EU AI Act Omnibus 2026: High-Risk AI Deadline Extended to December 2027

SME Exemptions Extended to Mid-Cap Companies

The original AI Act included simplified requirements for small and medium-sized enterprises, recognizing that compliance costs proportionate for a large technology company can be prohibitive for a smaller one. The omnibus deal extends those exemptions to small mid-cap companies (SMCs) — companies with up to 500 employees, up from the standard EU SME ceiling of 250 employees.

The simplified requirements available to SMEs and SMCs under the Act include:

• Simplified technical documentation: Reduced scope and detail requirements compared to what large enterprises must produce for conformity assessments and market surveillance purposes.
• Priority regulatory sandbox access: Preferential access to national AI regulatory sandboxes, where organizations can test AI systems under supervised conditions before full market deployment without triggering full compliance requirements.
• Reduced conformity assessment fees: Lower fees for notified body assessments — which can otherwise represent a significant fixed cost for smaller organizations developing high-risk AI systems.

The omnibus also extends the ability to process sensitive personal data for bias detection and mitigation purposes. This is a practically important carve-out for AI teams conducting fairness audits. Testing whether an AI system produces discriminatory outcomes across protected characteristics — age, ethnicity, gender, disability status — often requires processing the very categories of sensitive data that would otherwise be restricted under the General Data Protection Regulation.

Content Labeling: The Deadline That Got Shorter

Not every change in the omnibus deal is an extension. One deadline moved in the opposite direction — tighter, not looser.

Under the original AI Act, obligations to mark AI-generated content in a machine-readable format were subject to a six-month grace period from August 2, 2026. The omnibus shortens that grace period to three months. The new deadline for AI-generated content labeling is December 2, 2026.

This transparency obligation affects any organization that:

• Operates consumer-facing generative AI systems deployed to EU users — chatbots, image generators, writing assistants, synthetic voice tools
• Generates AI content for commercial distribution in the EU — marketing copy, synthetic media, automated journalism outputs
• Provides AI content generation as a service to EU-based business customers

The machine-readable marking requirement is technically distinct from the user-facing disclosure obligation (the requirement to tell users they are interacting with AI, which applies from August 2, 2026). Machine-readable marking must be embedded in the content artifact itself — in metadata, watermarks, or cryptographic signatures — in a format that automated detection and provenance systems can parse. The Commission is still finalizing the specific technical standards for this format, with C2PA (Coalition for Content Provenance and Authenticity) the leading candidate for technical implementation. December 2, 2026 is seven months from today. Organizations that generate AI content at scale need to begin evaluating implementation options now, before the Commission’s implementing acts on format requirements are published, to avoid a compressed implementation window later this year.

What Still Applies on August 2, 2026

The omnibus deal is substantial, but it does not push everything back. Several EU AI Act obligations remain on their original August 2026 schedule.

Prohibited AI systems remain banned as planned. The unacceptable risk tier — AI systems that are not permitted in the EU regardless of safeguards — is not affected by the omnibus. This includes systems using real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement), AI-based social scoring by public authorities, and subliminal manipulation techniques designed to bypass rational agency. The omnibus adds to this list: AI systems that generate child sexual abuse material, and AI systems that create non-consensual intimate imagery of identifiable real people (colloquially, nudification apps), are explicitly banned under the provisional agreement.

GPAI model obligations are already in effect. General-purpose AI model requirements — which apply to foundation model providers deploying models for use in the EU — entered into force from August 2025. The omnibus does not alter this timeline. If you provide a general-purpose AI model, your obligations under Title IX of the AI Act are already live. This covers technical documentation, copyright compliance policies, incident reporting for systemic risk models, and adversarial testing requirements for models with significant compute thresholds.

User-facing transparency disclosures for new products. From August 2, 2026, new AI systems deployed to EU users where the AI nature is not obvious from context must include disclosure. Organizations launching AI-powered products or features to EU users after August 2 must build disclosure into their user experience from launch day. This obligation is not affected by the omnibus.

Regulatory Supervision: Clarity Between the AI Office and National Authorities

The provisional agreement also clarifies a structural question that had created compliance uncertainty: who supervises what, and which regulator organizations are ultimately accountable to.

