The EU AI Act Omnibus Deadlines Are Now Fixed
On 16 June 2026 the European Parliament gave its final approval to the digital omnibus on AI, the package of targeted amendments to the EU AI Act that the co-legislators had first agreed on 7 May, carrying it by 423 votes to 57 with 174 abstentions. Only one formal step now remains, adoption by the Council, and because the member states' ambassadors had already cleared the deal in Coreper on 13 May, that step is the kind of formality the Council settles without reopening anything, which means the compliance calendar can now be treated as settled.
If your organisation slowed its preparation in the expectation that Brussels would keep moving the goalposts, the goalposts have stopped, because the high-risk obligations land on 2 December 2027 and 2 August 2028, the content-labelling transition and a new prohibition both fall due on 2 December 2026, and the political room for a further postponement has been exhausted. What follows sets out the fixed calendar, the changes the omnibus actually made, the two of them that most coverage will misjudge, and the work your AI governance programme should begin now.
What the European Parliament just did
The omnibus forms the AI portion of the European Commission's seventh simplification package, proposed on 19 November 2025, and while it postpones the application of several parts of the EU AI Act, it leaves the structure of the law and its risk-based approach standing. Led through Parliament by the rapporteurs Arba Kokalari of the EPP and Michael McNamara of Renew, the text reached this week's plenary on the strength of the 7 May agreement between the Council and Parliament, and McNamara caught its intent in the debate when he described the result as "establishing legal certainty by extending certain timelines while preserving the AI Act's architecture and strengthening protections where possible." That description holds, because the omnibus buys time on the hardest obligations and removes a handful of genuine overlaps without hollowing out the core of the regime.
The timeline has now moved once, and this is the move worth planning around, for reasons that compound. The dates are fixed in the legal text itself, since the Commission had wanted to tie high-risk application to a future readiness decision and Parliament deleted that trigger in favour of hard dates; the first postponement was justified by the absence of harmonised standards and of competent-authority capacity, and the 2027 and 2028 dates were negotiated precisely to absorb that gap, so the same argument cannot be made a second time without discrediting it; and reopening the file would force the institutions to concede that their simplification flagship had failed, an admission no incoming Council Presidency wishes to inherit. The practical consequence is that 2 December 2027 should be treated as a hard date, and the colleague who has been deferring governance investment on the assumption of indefinite delay now needs a different conversation.
The EU AI Act deadline calendar after the omnibus
The compliance calendar rests on a short sequence of dates, of which the general application date remains 2 August 2026 while the nearest omnibus-specific deadline falls on 2 December 2026, comfortably ahead of the high-risk dates that arrive in 2027 and 2028.
| Date | Obligation |
|---|---|
| Already in force | Article 5 prohibitions, Article 4 AI literacy, Chapter V obligations for general-purpose AI models |
| 2 August 2026 | Most EU AI Act provisions begin to apply, including Article 50(2) transparency for newly placed systems |
| 2 December 2026 | Article 50(2) labelling for systems on the market before 2 August 2026, and the new ban on nudifier and CSAM-generating systems |
| 2 December 2027 | High-risk obligations apply to stand-alone Annex III systems |
| 2 August 2028 | High-risk obligations apply to AI embedded in Annex I regulated products |

The transparency rule on AI-generated content under Article 50(2) applies from 2 August 2026 to systems newly placed on the market, while systems already on the market before that date are given until 2 December 2026 to comply. The new prohibition on nudifying tools shares that December deadline, so the work it demands is engineering against a fixed date, and the teams that mistake December 2026 for a 2027 problem will find themselves short.
What the omnibus actually changed
Nine changes matter. Four require action now: the fixed dates, the labelling deadline, the new Article 5 prohibition, and the registration obligation. The rest narrow scope at the edges or ease documentation.
- High-risk dates are now fixed. The obligations apply to stand-alone Annex III systems from 2 December 2027, and to AI embedded as a safety component in regulated Annex I products from 2 August 2028. The Commission had proposed tying these to a future decision confirming that compliance support was available, with those dates as a backstop. Parliament deleted the conditional mechanism and fixed the dates outright, and the final deal kept them fixed.
- Content labelling moves to 2 December 2026. Providers of systems generating synthetic audio, image, video or text placed on the market before 2 August 2026 must meet the Article 50(2) transparency obligation by that date.
