The waiting is over. After a failed first attempt, the European Parliament and Council reached agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. On 13 May, the member states in the Council (COREPER) confirmed the deal. This settles what had been in limbo for months: the core high-risk obligations of the EU AI Act are being postponed.
For thousands of companies that have been planning under the shadow of 2 August 2026 for months, this is significant news. But the postponement isn't the end of preparation, it's an extension of the time window. And it comes with a series of new obligations that often got lost in the debate about the deadlines.
This article explains exactly what was decided, which new deadlines now apply, what additional provisions the package contains, and what companies should take away from the agreement.
The road to agreement
The agreement was not a given. The first political trilogue on 28 April 2026 collapsed after roughly twelve hours of negotiation. Notably, the sticking point wasn't the prominent deadline postponement, but the conformity assessment architecture for AI systems embedded in regulated products (Annex I).
19 November 2025
Commission tables the Digital Omnibus on AI proposal, initially with a flexible mechanism rather than fixed dates.
13 and 18 March 2026
Council adopts its general approach, Parliament committees adopt their joint report. Both want fixed dates.
26 March 2026
Plenary vote in Parliament (569 to 45), start of trilogue negotiations.
28 April 2026: First trilogue fails
After twelve hours without agreement, blocked on the conformity assessment for Annex I products.
7 May 2026: Agreement reached
Parliament and Council reach a provisional political agreement in the early hours. The Annex I dispute is resolved.
13 May 2026: Confirmation by COREPER
Member states in the Council confirm the agreement. Formal adoption and publication in the Official Journal expected before 2 August 2026.
The new deadlines at a glance
The centerpiece of the agreement is the postponement of high-risk obligations to fixed dates. The Commission's originally proposed flexible mechanism, under which application would have depended on a decision about standards readiness, was dropped.
The most important caveat: The new dates only apply once the Omnibus is formally adopted and published in the Official Journal. Until then, 2 August 2026 remains legally binding. Formal adoption is expected before that date but is not yet complete. Companies should only rely on the new deadlines once publication has occurred.
What else was decided beyond the deadline shift
The deadline postponement was the headline, but the package contains several other substantial changes.
New ban: CSAM and non-consensual intimate content
A new prohibition in Article 5 bans AI systems that generate child sexual abuse material (CSAM) or non-consensual intimate images, video, or audio. The ban applies in three configurations: placing such systems on the market with that purpose, placing them on the market without reasonable safety measures against such use, and deployers using them for that purpose. Affected existing systems must be taken off the market or adjusted by 2 December 2026.
AI literacy obligation (Art. 4) softened
The AI literacy obligation in force since February 2025 is softened in wording. Providers and deployers will need to "support" the development of their staff's AI literacy, rather than guarantee a specific level of competence. The Commission and member states are to support these efforts, for example by publishing practical examples on the AI Act information platform. Important: the obligation doesn't disappear, it's reformulated.
Registration requirement for exempt systems stays
The proposal to drop the registration requirement for systems classified as non-high-risk under Article 6(3) was not adopted. These systems must therefore still be registered in the EU database. This was a central demand of consumer advocates, who had feared a lack of transparency without registration.
Watermarking transitional period (Art. 50(2))
For the obligation to label AI-generated content (synthetic images, video, audio, text), there is a transitional arrangement for systems already on the market before 2 August 2026. These must be compliant by 2 December 2026.
EU sandbox and relief for SMEs
In addition to the national sandboxes, an EU-wide sandbox is created, operated by the AI Office, with priority access for SMEs, startups, and small mid-caps. There are also simplified documentation processes and adjusted penalty rules for smaller companies.
Less double regulation for products
The sticking point that had caused the first trilogue to fail was resolved: AI embedded in products already subject to sectoral safety rules is to be relieved of double regulation. Providers of AI-enabled machinery are explicitly exempted from certain obligations.
What did NOT change
Just as important as the changes is what stays the same. These obligations continue on the original timeline:
Prohibited practices (Art. 5): In force since 2 February 2025 and remain unchanged. The new CSAM/NCII ban is added but replaces nothing.
AI literacy obligation (Art. 4): Remains in place, albeit softened in wording. The obligation to train staff doesn't disappear.
GPAI rules: In force since 2 August 2025 and unaffected by the Omnibus.
Transparency obligations (Art. 50): For chatbots, deepfakes, and AI-generated content, transparency obligations continue to apply. Only labeling (watermarking) has the transitional period mentioned above.
The reactions: relief and criticism
The agreement is assessed differently across the board. Industry associations particularly welcome the planning certainty from fixed dates and the relief from double regulation. Many had considered the original deadline practically impossible to meet because the necessary harmonized standards weren't ready in time.
Civil society organizations view the postponement more critically. They warn that any delay defers the fundamental rights protection the AI Act is meant to ensure, precisely in the high-risk areas (employment, law enforcement, migration). At the same time, the new CSAM and NCII ban is widely seen as a positive signal that the EU uses AI regulation to protect individuals too, especially women and children, who are disproportionately affected by such content.
What companies should do now
The key message from all major advisory firms is uniform: the extra time is no reason to pause preparation. Quite the opposite.
The extra time raises expectations. With the postponement to December 2027, the bar for what authorities consider reasonable preparedness rises rather than falls. Anyone still standing in 2027 without an AI inventory and risk classification will find it harder to justify than someone who narrowly missed the original deadline.
1. Transparency obligations take priority. Many companies already fall under Article 50 because they run chatbots, generate AI content at scale, or publish AI-assisted materials. These obligations apply regardless of the high-risk postponement.
2. The preparation work stays the same. AI inventory, risk classification logic, supplier due diligence, and evidence packs need to be built regardless. The postponement gives more time, it doesn't remove the work.
3. Tie AI literacy to specific systems. Even in its softened form, the training obligation remains. Companies should document their training measures and tie them to the AI systems their staff actually use.
4. Check the new CSAM/NCII ban. Companies that provide or deploy generative AI systems should check whether their systems could fall under the new ban and what safety measures are required. The 2 December 2026 deadline is closer than the high-risk deadlines.
Summary
With the agreement of 7 May 2026, the months-long uncertainty over the high-risk deadlines is over. The core obligations shift to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). The package also contains a new ban on CSAM and non-consensual intimate content, a softened AI literacy obligation, a retained registration requirement, and relief for SMEs.
For companies, the timeline changes, not the substance. The prohibited practices, the AI literacy obligation, and the transparency obligations continue to apply. And the extra time should be used to build preparation properly, rather than to defer it. Because when December 2027 arrives, the expectation of preparedness will be higher, not lower.
Put the extra time to good use
SimpleAct helps you build preparation with structure now, instead of deferring it. AI inventory, risk classification, transparency obligations, audit trail. All in one place.
Get started for free →This article is for general information purposes only and does not constitute legal advice. The political agreement of 7 May 2026 has not yet been formally adopted. Until publication in the Official Journal, the original deadlines remain legally binding. Last updated: June 2026.
About SimpleAct: SimpleAct is a German compliance platform that helps companies structurally document their AI systems in accordance with the EU AI Act. From registration to risk assessment to exportable audit reports. All in one place.
Tags
Yannick | SimpleAct Team
Author · SimpleAct Team
