AI Act Digital Omnibus Deal: High-Risk Deferred to 2 December 2027, Transparency Stays 2 August 2026

Where the file sat in early May 2026 (historical, superseded by the 7 May agreement)

The Cypriot Council Presidency is trying to close the file before its term ends 30 June 2026. If it fails, Lithuania takes over 1 July. If the Omnibus is not formally adopted before 2 August 2026, the original AI Act provisions take effect on that date as written. That includes the full Article 6 high-risk obligations and the Article 99 penalty regime.

The Parliament negotiation is led by Arba Kokalari (EPP, Sweden) and Michael McNamara (Renew, Ireland). Beyond the postponement question, Parliament has tabled two additional measures: a targeted ban on AI nudification systems, and a shortened watermarking grace period landing on 2 November 2026.

On enforcement readiness, only 8 of 27 EU Member States have designated their national competent authorities so far. The remaining 19 will need to do so before the date the Omnibus does not move.

Four scenarios as they looked in early May 2026 (historical)

Legal analyses published this week converge on roughly four outcomes. The probability estimates below are taken from those analyses, not from Fontvera. They are a planning frame, not a forecast:

The advice from every major law firm covering this file is the same: continue planning against 2 August 2026 as the real deadline. Three of the four scenarios above either preserve that date or carry meaningful tail risk that it survives.

What should you do right now?

1. Plan against 2 August 2026. The 7 May agreement is provisional; until the amending regulation is published in the Official Journal, the original dates remain law as written.
2. Map your Article 50 transparency duties to your product surfaces now. The transparency obligations land on the deployer for any AI surface a user actually sees, not on the model vendor. Walk every product surface that emits AI text, image, audio, or video and write down which of the four duties applies.
3. Identify whether your AI systems fall under Annex I or Annex III. Annex III is standalone high-risk. Annex I is AI embedded in regulated products under existing sectoral law. The Omnibus dispute is precisely about the Annex I path. The high-risk classification briefing covers the cut.
4. Run the diagnostic. https://fontvera.eu/diagnostic/ai-act-high-risk. Five minutes, no login, returns the article-specific classification.
5. Read the Article 99 penalty briefing. The fine surface does not move with the Omnibus. Information-request fines (€7.5M or 1%) sit one rung below the high-risk obligations and are easy to trigger by accident.

Frequently asked questions

Has the EU AI Act been delayed?

Provisionally, yes. The trilogue collapsed on 28 April 2026, but negotiators reached a provisional agreement on 7 May 2026 moving Annex III high-risk obligations to 2 December 2027 and Annex I embedded systems to 2 August 2028. Until that text is formally adopted and published in the Official Journal, the original 2 August 2026 date in Article 113 and the Article 99 penalty regime continue to apply as written.

When is the next AI Act Omnibus trilogue?

There is none. The trilogue concluded with the provisional agreement of 7 May 2026. The remaining steps are formal endorsement by Parliament and Council, legal-linguistic revision, and publication in the Official Journal, which the institutions intend to complete before 2 August 2026.

What happens if the Omnibus is not adopted before August 2026?

The original AI Act provisions take effect on 2 August 2026 as written. That includes the full Article 6 high-risk obligations and the Article 99 penalty regime: €35M or 7% for prohibited Article 5 practices, €15M or 3% for high-risk obligations and Article 50 transparency duties, and €7.5M or 1% for information-request failures.

Which EU member states have designated AI Act enforcement authorities?

As of early May 2026, 8 of 27 EU Member States have designated their national competent authorities. The remaining 19 will need to do so before 2 August 2026 if the Omnibus is not adopted in time to push the date.

What happened on 28 April

The Digital Omnibus was the Commission and Council's vehicle to staircase AI Act high-risk enforcement: Annex III systems (employment, education, biometrics, critical infrastructure, essential services) would slip to December 2027; Annex I systems (regulated products — medical devices, machinery, automotive, toys) would slip to August 2028.

Trilogue broke down on the Annex I architecture. Member States wanted the staircase tied to existing sectoral conformity assessment cycles; Parliament negotiators argued that would re-open notified-body designations across MDR, IVDR, and the Machinery Regulation. With no compromise text, the file went to a further round, which was overtaken when negotiators closed a provisional deal on 7 May 2026.

The legal position today is simple: until the amending regulation is published in the Official Journal, the original 2 August 2026 date in Article 113(b) and the Article 99 penalty regime continue to apply as written. No grace period exists in the published text yet.

