EU AI Act Omnibus Agreement: What Changed for AI Compliance - SWT3

Audience: CISOs, compliance officers, Notified Body assessors, AI system providers, GPAI model providers, deployers of high-risk AI systems in EU jurisdictions, and legal teams evaluating AI Act implementation timelines.

At a glance: The Omnibus extended high-risk AI deadlines by 16-24 months. It did not change GPAI obligations (August 2, 2026), prohibited practices (February 2, 2025), or general GPAI model rules (August 2, 2025). If you provide a general-purpose AI model, your deadline is unchanged. If you build high-risk AI systems, you gained time -- but starting now is still the correct strategy.

1. What is the AI Omnibus?

On May 7, 2026, the European Parliament and Council reached a political agreement on an amendment to Regulation (EU) 2024/1689 -- the EU AI Act. This amendment, commonly referred to as the "AI Omnibus" or "Digital Omnibus on AI," modifies the implementation timeline and introduces several targeted changes.

The Omnibus is not a new regulation. It amends the existing AI Act. The core requirements -- prohibited practices, GPAI obligations, high-risk system rules, transparency provisions -- remain substantively unchanged. The primary effect is to give high-risk AI system providers additional time to prepare for conformity assessments while keeping GPAI and prohibition deadlines intact.

Status: Political agreement reached May 7, 2026. Formal adoption and publication in the Official Journal expected Q3-Q4 2026. The modified deadlines take effect upon formal adoption.

2. Timeline: Before and After

The following table compares original EU AI Act enforcement dates with the Omnibus modifications.

Obligation	Original Date	Omnibus Date	Status
Prohibited AI practices (Art. 5)	February 2, 2025	February 2, 2025	Unchanged
GPAI model obligations (Art. 53)	August 2, 2025	August 2, 2025	Unchanged
GPAI transparency (Art. 50, 53)	August 2, 2026	August 2, 2026	Unchanged
High-risk standalone AI (Annex III categories: biometrics, critical infrastructure, education, employment, migration)	August 2, 2026	December 2, 2027	Delayed 16 months
High-risk embedded AI (Annex I products: lifts, toys, machinery, medical devices, vehicles)	August 2, 2026	August 2, 2028	Delayed 24 months

Do not conflate the high-risk delay with the GPAI deadline. The Omnibus extended zero GPAI deadlines. If you provide a general-purpose AI model, August 2, 2026 is your compliance date. That is 66 days from the date of this publication.

3. What Changed

3.1 High-Risk Standalone AI Deadlines

Articles 6-15 -- Annex III Categories

Enforcement delayed to December 2, 2027

High-risk AI systems in the following categories received a 16-month extension:

Biometric identification and categorization (Annex III, category 1)
Critical infrastructure management (category 2)
Education and vocational training (category 3)
Employment, worker management, access to self-employment (category 4)
Access to essential private and public services (category 5)
Law enforcement (category 6)
Migration, asylum, and border control (category 7)
Administration of justice and democratic processes (category 8)

Practical impact: Providers of standalone high-risk AI systems now have until December 2, 2027 to complete conformity assessments, register in the EU database, implement risk management systems (Art. 9), and establish post-market monitoring (Art. 72).

3.2 High-Risk Embedded Products

Annex I -- EU Harmonization Legislation

Enforcement delayed to August 2, 2028

AI systems embedded in products covered by existing EU product safety legislation received a 24-month extension. Affected product categories include:

Machinery and lifts (Machinery Regulation)
Toys (Toy Safety Directive)
Radio equipment (Radio Equipment Directive)
Medical devices and in-vitro diagnostics
Civil aviation safety
Motor vehicles and their components
Marine equipment

Rationale: The extended timeline aligns AI Act enforcement with ongoing revisions to EU product safety regulations, preventing duplication between sectoral and AI-specific requirements. The Omnibus also clarified the interplay between the AI Act and the Machinery Regulation.

3.3 New Prohibition: Non-Consensual Intimate Imagery

Article 5 -- Prohibited Practices (Amendment)

AI nudification and CSAM generation banned

The Omnibus adds a new prohibited practice: AI systems that generate non-consensual sexually explicit or intimate content, including child sexual abuse material. This prohibition takes effect upon formal adoption of the Omnibus (expected Q3-Q4 2026).

SWT3 relevance: AI-GRD.1 and AI-GRD.2 witness guardrail presence and content safety filter activation. Organizations deploying generative AI should ensure content safety filters are active and witnessed.

3.4 SME and Small Mid-Cap Relief

SME/SMC Provisions

Simplified requirements extended to small mid-cap companies

Regulatory relief previously available only to small and medium-sized enterprises (SMEs) now extends to small mid-cap companies. This includes reduced technical documentation requirements and expanded access to regulatory sandboxes.

