What's the difference between the original EU AI Act and the May 2026 Omnibus?

The original EU AI Act (entered force August 2024) staged compliance: Article 5 prohibitions February 2025, GPAI obligations August 2025, Annex III high-risk obligations August 2026, embedded high-risk August 2027. The May 7, 2026 Omnibus (provisional political agreement) keeps the Act's core but (1) delays Annex III high-risk to December 2, 2027 — 16 extra months, (2) delays embedded high-risk to August 2, 2028, (3) adds a new Article 5 prohibition on non-consensual sexual / CSAM AI from December 2, 2026, (4) compresses watermarking grace from 6 to 3 months (December 2, 2026), (5) reinstates 'strict necessity' for sensitive data in bias work, (6) postpones regulatory sandboxes to August 2, 2027, and (7) clarifies Machinery Regulation interplay.

Did the Omnibus weaken the EU AI Act?

Mixed. It weakened high-risk timelines (16-month delay for Annex III) but strengthened the consumer-protection front (new Article 5 ban on non-consensual sexual AI, faster watermarking). Industry won breathing room on the most contested compliance obligations. Civil society won a new prohibition class and the retention of Annex VIII Section B registration that the Commission had proposed deleting. GPAI obligations from August 2025 are unchanged — so foundation model providers (OpenAI, Anthropic, Google, Mistral, Meta) still face the same documentation, copyright opt-out, training-data summary, and systemic-risk obligations. The honest read: it's a compromise, not a gutting.

What's still on the same timeline (not delayed)?

Several things. (1) Article 5 prohibitions on social scoring, untargeted biometric scraping, emotion recognition in workplace / school, and predictive policing — already in force from February 2025. (2) GPAI (general-purpose AI model) obligations from August 2, 2025. (3) AI literacy obligations from February 2025. (4) Penalties — up to 7% of global turnover for prohibited practices, up to 3% for high-risk non-compliance, up to 1% for incorrect information. (5) The new Article 5 ban on non-consensual sexual / CSAM AI from December 2, 2026 (NEW, not delayed). (6) Compressed Article 50(2) watermarking from December 2, 2026 (NEW, faster than original).

How should compliance teams plan for the next 18 months?

Three priorities. (1) Move on December 2, 2026 obligations now — this is 7 months out. Watermarking (C2PA, SynthID), CSAM / non-consensual sexual AI safeguards, transparency UX. Don't wait for the formal Omnibus adoption. (2) Use the December 2, 2027 Annex III runway productively — finalize conformity assessment processes, align with harmonized standards as they ship, build technical documentation, deploy per-agent identity infrastructure. (3) Watch for formal Council and Parliament adoption in summer 2026 — minor language changes possible, but no surprises. The provisional deal is operative for planning.

Quick Answer

EU AI Act Omnibus vs Original AI Act: What Changed (May 2026)

Published: May 8, 2026

EU AI Act Omnibus vs Original AI Act: What Changed (May 2026)

The May 7, 2026 EU AI Act Omnibus is a provisional political agreement that amends the original 2024 EU AI Act. It’s a compromise — industry gets a 16-month delay on high-risk obligations, civil society gets a new ban class and faster watermarking, regulators get streamlined enforcement. Here’s the full side-by-side.

Last verified: May 8, 2026

The 2024 baseline (original EU AI Act)

The EU AI Act entered force August 1, 2024 with staged compliance:

Date	Obligation
February 2, 2025	Article 5 prohibitions (social scoring, biometric scraping, emotion recognition in workplace / school, predictive policing) + AI literacy obligations
August 2, 2025	GPAI (general-purpose AI model) obligations: documentation, copyright, training-data summary, systemic-risk for ≥10²⁵ FLOPs models
August 2, 2026	Annex III high-risk AI obligations (employment, education, credit, biometrics, critical infrastructure, law enforcement, justice, migration)
August 2, 2027	Embedded high-risk in regulated Annex I products (medical devices, machinery, toys, lifts, watercraft)

The May 7, 2026 Omnibus changes

Delayed timelines

Obligation	Original	Omnibus
Annex III standalone high-risk	August 2, 2026	December 2, 2027 (+16 months)
Annex I embedded high-risk	August 2, 2027	August 2, 2028 (+12 months)
Regulatory sandboxes	August 2, 2026	August 2, 2027 (+12 months)

NEW obligations and accelerations

Obligation	New date	Notes
Article 5 ban on non-consensual sexual / CSAM AI (NEW class)	December 2, 2026	Includes “nudifier” apps; safe harbor for systems with effective preventive safeguards
Article 50(2) watermarking grace	December 2, 2026	Compressed from 6 months to 3 months

Retained vs. proposed deletion

Item	Commission proposal	Omnibus result
Annex VIII Section B registration (self-assessed non-high-risk Annex III-adjacent)	Delete	Retained, streamlined form

Substantive clarifications

Bias detection and correction: “Strict necessity” reinstated for processing special categories of personal data — sensitive data CAN be used for bias detection and correction across all AI systems, with safeguards. (Significant practical win for fairness work.)
Machinery Regulation interplay: Clarified to avoid duplication. Machinery generally exempt from direct AI Act applicability where overlap exists; AI-specific health and safety handled through Machinery Regulation. “Safety component” definition narrowed.
SME support: Existing SME privileges (reduced fees, sandbox priority) extended to small mid-cap companies.

