The updated EU AI Act timeline: what the May 2026 Omnibus changes

On 7 May 2026, the European Parliament and Council reached a provisional agreement on the Digital Omnibus on AI — a set of targeted amendments to the EU AI Act that materially changes the compliance timeline. This is the most significant development in EU AI Act implementation since the regulation entered into force in August 2024.

The headline change: high-risk AI system obligations under Annex III (standalone systems covering employment, credit, biometrics, education, law enforcement, and critical infrastructure) are deferred from the original 2 August 2026 deadline to 2 December 2027. That is a 16-month extension. For AI systems embedded in regulated products under Annex I (medical devices, machinery, toys, lifts), the new deadline is 2 August 2028.

The Omnibus does not change the core architecture of the EU AI Act. Risk classification, provider and operator obligations, technical documentation requirements, and conformity assessment processes all remain. What changed is when those obligations must be met for high-risk systems — not what must be done.

What is still in force: August 2026 obligations unchanged

The Omnibus extends high-risk AI deadlines. It does not extend everything. Several obligations remain firmly on the August 2026 timeline:

AI transparency obligations (Article 50): Deployers of AI systems that interact with natural persons must disclose that the person is interacting with an AI. This applies to chatbots, virtual assistants, and AI-generated content systems. No extension. From 2 August 2026, chatbot disclosure is a legal requirement for any organisation with EU users.

GPAI model obligations (Articles 50-55): Requirements for providers of general-purpose AI models (large foundation models) have been in force since 2 August 2025 and are not changed by the Omnibus.

Prohibited AI practices: The prohibition on banned AI applications (social scoring, subliminal manipulation, certain biometric uses) has been in force since February 2025. The Omnibus adds a new prohibition on AI systems that generate non-consensual intimate imagery (nudifiers, CSAM-generating AI), effective 2 December 2026.

AI-generated content watermarking (Article 50(2)): The Omnibus extends this from August 2026 to 2 December 2026 — a three-month grace period. Generative AI content labelling and watermarking obligations apply from December 2026.

Who the EU AI Act applies to

The extraterritorial scope of the EU AI Act is one of its most important features. The Act applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of where the provider is established; deployers who use AI systems in a professional context in the EU, regardless of where the deployer is headquartered; and providers and deployers outside the EU whose AI systems' outputs are used in the EU.

This means an Australian company using AI to screen job applications from EU-based candidates is a deployer. A US company selling an AI credit scoring product to EU financial institutions is a provider. A Singapore company whose AI generates recommendations affecting EU consumers is within scope. Brexit did not exempt UK organisations from this extraterritorial reach.

The revised full timeline

February 2025: Prohibited AI practices — already in force. Violations are already illegal.

August 2025: GPAI model obligations (Articles 50-55) — already in force for foundation model providers.

August 2026: Transparency obligations (Article 50 — chatbot disclosure, AI interaction disclosure) — in force as originally planned.

December 2026: AI-generated content watermarking (Article 50(2)) — three-month grace period under Omnibus.

December 2027: Full high-risk AI obligations for Annex III standalone systems — employment, credit, biometrics, education, law enforcement, critical infrastructure, essential services.

August 2028: Full high-risk AI obligations for Annex I embedded systems — AI in medical devices, machinery, toys, lifts, radio equipment.

What organisations should do now

The Omnibus extension provides additional time for high-risk AI compliance. It does not eliminate the work required. Technical documentation, conformity assessment preparation, human oversight mechanism design, and AI risk management system architecture all require 12-18 months of substantive effort. Starting an implementation programme in Q1 2027 for a December 2027 deadline is too late. The organisations that will be best positioned are those using the extension strategically to build robust governance, not to postpone starting.

The August 2026 chatbot disclosure obligation is not extended. If you deploy AI systems that interact with EU users, transparent disclosure of AI interaction is legally required from August 2026. This is the most immediate compliance obligation for most consumer-facing organisations.