European Parliament and Council negotiators reached a provisional political agreement on the Digital Omnibus on AI on Wednesday, 7 May 2026, recasting the timelines that have hung over Europe's flagship AI rulebook for the past year. The deal pushes the bulk of high-risk obligations into 2027 and 2028, narrows what counts as a 'safety component,' and quietly adds a new prohibition aimed at AI systems used to fabricate non-consensual sexual imagery.
Arba Kokalari, the European Parliament Internal Market Committee rapporteur who steered the file, framed the package as a tidy-up rather than a retreat. 'We are not weakening any safety rules; we are clarifying the rules for companies in Europe,' she said, adding that 'companies should not be regulated twice for one thing.'
A new compliance calendar
The headline change is the timeline. Stand-alone Annex III high-risk systems — the ones used in employment, education, credit scoring, biometrics, critical infrastructure, law enforcement, justice and migration — now apply from 2 December 2027. AI embedded in regulated Annex I products, including medical devices, machinery, toys, lifts and watercraft, gets a longer runway, with obligations starting 2 August 2028.
The watermarking requirement on artificially generated content also moved, but in the opposite direction: providers must label AI-generated audio, images, video and text by 2 December 2026, rather than the 2 February 2027 date in the Commission's original proposal.
For machinery products specifically, the omnibus shifts conformity assessment toward sectoral-only regulation, with an 'equivalence clause' meant to ensure health and safety protections remain comparable to the AI Act's. AI functions limited to user support or performance optimisation were narrowed, requiring a causal test relative to harm to qualify as safety components.
Nudification apps drawn into Article 5
The deal expands the AI Act's list of prohibited practices. Article 5 now bans AI systems that generate non-consensual sexual or intimate content, with an explicit reach into 'images, video and audio,' alongside child sexual abuse material. A safe-harbour exists for systems with effective preventive safeguards, and the compliance deadline for the new prohibition is 2 December 2026.
Michael McNamara, a Renew Europe lawmaker involved in the talks, stressed that the rules apply to content depicting real people — photos exposing a person's 'intimate parts' — rather than synthetic characters.
Smaller relief, broader scope
The omnibus also extends SME exemptions to small mid-cap enterprises, opens an EU-level regulatory sandbox for pre-market testing, streamlines enforcement of general-purpose AI systems, and permits personal data processing for bias detection under strict safeguards.
What still has to happen
The agreement is provisional. Both the European Parliament and the Council must formally adopt it, and they intend to do so before 2 August 2026 — the start date for the current high-risk system rules that are now being pushed back. Until that ratification lands, companies are operating against two calendars at once: the original AI Act schedule and the omnibus schedule that is supposed to replace parts of it.
For builders, the practical message is that the December 2027 and August 2028 dates only become real once Parliament and Council sign off in the next three months. For watermarking, the December 2026 deadline is the more immediate planning anchor — and it now applies to text generation as well as media.