The AI Office — the EU-level supervisory body established under the Commission — has primary competence over GPAI models and GPAI model providers. National competent authorities retain competence in specific domains including law enforcement, border management, judicial authorities, and financial institutions. The omnibus tightens the jurisdictional boundary between these two tracks to reduce situations where organizations face overlapping demands from both the AI Office and a national authority simultaneously over the same system.

For most developers building AI applications on top of GPAI foundation models, this means your compliance relationship for application-level obligations is with your national authority, while your model provider’s relationship with the AI Office is a separate supervisory track. This separation was implicit in the original Act; the omnibus makes it explicit and operationally clearer.

What Developers and Compliance Teams Should Do Now

The formal adoption vote is still ahead, but the provisional agreement is stable enough to act on. Here is a practical checklist for the next 90 days:

1. Triage your AI system inventory by risk classification. The timeline extensions only apply to high-risk systems under Annex III and safety component systems. Identify which of your AI systems are potentially in scope for high-risk classification and which fall into limited risk or minimal risk tiers. Many AI products — productivity tools, recommendation systems, content generation tools without consequential decision-making — do not carry high-risk obligations at all.
2. Check your organization size against the 500-employee SMC threshold. If your company has under 500 employees, you now qualify for simplified technical documentation under the extended SMC exemption. Your compliance workload for any high-risk systems you do operate may be substantially lighter than your current plan assumed. Review the specific documentation simplifications that apply and revise your roadmap accordingly.
3. Begin content labeling scoping by October 2026. If you generate AI content for EU users, December 2, 2026 is your deadline for machine-readable marking. Evaluate current content provenance standards (C2PA in particular), assess what changes are needed to your generation pipeline, and reserve engineering capacity for implementation after the Commission publishes format requirements in implementing acts. Starting scoping now gives you execution runway rather than a last-minute scramble.
4. Build disclosure into August 2026 product launches. If you are launching any AI-powered products or features to EU users after August 2, the user-facing transparency disclosure requirement applies from day one. Build it into your design and legal review process for anything scheduled to launch in the second half of 2026.
5. Track formal adoption through July 2026. Monitor the European Parliament and Council legislative calendars for the formal adoption vote. The omnibus timeline extensions only take legal effect on formal adoption. The co-legislators intend to adopt before August 2, but monitor for schedule changes.

The Bigger Picture: What the Omnibus Signals for EU AI Policy

The EU AI Act Omnibus reflects a broader recalibration of EU technology regulation that has been building since late 2025. The Commission’s digital omnibus initiative — covering the AI Act, elements of the Digital Markets Act, and other digital frameworks — is explicitly aimed at reducing compliance friction and making the EU a more competitive environment for technology development. The Council’s March 2026 position statement included language that “companies should not be regulated twice,” a phrase that captured the political direction before the May 7 provisional agreement formalized it.

The extension of high-risk AI deadlines is pragmatic, not a weakening of the law’s substance. The obligations themselves remain unchanged; only the timeline has moved. Organizations that use the additional runway to build genuinely robust compliance programs — risk management systems that reflect real operational practice, technical documentation that would survive regulatory scrutiny, human oversight mechanisms that engineers and compliance teams actually use — will be better positioned than those that treat the extensions as permission to defer planning until the new deadlines approach.

The December 2026 content labeling deadline, which moved in the opposite direction, is worth particular attention. It signals that the Commission views AI-generated content transparency as a near-term priority rather than a long-term aspiration. The technical infrastructure for content provenance is being built now, and organizations generating AI content at scale have a narrower window to implement than they did under the original schedule.

The Bottom Line

The EU AI Act Omnibus deal reached on May 7, 2026 is the most significant update to EU AI regulation since the Act entered into force — and it creates materially different compliance timelines depending on which obligations apply to your organization. High-risk AI deadlines have moved 16 to 24 months. The SMC exemption now covers companies with up to 500 employees. But AI content labeling got a shorter deadline, GPAI model obligations are already live, and August 2, 2026 remains the start date for prohibited system bans and new user-facing transparency requirements. Map your specific product portfolio to the specific obligations that apply, track formal adoption through July, and treat the December 2026 content labeling deadline as your highest-priority near-term compliance action item.