17MAY

AI Omnibus deal splits enforcement into two speeds

4 min read

14:28UTC

The Council of the EU and the European Parliament struck a provisional agreement on the Digital Omnibus on AI on Thursday 7 May 2026, moving the Annex III high-risk compliance deadline from 2 August 2026 to 2 December 2027 while leaving GPAI enforcement unchanged at 2 August 2026.

← Back to Brussels' 27 May package, two days before G7 Jump to analysis ↓

TechnologyDeveloping

Key takeaway

GPAI providers face August 2026; European enterprise-AI deployments in the same verticals get until December 2027.

The Council of the EU and the European Parliament announced on Thursday 7 May 2026 that they had struck a provisional agreement on the Digital Omnibus on AI package, after the first trilogue collapsed on Tuesday 28 April over a clash with machinery regulation ¹. The deal postpones the EU AI Act's Annex III compliance deadline (covering high-risk AI used in justice, employment, education and similar regulated domains) from 2 August 2026 to 2 December 2027, and pushes the Annex I embedded-product deadline (high-risk AI inside machinery, toys and medical devices) to 2 August 2028. General-purpose AI (GPAI, the regulatory category covering foundation models such as ChatGPT, Claude and Gemini) enforcement on 2 August 2026 is unchanged .

The deal landed two days after Mistral AI CEO Arthur Mensch added his name to the seven-chief-executive open letter to Commission President Ursula von der Leyen asking for AI rule simplification. The text agreed on 7 May reads closer to the industry letter's request than to the Commission's January draft. OpenAI, Anthropic and Google face the original GPAI activation date with a fine ceiling of 3 per cent of global turnover, alongside a new Article 5 prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material taking effect on 2 December 2026. Mistral AI and the merged Cohere-Aleph Alpha entity receive 16 extra months on the high-risk verticals where CAIDA will reserve EU public-sector procurement for European providers.

The AI Office gains supervisory authority over GPAI deployed inside very large online platforms (VLOPs) and very large search engines (VLSEs), an enforcement surface that did not exist in the original AI Act text. SME relief was extended to firms under 750 employees, or with annual turnover under €150m, or balance sheet under €129m, folding most European AI deployers below mandatory compliance. Aura Salla MEP, the rapporteur who chaired the collapsed 28 April trilogue and co-negotiated the 7 May deal, has not made a public statement on either outcome since her Sovereign Tech Europe panel appearance on 23 April . The procedural sequence of CEO letter, trilogue collapse, and reopened deal on more permissive terms reads as a textbook industry-engagement cycle inside a file that names sovereignty as its purpose.

Deep Analysis

In plain English

The EU AI Act classifies AI systems by risk. High-risk ones; like AI used to decide who gets a job, a loan, or access to critical services; face the strictest rules. The original deadline for these rules to apply was August 2026. The new deal pushes that to December 2027 for most businesses. But there is a catch: companies that build and sell the underlying AI models (like OpenAI's GPT or Google's Gemini) still face the original August 2026 deadline. The extra time is for companies that use those models in products, not for the model builders themselves. The idea is to give European businesses breathing room while keeping pressure on the big US AI companies.

Deep Analysis

Root Causes

The Annex III categories; AI in employment decisions, credit scoring, and critical infrastructure; require conformity assessments under harmonised standards that had not been published by the relevant standards bodies by the time the August 2026 deadline was set.

The European Standardisation Organisations, CEN and CENELEC, published only draft standards by Q1 2026. Without harmonised standards, enterprises cannot complete required assessments, making the original deadline structurally unenforceable regardless of political intent.

The GPAI enforcement date was kept at August 2026 because the AI Office's Code of Practice process was already in progress with named providers, and delaying it would have required reopening the Code of Practice procedure and restarting provider engagement. The Code of Practice's existing provider engagement made reopening the GPAI deadline impractical; the Annex III extension was where the political room existed.

What could happen next?

Consequence
US GPAI providers — OpenAI, Google DeepMind, Anthropic — face AI Office scrutiny from 2 August 2026 while their European enterprise customers building on those models get until December 2027, creating a compliance gap that may increase US provider market leverage.
Immediate · 0.8
Risk
Aura Salla's contested appointment as rapporteur (flagged by seven NGOs including Corporate Europe Observatory) creates a procedural challenge risk: if the European Ombudsman finds a conflict of interest, the Omnibus provisional agreement could be reopened in Parliament.
Short term · 0.35
Opportunity
The AI Office's new supervisory authority over GPAI deployed inside very large online platforms and very large search engines (VLOPs and VLSEs) gives Brussels a new enforcement surface that did not exist in the original AI Act text.
Immediate · 0.85

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The EU's General Data Protection Regulation (GDPR) included a two-year implementation grace period from adoption to enforcement (May 2016 to May 2018) specifically to allow SMEs and non-US companies to build compliance infrastructure before enforcement began. The GDPR grace period is the direct template for the Annex III delay, with the difference that GDPR extended the same deadline to all actors, while the AI Omnibus creates differential timelines by actor type.

