EU AI Act "Breathing Space" Confirmed: High-Risk Deadlines Pushed to End of 2027

The August 2026 Panic Button Just Got Pushed — For Most of You

If you run an SME that uses high-risk AI systems, your calendar just got meaningfully lighter. On May 7, 2026, EU legislators announced a provisional agreement on the so-called "AI Omnibus": a targeted amendment package that postpones the bulk of the AI Act's high-risk obligations from their original August 2, 2026 deadline to December 2, 2027.^[2]

That is 16 extra months. For most SMEs, this is the single most commercially significant development in the AI Act since the regulation entered into force in August 2024.

But before you shelve your compliance work entirely — read the fine print on the two deadlines that are not moving.

What Exactly Got Pushed Back?

The AI Act's high-risk obligations under Annex III — which covers biometrics, AI used in employment and worker management, AI in education, law enforcement, critical infrastructure, and border management — now have a new go-live date of December 2, 2027 instead of August 2, 2026.^[3]

Annex I systems — high-risk AI embedded in products already covered by existing EU sectoral safety legislation, like the Machinery Regulation — get an even longer extension, pushed to August 2, 2028.^[3]

The old conditional trigger mechanism — where the Commission would have decided whether to pull the implementation date based on standards readiness — is gone. The new dates are fixed. Companies can plan to them with more confidence.^[2]

The Two December 2026 Deadlines That Are Not Moving

Here is the part that often gets missed in the relief coverage. The Omnibus agreement preserves two December 2026 deadlines that are already baked in and will not shift:^[3]

1. Watermarking obligation (Article 50(2)): If you are a generative AI provider with systems already on the EU market before August 2, 2026, you must comply with the content-marking requirement — labelling synthetic audio, image, video, and text as machine-readable — by December 2, 2026. This is earlier than the Commission originally proposed (February 2027), reflecting Parliament's push for a tighter timeline.^[2]

2. New Article 5 prohibition on CSAM and NCII: The Omnibus introduces a brand-new absolute prohibition on AI systems that generate child sexual abuse material or non-consensual intimate imagery (the so-called "nudifier" apps). Affected providers and deployers have until December 2, 2026 to bring any systems within scope into compliance.^[3]

This matters practically: if you are a SaaS company that offers any kind of image or video generation capability, you need to audit whether your system could — even in edge cases — produce non-consensual intimate imagery. The prohibition covers systems placed on the market for that purpose, and systems where such outputs are "reasonably foreseeable" without adequate safeguards.

SME Relief Extended to Small Mid-Caps

One welcome addition for scaling companies: the Omnibus extends the AI Act's SME-targeted exemptions to a newly defined category of "small mid-cap enterprises" — companies with up to 750 employees and annual turnover of up to €150 million (or balance sheet total up to €129 million).^[3]

These companies now qualify for simplified technical documentation templates, more proportionate quality-management expectations, priority access to regulatory sandboxes, and more tailored penalty caps.

The national sandbox deadline has also been pushed back — Member States now have until August 2, 2027 to have at least one operational national AI regulatory sandbox. An EU-level sandbox operated by the AI Office is being created in parallel, with priority access for SMEs, start-ups, and small mid-caps.

What Has Not Changed

The risk-based structure of the AI Act remains intact. Prohibited practices under Article 5 — including social scoring, real-time remote biometric identification in public spaces by law enforcement, and the subliminal manipulation techniques — have been banned since February 2, 2025. Those are not moving.

The August 2, 2026 date for general transparency obligations under Article 50 — disclosure when AI interacts with humans, disclosure when AI-generated content is presented — also remains in place.^[3] Only the content-watermarking piece got the December 2026 extension.

The Catch: The Omnibus Is Not Law Yet

Here is the honest caveat: the provisional agreement must still be formally endorsed by the Council and the European Parliament, undergo legal-linguistic revision, and be published in the Official Journal of the European Union before August 2, 2026 for the amendments to take effect on the stated timelines.^[1]

That is a tight window — under three months from the May 7 agreement. Legislative process slippage is always possible. But the political signal is clear, and the practical reality is that businesses should treat December 2, 2027 as the new planning baseline for Annex III high-risk compliance.

What SMEs Should Do Right Now

Do not use the delay as an excuse to do nothing. Use it to work smarter.

First, audit what you actually have running. If you deploy Annex III systems — particularly in HR, education, or safety-critical infrastructure — map them now. The compliance work is not going away; it is just getting a schedule extension.

Second, check your generative AI stack for the December 2026 watermarking deadline. If you are a provider with systems already on the market, this is a hard date, not a soft one.

Third, if you are a small mid-cap that thought SME exemptions did not apply to you — re-read the employment figures. Up to 750 employees and €150M turnover puts a significant number of scaling companies squarely in scope for relief they may not have factored in.

The AI Act is not going away. But for the first time since the regulation passed, the timeline just became genuinely manageable for the SMEs that make up the vast majority of EU businesses using AI.

This article is for informational purposes only and does not constitute legal advice.