EU AI Act omnibus: high-risk deadlines slip to 2027, but the August transparency cliff remains

What the omnibus actually changes

The EU AI Act entered into force in August 2024 with a staggered rollout designed to give providers time to build conformity-assessment pipelines. By late 2025, implementation was visibly behind: technical standards for high-risk systems were incomplete, member states had not finished designating national competent authorities, and industry groups warned that enforcing Annex III rules on schedule would produce paperwork without safety gains. The Commission responded in November 2025 with the Digital Omnibus, initially proposing a conditional delay mechanism. Trilogue talks stalled on 28 April, then resumed; negotiators closed on 6 May, with Council confirmation on 13 May.

The agreed text replaces the conditional trigger with fixed dates. Stand-alone high-risk systems under Annex III — covering biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and democratic processes — must comply by 2 December 2027. AI safety components embedded in products already regulated under EU sectoral law (Annex I: machinery, toys, medical devices, vehicles) shift to 2 August 2028. The deal also:

• Bans “nudifier” apps — AI that generates non-consensual intimate imagery or child sexual abuse material, with a transitional period until 2 December 2026. Providers of general-purpose image and video generators must assess foreseeable misuse at design time, not only when users request harmful outputs.
• Grants a watermarking grace period — systems placed on market before 2 August 2026 get until 2 December 2026 to embed machine-readable markers in AI-generated content under Article 50(2).
• Softens AI literacy rules — providers and deployers must support staff literacy development rather than guarantee a specific competency level.
• Expands EU AI Office powers — exclusive supervision over GPAI-integrated systems from same-provider developers and VLOP-integrated AI; new investigation and fine authority.
• Postpones regulatory sandboxes — member-state sandbox establishment moves from August 2026 to August 2027.

Parliament and Council still need formal adoption and Official Journal publication before amended dates bind legally. Gibson Dunn expects that before 2 August 2026. Until publication, the original statutory dates technically remain on the books — a nuance compliance officers should not treat as permission to stop work.

The August 2026 cliff that did not move

The most under-reported line in Brussels press releases: Article 50 transparency obligations proceed largely as scheduled from 2 August 2026. That means providers must tell users when they are interacting with an AI system (chatbots, deepfake-capable tools, emotion-recognition interfaces) and, for AI-generated text, audio, image, or video meant to inform the public on matters of public interest, disclose synthetic origin. The Commission published draft guidance on these obligations on 7 May, the same day Parliament announced the omnibus deal — signaling that transparency enforcement is not being traded away for political calm on high-risk delays.

For consumer-facing AI products shipping globally, August is the nearer deadline than December 2027. ChatGPT, Gemini, Claude, Copilot, and the Siri reboot Apple is expected to preview at Monday’s WWDC keynote all serve EU users. Labeling AI interactions and marking synthetic media is product work, not a conformity-assessment back-office project. The four-month watermarking grace for legacy systems helps incumbents with large installed bases; new features launched after August still face the full Article 50 stack unless further guidance narrows scope.

The nudifier ban adds a separate front-door prohibition with its own December 2026 transition. Image and video model providers cannot wait for high-risk Annex III clarity; Article 5 unacceptable-risk rules are tightening now. That intersects directly with OpenAI’s Lockdown Mode rollout and enterprise security posture: Brussels is legislating misuse outcomes while vendors ship feature kill-switches for exfiltration risk. Different problems, same quarter.

Why standards delay forced Brussels’ hand

High-risk AI compliance under the EU AI Act was never meant to be self-certification by vibes. Providers need harmonized standards, notified-body capacity, and national authority registration workflows. The Council’s own negotiating document, cited in Gibson Dunn’s alert, acknowledges that delayed preparation of standards and delayed establishment of governance and conformity assessment frameworks created a heavier-than-expected compliance burden without improving safety outcomes. Postponement is an admission that the legislative engine outran the standards bodies — CEN-CENELEC work on AI risk management was not going to finish before factories and HR departments needed audit-ready documentation.

The deferral is pragmatic, not ideological. The risk-based architecture, prohibited practices, GPAI model obligations (already live since August 2025), and governance structure stay intact. EU officials explicitly framed the omnibus as simplification without dismantling, per Parliament’s press release. Compare that to Washington, where the bipartisan Great American AI Act draft would freeze new state AI development laws for three years while mandating semi-annual frontier-model audits. The Atlantic regulatory split is widening in real time: Europe delays operational deadlines while keeping the rulebook; the US debates whether states should write rules at all.

For multinationals, that divergence is expensive. A recruitment-AI vendor might get until late 2027 for full Annex III conformity in the EU while still facing California employment AI transparency rules and federal audit proposals in parallel. Legal teams cannot optimize for one jurisdiction; product and policy teams must map overlapping disclosure, bias-testing, and documentation requirements across both regimes. The omnibus reduces one cliff; it does not simplify the map.

Winners, losers, and the WWDC test case

Winners from the delay: HR-tech and fintech AI vendors with Annex III deployments; medical-device manufacturers embedding AI under Annex I; companies mid-build on risk-management systems who lacked notified-body slots. They gain 16–24 months to align technical documentation with emerging standards rather than shipping placeholder compliance theater in August.

Not off the hook: Any provider shipping chatbots, synthetic media tools, or emotion-recognition features to EU users before August. GPAI model providers already live under Articles 51–56. The EU AI Office’s expanded enforcement toolkit — on-site inspections, binding commitments, fines — targets the foundation-model layer that powers consumer assistants, not just niche B2B verticals.

Apple arrives at WWDC as the live test case. Reporting that Siri will route complex queries through Google Cloud and Nvidia confidential compute raises exactly the data-processing questions EU regulators ask: who is controller, who is processor, where does inference occur, what gets logged. A three-tier privacy story may satisfy Cupertino’s keynote audience; it must also satisfy Article 50 disclosure and, eventually, high-risk assessments if Siri touches employment screening integrations or biometric categorization in enterprise SKUs. The omnibus delay does not delay DMA scrutiny of the Google partnership itself.

OpenAI and Anthropic, both racing toward IPO windows analyzed in our mega-IPO reality-check piece, face S-1 risk-factor sections that must describe EU compliance timelines credibly. Postponed high-risk dates help the narrative; August transparency does not. Investors reading prospectuses this summer should watch whether companies treat the omnibus as “problem solved” or “problem sequenced.”

What to watch through August

Three dates anchor the near-term calendar:

• Before 2 August 2026 — Formal adoption and Official Journal publication of the omnibus. Until then, treat amended dates as politically agreed but not legally operative.
• 2 August 2026 — Article 50 transparency obligations apply for in-scope systems; Commission guidance should be finalized or near-final.
• 2 December 2026 — Watermarking grace ends for pre-August systems; nudifier-ban transitional period ends; new Article 5 prohibition fully effective.

Longer horizon: 2 December 2027 for Annex III high-risk systems; 2 August 2028 for Annex I embedded AI. Organizations that use the delay to pause compliance programs will repeat the 2025–2026 scramble with less sympathy from regulators who already granted an extension once.

The EU AI Act was supposed to be Brussels’ answer to “move fast and break things.” The omnibus proves the law can move — but only on the deadlines implementation could not meet. Transparency in eight weeks is the line Europe did not cross. For anyone building AI that touches European users, that is the deadline that still counts.