Counter-parallel: The EU's NIS2 Directive gave member states until October 2024 to transpose into national law, then immediately saw 15 of 27 member states fail to meet that transposition deadline. The Omnibus extension pattern may therefore simply defer rather than reduce non-compliance, as enforcement capacity in EU member states has not grown proportionally with regulatory obligations.

The 750-employee threshold for SME relief excludes most of the European scale-up ecosystem from the heaviest Annex III compliance costs. For companies above that threshold deploying high-risk AI systems, the 16-month extension avoids a conformity-assessment spend estimated by Gartner at €200,000-€500,000 per system for full Annex III certification.

The 3 per cent global turnover fine ceiling for GPAI non-compliance creates an asymmetric financial exposure: for OpenAI with estimated 2025 revenue of $3.7bn, the maximum fine is approximately $111m per violation. For a hypothetical €100bn annual-turnover European industrial deployer of high-risk AI, the same 3 per cent ceiling implies a €3bn maximum, suggesting the fine architecture was calibrated for foundation model providers rather than application-layer users.

Consensus view: The Centre for European Policy Studies (CEPS) and Orrick's regulatory practice group assess that the Annex III delay is a genuine structural relief for European enterprise software vendors: the original August 2026 deadline would have required compliance documentation for AI in HR, lending, and critical infrastructure decisions before any test guidance existed, creating unquantifiable liability.

Counter-view: The AI Now Institute in New York argues the split-speed enforcement creates a perverse incentive: US GPAI providers face faster scrutiny than European application-layer firms, which will push European enterprises to deploy GPAI-based products faster before the stricter GPAI rules tighten further, accelerating rather than reducing reliance on US foundation models.

Key tension: Whether the 16-month extension gives European AI companies time to build competitive Annex III-compliant alternatives, or whether it simply delays enforcement without changing the underlying market structure.

First Reported In

Update #5 · Brussels' 27 May package, two days before G7

European Council· 17 May 2026

Read original →

Causes and effects

Caused by

Seven CEOs ask Brussels for less

The seven-CEO letter (ID:3070) co-signed by Mensch on 5 May preceded the 7 May AI Omnibus deal, which landed on terms closer to industry's request than to the Commission's January draft.

Occurred 5 May 2026

Read story →

This Event

AI Omnibus deal splits enforcement into two speeds

The deal creates an enforcement asymmetry that gives European enterprise-AI deployments 16 extra months in the same verticals CAIDA targets for European providers.

Different Perspectives

OpenForum Europe / open-source community

The EUR 350m Sovereign Tech Fund has no Commission host, no budget line, and no commissioner's name attached six weeks after the April conference, while Germany is already paying maintainers to staff international standards bodies. The CRA open-source guidance resolves contributor liability but leaves the financial-donations grey area open with the 11 September reporting clock running.

ASML / Christophe Fouquet

ASML's Q2 guidance miss of roughly EUR 300m below consensus reflects DUV revenue compression set by US export controls, not European policy. Fouquet said 2026 guidance accommodates potential outcomes of ongoing US-China trade discussions; a bipartisan US bill to tighten DUV sales further would accelerate the cross-subsidy thinning Chips Act II's equity authority is designed to address.

Anne Le Henanff / French G7 Presidency

Le Henanff chairs the 29 May Bercy ministerial two days after Brussels adopts the Tech Sovereignty Package, making the G7 communique the first international read of the Omnibus enforcement split and CAIDA's scope. France's Cloud au Centre doctrine is already operational via the Scaleway Health Data Hub contract.

German federal government

Berlin operationalises sovereignty through procurement mandates (the ODF requirement and the Sovereign Tech Standards programme) rather than waiting for Commission legislation. The Bundeskartellamt has still not received the Cohere-Aleph Alpha merger filing, leaving Germany's flagship AI champion in structural limbo six weeks after the deal resolved.

US Trade Representative

The USTR Section 301 investigation into EU digital rules closes with a 24 July 2026 final determination. CAIDA's public-sector cloud restriction sits within the criteria that triggered the 2020 Section 301 action against France's digital services tax, and the US has not signalled whether the Thales-Google S3NS arrangement resolves CLOUD Act jurisdiction concerns.

CISPE / Valentina Mingorance

CISPE shipped its own pass-fail sovereignty badge in April to establish an industry-auditable floor the Commission could adopt. Whether CAIDA inherits the CISPE binary or the multi-tier SEAL approach will determine whether certification is enforceable by public contracting authorities or requires Commission discretion.