EU Reaches Provisional Agreement on "Digital Omnibus on AI": Staggering High-Risk AI Deadlines and Sharpening Value Chain Liability
On May 7, 2026, negotiators from the European Parliament, the Council of the European Union, and the European Commission reached a provisional agreement on the Digital Omnibus on AI. This package represents the first major set of amendments to the landmark EU AI Act since its adoption in June 2024. Driven by heavy pressure from member states (particularly Germany) and industry groups concerned about duplicative compliance burdens, the Omnibus introduces a pragmatic delay of core timelines, targeted simplification for industrial embedded systems, a new prohibited practice, and a sharp escalation of liability for value-chain information sharing.
The formal adoption of these amendments is expected in June or July 2026, ensuring they enter into force before the original August 2026 milestones.
1. Staggered Deferral of High-Risk AI Deadlines
The most significant relief for enterprises is the postponement of compliance deadlines for High-Risk AI Systems (HRAIS):
- Annex III HRAIS (Use-based, including employment, biometrics, education, and critical infrastructure): The compliance deadline is postponed by 16 months, moving from August 2, 2026, to December 2, 2027. This gives employers using AI for hiring or workforce management much-needed breathing room.
- Annex I HRAIS (Product-regulated, including medical devices, machinery, and connected vehicles): The deadline is postponed by one year, from August 2, 2027, to August 2, 2028.
- Article 50(2) Transparency (Synthetic Content Watermarking): The deadline for marking and detecting AI-generated content for systems placed on the market before August 2, 2026, is extended from August 2, 2026, to December 2, 2026.
These delays reflect the operational challenges of establishing third-party conformity assessments, harmonized standards (from bodies like CEN-CENELEC), and national regulatory sandboxes (which are also delayed by one year to August 2, 2027).
2. Sharpened Information Sharing and Escalated Fines (Article 25)
While the Omnibus delays deadlines, it significantly tightens the screw on value-chain liability. When a downstream developer repurposes or substantially modifies an AI system and becomes the "provider" of a high-risk system under Article 25(1), the initial provider now faces explicit and strict information-sharing mandates.
Under the newly amended Article 25(2), the initial provider must:
- Provide technical documentation sufficient for the downstream provider to prove compliance.
- Disclose all known limitations and failure modes of the AI system.
- Grant targeted technical access to the AI system for testing and validation.
Crucially, Article 25(4) adds "AI models" to the list of components that must be governed by a written agreement detailing these capabilities. To enforce this, Article 99(4) was amended to classify breaches of Article 25(2) or 25(4) as first-tier infringements—carrying severe fines of up to 3% of worldwide annual turnover or €15 million. This places value-chain information sharing on the same legal and risk tier as core provider and deployer high-risk compliance.
3. Realignment with Sectoral Rules and Tightened Definitions
- Machinery Regulation Shift: AI-enabled machinery (subject to Regulation (EU) 2023/1230) has been moved from Annex I Section A to Section B. This eliminates a dual-compliance model. Machinery will now be governed primarily by sector-specific laws, with the Commission incorporating AI-specific safety requirements via delegated acts by August 2, 2028.
- Tightened "Safety Component" Definition: AI systems used solely for user assistance, performance optimization, efficiency, or quality control will not automatically trigger high-risk status under Article 6(1) unless their failure directly endangers health or safety.
4. New Prohibition: Non-Consensual Intimate Imagery and CSAM
In response to public outcry over "nudifier" apps, the Omnibus introduces a new prohibited AI practice under Article 5, effective December 2, 2026. It bans the placing on the market, putting into service, or use of AI systems designed to generate or manipulate realistic depictions of an identifiable person's intimate parts or sexually explicit activities without explicit consent, as well as child sexual abuse material (CSAM).
Providers are liable if generating such material is the intended purpose, or if it is a "reasonably foreseeable and reproducible outcome" and they failed to implement adequate technical safety measures. Deployers are liable if they actively use systems to generate this material or circumvent safety filters.
Verbatim Quotes
"The initial provider to the downstream provider must now be responsible for the following, where relevant to the downstream provider’s compliance with the AI Act: making available technical documentation... informing the new provider about known limitations and failure modes... and providing the new provider with targeted technical access... Article 99(4) —which establishes the 3% of worldwide annual turnover / €15 million first-tier fine—has been amended to add a new category of infringement for breaches of Article 25(2) or (4)."
From EU Overhauls AI Act Just Before Key Deadline (Fisher Phillips / JD Supra):
"The biggest change for employers pushes back enforcement of rules covering high-risk AI systems in areas such as employment, biometrics, critical infrastructure, education, migration, and border control until December 2, 2027 – a 16-month delay from the previous August 2, 2026, deadline. For AI systems that qualify as regulated products or safety components, the deadline is extended to August 2, 2028."