The provisional agreement is signed. The amending text is published. What hasn’t happened yet, for most compliance teams, is the unglamorous work of mapping those amendments against the specific obligations in their existing programs.
That’s the gap this piece addresses.
The EU AI Act’s Digital Omnibus amendment package, reached by EU institutions around May 27, 2026, restructures the regulation across three dimensions: deadline extensions for high-risk system obligations, reduction of overlap with existing sectoral legislation, and new Article 5 prohibitions on non-consensual AI-generated content. The hub’s coverage from May 22 through May 30 tracked those changes as they developed, the provisional agreement, the amending text publication, the sectoral relief detail. What that coverage didn’t do, because it was tracking a moving target, is stop and build a static compliance map: which specific obligations now look different, for which organization types.
That’s what this piece is.
How the Omnibus Splits the Compliance Landscape
The EU AI Act was never a single compliance program. It was always three compliance tracks that happened to live in one regulation.
The first track covers general-purpose AI models, the large foundation models and model families that GPAI providers offer through APIs or integrated products. The EU Commission’s regulatory framework has consistently treated GPAI obligations as distinct from the high-risk system requirements that dominate most compliance conversations. The Digital Omnibus affects this track primarily through sectoral realignment: reducing the overlap between AI Act GPAI obligations and existing frameworks, including GDPR data processing requirements and sector-specific rules in financial services and healthcare. What that realignment means in practice is that GPAI providers operating across regulated sectors can stop trying to reconcile conflicting documentation requirements between the AI Act and those sectoral frameworks, the omnibus created alignment. But it didn’t eliminate GPAI-specific obligations. Article 50 transparency requirements and the GPAI code of practice remain operative.
The second track covers high-risk AI system deployers, organizations using Annex III systems in employment screening, credit assessment, educational access, law enforcement support, or other designated high-risk domains. This is the track where the omnibus deadline extensions land hardest. According to legal analysis from Latham & Watkins, EU lawmakers agreed to extend these deadlines as part of the omnibus package. What the specific new dates are couldn’t be confirmed from source content available to this package, that information requires retrieval of the full Latham & Watkins analysis and the Inside Global Tech coverage from May 28, 2026. [HOLD SECTION, specific amended deadline dates to be inserted here once confirmed by operator.] What is confirmed: extensions were agreed. High-risk deployers should not assume the original timeline holds until they’ve verified their specific obligation dates against the amending text.
The third track covers organizations building or deploying applications with content generation capabilities, the broadest track, encompassing providers far outside the traditional “high-risk” designation. The Article 5 prohibitions are where the omnibus touches this track. The hub covered the finalization of Article 5 prohibitions on May 27: EU AI Act Article 5 nudifier and CSAM bans are finalized. These prohibitions, on AI-generated nudification tools and child sexual abuse material generation, apply regardless of whether the application is classified as high-risk. A limited-risk chatbot that includes image generation functionality is within scope if that functionality could produce prohibited content.
The GPAI Track After the Omnibus
GPAI providers face a restructured documentation landscape. The sectoral realignment reduces compliance friction for providers whose models touch regulated domains, but it doesn’t simplify the GPAI-specific framework.
The GPAI code of practice, which the hub has covered across multiple briefs in May 2026, remains the practical compliance anchor for this track. The omnibus didn’t dissolve the code of practice obligation; it changed the context in which that obligation operates. GPAI providers who built compliance programs around managing AI Act obligations alongside GDPR and sector-specific requirements should revisit their documentation architecture. Some of the parallel workstreams they were running may now be collapsible.
Pre-August 2 Compliance Audit Checklist
- Retrieve and review official amending text (not law firm summaries) for your applicable track
- Map Digital Omnibus changes against your existing compliance documentation by obligation type
- Update Article 5 scope assessment, confirm content generation capabilities are reviewed against amended prohibited-practices list
- For GPAI providers: review sectoral realignment to identify collapsible parallel compliance workstreams
- For high-risk deployers: verify amended deadline dates from official text before updating compliance calendar
- Monitor GPAI code of practice finalization timeline relative to August 2 deadline
Unanswered Questions
- What are the specific amended deadline dates for Annex III high-risk obligations, and has your compliance calendar been updated to reflect them?
- Does your organization operate across more than one compliance track (GPAI + high-risk, or GPAI + content generation)? If so, have you scoped all three revision exercises separately?
- If the GPAI code of practice finalizes after August 2, what interim compliance documentation will satisfy Article 50 obligations during the gap?
