The cliffhanger is resolved. After the April 28 trilogue collapsed and put the original deadline back in play, negotiators returned to the table and reached a provisional agreement on the Digital Omnibus on AI in early May. The Council's Permanent Representatives Committee (COREPER) confirmed the deal on May 13, 2026. Formal adoption and publication in the Official Journal are expected over the summer.
So the delay is real after all. High-risk obligations move to 2027 and 2028. But here is the part that is being lost in the relief: the August 2, 2026 deadline did not go away. It still applies — in full — to general-purpose AI (GPAI) enforcement and to Article 50 transparency. The Omnibus did not touch either.
With roughly seven weeks until August 2, the most dangerous thing an SME can do right now is assume "everything was postponed." It was not.
What the Omnibus actually delayed
The agreement confirmed the high-risk timeline that the institutions had converged on back in March, and resolved the sectoral-overlap fight that broke the April trilogue.
| AI System Type | Original Deadline | New Deadline |
|---|---|---|
| Stand-alone high-risk AI (Annex III) | August 2, 2026 | December 2, 2027 |
| Product-embedded high-risk AI (Annex I) | August 2, 2027 | August 2, 2028 |
Annex III covers the categories most SMEs worry about: recruitment and HR tools, credit scoring, education and exam systems, and access to essential services. Annex I covers AI embedded in already-regulated products — medical devices, machinery, vehicles. If your AI falls into one of those buckets, you genuinely gained 16 months or more.
That is meaningful relief. But it is narrow relief: it applies only to the high-risk obligations. Everything else on the August 2 calendar is unchanged.
What August 2, 2026 still triggers
These dates were never part of the Omnibus negotiation, and they are now locked in:
- GPAI enforcement powers go live. GPAI model obligations have applied to new models since August 2, 2025. From August 2, 2026, the AI Office can actually enforce them — including fines.
- Article 50 transparency becomes binding. Disclosure of AI interaction, labelling of AI-generated content, deepfake marking, and emotion-recognition notification all apply from August 2, 2026.
- Penalties become real. Information and transparency violations carry fines up to €7.5M or 1% of global turnover; GPAI and high-risk violations up to €15M or 3%; prohibited practices up to €35M or 7%.
And two more dates sit just behind August 2:
- November 2, 2026 — watermarking: machine-readable marking for AI-generated audio, image, video, and text.
- December 2, 2026 — a new prohibition (see below).
The transparency rules that hit you (Article 50)
For the typical SME, Article 50 is the August 2 obligation that actually applies to you. It is not about being a "high-risk" operator — it applies to ordinary, customer-facing AI use.
In practice it means:
- If users interact with a chatbot or AI assistant, they must be told they are dealing with AI.
- If you publish AI-generated or AI-manipulated content — text, images, audio, video — it must be labelled as artificially generated.
- Deepfakes must be marked. Emotion-recognition and biometric-categorisation uses must inform the affected person.
The Commission is finalising the detail right now. Its public consultation on the transparency guidelines closed on June 3, 2026, and the final Code of Practice on marking and labelling AI-generated content is due in June 2026 — exactly the guidance you will want to follow before the deadline. Watch for it.
GPAI enforcement: provider vs deployer
This is where most SME anxiety is misplaced. The heavy GPAI obligations — model documentation, copyright policy, systemic-risk testing — fall on the providers of the models: OpenAI, Anthropic, Google, and the like.
If you are an SME using ChatGPT, Claude, or Gemini through an API or a subscription, you are a deployer, not a provider. You do not inherit the provider's GPAI obligations — we broke this down in detail in what SME deployers need to know about GPAI enforcement. What you owe is narrower and centres on Article 50 transparency, AI literacy, and documenting your own use.
The one GPAI-specific task worth doing before August 2 is vendor due diligence: confirm your model provider is meeting its obligations (most major providers have signed the GPAI Code of Practice), and keep that confirmation on file. Not sure which side of the line you are on? Our provider or deployer checker settles it in four questions.
The new prohibition you might have missed
The Omnibus deal also expanded Article 5's prohibited practices. Effective December 2, 2026, the Act bans AI systems that generate child sexual abuse material, and so-called "nudifier" applications — AI that creates or manipulates sexually explicit or intimate images, video, or audio of a person without their consent.
For most SMEs this is not a compliance burden, but if you build or deploy any image- or video-generation feature, confirm now that it cannot be used this way.
What this means for SMEs
The headline delay is good news. The risk is that it breeds complacency about the deadline that did not move. Here is the seven-week to-do list:
- Do not assume everything was postponed. Only high-risk Annex III and Annex I obligations moved. GPAI enforcement and Article 50 transparency still apply on August 2, 2026.
- Add Article 50 transparency to every customer-facing AI feature. Disclose AI interaction, label AI-generated content, mark deepfakes. This is the single most common gap — and the cheapest to close. Start before the August deadline, then align with the Code of Practice when it lands.
- Run vendor due diligence on your GPAI tools. Confirm your provider (OpenAI, Anthropic, Google, etc.) is a GPAI Code of Practice signatory, and keep the record. You are a deployer — your job is to choose compliant vendors, not to replicate their obligations.
- Confirm AI literacy training is in place. Article 4 has been in force since February 2, 2025 — it is already enforceable, with no delay. See our Article 4 AI literacy guide for what "appropriate literacy" actually requires, or jump straight to the AI literacy checklist.
- Document every AI use case. Purpose, inputs, affected users, and your risk classification. Even with the high-risk delay, a dated written rationale is your strongest evidence of good-faith compliance — and the foundation for the 2027 obligations.
- If you generate images or video, check the new Article 5 prohibition. The nudifier/CSAM ban takes effect December 2, 2026. Make sure your features cannot be misused.
The bottom line
May 13 turned a "likely" delay into a confirmed one — and that is genuine relief for high-risk operators. But the relief is narrow. August 2, 2026 remains a hard deadline for GPAI enforcement and Article 50 transparency, and the penalties behind it are real money.
The companies that come out of August 2 in the strongest position will not be the ones that read "delay" and stopped. They will be the ones that used these seven weeks to close the transparency gaps, run vendor due diligence, and finish the AI literacy and documentation work — the obligations that were never on the table in Brussels.
The high-risk clock now runs to December 2027. The transparency clock runs to August 2. Do not confuse the two.