EU AI Act Omnibus: New Nudification Ban, SME Relief, and Deadline Extensions — What Changed in May 2026

What the Omnibus Deal Actually Changed

The EU AI Act entered into force in August 2024, with a staged compliance timeline that had high-risk system providers scrambling toward an August 2026 deadline. The May 7 Omnibus agreement renegotiates that timeline substantially — but it also adds new obligations that take effect sooner. The net result is not a simple extension; it is a restructured compliance calendar with tighter prohibitions and longer windows for complex implementation work.

The deal, reached as a political agreement between the Council and Parliament, still requires formal adoption, but both institutions have confirmed the core terms. Euronews reported on the agreement as a recalibration driven by both industry lobbying and a genuine recognition that the AI Act’s original scope was creating overlapping compliance burdens with sector-specific regulations.

Here are the five structural changes every compliance team needs to internalize:

1. High-Risk Annex III (Use-Based) Deadline Moved to December 2, 2027. Systems listed in Annex III — AI in employment decisions, credit scoring, biometric identification in public spaces, education access, critical infrastructure — had a compliance deadline of August 2, 2026. That deadline has been pushed to December 2, 2027: a 16-month extension. For compliance teams that have been building conformity assessment processes, this is breathing room. For those that haven’t started, it is not permission to delay — it is extra time to do the work correctly.

2. High-Risk Annex I (Product-Safety) Deadline Moved to August 2, 2028. AI embedded in physical products governed by existing EU product safety legislation (medical devices, machinery, vehicles) originally faced an August 2027 deadline. That has been pushed to August 2028. The machinery regulation was also restructured from Annex I Section A to Section B, reducing dual-compliance burdens for manufacturers — a significant win for industrial AI applications.

3. New Prohibition: AI-Generated NCII, Effective December 2, 2026. The Omnibus introduces a full ban on AI systems whose primary intended purpose — or a reasonably foreseeable outcome without adequate safety measures — is generating non-consensual intimate imagery or child sexual abuse material. The ban applies to providers immediately; for deployers, liability requires demonstrating deliberate use for prohibited purposes. InsidePrivacy’s detailed analysis confirms the deadline is December 2, 2026, meaning platforms currently offering such tools have approximately six months to shut them down.

4. SME Relief Extended to 750-Employee Mid-Caps. The original AI Act’s simplified compliance provisions applied to small and micro enterprises. The Omnibus expands the threshold to companies with up to 750 employees and €150 million in annual revenue. Benefits include simplified technical documentation requirements, extended access to regulatory sandboxes for testing under relaxed conditions, reduced fines for first violations, and standardized documentation templates. This change is meaningful for the broad middle tier of AI companies — Series B and C startups, national tech champions, specialist AI tool providers — that fall between micro-enterprise and large enterprise.

5. Article 25 Strengthened: Information-Sharing Along the Supply Chain. Providers of AI components must now furnish downstream deployers with technical documentation, known limitations, and system access for testing. Breaches of Article 25 carry fines of up to 3% of worldwide annual turnover — matching the penalty level for high-risk system violations. This is a significant development for enterprise AI buyers: if your vendor’s AI component lacks adequate documentation of limitations, the vendor is now subject to meaningful penalty, not just moral pressure.

What Did Not Change — and Why That Matters

The Omnibus is a recalibration, not a retreat. The AI Act’s foundational architecture — prohibited applications, transparency requirements, GPAI model obligations — remains intact. The prohibition categories in Annex II (social scoring by public authorities, exploitation of vulnerable groups, real-time biometric surveillance) were not loosened. The GPAI obligations for providers of general-purpose AI models above the 10^25 FLOP training threshold remain unchanged.

MEP Sergey Lagodinsky’s warning after the agreement is worth noting: “We cannot constantly reopen the legislative process and try to take shortcuts.” The Commission has signaled that the Omnibus is a one-time recalibration, not an open invitation for further deadline renegotiation. Organizations that treat the new 2027-2028 deadlines as permanent should plan accordingly.

