On 7 May 2026, the Council presidency and European Parliament negotiators reached a provisional political agreement on “Omnibus VII” — the EU’s regulatory-simplification package that amends the AI Act (Regulation (EU) 2024/1689). The headline: high-risk AI rules slip 16 months. Stand-alone high-risk systems now apply from 2 December 2027 (was 2 August 2026); high-risk AI embedded in regulated products applies from 2 August 2028. The deferral is conditional on the European Commission confirming harmonised standards and conformity-assessment tools are available. Most teams read the headline on Friday morning and exhaled. They missed three less-reported clauses that move the work the other direction: the grace period for transparency labelling of AI-generated content shrinks from 6 months to 3, with a hard new deadline of 2 December 2026; SME exemptions extend to small mid-cap companies (SMCs), rewiring vendor diligence overnight; and a new outright prohibition on AI-generated non-consensual sexual or intimate content and CSAM lands with no transitional period at all. Regulators delayed the parts industry lobbied hardest against. They accelerated the parts civil society lobbied hardest for. That is the standard shape of late-stage regulatory negotiation. Read the headline only and you will misallocate compliance budget. The right CTO response is the opposite of what the headline suggests: take the breathing room on high-risk to do the work properly, and pull forward the transparency labelling and prohibition compliance into this year’s roadmap.
The Omnibus VII deal is the EU AI Act’s first material rewrite since the Regulation passed in 2024. It moved through Council presidency and Parliament negotiators in a single political agreement on 7 May 2026, as part of the broader EU regulatory-simplification agenda. Two threads run through the package, and they pull in opposite directions. The first thread is delay: stand-alone high-risk AI systems — biometrics, law enforcement, border control, critical infrastructure, employment screening, and the other Annex III categories — have their application deadline moved from 2 August 2026 to 2 December 2027, conditional on the Commission confirming the required harmonised standards and conformity-assessment tools. High-risk AI embedded in regulated products slips a further eight months to 2 August 2028. The deadline for member states to establish AI regulatory sandboxes slips to 2 August 2027. That is the part the headline got right. The second thread is acceleration and tightening, and it is the part most teams read past. The grace period for transparency obligations on AI-generated content shrinks from six months to three, with a hard deadline of 2 December 2026 for providers placing systems on the EU market. SME exemptions extend to small mid-cap companies (SMCs), which redefines which vendors can claim reduced obligations and rewires every procurement playbook that scored vendors on an SME/large-enterprise binary. And a new outright prohibition on AI-generated non-consensual sexual or intimate content and CSAM lands with no transitional period — from the date of formal adoption, this is non-negotiable. The provisional agreement must still be endorsed by Council and Parliament before adoption, which is procedurally typical and not the part to plan against. The part to plan against is the asymmetry: the rules industry lobbied hardest against got the relief; the rules civil society lobbied hardest for got the acceleration. The next paragraphs are the three traps inside the headline, the three workstreams every EU-touching team should accelerate this quarter, and the procurement and vendor-diligence reset that follows from the SME-to-SMC change.
Article 50 of the AI Act — the one most operators have not yet read in detail — sets the disclosure obligations for AI-generated content. Chatbots have to surface that they are AI to the user. AI-generated text published in the public interest has to be labelled. Synthetic image, audio, and video have to be marked as artificial in a machine-readable way. Deepfakes have to be disclosed as such. The original deadline included a six-month grace period after the Act’s application date. Omnibus VII shortened the grace period to three months and anchored it to a hard 2 December 2026 deadline. For any provider placing a generative system on the EU market, that is a calendar date inside this year’s roadmap, not next year’s.
The operational implication is concrete and most teams are not ready. Disclosure UX is not yet a default in consumer-facing generative-AI products: the “you are talking to an AI” banner is implied rather than persistent, the “this image was generated” watermark is absent or trivial to crop, and the machine-readable provenance metadata (C2PA, IPTC AI labels, equivalent) is not embedded by the model vendor by default. The provider on the EU market — not the model vendor — is the entity that carries the disclosure obligation. Your team owns the UX and the metadata pipeline, even if you did not train the model.
The work to close the gap is unglamorous and largely product-side: write the disclosure language into the user-facing surface, embed the provenance metadata into every generated asset (the C2PA toolchain is the most mature option in 2026), publish a public-facing AI-transparency statement that names the model, the use, and the controls. Six months is enough to do this properly if the work starts now. Three months is enough if the work starts in September; less if it starts in November.
EU policy has long distinguished between SMEs (companies under approximately 250 employees and either €50M turnover or €43M balance-sheet total) and large enterprises. Omnibus VII introduces an intermediate category — small mid-cap companies (SMCs) — into the AI Act’s exemption framework, broadening the population that can claim reduced obligations. The SMC band typically covers companies in the 250–1,500-employee range, with corresponding revenue thresholds.
