The deadline map is settled. The EU Digital Omnibus political agreement, reached on May 7, established four enforcement dates across three compliance tracks. What hasn’t settled is what compliance teams at SMEs and GPAI providers are actually supposed to do before December 2 – and the clock on that question is ticking faster than most planning timelines assume.
This brief doesn’t re-explain the Omnibus. For background on the full political agreement, see our three-pathway compliance framework and the August 2026 deadline explainer. What this brief covers is narrower: the two provisions that compliance conversations have largely skipped past.
The four-deadline map in brief
Four dates govern EU AI Act enforcement after the Omnibus. December 2, 2026 covers two obligations: the nudifier prohibition (AI systems generating non-consensual intimate images) and the GPAI synthetic content marking requirement for providers who placed systems on the market before August 2, 2026. December 2, 2027 is the Annex III enforcement date – use-based high-risk AI in categories like biometrics, critical infrastructure, employment, and law enforcement. August 2, 2028 covers Annex I product-regulated high-risk systems, the date that rarely appears in compliance briefs and was catalogued as such in our earlier compliance program analysis. The nudifier prohibition has received substantial coverage. The GPAI marking deferral and the SME documentation relief have not.
The SME provision: what reportedly changed
According to the Omnibus text, technical documentation requirements are reportedly simplified for small and mid-cap companies, though the precise scope conditions should be verified against the final published amendment. The EU AI Act’s technical documentation standard – Article 11 and Annex IV – is demanding: providers of high-risk AI systems must maintain documentation covering system architecture, training data, validation procedures, and performance monitoring. For smaller organizations without dedicated compliance infrastructure, that’s a material resource burden.
The Omnibus simplification reportedly reduces what small and mid-cap providers must prepare, but “simplified” isn’t defined by the summary alone. Compliance teams at SMEs should identify now whether they qualify under the EU AI Act’s SME definition (generally, fewer than 250 employees and annual turnover under €50 million, per standard EU SME criteria – though the AI Act’s specific application of these thresholds should be confirmed from the amendment text). If they do qualify, they shouldn’t build a full Annex IV documentation package before confirming what the simplified standard actually requires. That’s not a reason to delay – it’s a reason to read the provision before committing to a documentation scope that may be larger than required.
The catch is that “simplified” documentation isn’t “no” documentation. SME providers who assume the relief eliminates their obligations entirely will find out otherwise when they face a conformity assessment or regulatory inquiry. The Omnibus appears to reduce friction, not remove requirements.
The GPAI marking deferral: who it actually covers
Unanswered Questions
- Does the SME documentation simplification apply to fine-tuned models built on third-party foundations, or only to original-development providers?
- Which technical standard will the EU AI Office designate for Article 50 synthetic content marking, and when will that guidance publish?
- How does the 10²⁵ FLOP threshold apply to providers whose model compute crossed the line after the original market placement date?
The GPAI synthetic content marking requirement is where the planning gap is sharpest. The Omnibus reportedly defers the synthetic content marking obligation to December 2, 2026 for GPAI providers who placed systems on the market before August 2, 2026, per the political agreement text. That framing matters more than it sounds.
Providers who launched GPAI systems – large language models, image generators, multimodal tools – before August 2 are in the deferral window. They don’t face an August 2026 marking obligation. They face a December 2026 one. That’s not a gift; it’s a compressed ramp. Building and deploying synthetic content marking infrastructure – technical watermarking, disclosure labeling, metadata standards – in six months requires planning that should have started already.
What does the marking requirement actually require? The EU AI Act’s transparency obligations for GPAI outputs, under Article 50, require that AI-generated content be marked in a machine-readable format. Approved technical standards for that marking don’t yet exist at the level of specificity needed for implementation. Providers facing the December deadline are building to a requirement whose technical specification is still developing. That’s a real planning constraint, and it’s worth raising with legal counsel and engineering teams now rather than in October.
The Epoch AI dimension
The compute context around the December 2026 GPAI deadline has shifted materially since the original compliance guidance was drafted. Per Epoch AI’s May 7 compute tracking data, the number of models above the EU AI Act’s systemic risk threshold – 10²⁵ floating-point operations – has more than doubled. The threshold matters because it triggers the most demanding GPAI obligations under Article 51: adversarial testing, cybersecurity measures, incident reporting, and energy efficiency reporting.
When the original compliance guidance was written, the population of threshold-crossing models was smaller. It’s not smaller now. GPAI providers who conducted a threshold assessment in early 2025 and concluded they weren’t in scope should run that assessment again. Compute scaling has moved the line.
The implication isn’t abstract. A provider whose most capable model crossed the threshold in the past six months is now subject to systemic risk obligations they weren’t planning for – and the December 2026 date doesn’t give them more time. It gives them the same deadline as providers who’ve been planning since the Act entered force.
What to watch
Omnibus Planning Actions by Provider Type
- GPAI providers: confirm market placement date relative to August 2, 2026 cutoff
- GPAI providers: begin synthetic content marking technical scoping for December 2 deadline
- SME providers: confirm qualification under EU SME definition (under 250 employees, under €50M turnover)
- SME providers: verify simplified documentation scope against published Omnibus amendment text before building full Annex IV package
- All GPAI providers: re-run compute threshold assessment against Epoch AI current data
- Product-regulated providers: integrate August 2, 2028 Annex I date into multi-year compliance roadmap
Verification
Partial EU Digital Omnibus political agreement (europa.eu); Epoch AI compute tracking (May 7, 2026); Latham & Watkins client alert SME documentation simplification scope and GPAI marking pre-launch threshold are characterized from political agreement summaries, verify against final published amendment text before compliance decisionsThree things deserve active monitoring between now and December 2026.
First, the final published Omnibus amendment text. The political agreement is settled; the formal legislative text is the governing document. Compliance programs built on summarized characterizations of the agreement – including this brief – should be reconciled against the actual published language. The europa.eu publication is the authoritative source.
Second, EU AI Office technical guidance on synthetic content marking. The marking requirement exists; the approved technical standard is pending. The AI Office’s guidance publications on Article 50 implementation will determine whether providers can build to a standard now or must wait for specifications to crystallize.
Third, Epoch AI’s compute tracking updates. If the threshold-crossing model count has doubled once, it will cross again. GPAI providers with models approaching 10²⁵ FLOPs should build threshold monitoring into their compliance program, not treat it as a one-time check.
TJS synthesis
The Omnibus gave compliance teams a cleaner calendar. It didn’t give them more time. The December 2026 deadline covers two distinct obligations – nudifier prohibition and GPAI marking – for two distinct provider populations, and the SME relief creates a third planning variable for smaller organizations who need to understand what they’re actually exempt from before they decide what to build. The real question is whether compliance programs are planning to the right version of the deadline map or the simplified version that circulated in the first week after the political agreement. Six months moves faster when technical standards are still being written.