What the omnibus didn’t resolve for GPAI providers: the marking and labeling obligations under Article 50(2), the question of how synthetic content labeling interacts with platform-level transparency requirements, and the systemic-risk designation threshold for the most capable models. Those remain open items. The Article 50(2) consultation, which closed June 3 per the hub’s May 18 coverage, was one mechanism for addressing the labeling questions, but the consultation’s outputs aren’t yet formalized.
The High-Risk Track After the Omnibus, Pending Confirmation
[HOLD, This section requires specific amended deadline dates confirmed via human retrieval of lw.com and insideglobaltech.com source articles. Draft structure:
1. State the confirmed extended deadline dates by obligation type (conformity assessment, technical documentation, registration, post-market monitoring) 2. Map which Annex III categories face which specific revised timelines 3. Flag where the omnibus created ambiguity rather than clarity (grandfathering provisions for systems already in deployment) 4. Note the registry coverage from hub brief 20260527 “EU AI Act Grandfathering Gap”, this is the central unanswered question for high-risk deployers with legacy systems
Pending data: specific date values. The structural analysis (mapping by Annex III category) can be built once dates are confirmed.]
The Article 5 Track: Who’s Actually Affected
Three categories of organizations need to update their Article 5 compliance documentation regardless of their risk track.
The first is providers of image or video generation systems. The Article 5 prohibition on nudification tools targets AI systems capable of generating realistic depictions of real individuals in sexual contexts without consent. This isn’t limited to systems marketed for that purpose, it covers systems whose capabilities include that output even if the primary function is different.
The second is developers building on top of GPAI foundation models. If your application uses a foundation model’s image generation capability, and that capability could produce prohibited content, your application is within scope. The prohibition operates at the output level, not the architecture level.
The third is organizations in the CSAM-adjacent technology space. This prohibition is categorical, no use case, context, or research exemption applies. Organizations that handle content moderation, law enforcement support, or digital forensics using AI systems need explicit documentation confirming those systems don’t generate CSAM, not just that they don’t intend to.
Warning
The Digital Omnibus created a compliance gap for organizations that built programs before the amending text. Good-faith transition efforts are unlikely to be priority enforcement targets, but that interpretation isn't formalized. Any organization mid-revision on August 2 should document that revision process explicitly, including the specific date the organization obtained and reviewed the official amending text.
Verification
Partial Latham & Watkins legal analysis (search-retrieved); EU Commission T1 (confirmed); registry-corroborated hub coverage Specific amended deadline dates for high-risk obligations not confirmed from source content available to this package. Section on high-risk track timelines is held pending human retrieval of source articles. Do not treat deadline statements in this brief as confirmed without checking the official amending text.The catch is that “finalized” prohibitions don’t mean “self-executing compliance.” An organization whose content policy predates the omnibus has a gap between what its policy says and what the amended Article 5 requires. Closing that gap before August 2 means updating the policy documentation, not just reading the new prohibition text.
What to Watch Before August 2
Three things that should be on every compliance team’s radar in the next 62 days:
First, the official amending text. Not a law firm’s summary, the text itself. The Digital Omnibus changed specific provisions, and the difference between a source and the T1 official text matters for conformity assessment documentation. The EU Commission’s regulatory framework page is the starting point.
Second, the GPAI code of practice finalization timeline. The code of practice process was ongoing as of the hub’s May 2026 coverage. If finalization slips past August 2, GPAI providers face a gap between the general applicability deadline and the practical guidance they need for compliance. That gap needs to be managed, not ignored.
Third, enforcement stance on amendment transition. The omnibus creates a window where organizations built their programs on the original text but are now obligated under the amended text. How EU member state authorities treat good-faith compliance gaps during the transition hasn’t been formally addressed. Legal analysis suggests regulators are unlikely to prioritize enforcement against organizations demonstrably mid-revision, but that’s an interpretation, not a guarantee.
TJS Synthesis
The Digital Omnibus was framed publicly as simplification. For compliance teams, it’s actually three separate revision exercises that happen to share a name. GPAI providers revise documentation architecture. High-risk deployers revise timelines. Content generation providers revise Article 5 scope assessments. Organizations in more than one of those categories run all three. The August 2 deadline doesn’t distinguish between them. By mid-July, the organizations that’ve mapped the omnibus against their specific track, rather than waiting for a consolidated guidance document that may not arrive before the deadline, will be ahead of those that haven’t. That gap will widen if member state authorities start issuing transition-period enforcement signals in the next four weeks.