EU AI Act Digital Omnibus May 2026: What Changed and What Did Not
# EU AI Act Digital Omnibus May 2026: What Changed and What Did Not
The May 2026 Digital Omnibus provisional agreement adjusted several EU AI Act deadlines but left GPAI enforcement and prohibited-use bans untouched, and it is not yet in force pending formal adoption by the European Parliament and Council.
---
## What the EU AI Act Says
The EU AI Act (Regulation 2024/1689) was published in the Official Journal on 12 July 2024 and entered into force 20 days later. It applies in phases according to a built-in timeline set out in Article 113.
The Digital Omnibus is a separate legislative instrument, provisionally agreed in May 2026, that amends those Article 113 dates for specific obligations. Until it clears the formal adoption process, the original dates in the AI Act remain the legal baseline. The changes below reflect the provisional agreement and are expected to apply once adoption is complete, which is anticipated before the original Annex III date of August 2 2026.
Key provisions affected by the Omnibus:
- **Annex III (high-risk AI systems):** The application date for most Annex III obligations under Article 6(2) is extended from August 2 2026 to **December 2 2027**.
- **Annex I (AI components in product safety legislation):** The application date is extended from August 2 2026 to **August 2 2028**.
- **Article 50(2) (watermarking and transparency for AI-generated content):** Providers of systems already deployed before August 2 2026 receive a **four-month grace period** before the watermarking obligation applies to those existing systems.
Provisions that the Omnibus **did not change**:
- **Article 5 (prohibited practices):** In force since **February 2 2025**. Bans on real-time biometric identification in public spaces, social scoring, subliminal manipulation, and exploitation of vulnerabilities apply now and were not touched.
- **Articles 51 to 56 (GPAI obligations, Article 53 transparency and documentation requirements):** Apply from **August 2 2026**. No extension was granted. Providers of general-purpose AI models must have technical documentation, copyright summaries, and policies in place by that date.
- **Article 50(1) (disclosure to users that they are interacting with AI):** Also applies August 2 2026, with no extension.
---
## Who This Applies To
The Omnibus changes affect different actors differently.
**Providers** of AI systems placed on the EU market or put into service in the EU are the primary addressees of most obligations. This includes companies headquartered outside the EU if their systems are used by EU-based users.
**Deployers** (organisations that use AI systems in professional contexts) face obligations under Chapter 3 of the Act, but a narrower set than providers.
**GPAI model providers** (companies that train and release foundation models or large language models) face the August 2 2026 deadline regardless of company size or sector. The definition in Article 3(63) covers models trained on broad data with significant generality. There is no SME carve-out for GPAI obligations.
**High-risk system providers** under Annex III (recruitment tools, creditworthiness assessment, biometric categorisation used in employment, education, law enforcement, etc.) now have until December 2 2027. This is the category most affected by the Omnibus extension.
Company size matters at the margins for some procedural obligations (Article 9 risk management systems have proportionality provisions), but not for whether the obligations apply at all.
---
## What the Obligations Actually Require
**By February 2 2025 (already in force):** Stop any use cases that fall under Article 5 prohibited practices. If your product uses real-time biometric identification, social scoring, or infers sensitive attributes from biometric data for prohibited purposes, it must have been modified or discontinued.
**By August 2 2026 (GPAI and Article 50):**
- GPAI model providers must have technical documentation compliant with Annex XI, a copyright transparency summary under Article 53(1)(d), and an acceptable use policy.
- GPAI providers of systemic-risk models (those exceeding 10^25 FLOPs training compute, per Article 51) must additionally conduct adversarial testing and notify serious incidents to the AI Office.
- Providers of any AI system that generates synthetic audio, image, video, or text output must implement machine-readable watermarking or equivalent marking under Article 50(2), unless their system qualifies for a narrow exception (e.g. authorised law enforcement use). Existing deployed systems have a four-month grace window from August 2 2026.
- Any system that interacts with humans must disclose it is an AI, per Article 50(1), unless the user has been explicitly informed and consented.
**By December 2 2027 (Annex III high-risk systems):**
Providers must have in place: a risk management system (Article 9), data governance practices (Article 10), technical documentation (Article 11), logging capabilities (Article 12), transparency information for deployers (Article 13), human oversight measures (Article 14), and accuracy/robustness requirements (Article 15). Registration in the EU database (Article 49) is also required before market placement.
---
## Key Deadlines Summary
| Obligation | Deadline | Omnibus change? |
|---|---|---|
| Article 5 prohibited practices | February 2 2025 | No |
| GPAI (Articles 51-56, Article 53) | August 2 2026 | No |
| Article 50 AI disclosure and watermarking | August 2 2026 | Grace period only for existing systems |
| Annex III high-risk system obligations | December 2 2027 | Yes, extended from Aug 2026 |
| Annex I product safety AI obligations | August 2 2028 | Yes, extended from Aug 2026 |
---
## What Pending Formal Adoption Means for Planning
The Omnibus reached provisional agreement between the European Parliament and Council in May 2026. This is a political agreement, not yet a published regulation. Formal adoption requires a plenary vote in Parliament and a Council decision, followed by publication in the Official Journal.
In practice this means:
- **The original August 2 2026 Annex III date remains the legal baseline until adoption.** If formal adoption slips past August 2, there is a window where the original date would technically apply.
- **Most analysts expect adoption before August 2 2026**, which is why planning around December 2 2027 for Annex III is reasonable. But companies should not treat December 2 2027 as confirmed until the text is published.
- **GPAI obligations are unaffected either way.** August 2 2026 applies regardless of Omnibus status.
- **The four-month Article 50(2) grace period will be counted from the Omnibus publication date** in the Official Journal, not from the provisional agreement. Exact start date will be in the final text.
Do not wait for final adoption to begin preparation. Internal assessments, documentation drafts, and system reviews take months.
---
## What to Do Now
1. **Classify your systems.** Determine whether each AI product you build or deploy falls under GPAI (August 2026), Annex III high-risk (December 2027), both, or neither. Many SaaS products fall into neither category, but you need to confirm this in writing.
2. **Treat GPAI as an immediate priority.** If any model you train or offer via API meets the Article 3(63) definition, your August 2 2026 documentation obligations are eight weeks away as of this writing. Technical documentation and copyright summaries are not trivial to produce.
3. **Do not dismantle Article 5 compliance work.** Those obligations are already in force and were not loosened by the Omnibus.
4. **Start Annex III gap analysis now even with the extension.** December 2027 is 18 months away. Risk management systems, data governance policies, and conformity assessments for high-risk categories typically require 6 to 12 months of internal work. Use the time the Omnibus bought.
5. **Monitor Omnibus formal adoption.** Watch for Official Journal publication, which will confirm the December 2 2027 date, the exact Article 50(2) grace period start, and any last-minute text changes from the final legislative process.
---
## Check Your Obligations
Use the free ActComply risk screener to see which obligations apply to your system: https://www.getactcomply.com/check
The screener maps your product type, use case, and deployment context to specific articles and deadlines, including the GPAI August 2026 requirements, Annex III classification, and Article 5 prohibited practices. It takes under five minutes.