EU AI Act Omnibus May 7: New Deepfake Prohibitions, SMC Relief, and What Actually Changed

What the May 7 Agreement Actually Changed

The EU AI Act’s enforcement timeline was already among the most complex regulatory calendars in tech history. The May 7, 2026 Digital Omnibus political agreement — reached between the Council and European Parliament — rewrote that calendar in three directions simultaneously: it tightened certain prohibitions (new deepfake rules), extended compliance timelines for high-risk systems, and widened the group of companies that benefit from simplified obligations.

The rationale for the changes was publicly stated: technical standards and guidance documents were not ready for the original August 2026 timeline, creating genuine compliance uncertainty for operators who had no authoritative interpretation of what “high-risk AI” governance actually required in practice. Rather than force compliance against ambiguous standards, the EU extended deadlines and simultaneously added clearer prohibitions in areas where the harm model is unambiguous.

The agreement must still be formally adopted by the European Parliament and the Council. Formal adoption is expected by July 2026, with entry into force shortly thereafter. The substantive provisions below are considered locked — political trilogue agreements are not reversed at formal adoption.

The New Prohibitions: What Is Now Banned by December 2026

The Omnibus deal added two new prohibited AI practices to Article 5 of the AI Act, with a compliance deadline of December 2, 2026 — significantly earlier than the extended high-risk deadlines.

Prohibition 1: Non-Consensual Intimate Imagery (“Nudification”)

AI systems that generate or manipulate sexually explicit or intimate images, video, or audio of real individuals without their explicit consent are now prohibited across the EU. This covers so-called “nudifier” applications — tools that generate sexualized depictions of real people from ordinary images. Per the Dastra EU AI Act analysis, providers and deployers may not use or place on the EU market AI systems designed to create intimate deepfakes, or systems that lack reasonable safeguards against such use. Violations carry fines of up to €35 million or 7% of annual worldwide turnover, whichever is higher.

Prohibition 2: AI-Generated Child Sexual Abuse Material (CSAM)

AI systems designed to generate child sexual abuse material are banned with the same fine structure. This prohibition was less controversial — it codifies into the AI Act what was already prohibited under criminal law in EU member states — but the AI Act’s administrative enforcement mechanism (the AI Office and national market surveillance authorities) adds a regulatory layer on top of existing criminal penalties.

Both prohibitions apply to developers placing systems on the EU market and to deployers using such systems in the EU, regardless of where the system was built.

The Deadline Extensions: Updated Compliance Calendar

The original AI Act enforcement calendar had two critical August 2026 dates. Both have moved:

| Obligation | Original Deadline | New Deadline |

|————|——————|————-|

| High-risk AI systems (Annex III — standalone) | August 2, 2026 | December 2, 2027 |

| High-risk AI in regulated products (Annex I) | August 2, 2027 | August 2, 2028 |

| AI-generated content watermarking | August 2026 | December 2, 2026 |

The 16-month extension for Annex III high-risk systems is the most commercially significant. It covers AI used in critical infrastructure, education, employment, essential services, law enforcement, migration management, and administration of justice — the domains with the most complex governance requirements and the least mature technical standard guidance.

Companies that had accelerated their Annex III compliance programs to meet August 2026 now have additional runway. Latham & Watkins’s AI Act update advises that the extension should be used to build robust compliance infrastructure rather than to delay — audits will begin when new deadlines arrive, and regulators have indicated they will assess whether companies used the extension time meaningfully.

What Actually Changed for What Product Teams Should Do

1. Audit Your Product Against the New December 2026 Prohibition Deadlines

Any AI product that generates, manipulates, or could plausibly be used to generate intimate imagery of real individuals needs immediate legal and product review. The prohibition is not limited to “nudifier” apps explicitly designed for this purpose — it extends to AI systems that lack “reasonable safeguards” against such use. Generative image models, video generation tools, and avatar creation systems all need a safeguard assessment documented before December 2, 2026. Inside Privacy’s EU AI Act analysis provides the specific legal standard for what “reasonable safeguards” means in the Commission’s interpretation.

2. Reassess Your SMC/SME Classification — The Threshold Moved

The Omnibus deal expanded simplified compliance benefits from traditional SMEs to “small-and-medium-cap companies” (SMCs) defined as: up to 750 employees and €150 million in annual revenue. This is a significant jump from the original SME threshold (250 employees, €50 million revenue). SMC benefits include simplified guidance, reduced fines, regulatory sandbox access, and standardized documentation templates. If your company previously assessed itself as above the SME threshold and was building full enterprise-scale compliance programs, reassess immediately — you may qualify for the substantially lighter SMC track.

3. Update Your High-Risk AI Compliance Roadmap for December 2027

The 16-month extension applies to your compliance program, not to your product development. Use it to build proper compliance infrastructure: establish your internal AI governance function, map your AI systems against Annex III categories with documented reasoning, and begin engaging with the technical standard process through CEN-CENELEC (the EU standards body developing AI Act harmonized standards). Companies that show evidence of substantive progress when December 2027 arrives will face significantly lower regulatory risk than those that wait until mid-2027 to begin.

The Structural Lesson: Prohibition Narrows, Permission Widens

The EU AI Act’s May 2026 evolution reveals a clear regulatory logic: prohibitions are getting sharper and earlier (December 2026 for deepfakes), while permission frameworks are getting wider and later (December 2027 for high-risk governance). This is not a contradiction — it reflects the EU’s calibration that certain harms are clear enough to prohibit immediately, while governance frameworks for complex high-risk systems need more time to be technically meaningful.

For product leaders, this means two different compliance postures are required simultaneously. The prohibition audit is urgent and binary — you are either compliant or not. The high-risk governance program is long-term and iterative — start now, build incrementally, demonstrate progress. ResultSense’s EU AI Act Omnibus analysis notes that the AI Office’s enhanced enforcement powers under the Omnibus also increase the probability of enforcement actions against clear violations before the formal deadline — meaning the extended deadlines are not safe harbors for knowingly non-compliant products.

Frequently Asked Questions

Sources & Further Reading

• Council and Parliament Agree to Simplify and Streamline AI Rules — Council of the EU
• Simpler, Safer, Stricter Where It Counts: Inside the EU AI Omnibus Deal — Dastra
• EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions — Inside Privacy
• AI Act Update: EU Resolves to Change Rules and Extend Deadlines — Latham & Watkins
• Digital Omnibus on AI Provisional Agreement — Bird & Bird
• EU AI Act Omnibus Extends High-Risk Deadlines, Widens SME Relief — ResultSense