EU AI Act Omnibus Agreement: Definitive High-Risk Deferral, Strict Bias Screening, and Expanded AI Office Powers Enacted

In a major regulatory recalibration, the European Union institutions reached a provisional political agreement on the "Digital Omnibus on AI" on May 7, 2026, which was subsequently confirmed by Member State representatives in the Council on May 13, 2026. This package provides critical compliance relief for enterprises by postponing the applicability dates for high-risk AI systems (HRAIS) by over a year, while simultaneously introducing strict new prohibitions, rolling back earlier proposals that would have relaxed bias-screening rules, and expanding the enforcement powers of the central EU AI Office.

While the core architecture of the EU AI Act remains intact, the Omnibus represents a pragmatic adjustment to the fact that the technical standards and regulatory infrastructure required to make the Act operable have not materialized on the original schedule.

1. The Postponed HRAIS Compliance Timeline

The Omnibus replaces the European Commission's originally proposed conditional trigger mechanism with fixed, deferred deadlines:

• Annex III Stand-alone HRAIS (Recruitment, Credit Scoring, Education, Law Enforcement): Applicability is postponed by 16 months to December 2, 2027 (originally August 2, 2026).
• Annex I Embedded HRAIS (Medical Devices, Toys, Machinery, Vehicles): Applicability is postponed by 12 months to August 2, 2028 (originally August 2, 2027).

Importantly, August 2, 2026, remains a live compliance date for Article 50 transparency obligations (e.g., disclosing AI interaction), though existing systems receive a four-month grace period (until December 2, 2026) to implement watermarking under Article 50(2).

2. Key Substantive Overhauls and Compromises

• Strict Bias Screening Standards: In a major reversal of earlier drafts that proposed more flexible rules for processing special category personal data for bias detection, the final agreement reinstates a strict necessity standard.
• Registration of Exempted High-Risk Systems: Providers seeking to carve out their systems from high-risk classification under Article 6(3) (narrow procedural/refinement tasks) will still be required to register them in the EU database, reversing previous proposals that would have exempted them.
• New Article 5 Prohibition ("Nudifiers" and CSAM): The agreement bans AI systems designed to generate or manipulate non-consensual sexually explicit/intimate content or child sexual abuse material (CSAM). Providers of general-purpose image/video tools must actively prevent these foreseeable outcomes, subject to a transitional period ending December 2, 2026.
• Relief for Small Mid-Cap Companies (SMCs): Regulatory relaxations previously restricted to SMEs—such as simplified technical documentation, proportionate penalties, and less prescriptive quality management systems—are now extended to SMCs.
• Industrial and Machinery Carve-out: Embedded AI subject to the Machinery Regulation is removed from the direct application of the AI Act; safety measures will instead be managed via delegated acts under that regulation.
• Reinforced EU AI Office Powers: The AI Office is granted exclusive competence over AI systems built on General-Purpose AI (GPAI) models where the model and system are developed by the same provider. It is equipped with new enforcement tools, including powers to conduct investigations, perform on-site inspections, accept binding commitments, and issue fines.

Verbatim Quotes

From the Gibson Dunn Client Alert:

"High-risk obligations for stand-alone Annex III systems are deferred to 2 December 2027; for AI embedded in regulated products under Annex I, to 2 August 2028." "The agreed text replaces the Commission’s originally proposed conditional trigger mechanism with these fixed dates." "The agreement extends the existing legal basis for processing special-category personal data for bias detection and correction — previously limited to providers of high-risk systems — to all AI systems and general-purpose AI models, subject to a strict necessity standard..."

From the Travers Smith Briefing:

"Providers seeking exemption from high-risk classification for certain systems (e.g. systems limited to performing a narrow procedural task or refining the results of tasks previously completed by a human) will still need to register them in the EU database for high-risk systems, albeit with reduced information requirements. This represents a reversal from earlier drafts..." "Processing special category data for the purpose of bias detection and correction returns to a strict necessity test, requiring providers to demonstrate that no less intrusive means exist to achieve the same objective."

Enterprise Risk Management Implications

For corporate legal and risk teams, this agreement shifts the compliance timeline but does not relax the eventual standards:

1. Prepare for August 2, 2026 Transparency: Do not let the HRAIS delay distract from the fact that transparency and disclosure requirements under Article 50 are still active for August 2026.
2. Review Bias-Correction Data Practices: The rollback to a "strict necessity" test means enterprises cannot easily process special category data (like race or gender) for bias testing without proving that no alternative, less intrusive methods exist.
3. Establish SMC Compliance Pathways: Medium-sized enterprises should assess if they qualify as Small Mid-Caps to take advantage of the simplified documentation and proportionate penalty structures.