On May 7, the EU Council and European Parliament agreed to amend the EU AI Act. The deal, part of a broader simplification package called Omnibus VII, pushes back the compliance deadlines for high-risk AI systems by roughly 16 months. If you've been telling your board that August 2026 is the date to worry about, that date just moved.
But "moved" is doing a lot of work in that sentence. Some deadlines slid back. Others moved forward. And a few new obligations showed up that didn't exist a week ago.
What the Omnibus VII actually does
The EU AI Act entered into force in August 2024. Its provisions have been rolling out in phases since early 2025. The Omnibus doesn't rewrite the law. It adjusts when certain parts kick in and clarifies a few gray areas that were causing problems during implementation.
The original Commission proposal landed in November 2025. The Council agreed its negotiating position in March 2026. Trilogue negotiations wrapped May 7 with a provisional political agreement. Formal adoption is expected before August 2026, but until it's published in the Official Journal, the original dates technically still apply.
The updated timeline
Two categories of obligations are already live. Prohibited AI practices (social scoring, manipulative AI, untargeted facial scraping) took effect February 2, 2025. General-purpose AI model rules (transparency, copyright, safety obligations for providers of models like GPT and Claude) took effect August 2, 2025. None of that changed.
The big one: high-risk standalone AI systems. HR screening, credit scoring, biometric identification, law enforcement, education access, and the rest of the Annex III use cases. The original compliance date was August 2, 2026. It's now December 2, 2027. That's the 16-month delay that made headlines.
High-risk AI embedded in regulated products (medical devices, machinery, toys, lifts) was originally August 2027. Now August 2, 2028.
Transparency obligations for chatbots, deepfakes, and AI-generated content kept the same base date of August 2, 2026, but the grace period for implementing technical watermarking and labeling got cut from six months to four. The Commission originally proposed a six-month grace period (to February 2, 2027), Parliament pushed for three months, and the trilogue compromise landed at four. The practical compliance date is December 2, 2026. This one moved forward.
AI regulatory sandboxes at the national level: one-year extension to August 2, 2027.
New prohibitions nobody expected
The agreement adds a new category of prohibited AI practices: systems used to generate non-consensual sexual or intimate imagery (NCII) and child sexual abuse material (CSAM). This covers "nudifier" apps and similar tools. Penalties follow the same scale as other prohibited practices: up to 35 million euros or 7% of global annual turnover.
The prohibition takes effect December 2, 2026, which means it arrives faster than the high-risk compliance obligations.
The standards gap nobody's talking about
As of May 2026, no harmonized standards for the EU AI Act have been formally published. Zero. CEN-CENELEC JTC 21 is developing them. The first draft, prEN 18286 for AI quality management systems, went through public comment in late 2025. But a published, Official Journal-referenced standard that would give an organization a "presumption of conformity"? Doesn't exist yet.
The implication is uncomfortable: organizations preparing for high-risk compliance can't point to a standard and say "we followed this." They're working from the Articles themselves, referencing international standards like ISO/IEC 42001 and ISO/IEC 23894, and using Article 41 common specifications as a fallback.
The Omnibus delay to December 2027 gives the standards bodies more runway. But it also means organizations that start compliance work now get to shape their approach before the standards lock in, rather than scrambling to retrofit once they're published.
Small and mid-size companies got a break
The Omnibus extends regulatory exemptions that were previously only for SMEs (under 250 employees) to small mid-cap companies (SMCs). Most post-agreement reporting puts the threshold at up to 500 employees, though the Commission's original proposal used a multi-factor definition (fewer than 750 employees, net turnover of €150 million or less, or balance sheet total of €129 million or less, meeting two of three). The final text hasn't been published yet, so the exact definition may shift. Either way: simplified technical documentation requirements, priority access to a new EU-level AI regulatory sandbox run by the AI Office.
If your organization is in that 250-to-500 employee range, this is worth a closer look.
Sectoral overlap is getting sorted out
One of the messier implementation questions has been what happens when the AI Act overlaps with existing product safety regulations. The Omnibus goes at this directly.
The Machinery Regulation gets a full exemption from direct AI Act applicability. The Commission can instead adopt delegated acts under the Machinery Regulation that add AI-specific health and safety requirements. For medical devices, toys, lifts, and watercraft, a new implementing act mechanism can limit the AI Act's application where sectoral law already covers similar ground.
If you're a medical device manufacturer with AI components, you won't face duplicative compliance regimes. The Commission is also now required to publish guidance helping operators navigate the overlap, which is overdue.
The AI Office is getting more power
The Omnibus gives the AI Office (the EU-level supervisory body) jurisdiction over AI systems where the same company developed both the underlying general-purpose model and the downstream product. That's a meaningful scope expansion.
National authorities keep competence for law enforcement, border management, judicial, and financial institution use cases. The AI Office's full enforcement powers for GPAI providers activate August 2, 2026.
Why "wait and see" is the wrong read
It's tempting to treat a 16-month delay as a 16-month vacation. We're already seeing that reaction from some organizations we talk to. It's a mistake.
Two obligations are already live. If you provide a general-purpose AI model in the EU, you should already be compliant with Chapter V requirements. If you deploy any AI system on the prohibited practices list, that's been enforceable since February 2025.
The December 2026 transparency deadline is seven months away. Any organization deploying customer-facing AI (chatbots, content generators, recommendation engines) needs disclosure and labeling mechanisms in place by then.
And this is still a provisional agreement. Formal adoption is expected by August 2026, but legislative timelines shift. Organizations that used the original August 2026 date as motivation to start are in much better shape than those waiting for the final text.
We've been running EU AI Act Readiness Sprints with clients over the past few months. During these three-week engagements, we inventory your AI systems, classify them under the Act's risk tiers, run a gap analysis against Articles 8-15, produce a remediation roadmap. The organizations that went through this before the Omnibus landed didn't waste their effort. They have 16 extra months of runway to execute a plan they already own.
What happens next
The provisional agreement needs formal endorsement by both the Council and Parliament, then legal-linguistic revision and Official Journal publication. That process typically takes weeks to a few months. If everything tracks, the amended AI Act will be formally adopted before August 2, 2026, which is the general application date for most provisions.
The EU AI Act is doing for AI what GDPR did for privacy: setting the template that everyone else copies or reacts to. Whether you have operations in the EU today or just sell to companies that do, these requirements are heading your way in some form. The only variable is whether you're ready when they arrive.
Echelon Risk + Cyber's Risk Advisory & Compliance services help organizations understand their regulatory obligations, assess their current posture, and build a roadmap they can execute before deadlines arrive. If you're not sure where your organization stands, that's the right place to start.