The EU AI Act's moving deadline: what the Digital Omnibus actually changes — and what it doesn't

On 7 May 2026, negotiators from the European Parliament, the Council of the EU, and the European Commission reached a provisional political agreement on what is being called the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since it entered into force in August 2024. For compliance and engineering teams at SaaS companies, the announcement landed with the force of a long-awaited reprieve: high-risk AI deadlines pushed back, scope narrowed, SME thresholds raised.

The temptation to close the compliance tracker and exhale is understandable. You should resist it.

This piece unpacks what the Digital Omnibus actually changed, what it did not change, why the legal status of the agreement matters more than the headlines suggest, and what a sensible planning posture looks like for a SaaS company that uses or ships AI features today.

What the Omnibus actually agreed

The provisional agreement touches four areas.

Extended deadlines for high-risk AI systems. Under the original AI Act, Annex III high-risk systems (AI used in employment decisions, credit scoring, education, critical infrastructure, and similar high-stakes contexts) were required to meet full conformity obligations by 2 August 2026. Under the Omnibus agreement, that deadline moves to 2 December 2027. For high-risk AI embedded in regulated products under Annex I, including machinery, medical devices, and vehicles, the deadline extends further still, to 2 August 2028.

A new prohibition, sooner. The agreement adds an outright ban on AI systems that generate non-consensual intimate imagery — so-called nudifier applications. That prohibition takes effect 2 December 2026, before most of the extended high-risk obligations apply. Violations carry fines of up to €35 million or 7 per cent of global annual turnover.

Narrowed scope for regulated products. Industrial AI applications already governed by the Machinery Regulation are now exempted from the AI Act's additional requirements. The definition of "safety component" has been tightened, removing several categories from the high-risk classification. This matters for teams building AI features into physical or industrial products, where double regulation had been a significant concern.

Expanded SME protections. The simplified compliance framework previously available to small and medium enterprises now extends to companies with up to 750 employees and annual revenue of up to €150 million. That covers a large portion of the European SaaS market and most funded scale-ups.

What the Omnibus did not change

Several obligations that are already in force remain untouched.

The GPAI obligations. Organisations that release general-purpose AI models have been subject to transparency, documentation, and copyright compliance requirements since 2 August 2025. Those obligations did not move. If you release a model, you are already in scope.

AI literacy requirements. Since 2 February 2025, organisations that deploy or use AI systems have been required to ensure their staff have a sufficient level of AI literacy. This is not a heavy compliance burden in practice, but it is already enforceable.

Transparency obligations for chatbots. Article 50 requires disclosure to users that they are interacting with an AI system, and it applies from 2 August 2026. The Omnibus did not defer this. If you ship a conversational AI product, disclosure obligations will be live in around ten weeks from now.

The prohibition list. Unacceptable-risk AI systems have been prohibited since 2 February 2025. Social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and systems that exploit psychological vulnerabilities to influence behaviour — these bans are already in effect and the Omnibus did not alter them.

The legal status problem

Here is the issue that most coverage glosses over: the provisional political agreement of 7 May 2026 is not law.

A trilogue agreement in the European legislative system is a negotiated political deal between institutions. Before it becomes binding, it must pass through several further steps: legal-linguistic revision to finalise the text in all official EU languages, formal endorsement by the relevant European Parliament committee, a plenary vote in Parliament, formal adoption by the Council, and publication in the Official Journal of the European Union. Only after publication does the amended regulation enter into force.

The Commission has not yet published the agreed text. Formal adoption is expected before August 2026, but the timeline is subject to procedural risk. If any of those steps stall and the amended text is not published before 2 August 2026, the original AI Act applies in full from that date, including the high-risk obligations.

This is not an abstract concern. Organisations that treat December 2027 as their operative compliance date are, as one law firm analysis noted, accepting the risk that formal adoption may not complete in time. The new deadline only protects you if it becomes law before the old deadline arrives.

How to plan when the deadline is uncertain

The right planning posture is not binary. It does not require you to either treat August 2026 as certain or bet on December 2027. A practical approach for most SaaS companies runs as follows.

Complete your AI system inventory regardless. Classification is the prerequisite for everything else. You cannot assess whether your systems fall under high-risk, limited-risk, or minimal-risk categories without first knowing what you have. This work takes time, it does not become redundant if the Omnibus passes, and it is the single most-asked-for deliverable in enterprise procurement conversations right now. Do it in the next four to six weeks.

Treat August 2026 as live for what it already covers. Chatbot disclosure, AI literacy documentation, and the GPAI obligations if relevant are not deferred by the Omnibus. If you ship a chatbot, you need an Article 50-compliant disclosure flow by August. That is ten weeks away.

Build your documentation architecture now. Even if December 2027 is your operative deadline for high-risk conformity, the documentation required, including risk management systems, quality management systems, technical specifications, and data governance records, takes months to build correctly. Starting now gives you a usable foundation either way. Starting in late 2027 does not.

Apply for a regulatory sandbox if you qualify. The Omnibus expands access to national and EU-level testing environments. For companies operating in regulated verticals such as health, financial services, or recruitment, getting sandbox access is worth the process. It gives you direct dialogue with supervisory authorities and provides a degree of safe harbour during the period of legal uncertainty.

Watch the Official Journal. The moment the amended text is published, the December 2027 deadline becomes legally certain. Until then, keep August 2026 in your risk register. Assign someone to monitor the EU's legislative tracking tools and set an alert.

What changes for different company types

The risk profile varies considerably depending on what you build.

Purely horizontal SaaS. If you offer productivity tools, project management, or analytics with no employment or credit decisions involved, your AI features very likely do not meet the Annex III high-risk threshold. Your near-term obligations are Article 50 disclosure if you have conversational AI, and AI literacy documentation for your team. The Omnibus changes very little for you in practice.

Recruitment and HR technology. AI systems used in hiring, promotion, or workforce monitoring fall under Annex III. You are in scope for high-risk obligations. The Omnibus extension gives you more runway, but the documentation and conformity assessment requirements are substantial. Start now.

Credit, lending, and financial services. The position is the same as recruitment. AI used in credit decisions and risk assessments is Annex III high-risk. The extension helps, but the volume of required documentation means you should already have a working group in place.

AI tooling and developer platforms. If you provide tools that allow other companies to build AI applications, your obligations depend on whether you are a provider of a GPAI model (subject to GPAI rules, already in force) or a deployer building on top of existing models (subject to deployer obligations, including high-risk rules where applicable). The distinction matters significantly.

Medical devices and industrial products. The Annex I extension to August 2028 is genuinely significant relief, given the existing conformity assessment burdens under sector-specific regulation. The AI Act's requirements layer on top of existing product safety law, with the Machinery Regulation exemption notwithstanding.

The one thing worth taking from the Omnibus

The most useful signal in the Digital Omnibus agreement is not the extended deadline. It is the direction of travel. The Commission's willingness to narrow scope, reduce regulatory overlap with product safety law, and extend SME protections suggests that enforcement philosophy will prioritise genuine risk reduction over administrative completeness.

That matters for how you prioritise compliance spend. Obsessing over documentation format when you have not yet classified your systems is the wrong order of operations. Investing in AI governance infrastructure — clear ownership, documented classification decisions, human oversight mechanisms in high-stakes workflows — is the approach that serves you regardless of which deadline is binding.

The AI Act is already in force. Obligations are already accruing. The Omnibus agreement buys more time for some of them. But waiting for the formal text before starting work is not a compliance strategy; it is a gamble on a legislative calendar that has already slipped once.