Regulatory update - EU extends the high-risk AI enforcement deadlines

EU governments and the European Parliament reached a provisional Digital Omnibus agreement in the early hours of 7 May 2026, after nine hours of overnight negotiation. Three things changed: (i) two high-risk implementation deadlines moved later; (ii) AI embedded in machinery sits outside the AI Act; and (iii) two new prohibitions were added. The deal recovers ground lost when trilogues collapsed on 28 April over machinery scope. It remains provisional pending formal endorsement.

Organisations building/deploying/using AI should treat these new dates as the planning baseline. This deal was brokered under sustained Council Presidency pressure, with Draghi-style competitiveness framing as cover. It will not be reopened in the next mandate.

The substantive changes

These negotiations provided three substantial changes to the EU AI Act, each of which is discussed below in turn.

1. Implementation timeline

Two deadlines moved. Both are now hard-fixed, replacing the Commission's earlier conditional grace period tied to harmonised-standards readiness.

For context, Annex III tracked the Act's general date of application and Annex I had its own three-year clock under Article 113(c). Annex III covers biometric ID, critical infrastructure, employment, education, law enforcement, migration and the administration of justice. Annex I covers AI inside products already under EU sectoral safety law (medical devices, IVDs, motor vehicles, civil aviation, rail). The extended enforcement timeline was agreed earlier in the negotiations, while the latest wrangling was on how the AI Act covers machinery.

2. Machinery

Industry argued that AI embedded in industrial equipment is already governed by the Machinery Regulation (EU) 2023/1230 and that a parallel AI Act layer would duplicate conformity assessment without proportionate gain. The May resolution accepts that argument: AI embedded in machinery within Regulation 2023/1230's scope is excluded from the AI Act.

However, this carve-out is narrow. It does not cover worker-management AI on factory floors, biometric components, or agentic systems used to operate machinery; those still fall under Annex III on their own facts.

By way of example, take an industrial vision-inspection AI inside a CE-marked machine. It now sits under the Machinery Regulation rather than the AI Act, but the obligations move with it. The Machinery Regulation has its own essential health-and-safety requirements, conformity assessment route and technical documentation duties. Drift detection and human-oversight design will still apply because Annex III requires lifecycle safety performance for self-evolving machinery and operator override of automated functions. Medical-device AI under MDR is related but not identical - it stays inside Annex I, with the AI Act layering on top of MDR rather than yielding to it.

3. Two new prohibitions, both effective 2 December 2026

Parliament needed concrete additions to point to as proof the Act had not been gutted, and they got two.

1. Non-consensual AI-generated sexual imagery is banned. The provision responds to the same policy concern as recent deepfake controversies (including content from xAI's Grok chatbot) and to the intimate-image-abuse provisions of the UK Online Safety Act. Precise placement is expected to be confirmed in the consolidated text.

2. Watermarking of AI-generated output becomes mandatory for providers. Images, audio and video are in scope; synthetic text is the open question for the implementing acts (see Bird & Bird and AOShearman). The C2PA Content Credentials standard is the most likely reference point but not yet confirmed. This goes further than the Article 50(2) marking duty by prescribing the technical mechanism rather than leaving it to providers.

The second addition has the broadest impact, and it is something that most providers and deployers have not yet built in to their engineering workflows.

What didn't move with the deadlines

The Omnibus moved the regulatory floor by sixteen months in one place and twelve in another. It moved nothing above the floor, and the ceiling has kept moving on its own. Insurance underwriting, board oversight, ISO/IEC 42001 and customer procurement attestations are tightening on their own clock; underwriter questionnaires now routinely ask for evidence of inventory maintenance and risk classification. Bojana Bellamy's framing on Episode 15 of the AI Governance Podcast is the shorthand: compliance is the floor, accountability everything above it.

Read the deal purely as a deadline shift and you will deprioritise the wrong workstreams. The obligations most likely to attract regulator attention during the deferral are already in force. Article 4 AI literacy leads the list and is a live budget line item this quarter. Article 5 prohibitions and Article 50 transparency duties continue, as do GPAI obligations under the Code of Practice. The AI Office is still building central capacity, Article 70 designations are still bedding in, and the structural enforcement gap Sophie in 't Veld set out on our podcast in February has not closed. The requirements under sectoral safety law in financial services, medical devices and automotive functional safety remain unaffected.

As Bellamy put it: the shift in enlightened organizations is from worrying about the four percent fine to worrying about the loss of opportunity from not deploying AI well, not building products customers trust.

Five things to do this week

We set out five actions below that you can take today to prepare, ordered by time-sensitivity. The first two protect work that should already be in flight at your organization, and the last three reset planning before the new dates harden.

1. Don't pause your AI inventory build. 

Annex III obligations will apply from December 2027 instead of August 2026, but the work to build and maintain your inventory is not trivial. Use the extra sixteen months to reach completeness across business units, agentic systems and shadow AI deployments. The procurement, board and insurer signals that demanded the inventory in 2025 have not reweighted.

2. Scope a watermarking proof-of-concept against C2PA before September.

The framework binds from 2 December 2026 (seven months); the technical spec follows via implementing acts. If structured properly, engineering should own the build, the governance team should review the output-class scoping (image, audio, video, possibly text) and legal should track the consultation.