Important: Substantive compliance requirements for deployed high-risk systems are not reduced. The relief applies to documentation burden and sandbox access, not to the safety and transparency requirements themselves.

3.5 AI Office Powers Reinforced

Governance Structure

Centralized oversight for GPAI models

The Omnibus reinforces the European AI Office's authority over GPAI model oversight. The AI Office can request documentation directly from GPAI providers and coordinate enforcement across Member States. This reduces governance fragmentation -- providers deal with one central authority for GPAI compliance rather than 27 national authorities.

SWT3 relevance: The export_evidence() method and the auditor portal support on-demand documentation requests. When the AI Office requests evidence, the same export pipeline used for Notified Body assessments applies.

3.6 Regulatory Sandbox Expansion

Innovation Support

New EU-level sandbox and expanded access

The Omnibus creates a new EU-level regulatory sandbox in addition to existing national sandboxes. More innovators gain participation rights, allowing them to test AI solutions in real-world conditions with structured compliance guidance from regulators.

SWT3 relevance: Clearing level 0 (Analytics) is designed for sandbox and pre-deployment environments where full transparency is acceptable. Organizations can adopt SWT3 in sandbox mode with zero cost (Open tier) and graduate to production clearing levels when deploying.

4. What Did NOT Change

Three critical deadlines remain exactly as originally enacted. Organizations targeting GPAI compliance have zero additional time. Organizations subject to prohibited practices have been subject to enforcement since February 2025.

Already in effect -- February 2, 2025

Prohibited AI Practices (Article 5)

The following remain banned and enforceable: social scoring systems, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), emotion recognition in workplace and education contexts, untargeted facial image scraping for database creation, and subliminal manipulation techniques.

SWT3 procedures: AI-FAIR.1, AI-FAIR.2, AI-FAIR.3 witness bias assessment and fairness metrics.

Already in effect -- August 2, 2025

General GPAI Model Obligations (Article 53)

GPAI model providers must maintain and provide: model card documentation, training data summaries and copyright compliance evidence, and technical documentation per Annex XI. These obligations are active now.

SWT3 procedures: AI-MDL.1, AI-MDL.2, AI-DATA.1, AI-DATA.2, AI-DATA.3, AI-DATA.4.

66 days away -- August 2, 2026

GPAI Transparency Obligations (Articles 50, 53)

AI-generated content marking (Art. 50), Code of Practice compliance (Art. 53), and systemic risk provisions (Art. 55) become enforceable. The GPAI Code of Practice final draft is expected June 2026.

SWT3 procedures: AI-INF.1, AI-INF.2, AI-MARK.1, AI-MDL.5, AI-MDL.6, AI-MDL.7, AI-SEC.1, AI-GRD.1, AI-GRD.2, AI-GRD.3.

See GPAI Code of Practice Mapping for detailed procedure-to-obligation analysis.

5. Impact on SWT3 Compliance Strategy

Strategy

More Time Does Not Mean Start Later

The 16-24 month extension for high-risk systems benefits organizations that start now, not organizations that wait. SWT3 continuous witnessing builds a compliance history over time. Every inference witnessed today becomes part of the evidence record for a future conformity assessment.

An organization that begins witnessing in June 2026 will have 18 months of continuous evidence by the December 2027 deadline. An organization that begins witnessing in November 2027 will have 30 days. Notified Bodies and the AI Office will notice the difference.

Sequencing

GPAI First, High-Risk Second

Organizations with both GPAI and high-risk AI obligations should sequence their compliance work:

Now through August 2026: GPAI transparency procedures -- AI-INF.1, AI-INF.2, AI-MDL.1, AI-GRD.1, AI-MARK.1
August 2026 through December 2027: High-risk system procedures -- AI-HITL.1, AI-HITL.2, AI-FAIR.1, AI-EXPL.1, AI-SEC.1, AI-DATA.1
Ongoing: Chain witnessing (AI-CHAIN.1, AI-CHAIN.2) for multi-system deployments

SWT3 supports incremental procedure adoption. Start with the immediate GPAI obligations and expand coverage as high-risk deadlines approach.

Product Safety

Embedded AI Gets Separate Treatment

Product manufacturers embedding AI have until August 2, 2028. However, if the AI component also operates as a standalone system (e.g., a medical AI that also provides general diagnostic recommendations), the December 2, 2027 deadline may apply to the standalone function.

SWT3 chain witnessing (AI-CHAIN.1, AI-CHAIN.2) proves compliance across product integration boundaries, documenting which system component triggered which inference and under which regulatory regime.

6. Stakeholder-Specific Recommendations

6.1 GPAI Model Providers

Deadline: August 2, 2026 (unchanged). Your compliance date was not extended. Priority procedures: AI-INF.1, AI-INF.2, AI-MDL.1, AI-MDL.2, AI-MDL.5, AI-MDL.6, AI-MDL.7, AI-MARK.1. Integrate the SWT3 SDK now and build witness history before enforcement. See the GPAI Code of Practice Mapping for detailed procedure analysis.