- A new Article 5 prohibition bans AI systems that generate child sexual abuse material or non-consensual intimate and sexual imagery of an identifiable person, with a compliance deadline of 2 December 2026.
- Machinery products leave the AI Act high-risk track. AI-enabled machinery now complies with the Machinery Regulation alone, at an equivalent level of health and safety. The Commission must add the AI-specific health and safety requirements through delegated acts amending the Machinery Regulation's own annex.
- The "safety component" definition is tighter. AI that only assists a user or optimises performance is no longer automatically high-risk where its failure or malfunction poses no risk to health or safety.
- Bias correction has a clearer legal basis. Providers and deployers may process special categories of personal data where strictly necessary to detect and correct bias, with safeguards, in both high-risk and non-high-risk systems.
- Relief extends to small mid-caps. SME exemptions and the simplified documentation process now reach small mid-cap enterprises alongside SMEs.
- The registration obligation survives in streamlined form for self-assessed non-high-risk systems, with reduced content under Section B of Annex VIII. The next section returns to it, because it is the change most coverage gets wrong.
- General-purpose AI enforcement is streamlined. Enforcement of certain general-purpose AI systems is streamlined within the AI Office, and the general-purpose AI model obligations are otherwise unchanged.

To the question every reader asks first, whether the high-risk scope has shrunk, the honest answer is that it has, though by less than the headlines imply, since the machinery carve-out and the narrower safety-component test move some product AI out of automatic classification while every stand-alone Annex III category, from employment and education through credit, biometrics, critical infrastructure, law enforcement, justice and migration, stays exactly where it was. If your system is a stand-alone Annex III use case, then, nothing about your classification has changed; if instead you build AI-enabled regulated products, your conformity path for machinery now runs through sectoral law and through delegated acts that do not yet exist, which is reason enough to open the conversation with the relevant Directorate-General now.
What most coverage will get wrong
Two facts sit beneath the "EU simplifies the AI Act" headline, and both run against the prevailing story of relief. The first concerns registration, where the Commission's proposal would have deleted the obligation to enter self-assessed non-high-risk systems in the EU database, and where several summaries have duly reported that deletion as the outcome; that, however, is a description of the Commission's proposal, and the adopted text does the opposite, because Parliament struck the deletion and kept the obligation, streamlining the content required under Section B of Annex VIII, and the final deal preserved it. Parliament's own wording is unambiguous, holding that "it remains crucial for effective market surveillance and public accountability that such AI systems are registered in the EU database", and the effect is to turn a private classification decision into a registered one, so that a provider who concludes its HR, credit, education or biometric-adjacent system falls outside high-risk under Article 6(3) must file that conclusion in a database where the national authorities and the AI Office can see it, and the quiet strategy of classifying out of scope and saying nothing no longer functions.
The second fact concerns the labelling deadline, which the Commission had wanted to push out to 2 February 2027 and which the adopted compromise instead brings forward to 2 December 2026, fully two months ahead of the proposal on the table, so that a package sold as simplification has in this instance tightened a deadline, and anyone who treats "simplification" as additional time to label AI output has the timing backwards.
The nudifier ban and the new transparency clock
The new Article 5 prohibition belongs to the most severe category the EU AI Act recognises, the tier of prohibited practices, and it shares its 2 December 2026 deadline with the content-labelling rule. It reaches AI systems that generate child sexual abuse material, together with systems that create images, video or audio depicting an identifiable person's intimate parts or sexual activities without that person's consent, and it binds providers and deployers alike, a breadth McNamara underlined in the debate when he observed that these systems "impact real people, overwhelmingly women."
The prohibition is not without limit, since it does not reach providers or deployers who have put effective safety measures in place to prevent such output and to forestall misuse on a continuing basis, and it leaves providers free to develop legitimate capabilities. The implication for any team that builds, fine-tunes, hosts or deploys generative image, video or audio models is therefore direct: a plausible route to this kind of output, unaccompanied by effective preventive controls, is exposure at the highest penalty tier, which runs to €35 million or 7% of total worldwide annual turnover, whichever is greater. The sensible response is to audit input and output filtering, abuse-prevention controls and misuse monitoring against the safe-harbour standard, and to document that work, well before 2 December 2026.
