3JUN

AI Omnibus deal splits enforcement into two speeds

4 min read

10:43UTC

The Council of the EU and the European Parliament struck a provisional agreement on the Digital Omnibus on AI on Thursday 7 May 2026, moving the Annex III high-risk compliance deadline from 2 August 2026 to 2 December 2027 while leaving GPAI enforcement unchanged at 2 August 2026.

← Back to Sovereignty arrives, minus Brussels Jump to analysis ↓

TechnologyDeveloping

Key takeaway

GPAI providers face August 2026; European enterprise-AI deployments in the same verticals get until December 2027.

The Council of the EU and the European Parliament announced on Thursday 7 May 2026 that they had struck a provisional agreement on the Digital Omnibus on AI package, after the first trilogue collapsed on Tuesday 28 April over a clash with machinery regulation ¹. The deal postpones the EU AI Act's Annex III compliance deadline (covering high-risk AI used in justice, employment, education and similar regulated domains) from 2 August 2026 to 2 December 2027, and pushes the Annex I embedded-product deadline (high-risk AI inside machinery, toys and medical devices) to 2 August 2028. General-purpose AI (GPAI, the regulatory category covering foundation models such as ChatGPT, Claude and Gemini) enforcement on 2 August 2026 is unchanged .

The deal landed two days after Mistral AI CEO Arthur Mensch added his name to the seven-chief-executive open letter to Commission President Ursula von der Leyen asking for AI rule simplification. The text agreed on 7 May reads closer to the industry letter's request than to the Commission's January draft. OpenAI, Anthropic and Google face the original GPAI activation date with a fine ceiling of 3 per cent of global turnover, alongside a new Article 5 prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material taking effect on 2 December 2026. Mistral AI and the merged Cohere-Aleph Alpha entity receive 16 extra months on the high-risk verticals where CAIDA will reserve EU public-sector procurement for European providers.

The AI Office gains supervisory authority over GPAI deployed inside very large online platforms (VLOPs) and very large search engines (VLSEs), an enforcement surface that did not exist in the original AI Act text. SME relief was extended to firms under 750 employees, or with annual turnover under €150m, or balance sheet under €129m, folding most European AI deployers below mandatory compliance. Aura Salla MEP, the rapporteur who chaired the collapsed 28 April trilogue and co-negotiated the 7 May deal, has not made a public statement on either outcome since her Sovereign Tech Europe panel appearance on 23 April . The procedural sequence of CEO letter, trilogue collapse, and reopened deal on more permissive terms reads as a textbook industry-engagement cycle inside a file that names sovereignty as its purpose.

Deep Analysis

In plain English

The EU AI Act classifies AI systems by risk. High-risk ones; like AI used to decide who gets a job, a loan, or access to critical services; face the strictest rules. The original deadline for these rules to apply was August 2026. The new deal pushes that to December 2027 for most businesses. But there is a catch: companies that build and sell the underlying AI models (like OpenAI's GPT or Google's Gemini) still face the original August 2026 deadline. The extra time is for companies that use those models in products, not for the model builders themselves. The idea is to give European businesses breathing room while keeping pressure on the big US AI companies.

Deep Analysis

Root Causes

The Annex III categories; AI in employment decisions, credit scoring, and critical infrastructure; require conformity assessments under harmonised standards that had not been published by the relevant standards bodies by the time the August 2026 deadline was set.

The European Standardisation Organisations, CEN and CENELEC, published only draft standards by Q1 2026. Without harmonised standards, enterprises cannot complete required assessments, making the original deadline structurally unenforceable regardless of political intent.

The GPAI enforcement date was kept at August 2026 because the AI Office's Code of Practice process was already in progress with named providers, and delaying it would have required reopening the Code of Practice procedure and restarting provider engagement. The Code of Practice's existing provider engagement made reopening the GPAI deadline impractical; the Annex III extension was where the political room existed.

What could happen next?

Consequence
US GPAI providers — OpenAI, Google DeepMind, Anthropic — face AI Office scrutiny from 2 August 2026 while their European enterprise customers building on those models get until December 2027, creating a compliance gap that may increase US provider market leverage.
Immediate · 0.8
Risk
Aura Salla's contested appointment as rapporteur (flagged by seven NGOs including Corporate Europe Observatory) creates a procedural challenge risk: if the European Ombudsman finds a conflict of interest, the Omnibus provisional agreement could be reopened in Parliament.
Short term · 0.35
Opportunity
The AI Office's new supervisory authority over GPAI deployed inside very large online platforms and very large search engines (VLOPs and VLSEs) gives Brussels a new enforcement surface that did not exist in the original AI Act text.
Immediate · 0.85

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The EU's General Data Protection Regulation (GDPR) included a two-year implementation grace period from adoption to enforcement (May 2016 to May 2018) specifically to allow SMEs and non-US companies to build compliance infrastructure before enforcement began. The GDPR grace period is the direct template for the Annex III delay, with the difference that GDPR extended the same deadline to all actors, while the AI Omnibus creates differential timelines by actor type.