The European Parliament’s press release on postponement confirms that MEPs voted in March 2026 to support the deadline deferral specifically because conformity assessment infrastructure was not yet ready to absorb simultaneous compliance submissions from thousands of high-risk AI providers.

The Lewis Silkin analysis of the deal notes that the scope narrowing for “high-risk” AI definitions — only systems whose failure creates genuine health or safety risks now face full compliance obligations — provides meaningful relief for performance optimization and assistant tools that had been ambiguously categorized.

What AI Providers and Deployers Should Do Now

1. Rebuild Your Compliance Calendar Around the New Dates

Three dates now govern EU AI Act compliance: December 2, 2026 (NCII ban + watermarking for legacy systems), December 2, 2027 (Annex III high-risk), August 2, 2028 (Annex I product-embedded). If your compliance team has been working against August 2026, rebuild the roadmap immediately. The 16-month extension is real, but conformity assessments, notified body engagements, and technical documentation for complex high-risk systems still require 12-18 months of substantive work — there is no slack for organizations that restart from zero.

2. Assess Whether You Fall Into the New “High-Risk” Scope After Narrowing

The definition change means not all AI systems that were previously in scope remain in scope. Specifically, assistant tools and performance optimization features that do not create genuine health or safety risks on failure no longer automatically trigger full compliance obligations. Before investing further in conformity assessment processes for these systems, verify whether the narrowed definition still captures them. If your legal team determined high-risk status based on the original broad definition, the analysis should be redone under the Omnibus language.

3. Act on the NCII Prohibition Timeline Immediately — It Is the Nearest Deadline

December 2, 2026 is less than seven months away. If your product includes any feature that could generate intimate imagery of real individuals, evaluate whether it meets the prohibition threshold: is generating such content the “intended purpose” or a “reasonably foreseeable and reproducible outcome” without adequate safety measures? The deployer-side prohibition is narrower (requires deliberate use), but the provider-side prohibition is broad. Products in the gray zone need legal assessment now, not in November.

4. Use the Sandbox Extension Strategically for High-Risk System Development

The expansion of regulatory sandbox access to 750-employee companies, plus the one-year delay in national sandbox establishment obligations (now August 2027), means more companies can access supervised testing environments before full compliance requirements bite. If you are developing a high-risk system (Annex III) and have not explored sandbox participation, this is the time to engage your national competent authority. Sandbox testing generates documentation that strengthens your conformity assessment and reduces notified body costs.

The Bigger Picture

The EU AI Act Omnibus reflects a tension that every major AI governance framework will eventually face: the gap between the pace of regulatory drafting and the pace of technological deployment. The original AI Act timeline assumed that high-risk AI providers had 24 months after entry into force to build compliance infrastructure — a reasonable assumption in 2024. By 2026, it had become clear that the conformity assessment infrastructure (notified bodies, harmonized standards, technical documentation templates) was not ready to receive 24 months of compressed compliance work simultaneously.

The Omnibus does not resolve this structural tension — it defers it by 16 months for most use cases. What it does establish is a clearer set of priorities: NCII prohibition is immediate and non-negotiable, supply chain documentation is being enforced with real penalties, and the SME tier has been given enough oxygen to do the work without being crushed by large-enterprise compliance overhead.

For organizations outside the EU, the AI Act’s extraterritorial reach — it applies to any AI system whose output is used within the EU, regardless of where the provider is incorporated — means the Omnibus changes matter even for companies headquartered in Algiers, Lagos, Singapore, or Chicago. The practical implication is the same: update your compliance calendar, assess scope under the narrowed high-risk definition, and prioritize the NCII prohibition timeline.

Frequently Asked Questions

Sources & Further Reading

• EU AI Act Omnibus: Deadline Extensions and SME Relief — Resultsense
• AI Act Update: EU Resolves to Change Rules — Latham & Watkins
• The Council and Parliament Agree to Slim Down AI Act — Lewis Silkin
• EU AI Act Update: Timeline Relief and New Prohibitions — InsidePrivacy
• The EU Simplified Its Toughest AI Law — Euronews
• MEPs Support Postponement of AI Rules — European Parliament