What happened

On 7 May 2026, the European Parliament, the Council and the European Commission reached a political agreement on the so-called "Digital Omnibus" — the first set of amendments to the EU AI Act since its adoption in June 2024. The stated goal: simplify the rules and reduce the burden on businesses, particularly SMEs.

The centrepiece of the deal is the postponement of obligations for high-risk AI systems, which were due on 2 August 2026.

Important: this is not yet law. It is a provisional political agreement that still requires formal approval by Parliament and the Council. Final adoption is expected before 2 August 2026. The dates below reflect the text agreed in May and may be adjusted in the final vote.

What was delayed

  • 2 DECEMBER 2026 Watermarking of AI-generated content. Transparency obligations for AI-generated content move from August to December 2026.
  • 2 DECEMBER 2027 High-risk AI systems under Annex III. The big deadline — AI used in recruitment, credit scoring, education and more — moves from August 2026 to December 2027. A postponement of roughly 16 months.
  • 2 AUGUST 2028 High-risk AI embedded in regulated products (Annex I). When the AI system is part of a product already covered by EU safety legislation, the deadline extends to August 2028.

What does NOT change — and still applies to your SME

This is the point most companies will misread. The delay is for high-risk rules. The obligations already in force remain intact:

  • AI literacy (Article 4) — mandatory since 2 February 2025. Any company using AI tools must ensure its staff can use them competently. This was not delayed. (See: what Article 4 requires.)
  • Prohibited AI practices (Article 5) — in force since 2 February 2025.
  • General-purpose AI models (GPAI) — obligations in force since 2 August 2025. Covers providers of models like ChatGPT, Gemini or Claude.
  • Fines — up to €35 million or 7% of global annual turnover, whichever is higher. Steeper than the GDPR.

The good news for SMEs

The Digital Omnibus is not only about delay. It brings two changes that directly favour smaller businesses:

Simplified regime widened

The simplified compliance regime no longer covers only micro and small enterprises — it extends to so-called "small mid-caps": companies with up to 750 employees and €150 million in annual turnover.

"Safety component" clarified

AI systems that merely assist the user or optimise performance — and whose failure does not create a health or safety risk — are no longer automatically treated as high-risk.

And new prohibitions

Running counter to the simplification, the deal adds new prohibitions: AI generation of non-consensual intimate imagery ("nudifiers") and of child sexual abuse material becomes explicitly banned.

What your SME should do now

1. Don't drop your guard on literacy

The delay is easy to read as "so nothing needs doing after all". Wrong. The obligation most likely to apply to an SME — the Article 4 AI literacy duty — is already in force and was left untouched. If your team uses AI, the obligation exists today.

2. Use the extra time to map, not to postpone

The first compliance step is still knowing which AI tools the company uses and at what risk. The delay gives more time to do it well — not to ignore it.

3. Treat 2027 as an advantage, not slack

The cost of implementing AI properly doesn't disappear with the delay. Companies that use this time to prepare processes and people reach 2027 ahead of those who leave everything to the last minute — and, along the way, find automation opportunities that pay for the effort.

In short: the high-risk deadline got breathing room until December 2027. AI literacy, prohibited practices and general-purpose model rules remain in force. For the vast majority of SMEs, today's practical obligation hasn't changed.

Want to know what applies to your case?

D'One helps you map AI usage across your company, assess the real risk and prepare your team for the EU AI Act — no scaremongering, no generic slides.

Get in touch