← Back to Blog
Policy Updates
4 min read25 April 2026

The EU AI Omnibus Deal Is Almost Done — and It Probably Saves You 16 Months

With a political trilogue scheduled for April 28, both the Council and Parliament have independently settled on the same new high-risk deadlines: December 2, 2027 for standalone Annex III AI systems and August 2, 2028 for AI embedded in regulated products. The original August 2, 2026 deadline is very likely to move. Here is what that means for your compliance planning.

Why April 28 Is the Most Important Date in Your Compliance Calendar

The European Union is 98 days away from the date that has been on every AI compliance professional's calendar for two years: August 2, 2026. That is when the EU AI Act's high-risk system obligations were supposed to kick in. And according to multiple sources tracking the ongoing Digital Omnibus trilogue negotiations, that date is very likely about to change.[2]

A political trilogue is scheduled for April 28 — just three days from now. Both the Council of the European Union and the European Parliament have independently converged on the same fixed postponement dates, which makes a deal at that meeting increasingly likely.[1] If the timeline holds, the AI Omnibus could be formally published in the Official Journal in July 2026 — landing just before the original deadline.[1]

What the New Deadlines Look Like

Both institutions have rejected the European Commission's conditional mechanism — a flexible timeline that would have shifted based on how implementation was progressing — and replaced it with hard dates:[1]

  • December 2, 2027 — for stand-alone high-risk AI systems classified under Annex III of the EU AI Act. That is approximately 16 months after the original August 2, 2026 date.
  • August 2, 2028 — for AI systems embedded in regulated products under Annex I (machinery, medical devices, toys, radio equipment, and similar categories). That is two years after the original deadline.

The Council and Parliament arrived at these dates independently, which is significant. When both institutions land on the same negotiating position before trilogue even begins, it is a strong signal that those positions will survive into the final text.[3]

What This Means for SME Compliance Planning

Before you do anything else: do not cancel your compliance work. The AI Omnibus is not law yet. It is still in trilogue, and anything can change before formal adoption. The safest course of action is to continue preparing against the August 2, 2026 deadline — especially since many of the obligations that apply before the high-risk system deadline are already in force.[1]

But if you have been putting off certain high-risk compliance investments because the deadline felt too tight — and if the April 28 trilogue produces the expected deal — you will have more time than you thought. Here is what that looks like in practice:

  • Conformity assessments for stand-alone Annex III high-risk AI systems now have until December 2, 2027, instead of August 2, 2026. That is a material difference for companies that have not yet engaged a notified body or begun the technical documentation process.
  • AI embedded in products (Annex I categories) gets the longer extension — until August 2, 2028. This reflects the reality that conformity assessments for AI-enabled products are more complex, involving both the AI Act and existing sectoral legislation.
  • Prohibited AI systems (Article 5) and GPAI obligations are not changing. The prohibitions on subliminal manipulation, emotion inference in workplaces, and social scoring remain in force. GPAI provider obligations under Chapter V are already active.
  • The August 2, 2026 date still matters for other obligations. Article 72 post-market monitoring obligations already apply as of April 2026.[4] Transparency obligations, human oversight requirements, and the general obligations for high-risk systems under Chapter III are already in force.

The GDPR Changes Are Also on the Table

The AI Omnibus is not only about the AI Act. It includes a parallel data track that affects GDPR compliance — and some of those changes could be just as significant for SMEs.[3]

The most notable is a proposed shift in how personal data is defined. The Omnibus would introduce a so-called "relative approach" to personal data — meaning a dataset could be considered personal for one controller but not another, depending on the means reasonably available to each.[3] The goal is to unblock data-sharing deadlocks under the Data Act. The practical effect: businesses would need documented deidentification narratives rather than simple assertions that data is anonymous. If you have been assuming your anonymisation is sufficient for GDPR purposes, this change may require you to document your reasoning more rigorously.

The Omnibus also proposes a single EU-wide DPIA template replacing the current 27 national versions. The EDPB is already consulting on this template — with a deadline of June 9, 2026[3] — which means the template is far along in development. When it lands, it will be the authoritative reference for both GDPR and AI Act DPIA requirements.