How the omnibus fits ISO 42001 and NIST AI RMF
The dates have moved, yet the governance work beneath them has not, because risk management, data governance, technical documentation, record-keeping, human oversight and post-market monitoring are the substance of Articles 9 to 15 and Article 72 of the EU AI Act, and they map without much friction onto an ISO 42001 management system and the functions of the NIST AI RMF; none of that is reset when a deadline shifts, so a programme anchored to ISO 42001 will hold whatever clock the institutions eventually settle on, and it will already be producing the evidence that a conformity assessment demands.
That evidence base travels well beyond the Union, since a programme built for the EU covers most of what US state regimes such as Colorado's SB 189 expect, and since the EU AI Act reaches providers and deployers established outside the Union wherever the output of their AI is used inside it, which makes the exposure real even for an organisation with no European establishment. Consolidating the evidence for the EU AI Act, ISO 42001, the NIST AI RMF, NIS2 and DORA into a single pipeline is, on any reasonable accounting, more efficient than maintaining several in parallel, and where procurement is already under way, the question worth putting to any platform is whether it can serve all of these regimes from one evidence pipeline, a comparison we set out in our overview of the best AI governance platforms.
What to do this week, this month, this quarter
This week, re-anchor the programme to 2 December 2027 for Annex III and to 2 August 2028 for Annex I, put a single accountable owner in writing, confirm the provider and deployer roles for every system in scope, and, for any system you might be minded to self-assess as non-high-risk, document the reasoning to the standard you would be willing to file in the EU registration database, since that is now the standard against which it will be judged.
This month, run a gap assessment against Articles 9 to 15 for the systems classified as high-risk; begin the synthetic-content engineering that Article 50(2) requires from 2 August 2026 for new systems and from 2 December 2026 for those already on the market, covering machine-readable provenance and watermark metadata, visible labelling in the interface and detection tooling; audit your generative image, video and audio products against the new Article 5 safe harbour with documented input and output filters, adversarial abuse cases and misuse monitoring; and engage the notified-body queue for any Annex I products, because the overlap has shrunk while the conformity assessment itself has not gone away.
This quarter, stand up the streamlined registration pipeline for Annex VIII Section B, map each of your Article 9 to 15 controls onto the corresponding ISO 42001 clauses and assign an evidence owner to each, and consolidate the multi-framework evidence into a single source of truth, so that the next change of deadline is met with a reconfiguration instead of a rebuild.
The bottom line
The EU AI Act has been delayed once, and on any basis worth planning around it will not be delayed again, which leaves a fixed calendar of 2 December 2026 for the content-labelling transition and the nudifier ban, 2 December 2027 for stand-alone high-risk systems, and 2 August 2028 for high-risk AI embedded in regulated products. The governance work is the same as it was on 6 May, and the only thing that has changed is that the clock is now binding.
Modulos builds AI governance programmes that deliver EU AI Act readiness against these dates while holding across ISO 42001, the NIST AI RMF, NIS2 and DORA in a single evidence pipeline, and if you would like to map your AI inventory against the new calendar and the obligations that follow from it, request a demo and we will walk you through it.
Frequently asked questions
Has the EU AI Act been delayed again? It has been delayed once, through this omnibus, and that single postponement is the one to plan against, because Parliament adopted the text on 16 June 2026 and set high-risk application at 2 December 2027 for stand-alone Annex III systems and at 2 August 2028 for AI embedded in regulated products, leaving only the Council's formal adoption outstanding while the dates already serve as the operative planning baseline.
When do EU AI Act high-risk rules apply now? They apply to stand-alone high-risk systems under Annex III from 2 December 2027 and to AI embedded as a safety component in products under Annex I from 2 August 2028, and most of the remaining provisions continue to apply from 2 August 2026.
Did the omnibus delete the registration obligation for non-high-risk systems? It did not, for although the Commission proposed deleting the obligation, Parliament kept it and merely streamlined the content required under Section B of Annex VIII, with the result that a provider who self-assesses an Annex III-adjacent system as non-high-risk must still register it and stand behind that classification.
What is the EU AI Act nudifier ban? It is a new prohibition under Article 5 that reaches AI systems generating child sexual abuse material, along with systems that create images, video or audio depicting an identifiable person's intimate parts or sexual activities without consent, and it binds providers and deployers, carries a safe harbour for systems with effective preventive safeguards, and applies from 2 December 2026.
