currently stands. Under that law, Annex III high-risk obligations apply from 2 August 2026. The second track is lex ferenda — the law as it is being made. Under the political agreement, those obligations will apply from 2 December 2027, but only once the amending regulation is formally adopted and published.

Organisations that decide to plan against the new 2027 date are accepting the residual risk that formal adoption may not be completed in time, or that the final text may contain modifications relative to the political deal of 7 May. That risk is now low but not zero. Both the Council and Parliament have indicated that adoption is expected before the end of June 2026, with publication in the Official Journal before the end of July 2026, that is, before the original August 2026 deadline.

What This Means for US Companies

The delay is real, but it is breathing space, not a reset. Three practical implications follow.

This is almost certainly the only delay you will get. The Digital Omnibus took eight months of negotiation, two failed trilogues, heavy lobbying from industry and Member State capitals, and a marathon final session to close. The political appetite for further postponement is exhausted. US companies that had paused AI Act preparation on the assumption that Brussels would keep moving the goalposts should treat the new dates as firm.

The compliance work itself does not change. The substantive obligations for high-risk AI systems — risk management system (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), accuracy and robustness (Article 15), conformity assessment (Article 43), EU database registration (Article 71), and post-market monitoring (Article 72) — remain unchanged. The only thing that changed is when these obligations bite. Conformity assessment, technical documentation, and EU database registration for complex AI systems typically require twelve to eighteen months of preparation. The new deadline of 2 December 2027 is roughly nineteen months away.

The Article 4 AI literacy and Article 5 prohibition obligations are already enforceable, and the new Article 5 nudifier prohibition kicks in 2 December 2026. US companies should not let the high-risk delay create a false sense of security about the obligations that already apply or that will apply within seven months.

Recommended Action Items

Update your AI Act compliance calendar. Replace 2 August 2026 with 2 December 2027 for stand-alone Annex III high-risk systems and 2 August 2028 for Annex I embedded systems. Add 2 December 2026 for the new Article 5 nudifier prohibition and the shortened Article 50 transparency grace period.

Re-classify systems under the narrower safety component test. Products with AI components that only assist users or optimise performance, without creating health or safety risks on failure, may now fall outside the high-risk perimeter. Document the classification rationale.

Map your machinery and Annex I exposure. If your product falls under EU sectoral safety law, assess whether the equivalence clause applies and whether your obligations are now governed solely by sectoral rules.

Audit generative AI tools for Article 5 nudifier exposure. Any provider or deployer of generative AI whose outputs reach EU individuals must verify safety measures against non-consensual intimate content and CSAM generation by 2 December 2026.

Continue building the high-risk compliance infrastructure now. The delay buys time, not exemption. Risk management systems, technical documentation, and EU database registration take many months to build properly. Use the additional sixteen months for quality, not for postponement.

Monitor the formal adoption process. Until publication in the Official Journal, the new dates are political commitments, not law. Track Council and Parliament adoption votes through June 2026.

Lexara Advisory LLC — AI governance consulting, not legal practice. This article provides general compliance information based on the provisional political agreement of 7 May 2026 and does not constitute legal advice. Regulation references: EU AI Act (Regulation (EU) 2024/1689), Official Journal of the EU, 12 July 2024; Commission proposal COM(2025) 836 final on the simplification of the implementation of harmonized rules on artificial intelligence (Digital Omnibus on AI), 19 November 2025; provisional agreement of the Council presidency and European Parliament, 7 May 2026. The amending regulation is not yet formally adopted and the original AI Act timeline remains binding until publication of the Omnibus in the Official Journal.