6.2 High-Risk AI System Providers

Deadline: December 2, 2027 (standalone) or August 2, 2028 (embedded). You have additional time, but conformity assessment preparation takes 12-18 months. Begin procedure adoption now and target full coverage at least 6 months before your enforcement date. Priority procedures: AI-HITL.1, AI-HITL.2, AI-GRD.1, AI-GRD.2, AI-GRD.3, AI-FAIR.1, AI-EXPL.1, AI-SEC.1. See the FRIA + DPIA Integration guide for risk assessment evidence mapping.

6.3 SMEs and Startups

The expanded sandbox access and simplified documentation requirements lower your entry barrier. Use the SWT3 Open tier (free, full protocol access) to begin witnessing immediately. Start with python -m swt3_ai.demo or npx swt3-demo for a zero-friction proof of concept. Clearing level 0 (Analytics) is appropriate for sandbox environments. Graduate to production clearing levels when deploying to customers.

6.4 Notified Bodies and Assessors

High-risk conformity assessments must begin no later than mid-2027 to meet the December 2, 2027 deadline. When evaluating AI system providers, look for continuous witness evidence rather than point-in-time documentation. SWT3 produces tamper-evident anchors at every inference -- the auditor portal and evidence export pipeline provide assessment-ready artifacts. See the Notified Body Pilot Overview for assessment workflow details.

7. SWT3 Procedure Coverage Table

Omnibus Area	Article(s)	Enforcement	SWT3 Procedure(s)	Coverage
GPAI transparency	Art. 50, 53	Aug 2, 2026	`AI-INF.1`, `AI-INF.2`, `AI-MDL.1`, `AI-MDL.2`	Full
GPAI systemic risk	Art. 55	Aug 2, 2026	`AI-SEC.1`, `AI-GRD.1`-`GRD.3`, ChainEnforcer	Full
AI content marking	Art. 50(2)	Aug 2, 2026	`AI-MARK.1`, `AI-INF.1`	Full
Model documentation	Art. 53(1)(a)	Aug 2, 2026	`AI-MDL.5`, `AI-MDL.6`, `AI-MDL.7`	Full
10-year retention	Art. 53(1)(c)	Aug 2, 2026	WAL + Merkle Rollups + Clearing Levels	Full
Human oversight	Art. 14	Dec 2, 2027	`AI-HITL.1`, `AI-HITL.2`	Full
Risk management	Art. 9	Dec 2, 2027	`AI-SEC.1`, `AI-FAIR.1`, `AI-FAIR.2`, `AI-FAIR.3`	Full
Data governance	Art. 10	Dec 2, 2027	`AI-DATA.1`-`DATA.4`, `AI-RAG.1`, `AI-RAG.2`	Full
Accuracy and robustness	Art. 15	Dec 2, 2027	`AI-INF.2`, `AI-GRD.1`, `AI-BASE.1`	Full
Transparency (high-risk)	Art. 13	Dec 2, 2027	`AI-EXPL.1`, `AI-EXPL.2`	Full
Nudification ban	Art. 5 (new)	Formal adoption	`AI-GRD.1`, `AI-GRD.2`	Partial
Product safety alignment	Annex I	Aug 2, 2028	`AI-CHAIN.1`, `AI-CHAIN.2`	Full

Coverage key: Full = SWT3 procedure directly addresses the requirement with automated evidence. Partial = SWT3 provides supporting evidence; additional organizational measures needed (e.g., content safety filter selection is an organizational decision; SWT3 witnesses filter activation).

8. References

EU Digital Strategy -- Regulatory Framework for AI (source for Omnibus agreement details)
Regulation (EU) 2024/1689 -- the AI Act (original text)

Related SWT3 Guides

GPAI Code of Practice Mapping -- detailed procedure coverage for GPAI transparency obligations
FRIA + DPIA Integration -- evidence mapping for fundamental rights and data protection impact assessments
Five Eyes Agentic AI Overlay -- CISA/NSA guidance mapped to SWT3 procedures
SWT3 Protocol Specification -- formal specification with ABNF grammar
NSA MCP Security Mapping -- NSA AISC recommendations mapped to SWT3
Design Rationale -- why every protocol decision was made
Live Demo Audit Portal -- interactive compliance evidence for EU AI Act

Neutrality statement: TeNova Axiom is an independent evidence platform. It does not grant certifications, issue conformity assessments, or replace the professional judgment of a Notified Body. Scores and recommended outcomes are computed deterministically from machine-gathered evidence and are provided for informational purposes. The final authority on conformity rests with the designated assessment body.