AI Act: the Digital Omnibus postpones high-risk rules and adds new prohibitions

On 7 May 2026 the European Parliament and Council reached a provisional political agreement on the Digital Omnibus on AI: rules for high-risk stand-alone systems are pushed to 2 December 2027, exemptions are extended to small mid-caps (up to 500 employees), and a new ban covers non-consensual sexual deepfakes and CSAM.

What happened

On 7 May 2026, after overnight negotiations, the European Parliament and the Council of the EU reached a provisional political agreement on the Digital Omnibus on AI: a targeted amendment package to Regulation (EU) 2024/1689 — the AI Act — that postpones the most pressing deadlines originally scheduled for August 2026 and introduces new prohibitions.

The deal comes less than three months before the original application date for high-risk AI systems (2 August 2026), under pressure from industry, national authorities and consumer organisations who flagged the impossibility of completing compliance pathways on time.

It is not yet the final text: formal adoption requires a Parliament plenary vote and adoption by the Council. Barring technical legal scrubbing, however, the substantive changes are the ones announced.

The new timelines

The Omnibus introduces a fixed, differentiated timeline for the application of high-risk AI rules:

  • 2 December 2027 — high-risk stand-alone AI systems (Annex III: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration management, administration of justice, democratic processes).
  • 2 August 2028 — high-risk AI systems embedded in products already subject to EU safety legislation (Annex I: medical devices, machinery, automotive, toys, radio equipment, lifts, personal protective equipment, and so on).
  • 2 August 2027 — deadline for the establishment of regulatory sandboxes at national level by competent authorities.
  • 2 December 2026 — deadline for providers to implement transparency solutions for AI-generated content (watermarks, provenance metadata). The grace period was reduced from 6 to 3 months compared to the initial proposal.

For many European companies — especially SMEs deploying AI in healthcare, infrastructure or public administration — the postponement provides an additional 16-18 months to build technical documentation, complete risk management under ISO 14971 and ISO/IEC 23894, and implement the required organisational controls.

The new prohibitions

Among the most relevant additions is the explicit prohibition of two categories of AI-generated content:

  1. Non-consensual sexual and intimate content — so-called pornographic deepfakes produced without the consent of the depicted person. The rule fills a gap in the original text, which only banned specific manipulative uses without explicitly covering this abuse.
  2. AI-generated CSAM (Child Sexual Abuse Material) — even when the image does not correspond to a real existing person, generation through AI is absolutely prohibited.

Both prohibitions fall under prohibited AI practices (Article 5 of the AI Act), and are subject to the highest sanctions provided by the Regulation — up to €35 million or 7% of global annual turnover, whichever is higher.

Exemptions extended to small mid-caps

The Omnibus package introduces a new legal concept: the small mid-cap (SMC), defined as an enterprise of up to 500 employees. This extends the traditional SME perimeter to include European companies in their scale-up phase that, while no longer fitting the SME definition (250 employees), do not yet have the compliance resources of a large multinational.

For SMCs, the compliance exemptions already granted to SMEs are extended, in particular:

  • Simplified technical documentation — the option to adopt streamlined formats proportionate to the organisation’s size, retaining the essential content required by Annex IV.
  • Reduced fees for participating in national regulatory sandboxes.
  • Accelerated procedures for dialogue with supervisory authorities.

The SMC definition is consistent with the Digital Services Act framing of “very large online platforms” and with the Commission’s new Industrial Strategy, which aims to support the growth of European businesses past the SME threshold without burdening them prematurely with obligations designed for big tech.

Registration obligation reinstated

One of the most debated proposals in previous months was the elimination of the EU database registration obligation for AI systems that the provider deems exempt from high-risk classification (Article 6.3 of the AI Act).

The Omnibus confirms the registration obligation: even a system that the provider considers not high-risk must be registered in the EU database, with the reasons for the exemption stated. This is a choice in favour of transparency and accountability, championed in particular by the Parliament against the more deregulatory positions held by some Member States.

What it means for companies

For European companies with AI systems in production or on the roadmap, the post-Omnibus framework requires:

  • Revisiting the compliance roadmap in light of the new dates: the 2 August 2026 deadline had been treated as the point of maximum pressure, and with the postponement there is room for more substantial, less emergency-driven programmes.
  • Verifying organisational size against the new SMC threshold (500 employees) — many medium-sized European companies fall into this category and can benefit from the exemptions.
  • Updating internal content generation policies to reflect the new prohibitions on non-consensual deepfakes and CSAM, including in automated moderation scenarios.
  • Maintaining AI system registration in the EU database as planned — high-risk pre-screening does not remove the transparency obligation toward authorities.
  • Implementing transparency solutions for AI-generated content by 2 December 2026 (watermarks, provenance metadata such as C2PA or equivalent).

For organisations operating in NIS2-covered sectors (energy, healthcare, transport, public administration, digital infrastructure), the integration between the AI Act and NIS2 remains an area where security and AI governance requirements must be coordinated: a cross-regulation gap analysis between the two frameworks is a practice noze adopts in every active compliance project.

Next steps

The 7 May provisional agreement will go through:

  1. Parliament vote (in plenary) expected by summer 2026.
  2. Formal adoption by the Council.
  3. Publication in the EU Official Journal and entry into force on the standard timeline (20 days after publication).

The technical application deadlines remain as announced by the Omnibus: 2 December 2026 for transparency, 2 August 2027 for sandboxes, 2 December 2027 and 2 August 2028 for high-risk.