Why this matters — by the numbers Fontvera tracks

The 7 May 2026 deal defers when these obligations bite, not what they require. Here is the obligation surface still live in the law as written, measured against Fontvera's structured corpus:

• 743 AI Act obligations mapped across 42 sectors.
• 3,247 obligations tracked across the nine EU horizontal regulations the AI Act collides with.
• 41 cross-regulatory references involve the AI Act: 22 overlaps, 15 gaps, 4 hard conflicts.
• AI Act ↔ GDPR has the densest interaction: 4 overlaps, 2 conflicts, 2 gaps (8 collisions in total).
• AI Act ↔ NIS2: 5 collisions. AI Act ↔ DORA: 5. AI Act ↔ DMA: 6. AI Act ↔ DSA: 5. AI Act ↔ ePrivacy: 4.
• Underlying corpus: 312,758 current regulatory documents from 130 sources across 96 jurisdictions; 33,602 documents have full structured extraction.

None of that surface area shrinks because the dates move. The Omnibus changes when obligations bite, not what they require.

The four hard AI Act conflicts that did not get resolved

These are conflicts the extra time could let Member States and the AI Office fix. The Omnibus changes application dates, not the underlying texts, so the collisions remain. Each was extracted from primary text by Fontvera and is in the corpus today:

What's at stake — the five highest-penalty obligations

From Fontvera's 743 mapped AI Act obligations, sorted by Article 99 penalty tier:

1. Article 5 — Prohibited AI practices. Up to €35,000,000 or 7% of worldwide annual turnover, whichever is higher. Covers eight prohibited categories including subliminal manipulation, exploitation of vulnerabilities, social scoring, predictive policing, untargeted facial-image scraping, emotion inference at workplace and school, biometric categorisation by sensitive attributes, and real-time remote biometric identification in public spaces by law enforcement.
2. Article 16 — Provider obligations for high-risk AI. Up to €15,000,000 or 3%. Covers conformity assessment, registration in the EU database, post-market monitoring, technical documentation, transparency to deployers and the Article 9 risk management system.
3. Article 26 — Deployer obligations for high-risk AI. Up to €15,000,000 or 3%. Use the system per provider instructions, ensure human oversight, monitor operation, retain logs, and conduct fundamental rights impact assessments where Article 27 applies.
4. Article 50 — Transparency obligations. Up to €15,000,000 or 3%. Disclose AI interaction to natural persons; label generative AI output as artificially generated; mark deepfakes; inform users of emotion recognition and biometric categorisation.
5. Article 9 — Risk management system. Enforced through Article 16 at €15,000,000 or 3%. A continuous, iterative process across the entire lifecycle: hazard identification, residual-risk evaluation, mitigation testing, and updates from post-market monitoring.

Authorised representatives, importers, distributors and notified bodies sit on the same €15M / 3% tier under Articles 22, 23, 24 and 31/33 respectively. Supplying incorrect, incomplete or misleading information to authorities sits one rung lower at €7,500,000 or 1%.

What companies should actually do in the next 49 days

The work doesn't change because the deal is still provisional. It just doesn't get optional any more. In order:

1. Classify your systems against Article 5 and Annex III. Run Fontvera's free AI Act high-risk diagnostic to get a defensible classification with the specific articles that apply.
2. Lock the four hard conflicts above into legal review now. They will not be resolved by 2 August. Decisions on log retention, special-category processing and deepfake disclosure should be made and documented before, not during, an enforcement inquiry.
3. Pull your obligation list against the 743 we have mapped. Fontvera links every obligation to its source article, the obligated entity and the penalty tier. Search the corpus for your sector and entity role at the homepage.
4. If you are a deployer relying on a non-EU provider: Article 22 means you may inherit authorised representative obligations. This is one of the four "high severity" gaps in the cross-regulatory register and is not waiting for the trilogue.
5. Treat the 7 May provisional agreement as direction, not law. It still has to clear plenary and Council and reach the Official Journal before any deadline shifts. Plan against the 2 August date as written.

Why this page is harder to copy than it looks

The "plan against 2 August" message is on every newsletter. The numbers above are not. They come from 312,758 current documents, 33,602 with full structured extraction, 743 AI Act obligations, 219 cross-regulatory references and 41 AI-Act-specific collisions sitting in Fontvera's production database. We track them because the corpus is built to answer cross-border regulatory questions in seconds, and we expose them here because the gap between a provisional deal and live law is exactly the moment the surface becomes operational risk.

If your team is mapping AI Act exposure for 2 August, the obligation register, conflict descriptions and penalty tiers above are the inputs you need — and they are what the homepage search returns.

Run your free AI Act compliance diagnostic

Five minutes. No login. Returns your classification (Prohibited, High-Risk Annex III, High-Risk Annex I, Limited-Risk or Minimal-Risk) and the specific articles that apply.

→ Run the AI Act diagnostic

Search 316,000+ regulatory documents

The corpus that produced these numbers is searchable from the homepage. Cross-border, cross-regulation, cross-jurisdiction.

→ Search Fontvera

Fontvera also analyses closely related obligations, including AI Act deadline extension digital omnibus, AI Act penalties FAQ, and AI Act high risk systems examples.