Counter-parallel: The EU's NIS2 Directive gave member states until October 2024 to transpose into national law, then immediately saw 15 of 27 member states fail to meet that transposition deadline. The Omnibus extension pattern may therefore simply defer rather than reduce non-compliance, as enforcement capacity in EU member states has not grown proportionally with regulatory obligations.

The 750-employee threshold for SME relief excludes most of the European scale-up ecosystem from the heaviest Annex III compliance costs. For companies above that threshold deploying high-risk AI systems, the 16-month extension avoids a conformity-assessment spend estimated by Gartner at €200,000-€500,000 per system for full Annex III certification.

The 3 per cent global turnover fine ceiling for GPAI non-compliance creates an asymmetric financial exposure: for OpenAI with estimated 2025 revenue of $3.7bn, the maximum fine is approximately $111m per violation. For a hypothetical €100bn annual-turnover European industrial deployer of high-risk AI, the same 3 per cent ceiling implies a €3bn maximum, suggesting the fine architecture was calibrated for foundation model providers rather than application-layer users.

Consensus view: The Centre for European Policy Studies (CEPS) and Orrick's regulatory practice group assess that the Annex III delay is a genuine structural relief for European enterprise software vendors: the original August 2026 deadline would have required compliance documentation for AI in HR, lending, and critical infrastructure decisions before any test guidance existed, creating unquantifiable liability.

Counter-view: The AI Now Institute in New York argues the split-speed enforcement creates a perverse incentive: US GPAI providers face faster scrutiny than European application-layer firms, which will push European enterprises to deploy GPAI-based products faster before the stricter GPAI rules tighten further, accelerating rather than reducing reliance on US foundation models.

Key tension: Whether the 16-month extension gives European AI companies time to build competitive Annex III-compliant alternatives, or whether it simply delays enforcement without changing the underlying market structure.

First Reported In

Update #5 · Brussels' 27 May package, two days before G7

European Council· 17 May 2026

Read original →

Causes and effects

Caused by

Seven CEOs ask Brussels for less

The seven-CEO letter (ID:3070) co-signed by Mensch on 5 May preceded the 7 May AI Omnibus deal, which landed on terms closer to industry's request than to the Commission's January draft.

Occurred 5 May 2026

Read story →

This Event

AI Omnibus deal splits enforcement into two speeds

The deal creates an enforcement asymmetry that gives European enterprise-AI deployments 16 extra months in the same verticals CAIDA targets for European providers.

Led to

Mistral buys into the industrial stack

The AI Omnibus two-speed enforcement deal (ID:3370) gave Mistral the Annex III breathing room that enabled the M&A pivot.

Occurred 19 May 2026

Read story →

Different Perspectives

European Central Bank

The ECB's digital euro pilot drew more than 50 PSP applications and is naming 10 to 30 participants in July, advancing on its own monetary mandate without requiring a Commission act. Its trajectory this week is the inverse of CAIDA's: the sovereignty instrument that restricts no US firm is the only one keeping its published calendar.

United States (Ambassador Andrew Puzder / Steptoe LLP)

Puzder named CAIDA a red line inconsistent with the EU-US trade framework on 25 May; Steptoe warns US firms spend up to USD 50bn a year on DMA and DSA compliance and that CAIDA's Buy European tilt threatens the Turnberry truce. The Google fine delay is read in Washington as evidence that Commission enforcement bends to diplomatic pressure.

France (G7 chair and Mistral AI)

France chaired the 29 May G7 Bercy ministerial and produced a communique that omitted cloud sovereignty entirely, while its national AI champion Mistral won five-year Airbus and BMW engineering contracts commercially the day before. Paris is advancing sovereignty through the market and retreating on it at every multilateral table.

Germany (federal government)

Berlin maintained College silence that forced CAIDA's scope to public-sector tenders, protecting the automotive sector from a US Section 301 claim while simultaneously allowing BMW to contract Mistral for safety-critical crash-simulation work. German corporate procurement and German trade policy are running in opposite directions.

Netherlands (minister Willemijn Aerdts)

Aerdts blocked Kyndryl's EUR 100m Solvinity acquisition on 26 May, the first US deal ever stopped under Dutch screening, on the specific ground that the US CLOUD Act could compel disclosure of DigiD and MijnOverheid data. The decision is a direct demonstration that national screening achieves CAIDA's public-sector objective without waiting for EU law.

European Commission

The Commission is presenting CAIDA adoption on its fourth scheduled date as a sovereignty milestone, with Henna Virkkunen due to brief the Telecom Council on 9 June. The narrowed public-sector-only scope is the concession written in to secure adoption; whether the Commission presents it as a floor or a ceiling for future revision is the open question.