Three deadlines came out of the EU AI Act Digital Omnibus political agreement reached on or around May 7, 2026. Most compliance teams are focused on the two high-risk system deadlines. The one that requires action first is the one covering prohibitions.
According to structured compliance reporting, the prohibition on nudification applications, AI tools that generate non-consensual sexualized deepfake imagery, and AI-generated child sexual abuse material carries a reported enforcement date of December 2, 2026. That’s six months out. It’s the earliest of the three Omnibus deadlines, and it applies to a broad category of GenAI providers, not just specialized bad actors. Compliance teams should verify this date against the EU Official Journal entry once it’s published, as it hasn’t yet been confirmed against the final text.
The other two deadlines follow at longer intervals. High-risk AI systems covered under Annex III, biometrics, education, employment, critical infrastructure, must reach full compliance by December 2, 2027, per reporting corroborated by the European institutions. AI embedded in safety-regulated products, medical devices, industrial machinery, toys, gets additional runway to August 2, 2028, according to IAPP’s analysis of the agreement.
The December 2026 deadline is distinct from those two. It doesn’t require conformity assessments, risk classifications, or technical documentation packages. It requires that prohibited applications not exist in the EU market. For GenAI providers offering image or video generation capabilities, that means the relevant question isn’t classification, it’s whether any product surface or API endpoint can produce the prohibited outputs.
Who This Affects
The Omnibus also reportedly expands the EU AI Office’s oversight role over general-purpose AI model providers. The specific enforcement mechanisms are pending publication of the full technical annex, so compliance teams can’t yet map the precise obligations. What’s clear from the agreement’s structure is that foundation model providers, companies whose models power downstream applications, are now within the AI Office’s direct regulatory sight line, not just the sight line of the national authorities overseeing deployers.
That’s a shift worth tracking. Before the Omnibus, the primary enforcement pressure on GenAI providers flowed through their deployer customers. The AI Office’s new GPAI-specific powers create a direct regulatory relationship between the Office and model providers, regardless of how many layers of deployment sit between the model and the end user.
Legal commentary has noted that the nudification prohibition is the first instance of a named AI application being explicitly banned under EU law, not regulated, not restricted, banned. The enforcement architecture to match that ban is what the next six months should build.
Verification
Partial Registry-corroborated reporting, Europa.eu, IAPP, JD Supra December 2, 2026 enforcement date not yet confirmed against EU Official Journal. Full technical annex pending publication. AI Office GPAI enforcement mechanisms unspecified until annex released.Don’t expect the full technical annex to resolve every open question before Q3. The AI Office will need to issue guidance on what constitutes a nudification application at the API level, whether fine-tuned models trained on general image data are covered, and what evidence of compliance looks like. Those answers will arrive unevenly.
The real question is whether GenAI providers with EU market exposure have already run an internal audit of their generation capabilities against the prohibition’s scope. Six months moves fast when the answer to that audit requires product changes.