EU AI Act Omnibus: What the New Deadlines Mean for Your Compliance Plan

On 7 May 2026, the EU Council and Parliament reached political agreement on the Digital Omnibus Act, which amends the AI Act (Regulation (EU) 2024/1689) alongside several other digital regulations. The headline change: high-risk system deadlines have been pushed back by up to 16 months. The obligations themselves are unchanged.

Note: The agreement is subject to formal adoption by both institutions. We will update this article when the final text is published in the Official Journal.

Revised High-Risk Deadlines

The Omnibus agreement defers the two main high-risk compliance dates:

Alongside the deferrals, two new obligations have been introduced:

• New prohibitions covering non-consensual intimate imagery and child sexual abuse material (CSAM): effective 2 December 2026
• Transparency solutions for AI-generated content: the implementation period has been shortened from six months to three months, with a new deadline of 2 December 2026

What Hasn't Changed

The Omnibus does not affect the first two phases of the AI Act rollout. These obligations are already in force and remain untouched:

• Prohibited practices (Article 5): in force since 2 February 2025
• General-purpose AI (GPAI) model obligations: in force since 2 August 2025

If your organisation deploys or provides AI systems that fall under these categories, compliance is already required. The Omnibus deferrals do not retroactively extend these dates.

Simplification Measures

Beyond the timeline changes, the Omnibus agreement introduces several measures aimed at reducing regulatory burden:

• Extended SME exemptions: Lighter-touch provisions previously available only to SMEs have been extended to small mid-cap companies
• Sectoral overlap provisions: The Commission can disapply overlapping AI Act requirements where existing sectoral legislation already covers the same ground
• Machinery Regulation carve-out: AI systems embedded in products already governed by the Machinery Regulation have been removed from direct AI Act application
• Simplified certification: Reduced conformity assessment procedures for certain categories
• EU-level regulatory sandbox: A new EU-wide sandbox framework to support compliant innovation

What This Means for UK Companies

The AI Act's extraterritorial provisions (Article 2(1)) are unchanged by the Omnibus. UK companies that place AI systems on the EU market, whose EU deployers use UK-built AI, or whose AI output affects EU persons remain in scope.

The practical effect is more time: UK organisations caught by the high-risk obligations now have until December 2027 (standalone Annex III systems) or August 2028 (product-embedded Annex I systems) rather than the original 2026 and 2027 dates.

The deferral is not a reason to delay preparation. The obligations have not changed, only the enforcement date. Conformity assessments, technical documentation, risk management systems, data governance frameworks, human oversight mechanisms and post-market monitoring all still need to be built, tested and embedded in operational processes. Organisations that begin now will be ready. Organisations that wait until late 2027 will face the same compressed timeline that the Omnibus was partly designed to prevent.

Updated Timeline Summary

• 2 February 2025: Prohibited practices in force
• 2 August 2025: GPAI model obligations in force
• 2 December 2026: New prohibitions (non-consensual intimate imagery, CSAM) + transparency solutions for AI-generated content
• 2 December 2027: Standalone Annex III high-risk system obligations
• 2 August 2028: Product-embedded Annex I high-risk system obligations

Source: Council of the EU press release, 7 May 2026.

Part of our guide: EU AI Act compliance for UK organisations.