On April 28, 2026, after twelve hours of negotiation in Brussels, the second political trilogue on the Digital Omnibus on AI ended without agreement. The European Parliament, the Council of the EU, and the European Commission walked out without a deal — and rescheduled the next round for May 13, 2026.
For SMEs that had been counting on the December 2027 high-risk deadline as a fait accompli, the message is unambiguous: the original 2 August 2026 deadline remains the only legally binding date until an amending regulation is published in the Official Journal. A delay is still likely. It is no longer certain. And it will not happen by default.
This is a sharp reversal from the optimism that followed the Council's negotiating mandate on March 13 and the Parliament's plenary vote on March 26. Both institutions had aligned on the headline numbers. Trilogue was supposed to be procedural. Instead, a fundamental fight broke out — and there are now only weeks to resolve it before the original deadline starts to bite.
Where the institutions agree
Despite the breakdown, the trilogue did confirm convergence on the most important number: the new high-risk deadlines.
| AI System Type | Original Deadline | Trilogue Convergence |
|---|---|---|
| Stand-alone high-risk AI (Annex III) | August 2, 2026 | December 2, 2027 |
| Product-embedded high-risk AI (Annex I) | August 2, 2027 | August 2, 2028 |
This is not in dispute. Both the Council and the Parliament accept these dates. The fight is not about whether to delay, or by how much — it is about a much narrower, much trickier question.
Where they broke down
The session collapsed on the question of sectoral overlap.
A growing share of high-risk AI under the Act is embedded in products that are already regulated by existing EU sectoral safety legislation: medical devices, in-vitro diagnostics, industrial machinery, toys, connected cars, lifts, marine equipment, civil aviation. For these products, two regimes now apply — the sector-specific safety rules (which require their own conformity assessments, technical files, and notified-body involvement) and the AI Act's Annex I obligations on top.
The European Parliament pushed hard for a carve-out: where a product is already governed by a mature sectoral regime, the AI Act's additional Annex I requirements should be considered satisfied or relaxed, to avoid duplicative documentation and double conformity assessment.
The Council and the Commission did not accept this. Their position: the AI Act adds AI-specific safeguards (data governance, human oversight, robustness testing) that sectoral regimes were not designed to cover, and removing those safeguards would gut the Act's effect on the products where AI risk is highest.
After twelve hours, neither side moved. The talks were suspended.
What is legally enforceable today
Here is what every SME should be clear on, regardless of how the May 13 trilogue ends:
- Article 5 prohibited practices — in force since February 2, 2025. Includes social scoring, untargeted scraping of facial images, real-time biometric ID in public spaces (with narrow exceptions), and emotion recognition at work or in education. Non-compliance: up to €35M or 7% of global turnover.
- Article 4 AI literacy — in force since February 2, 2025. Every organisation that puts AI systems into use must ensure staff have appropriate AI literacy.
- GPAI model obligations (Articles 51-56) — in force since August 2, 2025 for new models. AI Office enforcement powers activate August 2, 2026.
- Article 50 transparency — deadline August 2, 2026. Disclosure that a person is interacting with AI; labelling of AI-generated content; deepfake marking; emotion-recognition notification. Not affected by the Omnibus.
- Watermarking technical compliance — deadline November 2, 2026. Machine-readable marking for AI-generated audio, image, video, and text.
- High-risk Annex III obligations — deadline August 2, 2026 unless and until the Omnibus is published in the Official Journal moving it to December 2, 2027.
The first four are unaffected by the Omnibus, full stop. The fifth is the one in flux.
May 13 scenarios
The next political trilogue is scheduled for May 13, 2026. Here is what each plausible outcome looks like for SMEs.
| Scenario | What Happens | What It Means for You |
|---|---|---|
| Best case — deal lands | Parliament concedes on the carve-out (or accepts a narrowed version), Council moves on adjacent issues. Final text agreed mid-May. Formal Parliament vote and Council endorsement in June. Publication in Official Journal in July. | August 2, 2026 high-risk deadline is replaced by December 2, 2027. You gain ~16 months — but Article 50 transparency, AI literacy, and the GPAI deadline are unchanged. |
| Middle case — talks slip into June | A third or fourth trilogue extends negotiations into late May or June. Agreement still possible before August. | High uncertainty. SMEs in regulated sectors plan for both timelines. |
| Worst case — no agreement before July | Sectoral carve-out remains deadlocked. The original August 2, 2026 deadline becomes legally enforceable. Regulators may exercise forbearance — but forbearance is a political expectation, not a legal defence. | You must be ready for high-risk obligations to apply on August 2 — including risk management systems, data governance, technical documentation, human oversight, and registration in the EU database. |
The worst case is not the most likely outcome — but it is no longer the unlikely outcome. As of late April, several Council member states were privately signalling they would rather see the original deadline stand than concede the carve-out.
What this means for SMEs
The pragmatic response is the same regardless of which scenario plays out: keep building, do not gamble on forbearance, prepare for both timelines.
Do not slow down on inventory. If you have not built a formal AI system inventory yet, this is the work to do this month. List every AI system you use, develop, or deploy — including third-party tools embedded in your stack. Document purpose, data inputs, affected persons, and your initial risk classification. Most of the August 2 obligations are downstream of a complete inventory.
Treat Article 50 transparency as the binding August deadline. It does not move. Customer-facing AI features must disclose AI involvement; AI-generated content must be labelled; deepfakes must be marked as artificially generated; biometric and emotion recognition uses must inform affected persons. If these are missing, you have ~3 months to add them.
Confirm AI literacy training is in place. Article 4 has been in force since February 2025. Free guidance: see the AI literacy checklist.
If you operate in a regulated sector (medical, automotive, machinery, toys), plan for both outcomes. The carve-out fight directly affects you. Map which of your products are governed by sectoral safety legislation, and prepare two compliance scenarios: one where Annex I obligations apply on August 2, 2027, and one where the carve-out reduces them. Do not commit irreversibly to either path until the Omnibus is published.
Document your risk classification rationale per AI system. This is the single most defensible artefact you can produce. Even if the deadline moves to December 2027, regulators in 2027 will want to see when you reached your classification — and a dated written rationale shows good-faith compliance from day one.
The bottom line
April 28 changed the political calculus, not the legal one. The legal deadline of August 2, 2026 is unchanged for high-risk obligations. The Omnibus is now genuinely uncertain — not in its broad direction, but in whether it can land before the original deadline overtakes it.
For SMEs, the discipline is unchanged: build real compliance capability, not a gambled holiday. The companies that come out of August 2026 in the strongest position will be the ones that did the inventory work, the literacy work, and the transparency work this spring — regardless of what the Official Journal eventually says about Annex III.
If May 13 produces a deal, your work is still useful. If May 13 fails, your work is the difference between forbearance and a fine.
Not sure how the trilogue outcome affects your AI systems? Take the free ClearAct risk assessment quiz — it takes 2 minutes and tells you exactly which risk tier you fall into. You can also check whether you are a provider or deployer under the regulation, or estimate your potential fine exposure.