Twelve models. That’s the number Epoch AI’s compute tracking puts above the EU AI Act’s systemic risk FLOP threshold right now. And per the Omnibus political agreement, those models just got their compliance clock confirmed: December 2, 2027 for Annex III high-risk obligations, per the political agreement’s text as analyzed by legal counsel tracking the deal.
The Omnibus didn’t remove the requirement. It set the date.
That distinction matters for planning. The original August 2026 deadline left compliance teams in a holding pattern, the political agreement was in flux, the Annex III scope was disputed, and the Conformity Assessment requirements hadn’t been finalized. None of that uncertainty justified inaction, but it did justify deferring some program architecture decisions. With December 2, 2027 now the working deadline per the agreement, those deferrals have a shelf life.
Two deadlines, not one, define the Omnibus compliance structure. The first is sooner. Per law firm analysis of the agreement, watermarking requirements for AI-generated content are expected to apply from December 2, 2026, roughly 18 months from now, targeting providers of general-purpose AI systems whose outputs reach consumers. The prohibition on “nudifier” applications generating non-consensual intimate imagery carries the same expected effective date, per analysis of the agreement’s prohibited practices provisions. Neither deadline has the force of final published law yet; both should be treated as working targets for compliance planning purposes.
The 18-month window for Annex III looks workable until you list what it covers: conformity assessments, technical documentation, post-market monitoring systems, human oversight mechanisms, and EU database registration for high-risk systems across categories including biometrics, education, employment, law enforcement, and critical infrastructure. For a well-resourced compliance team starting today, that’s tight. For a team that’s been waiting for the final text, it’s genuinely short.
The catch is that the Omnibus is still a political agreement, not a published regulation. Formal entry into force follows a separate legislative process, and the text remains subject to final refinement. Compliance teams that treat December 2, 2027 as a hard deadline for program completion won’t regret it. Teams that use the pending final text as a reason to wait may find the runway considerably shorter than it appears today.
Verification
Partial Law firm analysis of Omnibus political agreement (Latham & Watkins); Epoch AI compute tracking Deadline dates are per political agreement, not yet final published law. 12-model count sourced to Epoch AI blog. Treat as working compliance targets pending official text.Who This Affects
The Epoch AI figure anchors the compliance urgency to something concrete. Twelve models above the systemic risk threshold means twelve sets of providers, and potentially far more deployers, who’ll need to comply with the GPAI systemic risk framework regardless of Annex III’s exact scope. The political agreement creates two distinct compliance tracks on two distinct timelines, and the organizations in both tracks are already identifiable.
The real question is whether compliance teams treat the confirmed timeline as the starting gun or the finish line. The ones treating it as a finish line are behind.