Skip to content
You can now search across every topic, entity and event.What's new
European Tech Sovereignty
17MAY

AI Omnibus deal splits enforcement into two speeds

4 min read
14:28UTC

The Council of the EU and the European Parliament struck a provisional agreement on the Digital Omnibus on AI on Thursday 7 May 2026, moving the Annex III high-risk compliance deadline from 2 August 2026 to 2 December 2027 while leaving GPAI enforcement unchanged at 2 August 2026.

TechnologyDeveloping
Key takeaway

GPAI providers face August 2026; European enterprise-AI deployments in the same verticals get until December 2027.

The Council of the EU and the European Parliament announced on Thursday 7 May 2026 that they had struck a provisional agreement on the Digital Omnibus on AI package, after the first trilogue collapsed on Tuesday 28 April over a clash with machinery regulation 1. The deal postpones the EU AI Act's Annex III compliance deadline (covering high-risk AI used in justice, employment, education and similar regulated domains) from 2 August 2026 to 2 December 2027, and pushes the Annex I embedded-product deadline (high-risk AI inside machinery, toys and medical devices) to 2 August 2028. General-purpose AI (GPAI, the regulatory category covering foundation models such as ChatGPT, Claude and Gemini) enforcement on 2 August 2026 is unchanged .

The deal landed two days after Mistral AI CEO Arthur Mensch added his name to the seven-chief-executive open letter to Commission President Ursula von der Leyen asking for AI rule simplification. The text agreed on 7 May reads closer to the industry letter's request than to The Commission's January draft. OpenAI, Anthropic and Google face the original GPAI activation date with a fine ceiling of 3 per cent of global turnover, alongside a new Article 5 prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material taking effect on 2 December 2026. Mistral AI and the merged Cohere-Aleph Alpha entity receive 16 extra months on the high-risk verticals where CAIDA will reserve EU public-sector procurement for European providers.

The AI Office gains supervisory authority over GPAI deployed inside very large online platforms (VLOPs) and very large search engines (VLSEs), an enforcement surface that did not exist in the original AI Act text. SME relief was extended to firms under 750 employees, or with annual turnover under €150m, or balance sheet under €129m, folding most European AI deployers below mandatory compliance. Aura Salla MEP, the rapporteur who chaired the collapsed 28 April trilogue and co-negotiated the 7 May deal, has not made a public statement on either outcome since her Sovereign Tech Europe panel appearance on 23 April . The procedural sequence of CEO letter, trilogue collapse, and reopened deal on more permissive terms reads as a textbook industry-engagement cycle inside a file that names sovereignty as its purpose.

Deep Analysis

In plain English

The EU AI Act classifies AI systems by risk. High-risk ones; like AI used to decide who gets a job, a loan, or access to critical services; face the strictest rules. The original deadline for these rules to apply was August 2026. The new deal pushes that to December 2027 for most businesses. But there is a catch: companies that build and sell the underlying AI models (like OpenAI's GPT or Google's Gemini) still face the original August 2026 deadline. The extra time is for companies that use those models in products, not for the model builders themselves. The idea is to give European businesses breathing room while keeping pressure on the big US AI companies.

Deep Analysis
Root Causes

The Annex III categories; AI in employment decisions, credit scoring, and critical infrastructure; require conformity assessments under harmonised standards that had not been published by the relevant standards bodies by the time the August 2026 deadline was set.

The European Standardisation Organisations, CEN and CENELEC, published only draft standards by Q1 2026. Without harmonised standards, enterprises cannot complete required assessments, making the original deadline structurally unenforceable regardless of political intent.

The GPAI enforcement date was kept at August 2026 because the AI Office's Code of Practice process was already in progress with named providers, and delaying it would have required reopening the Code of Practice procedure and restarting provider engagement. The Code of Practice's existing provider engagement made reopening the GPAI deadline impractical; the Annex III extension was where the political room existed.

What could happen next?
  • Consequence

    US GPAI providers — OpenAI, Google DeepMind, Anthropic — face AI Office scrutiny from 2 August 2026 while their European enterprise customers building on those models get until December 2027, creating a compliance gap that may increase US provider market leverage.

    Immediate · 0.8
  • Risk

    Aura Salla's contested appointment as rapporteur (flagged by seven NGOs including Corporate Europe Observatory) creates a procedural challenge risk: if the European Ombudsman finds a conflict of interest, the Omnibus provisional agreement could be reopened in Parliament.

    Short term · 0.35
  • Opportunity

    The AI Office's new supervisory authority over GPAI deployed inside very large online platforms and very large search engines (VLOPs and VLSEs) gives Brussels a new enforcement surface that did not exist in the original AI Act text.

    Immediate · 0.85
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

European Council· 17 May 2026
Read original
Different Perspectives
United States (Google/Alphabet)
United States (Google/Alphabet)
Alphabet lost its final Android appeal on 2 July with no further court to hear it, a result its Computer and Communications Industry Association allies frame as precedent, not deterrence, since the €4.1bn fine changed nothing about Google's Play Store terms across eight years of litigation.
UK Department for Science, Innovation and Technology
UK Department for Science, Innovation and Technology
DSIT opened its £96m second Sovereign AI wave on 3 July, switching from April's equity stakes to fixed-price contracts because Britain has no domestic hyperscaler or Bpifrance-style lender to fund capacity another way. It is betting on buying outcomes it controls alone rather than joining an EU-wide framework.
German federal government
German federal government
Berlin backed both German deliverables this week, Infineon's fab and Aleph Alpha's merger, but is finding one far harder to close than the other. It wants enforceable protective rights inside Cohere's cap table before the merger closes, a legal instrument the Bundeskartellamt has no filing to review yet.
European Commission
European Commission
The Commission banked a clean CJEU win on the eight-year Android case on 2 July, removing Google's last comparator argument before President von der Leyen rules on the far larger DMA self-preferencing fine due 27 July. Brussels treats Infineon's early Dresden delivery as proof the Chips Act mechanism works, at the node Europe already led.
Bruegel (EU industry sceptics)
Bruegel (EU industry sceptics)
Bruegel economist Mario Mariniello argued the EU sovereignty package mimics US and Chinese strategy while EU cloud providers hold roughly 15% of their home market; using nationality as a proxy for security without fixing the underlying capital and energy gaps that drive the dependency creates €86bn of migration cost without the security benefit it is sold as delivering.
France
France
France published a joint sovereignty definition with Germany at VivaTech and mobilised €13bn under Tibi Phase 3, placing SAP's partnership with Mistral as the working proof that a German enterprise-software giant running a French sovereign model inside public administration is what digital sovereignty looks like in practice.