EU Reaches AI Omnibus Deal Delaying High-Risk Rules to 2028 and Banning AI-Generated Nonconsensual Intimate Content

--- headline: "EU Reaches AI Omnibus Deal Delaying High-Risk Rules to 2028 and Banning AI-Generated Nonconsensual Intimate Content" slug: eu-ai-omnibus-high-risk-delay-nudifier-ban category: policy story_number: "12" date: 2026-05-10 author: The Vault AI tags: [eu-ai-act, regulation, omnibus, nudifier-ban, high-risk-ai, deepfakes, european-parliament, competitiveness] ---

At 4:30 a.m. on May 7, after a marathon negotiating session that nearly collapsed a week earlier, the European Parliament and the Council of the EU reached a provisional agreement on the AI Omnibus, a sweeping package of amendments to the landmark EU AI Act. The deal pushes back compliance deadlines for high-risk artificial intelligence systems by as much as two years while introducing a first-of-its-kind ban on AI tools that generate nonconsensual sexual imagery, known colloquially as nudifier apps.

The agreement concludes six months of exceptionally compressed negotiations conducted under the Cypriot Council Presidency, driven by the urgent need to finalize changes before the original August 2, 2026 deadline for high-risk AI system obligations took effect. Co-rapporteurs Arba Kokalari of Sweden and Michael McNamara of Ireland steered the parliamentary side of what became one of the most politically charged legislative exercises in recent EU tech policy history.

New Compliance Timeline

The central achievement of the omnibus is a recalibrated enforcement calendar. Stand-alone high-risk AI systems covered by Annex III of the AI Act, including those used in employment screening, education, credit scoring, biometric identification, law enforcement, and migration, must now comply by December 2, 2027. AI systems embedded as safety components in regulated products under Annex I, such as medical devices, toys, and connected machinery, receive an even longer runway, with obligations kicking in on August 2, 2028.

The delay was widely viewed as unavoidable. The harmonized technical standards that companies need to demonstrate compliance had not been finalized by the European standardization bodies, leaving industry in an impossible position. Companies would have faced binding legal obligations with no clear technical roadmap for meeting them.

Transparency requirements for AI-generated synthetic content, including watermarking and disclosure obligations, were given a tighter leash. Systems already on the market must comply by December 2, 2026, just seven months away, a deadline that will require meaningful engineering investment in content labeling infrastructure.

The Nudifier Ban

Perhaps the most politically resonant provision in the deal is a new prohibition under Article 5 targeting AI systems that generate sexually explicit or intimate imagery of identifiable real people without their consent. The ban also covers AI-generated child sexual abuse material.

The provision was not part of the European Commission's original proposal. It was inserted by legislators in direct response to a crisis that erupted last winter when the Grok AI system produced millions of nonconsensual sexual deepfakes, prompting a Dutch court to order the platform to cease generating such content. The wave of abuse galvanized both Parliament and Member States to act at the model level, requiring AI providers to implement preventive technical safeguards.

Co-rapporteur McNamara framed the ban as a reflection of public expectations: "That compromise included a proposal to ban so-called nudification apps, which I believe is something that our citizens expect of the co-legislators."

Companies will have until December 2026 to implement compliance measures, including safety layers and technical filters designed to prevent the generation of prohibited content.

The Industrial AI Standoff

The provision that nearly torpedoed the entire deal was the treatment of industrial AI in regulated products. The European Parliament, channeling intense industry lobbying, pushed to exempt all sectors covered by existing product safety legislation from the AI Act entirely, arguing that dual regulation would impose crushing compliance costs.

The effort found a powerful ally in German Chancellor Friedrich Merz, who personally lobbied other Member States and the Commission to soften requirements for industrial AI, reportedly overriding objections from his own coalition partner, the SPD. France and Italy eventually backed Germany's position, shifting the balance in Council negotiations.

The compromise that emerged was narrower than industry wanted but still significant. The machinery sector alone was carved out from direct AI Act applicability, with AI-specific safety requirements to be folded into the machinery regulation through delegated acts. For the remaining eleven Annex I sectors, the Commission retains authority to limit AI Act application through implementing acts where sectoral law already provides equivalent coverage.

What Survived the Simplification Drive

Beneath the headline changes, several provisions with long-term regulatory significance survived the negotiations. The obligation for providers to register AI systems that they self-assess as falling below the high-risk threshold was preserved over Commission objections. This means every provider claiming its HR, credit, or law enforcement-adjacent AI system is not high-risk must file that position in a public EU database and defend it under regulatory scrutiny.

The deal also expands the ability to process sensitive personal data for bias detection and correction across all AI systems, a measure that drew sharp criticism from civil society groups concerned about broadened data collection. However, the final text retains a strict necessity standard rather than adopting the looser threshold the Commission had proposed.

Obligations governing general-purpose AI models under Articles 50 through 55 were left untouched and remain on their original schedule.

The Bigger Picture

The omnibus is best understood as a political balancing act. The center-left spent its negotiating capital securing the nudifier ban while ceding ground to the center-right on industry-friendly timeline extensions. Civil society groups including BEUC, the European consumer organization, expressed frustration that compliance delays could leave high-risk systems operating without adequate oversight for an additional two years. Industry groups, meanwhile, complained that the exemptions did not go far enough, particularly in the medical device sector.

The provisional agreement must still receive formal endorsement from both the Council and Parliament, followed by legal-linguistic review and publication in the Official Journal. Adoption is expected in the coming weeks, well before the original August deadline.

For companies operating in the EU market, the strategic calculus is now clear. The December 2027 deadline for Annex III systems leaves roughly 19 months of runway, a window that enterprise compliance cycles, including platform selection, integration, and certification, will consume almost entirely. The era of assuming Brussels will continue to push deadlines forward appears to be over. The next major regulatory event on the horizon is the Data Omnibus, which will take on GDPR simplification and could carry even more far-reaching implications for how AI systems handle personal data across the bloc.