European Tech Sovereignty
27 MAY

AI Omnibus deal splits enforcement into two speeds

15:19 UTC

The Council of the EU and the European Parliament struck a provisional agreement on the Digital Omnibus on AI on Thursday 7 May 2026, moving the Annex III high-risk compliance deadline from 2 August 2026 to 2 December 2027 while leaving GPAI enforcement unchanged at 2 August 2026.

Technology · Developing
Key takeaway

GPAI providers face August 2026; European enterprise-AI deployments in the same verticals get until December 2027.

The Council of the EU and the European Parliament announced on Thursday 7 May 2026 that they had struck a provisional agreement on the Digital Omnibus on AI package, after the first trilogue collapsed on Tuesday 28 April over a clash with machinery regulation [1]. The deal postpones the EU AI Act's Annex III compliance deadline (covering high-risk AI used in justice, employment, education and similar regulated domains) from 2 August 2026 to 2 December 2027, and pushes the Annex I embedded-product deadline (high-risk AI inside machinery, toys and medical devices) to 2 August 2028. General-purpose AI (GPAI, the regulatory category covering foundation models such as ChatGPT, Claude and Gemini) enforcement on 2 August 2026 is unchanged.

The deal landed two days after Mistral AI CEO Arthur Mensch added his name to the seven-chief-executive open letter to Commission President Ursula von der Leyen asking for AI rule simplification. The text agreed on 7 May reads closer to the industry letter's request than to the Commission's January draft. OpenAI, Anthropic and Google face the original GPAI activation date with a fine ceiling of 3 per cent of global turnover, alongside a new Article 5 prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material taking effect on 2 December 2026. Mistral AI and the merged Cohere-Aleph Alpha entity receive 16 extra months on the high-risk verticals where CAIDA will reserve EU public-sector procurement for European providers.

The AI Office gains supervisory authority over GPAI deployed inside very large online platforms (VLOPs) and very large search engines (VLSEs), an enforcement surface that did not exist in the original AI Act text. SME relief was extended to firms under 750 employees, or with annual turnover under €150m, or balance sheet under €129m, folding most European AI deployers below mandatory compliance. Aura Salla MEP, the rapporteur who chaired the collapsed 28 April trilogue and co-negotiated the 7 May deal, has not made a public statement on either outcome since her Sovereign Tech Europe panel appearance on 23 April. The procedural sequence of CEO letter, trilogue collapse, and reopened deal on more permissive terms reads as a textbook industry-engagement cycle inside a file that names sovereignty as its purpose.

Deep Analysis

In plain English

The EU AI Act classifies AI systems by risk. High-risk ones, like AI used to decide who gets a job, a loan, or access to critical services, face the strictest rules. The original deadline for these rules to apply was August 2026. The new deal pushes that to December 2027 for most businesses. But there is a catch: companies that build and sell the underlying AI models (like OpenAI's GPT or Google's Gemini) still face the original August 2026 deadline. The extra time is for companies that use those models in products, not for the model builders themselves. The idea is to give European businesses breathing room while keeping pressure on the big US AI companies.

Root Causes

The Annex III categories (AI in employment decisions, credit scoring, and critical infrastructure) require conformity assessments under harmonised standards that had not been published by the relevant standards bodies by the time the August 2026 deadline was set.

The European Standardisation Organisations, CEN and CENELEC, published only draft standards by Q1 2026. Without harmonised standards, enterprises cannot complete required assessments, making the original deadline structurally unenforceable regardless of political intent.

The GPAI enforcement date was kept at August 2026 because the AI Office's Code of Practice process was already in progress with named providers, and delaying it would have required reopening the Code of Practice procedure and restarting provider engagement. The Code of Practice's existing provider engagement made reopening the GPAI deadline impractical; the Annex III extension was where the political room existed.

What could happen next?
  • Consequence

    US GPAI providers — OpenAI, Google DeepMind, Anthropic — face AI Office scrutiny from 2 August 2026 while their European enterprise customers building on those models get until December 2027, creating a compliance gap that may increase US provider market leverage.

    Immediate · 0.8
  • Risk

    Aura Salla's contested appointment as rapporteur (flagged by seven NGOs including Corporate Europe Observatory) creates a procedural challenge risk: if the European Ombudsman finds a conflict of interest, the Omnibus provisional agreement could be reopened in Parliament.

    Short term · 0.35
  • Opportunity

    The AI Office's new supervisory authority over GPAI deployed inside very large online platforms and very large search engines (VLOPs and VLSEs) gives Brussels a new enforcement surface that did not exist in the original AI Act text.

    Immediate · 0.85
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

European Council · 17 May 2026
Different Perspectives
ASML / European tech industry
ASML's Q2 2026 guidance came in €300m below consensus as China DUV revenue collapsed 17 percentage points; the company's CEO wrote US export-control outcomes directly into 2026 guidance. European tech firms named on the USTR retaliation list alongside SAP, Siemens and Spotify face the same calculus: US trade exposure constrains what Brussels can legislate on their behalf.
France / Anne Le Henanff
Le Henanff chaired the G7 Digital Ministerial at Bercy on 29 May with CAIDA off the agenda, pivoting France's presidency to AI safety principles it had not designed the week around. France backs CAIDA but cannot override Berlin's tariff calculus, so the ministerial produced no new French-led commitment.
Germany / Federal government
Berlin's automotive sector faces up to $200bn in threatened US tariffs, a commercial exposure that dwarfs any benefit CAIDA's public-sector cloud rules would deliver to German digital firms. Federal silence inside the College of Commissioners functions as a block under consensus adoption rules without requiring a formal veto.
USTR / Ambassador Andrew Puzder
Puzder's public warning on 25 May that CAIDA is inconsistent with the EU-US trade framework was the first time Washington made its bilateral pressure visible before a Commission adoption vote rather than after. The USTR Section 301 determination on 24 July provides the enforcement backstop.
European Commission / Henna Virkkunen
Virkkunen framed the third slip as a procedural delay in finalising a 400-page text without addressing Puzder's trade-framework red line publicly. The Commission enforces existing law against Google while losing the legislative timeline on CAIDA, exposing an asymmetric position: enforcement holds; new sovereignty legislation does not.
OpenForum Europe / open-source community
The EUR 350m Sovereign Tech Fund has no Commission host, no budget line, and no commissioner's name attached six weeks after the April conference, while Germany is already paying maintainers to staff international standards bodies. The CRA open-source guidance resolves contributor liability but leaves the financial-donations grey area open with the 11 September reporting clock running.