The deal is done. Under the political agreement reached on May 7, 2026, the EU’s Digital Omnibus restructures the AI Act compliance timeline into three tiers, and the tier that gets the least attention carries the earliest deadline.
Per coverage from IAPP, the agreement is now pending Official Journal publication before it becomes enacted law. That distinction matters. What compliance teams are working from right now is a political agreement, not a finalized legislative text, and the OJ publication timeline introduces real uncertainty into any planning process.
Here’s what the agreement provides for, pending that publication.
GenAI providers face two obligations with a December 2, 2026 effective date. The first is a requirement to mark AI-generated content (watermarking). The second is a prohibition on AI systems designed to generate non-consensual intimate imagery (NCIM) and child sexual abuse material. Under Wilson Sonsini’s analysis of the agreement, these two obligations arrive before most GenAI providers had scoped them into their 2026 compliance roadmaps.
That’s the planning problem.
Timeline
Organizations deploying standalone high-risk AI systems under Annex III get more runway. Under the agreement, that deadline moves to December 2, 2027, extended from the previously anticipated August 2026 date. High-risk AI embedded in regulated products under Annex I gets even more time: August 2, 2028.
The practical effect is a compliance calendar that now looks nothing like what teams were working from six months ago.
Why it matters depends on which tier you’re in. If your system falls under Annex III standalone, the December 2027 extension is welcome news, but it doesn’t mean you stop work. Documentation, conformity assessments, and risk management systems don’t assemble themselves in the final months. Analysis from Travers Smith suggests that the extension changes the delivery date, not the volume of work required.
If you’re a GenAI provider, the December 2026 obligations demand immediate attention. The watermarking requirement in particular may require technical implementation work that has a long lead time.
The OJ caveat isn’t a loophole. The political agreement reflects the consensus text. Significant changes before formal publication are possible but not historically common at this stage. Planning against these dates now is the prudent path, while flagging that the operative legal obligations don’t exist until the text is published in the Official Journal. Don’t expect that to change quickly.
Unanswered Questions
- Has the EU AI Office confirmed its enforcement readiness for the December 2, 2026 deadline?
- Will the Official Journal publication date shift any of these deadlines before they become law?
- Does the NCIM prohibition cover AI tools that could generate such imagery as a secondary capability, or only systems designed for that purpose?
Prior TJS coverage on the August 2026 deadline shift documented the earlier uncertainty around Annex III timelines. The May 7 agreement resolves that uncertainty and replaces it with a new one for GenAI providers, who now own the earliest hard date in the structure. It isn’t subtle.
The real question is whether the EU AI Office can actually stand up enforcement infrastructure for the December 2026 obligations in seven months. That question doesn’t have a public answer yet. That’s the shift.
Don’t expect the compliance calendar to stabilize further before OJ publication. Watch for the Official Journal date as the trigger for finalizing any internal compliance roadmap that depends on these deadlines.