3. Build a transfer-of-evidence checklist between the AI Act and Machinery Regulation conformity routes. 

For each system in Regulation 2023/1230's scope, identify what transfers (risk management files, post-market monitoring, parts of the technical documentation), what needs rework (harmonised-standards reference set, essential health-and-safety requirements), and which competent authority you report to. Make this a joint workstream with product safety because gaps usually sit in documentation handover.

4. Re-run Annex III classifications for any system that touches machinery scope. 

The overall classification logic in Article 6 is unchanged however the scope will now expand. Document the rationale and the patterns most likely to flip: AI features inside CE-marked machinery (now Machinery Regulation), worker-management AI on industrial sites (still Annex III), biometric components inside otherwise-excluded equipment (still Annex III).

5. Write the leadership talk-track. 

To keep the c-suite informed, here’s the four points you want to cover in an executive briefing:

• The enforcement deadlines have moved. Board, customer and insurer expectations did not.

• Article 4 literacy is in force and the most likely enforcement target during the deferral.

• Watermarking is now both a compliance obligation and an engineering build. The new framework binds from December 2026 and the technical spec will follow thereafter. Stand the pipeline up now, while tracking the consultation in parallel.

• ISO 42001, sectoral safety law and procurement attestations run on their own clock, and the work you’ve been doing on the inventory underpins all of them.

What we're watching next

There are still a few steps to go before the position in the Digital Omnibus is final. While that shouldn’t delay your planning, as the hard work has now been done on the regulatory side, there are a few dates and updates to keep an eye on:

• Council and Parliament formal endorsement votes, expected before 30 June.

• Implementing acts for watermarking, especially the synthetic-text scope question; first signal likely a public consultation.

• Sectoral guidance on AI in machinery from DG GROW and Member State product authorities.

• AI Office pre-implementation guidance, plus Member State choices in France, Germany and the Netherlands, where national guidance has historically appeared first.

Where Enzai fits

Inventory continuity is the operational thread through this deal. Deadlines moved; the inventory obligation didn't, and most of what sits above the floor (board oversight, insurer evidence, ISO 42001, procurement attestations) runs through it. Enzai's AI inventory keeps the register current as systems move between the AI Act, Machinery Regulation and sectoral safety law, and surfaces the watermarking-readiness signal action 2 depends on.

References

Primary legislation and official sources

• Regulation (EU) 2024/1689, the AI Act: https://eur-lex.europa.eu/eli/reg/2024/1689/oj

• Regulation (EU) 2023/1230, the Machinery Regulation: https://eur-lex.europa.eu/eli/reg/2023/1230/oj

• European Commission, AI Office: https://digital-strategy.ec.europa.eu/en/policies/ai-office

• GPAI Code of Practice: https://digital-strategy.ec.europa.eu/en/policies/ai-code-practice

• AI Act Article 4 (AI literacy): https://artificialintelligenceact.eu/article/4/

• AI Act Article 5 (prohibited practices): https://artificialintelligenceact.eu/article/5/

• AI Act Article 6 (high-risk classification): https://artificialintelligenceact.eu/article/6/

• AI Act Article 50 (transparency): https://artificialintelligenceact.eu/article/50/

• AI Act Annex I (regulated products): https://artificialintelligenceact.eu/annex/1/

• AI Act Annex III (high-risk categories): https://artificialintelligenceact.eu/annex/3/

Standards

• ISO/IEC 42001:2023, AI management systems: https://www.iso.org/standard/42001

• C2PA Content Credentials: https://c2pa.org/

News and analysis

• Reuters / Free Malaysia Today, "EU countries, lawmakers clinch provisional deal on watered-down AI rules", 7 May 2026: https://www.freemalaysiatoday.com/category/world/2026/05/07/eu-countries-lawmakers-clinch-provisional-deal-on-watered-down-ai-rules

• IAPP, "AI Act Omnibus: What just happened and what comes next?": https://iapp.org/news/a/ai-act-omnibus-what-just-happened-and-what-comes-next

• Cyprus Mail, "EU lawmakers back softer AI Act after pressure from industry", 7 May 2026: https://cyprus-mail.com/2026/05/07/eu-lawmakers-back-softer-ai-act-after-pressure-from-industry

• Bird & Bird, "Digital Omnibus on AI Trilogue Stalls Ahead of the AI Act Deadline": https://www.twobirds.com/en/insights/2026/germany/digital-omnibus-on-ai-trilogue-stalls-ahead-of-the-ai-act-deadline

• AOShearman, "Digital Omnibus on AI: what is really on the table as trilogues begin": https://www.aoshearman.com/en/insights/digital-omnibus-on-ai-what-is-really-on-the-table-as-trilogues-begin

Background

• Mario Draghi, The future of European competitiveness, September 2024: https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en

• UK Online Safety Act: https://www.gov.uk/government/collections/online-safety-act

• AI Governance Podcast EP15, Compliance vs. Accountability with Bojana Bellamy: https://www.enz.ai/ai-governance-podcast-compliance-vs-accountability-with-bojana-bellamy

• AI Governance Podcast EP14, Sophie in 't Veld: https://www.enz.ai/ai-governance-podcast-fundamental-rights-and-digital-law-with-sophie-in-t-veld