EU AI Act Digital Omnibus: Three-Deadline Compliance Map After Political Agreement

May 9, 2026 3 min read Wilson Sonsini Goodrich & Rosati Partial Very Weak

Tech Jacks Solutions AI News Coverage

EU legislators have reached a political agreement on the Digital Omnibus package amending the EU AI Act, reportedly extending key high-risk compliance deadlines while new prohibitions on AI nudification apps take effect. The agreement is not yet binding law, Official Journal publication remains the legal trigger.

GPAI models above threshold, 30+

Key Takeaways

EU legislators reached a political agreement on the Digital Omnibus amending the EU AI Act, not yet binding law; Official Journal publication is the legal trigger
Annex III high-risk AI compliance reportedly moves to December 2, 2027; Annex I embedded systems to
August 2, 2028, both per T2 legal analysis, pending OJ confirmation
Transparency/watermarking deadline direction is unconfirmed, some analysis suggests it may have shortened to December 2026, which would tighten near-term obligations for GenAI providers
Epoch AI tracking (May 8) shows 30+ models now above the EU AI Act's 10^25 FLOP systemic risk threshold, up from approximately 12 in late April, the GPAI registry pressure point is accelerating

Timeline

2026-05-08 Political agreement reached on Digital Omnibus (not yet binding)

2026-12-02 Transparency/watermarking deadline, reported, direction UNCONFIRMED

2027-12-02 Annex III high-risk AI compliance, reported, pending OJ

2028-08-02 Annex I embedded product AI compliance, reported, pending OJ

Warning

These deadlines reflect reported terms of a political agreement. They are not yet binding law. The EU Official Journal publication is the legal trigger. Consult the official text and qualified legal counsel before adjusting compliance programs.

Verification

Partial T2 law firm analysis (Wilson Sonsini, DLA Piper, isms.online) Deadlines sourced from legal analysis, not primary EU Official Journal text. Transparency deadline direction (shortened vs. extended) could not be verified, treat as unconfirmed.

The political agreement is done. The law is not.

EU legislators have agreed on the Digital Omnibus package amending the EU AI Act, according to legal analysis from Wilson Sonsini Goodrich & Rosati and DLA Piper. The deal restructures compliance timelines for two categories of high-risk AI systems and confirms explicit prohibitions on AI nudification applications and tools that generate child sexual abuse material. But the agreement is a political one. The binding legal trigger is publication in the EU Official Journal, and that publication has not been confirmed as of this reporting date.

That distinction matters. Compliance teams who treat the political agreement as enacted law may mistime their programs. Those who ignore it entirely face the same risk from the opposite direction.

What the agreement reportedly changes:

Stand-alone high-risk AI systems, Annex III systems covering recruitment tools, biometric identification, access to essential services, critical infrastructure, and law enforcement applications – reportedly move to a compliance deadline of December 2, 2027, according to analysis from Wilson Sonsini and isms.online’s compliance guidance. The prior operative deadline was August 2, 2026. If confirmed, that’s roughly 16 additional months for organizations deploying standalone high-risk systems.

Who This Affects

Annex III Compliance Teams (Recruitment, Biometrics, Critical Infrastructure)

Reported deadline moves to December 2, 2027, use the runway for risk assessments and technical documentation, not to delay. Do not reschedule conformity assessment appointments until OJ publication is confirmed.

Annex I Embedded Product Teams (Medical Devices, Machinery)

Reported deadline is August 2, 2028, hardware certification dependency planning can proceed, but legal basis is not yet confirmed.

GenAI Providers (Transparency and Watermarking)

The watermarking deadline direction is unconfirmed. Treat the prior August 2026 provisions as operative until OJ publication confirms otherwise. If the shortened December 2026 date proves accurate, near-term obligations are tighter than the Annex III extension suggests.

Models above EU AI Act 10^25 FLOP systemic risk threshold

30+

Up from approximately 12 in late April 2026, per Epoch AI tracking (May 8, 2026)

+150%

AI systems embedded in regulated products, Annex I systems covering medical devices, machinery, civil aviation equipment, and similar hardware-integrated applications, reportedly move to August 2, 2028, per DLA Piper’s analysis. Embedded systems have always had the longest runway given their hardware certification dependencies. This deadline reflects that complexity.

The nudification prohibition and the CSAM generation ban were previously covered here on May 7. The Omnibus agreement confirms those prohibitions. They are not new introductions in this cycle.

The transparency deadline question:

Some analyses suggest the transparency and watermarking deadline, governing AI-generated content labeling, may have been shortened to December 2, 2026. This could not be independently confirmed against primary EU text. The claim derives from secondary analysis that could not be verified for this report. Compliance teams should treat the previously published August 2026 watermarking provisions as operative until Official Journal publication is confirmed. If the December 2026 date proves accurate, GenAI providers in EU scope will have less runway than previously assumed, not more.

The compute pressure context:

Epoch AI’s compute tracking as of May 8 shows more than 30 models now exceed the 10^25 FLOP threshold the EU AI Act uses to define systemic risk for general-purpose AI. That count was approximately 12 as recently as late April. The extended Annex III deadline gives compliance teams more time on high-risk system certification. It gives the EU AI Office less time to administer a GPAI registry that is growing faster than the original timeline anticipated.

What to watch:

Official Journal publication is the event that matters. That’s when these deadlines become law. Watch for the EU Commission’s press release confirming OJ publication and the accompanying entry into force date. Compliance teams should not restructure programs around reported deadline dates until that confirmation arrives. The second thing to watch: the transparency deadline direction. If primary EU text confirms a shortened watermarking window, GenAI providers face a tighter near-term obligation than the Annex III extension suggests.

TJS synthesis:

The Omnibus deal gives most compliance teams the runway extension they needed for high-risk certification, but it does so in a political-agreement form that creates its own compliance risk. Acting too early on unconfirmed deadlines is almost as costly as acting too late. The useful question isn’t “what are the new deadlines?” It’s “what can we complete before OJ publication that holds value regardless of which deadline proves accurate?” Risk assessments, technical documentation drafts, and vendor questionnaires all qualify. Conformity assessment scheduling does not.

More coverage of European Union

Regulation Deep Dive May 9

EU AI Act Digital Omnibus: What Compliance Teams Must Do Differently Across Three Deadline...

View Source

More Regulation intelligence

View all Regulation

Deep Dive Available EU AI Act Digital Omnibus: What Compliance Teams Must Do Differently Across...

Gallery

Contacts