Side-by-side: original vs Omnibus, by obligation type

Prohibited practices (Article 5)

	Original	Omnibus
Social scoring, biometric scraping, etc.	Feb 2, 2025	Unchanged
Non-consensual sexual / CSAM AI	(not in original)	NEW — Dec 2, 2026

GPAI obligations

	Original	Omnibus
Documentation, copyright, training-data summary	Aug 2, 2025	Unchanged
Systemic-risk obligations (≥10²⁵ FLOPs)	Aug 2, 2025	Unchanged

Transparency (Article 50)

	Original	Omnibus
Article 50(1) deepfake disclosure	Aug 2, 2026	Unchanged
Article 50(2) watermarking grace	6 months	3 months — Dec 2, 2026

High-risk obligations

	Original	Omnibus
Annex III standalone	Aug 2, 2026	Dec 2, 2027
Annex I embedded	Aug 2, 2027	Aug 2, 2028
Conformity assessment, technical doc, post-market monitoring	Same as above	Pushed accordingly

Governance and enforcement

	Original	Omnibus
Penalties: 7% / 3% / 1% of global turnover	(in original)	Unchanged
Regulatory sandboxes	Aug 2, 2026	Aug 2, 2027
Annex VIII registration	(in original)	Retained, streamlined
AI Office and Board governance	(in original)	Unchanged

What this means by stakeholder

Foundation model providers (OpenAI, Anthropic, Google, Mistral, Meta)

No relief from Omnibus. GPAI obligations from August 2025 are unchanged. Documentation, copyright opt-out, training-data summary, and systemic-risk obligations all still apply on the original timeline.

The Mexico water utility attack (Dragos, May 6-7, 2026) and the IMF financial-stability warning (May 7) are likely to drive enforcement priority on GPAI misuse provisions through 2026-2027 — particularly around abuse monitoring and red-team disclosure for systemic-risk models.

Annex III high-risk AI providers (employment, credit, biometrics, etc.)

16-month buffer. Use it for:

Conformity assessment processes (third-party CABs are still ramping up).
Alignment with harmonized standards as they ship through 2026-2027.
Technical documentation and post-market monitoring infrastructure.
Per-agent identity (Microsoft Entra, AWS IAM context keys, Google Workspace service identities) for traceability.

AI-generated content providers

Faster, not slower. December 2, 2026 watermarking deadline is 7 months out. C2PA, SynthID, and Microsoft’s content provenance approach are now production-required, not experimental.

Consumer-facing image / video AI providers

New December 2, 2026 obligation. Article 5 ban on non-consensual sexual / CSAM AI requires “effective preventive safeguards” — NSFW classifiers, age detection, prompt filtering, reporting pipelines. Safe harbor available, but you have to demonstrate you actually built the safeguards.

Bias / fairness teams

Material practical win. Reinstating “strict necessity” for special-category data processing means you CAN use sensitive data (race, health, sexual orientation, etc.) for bias detection and correction with safeguards. This makes effective fairness work legally feasible across all AI systems, not just high-risk.

Machinery and product safety industries

Cleanup. Machinery Regulation deconfliction means fewer overlapping obligations. Narrower “safety component” definition reduces over-classification of components as AI Act-regulated.

EU SMEs and small mid-caps

Support extended. Reduced fees, sandbox priority, and other privileges now reach small mid-caps, not just SMEs.

What’s still uncertain

1. Formal adoption. The May 7 deal is a provisional political agreement. Formal Council and Parliament adoption is expected through summer 2026. Minor language changes possible. A surprise rejection by either body would reset everything.

2. National implementation. The AI Act is an EU regulation (directly applicable) but national authorities matter for sandboxes, designated regulators, and enforcement priorities. Watch national AI Office establishment through 2026.

3. Harmonized standards. Compliance practicality depends on harmonized standards under Article 40 actually shipping. CEN-CENELEC JTC 21 is the main venue. Watch standard publication through 2026-2027.

4. Conformity assessment ecosystem. Third-party Conformity Assessment Bodies (CABs) for high-risk AI need accreditation and capacity. The 16-month delay should help, but the ecosystem is still thin.

5. UK and US interplay. The UK’s AI Bill is moving more slowly. The US has no comprehensive federal AI law, but state laws (Connecticut, Iowa, Colorado, Alabama as of May 2026) are creating a patchwork. Multinational AI providers need to plan for divergent regimes.

Compliance team checklist (May 2026)

By December 2, 2026 (7 months out):

Watermarking / provenance pipeline live (C2PA, SynthID, etc.).
Article 50 transparency UX deployed (deepfake disclosure, AI-generated content labels).
CSAM / non-consensual sexual AI safeguards in place if you operate consumer image / video generation.

By December 2, 2027 (19 months out):

Annex III high-risk conformity assessment processes complete.
Technical documentation per Annex IV.
Post-market monitoring infrastructure live.
Per-agent identity adopted for AI agents in scope.
Harmonized standards alignment confirmed.

By August 2, 2028 (~27 months out):

Annex I embedded high-risk in regulated products complete.
Machinery Regulation alignment with narrowed safety component definition.

Bottom line

In May 2026, the EU AI Act Omnibus is a compromise that buys industry breathing room on Annex III high-risk while strengthening consumer protections through new bans and faster watermarking. Foundation model providers see no relief — GPAI obligations from August 2025 are unchanged and likely to face stricter enforcement after the Dragos and IMF disclosures the same week. Annex III providers get 16 extra months — use them for conformity assessment, harmonized standards alignment, and per-agent identity deployment. Consumer-facing image / video AI providers get a new December 2026 obligation that requires real safeguards. The deal is provisional but operative — plan accordingly and don’t wait for formal adoption.

Sources: European Commission “MEX 26 1030” press corner (May 7, 2026), Tech Policy Press “What the EU AI Omnibus deal changes for the AI Act and what lies ahead” (May 8, 2026), IAPP “EU agrees to amend AI Act, clarifies overlap with machinery rules” (May 2026), Bristows “AI Act Omnibus — EU institutions agree political deal” (May 2026), Modulos AI “EU AI Act Omnibus deal” (May 2026), Insurance Journal coverage (May 7, 2026).