New Bans on "Nudifier" AI Are Likely to Survive

Both the Council and Parliament have independently introduced new Article 5 prohibitions targeting AI systems capable of generating, manipulating, or reproducing non-consensual intimate images (NCII) and child sexual abuse material (CSAM).[1] The prohibition applies where the tool is specifically designed for that purpose or where the misuse is reasonably foreseeable given the system's capabilities and insufficient guardrails.

This is not a SME-focused provision — the companies building generative AI tools that could fall into this category are primarily large model providers. But if you are building or deploying any generative AI tool that handles image generation, the scope of these prohibitions is worth understanding before you ship anything in the EU.

Proportionality Measures for SMEs Are Also Part of the Deal

All three EU institutions have aligned on extending proportionality measures specifically for small and micro companies:[1]

  • Simplified technical documentation — high-risk system documentation requirements scaled to the actual risk profile and size of the deployment
  • Proportional quality management systems — full QMS requirements replaced with simplified alternatives appropriate for smaller operators
  • Reduced penalty structures — fines for non-compliance calibrated to company size and turnover, not just the flat AI Act maximums

These are meaningful concessions for SMEs. The original AI Act's penalty framework — up to €30 million or 6% of global turnover — is designed for large technology companies. The Omnibus proportionality measures acknowledge that a €30 million fine would be disproportionate for a 50-person company using a single high-risk AI system. The specific implementation details of how these reduced penalties are calculated will matter once the final text is published.

What to Do Right Now

Based on where the trilogue stands today, here is a practical course of action:

  • Continue your August 2, 2026 compliance preparations — do not stop. The Omnibus is not law yet, and stopping work based on a likely deal is premature. The prohibitions and GPAI obligations are already active regardless.
  • Watch for the April 28 trilogue outcome — if a political agreement is announced, that is the signal to begin adjusting your implementation timeline for the confirmed new deadlines. We will publish an analysis as soon as the outcome is public.
  • If you are an SME, look closely at the proportionality measures — the simplified documentation, scaled QMS, and reduced penalty structures are the parts of the Omnibus most directly relevant to small businesses. Understanding exactly how they apply to your situation will be important once the text is final.
  • Start reviewing your deidentification practices — if the "relative approach" to personal data makes it into the final text, your GDPR anonymisation documentation will need to be more rigorous. Begin building the documented rationale for your deidentification claims now, even if the change is not yet in force.
  • Monitor the EDPB DPIA template consultation — closing June 9, 2026. When the template drops, it will be the authoritative reference for both GDPR and AI Act data protection impact assessments. Being ahead of that release means you can adopt it immediately rather than rebuilding your DPIA from scratch.

The Bottom Line

The AI Omnibus is close. Both the Council and Parliament have independently settled on the same new timelines, the April 28 political trilogue is three days away, and the institutional momentum is clearly behind a deal before the summer.[1][2]

If you are an SME that has been struggling to get ready for August 2, 2026 — and especially if you have been making difficult investment decisions about conformity assessments, legal counsel, and technical documentation — the likely outcome is good news: you will have more time. Not indefinitely, but materially more time.

Use it. The 16-month extension for Annex III stand-alone high-risk systems is not an excuse to slow down — it is an opportunity to do the work more carefully, more correctly, and with less last-minute pressure. The companies that use the extra time well will be in a stronger position than the ones that treat it as a postponement rather than a grace period.

We will have a full analysis of the final trilogue outcome — whichever direction it goes — as soon as the April 28 meeting concludes.

This article is for informational purposes only and does not constitute legal advice.

Sources

  1. [1]A&O Shearman — EU AI Omnibus: Key Issues as Trilogue Negotiations Begin (April 25, 2026)
  2. [2]Ropes & Gray — AI Omnibus trilogue: what to expect as negotiations progress (April 25, 2026)
  3. [3]iubenda — AI Omnibus trilogue: what's on the table (April 22, 2026)
  4. [4]asanify — AI News Digest, April 23 (April 23, 2026)

Know your EU AI Act risk level in 10 minutes

Our free audit classifies every AI system you use and tells you exactly what to do before August 2, 2026.

Start Free Audit →
← Back to all articles