The practical consequence runs through procurement. Most enterprise vendor-diligence playbooks score AI vendors against an SME-or-large binary. Under the SMC change, a vendor in the 250–1,500-employee range can plausibly operate under exemption regimes that were previously reserved for much smaller firms. The vendor’s AI Act compliance posture may be lighter than the buyer had assumed when the diligence template was written. The trust burden shifts to the buyer.
The diligence rewrite is two paragraphs of work but most teams have not done it yet. Update the vendor-diligence questionnaire to ask not whether the vendor is SME or not, but which AI Act obligations the vendor accepts in writing and which it claims exemption from, citing the exemption category. For an SMC operating under reduced obligations, the buyer’s own compliance posture has to absorb the gap — logging, risk assessment, and conformity work that the vendor would have done in the absence of the exemption is now the buyer’s responsibility, contractually. Price it in or push back at procurement time, not at audit time.
Omnibus VII adds an outright prohibition on AI-generated non-consensual sexual or intimate content and on child sexual abuse material. There is no transitional period and no exemption category. From the date of formal adoption, any platform that ships generative image or video features to EU users without category-level safety classifiers in front of model output is operating outside the law.
This is not a 2027 problem. It is a “before your next release” problem. The technical work is well-understood — CLIP-based safety classifiers, NSFW filters at the generation step, output post-processing — but the implementation, the procurement of the classifier vendor where you don’t build in-house, and the auditing of false-negative rates are the parts that take real engineering time. Most platforms with user-generated AI image or video features have some classifier in front of output today. Few can produce, in writing, the false-negative rate, the audit cadence, and the incident response procedure for the prohibition categories. The regulator will ask for those artefacts.
Build the artefact before the regulator asks. Document the classifier vendor or model, the recall and precision against the prohibition categories on a labelled evaluation set, the threshold settings in production, the cadence of re-evaluation, and the incident-response runbook if a false negative is reported. One page. Keep it current. The cost of not having it is not the fine; it is the inability to defend a posture under scrutiny, which lengthens every conversation with a regulator or a buyer’s legal team.
The Omnibus deal restructures the order of work, not the amount of it. The total compliance burden has not shrunk; it has shifted — some forward, some back. The teams that internalise the shift and re-sequence the roadmap will be ahead of the deadlines that actually bite. Three workstreams to pull into the current quarter.
Workstream 1 — Transparency labelling, end-to-end. Audit every user-facing surface where AI output reaches an EU user. Write the disclosure language into every chatbot, every assistant, every generative tool. Embed C2PA (or equivalent) provenance metadata into every generated image, audio, and video asset. Publish the public-facing AI-transparency statement. Treat 2 December 2026 as the production deadline; treat 1 November 2026 as the soft-launch deadline; treat the next two months as the design and build window. The first audit will surface more disclosure surfaces than the team expected. Surveying the surfaces is the work; the disclosure itself is the easy part.
Workstream 2 — Prohibition compliance and classifier audit. For every generative product that touches EU users, document the safety classifier in front of output, its recall and precision on the prohibition categories against a labelled evaluation set, and the runbook for false-negative incidents. If the classifier is third-party, negotiate the SLA on update cadence and audit access. If it is in-house, name the owner and the re-evaluation schedule. The document is one page; the underlying work is several sprints if the classifier posture is currently informal.
Workstream 3 — Procurement diligence rewrite around the SMC change. Update the AI vendor-diligence questionnaire to ask, for each vendor, which AI Act obligations the vendor accepts contractually and which it claims exemption from. For SMC vendors operating under reduced obligations, document the compensating controls on the buyer side — logging, risk assessment, conformity, depending on the use case — and price the work into the engagement. The diligence template change is fifteen minutes. Operationalising it through the procurement workflow is the rest of the quarter.
The 16-month deferral on stand-alone high-risk systems and the 24-month deferral on embedded high-risk is genuinely useful. It is the breathing room the harmonised-standards process needs to catch up. The European Commission has been racing CEN/CENELEC and the AI Office to publish the harmonised technical standards that operationalise the high-risk obligations; the delay is conditioned on those standards being in place. Without the deferral, the high-risk obligations would have applied against standards that did not yet exist — an impossible compliance position.
The trap inside the breathing room is the temptation to pause the high-risk workstream entirely. Most of the work that high-risk classification requires is durable engineering discipline that pays for itself before the deadline arrives: a written risk-management system, a data-governance regime, technical documentation in the form Annex IV anticipates, post-market monitoring, human-oversight architecture, accuracy/robustness/cybersecurity testing artefacts, conformity-assessment readiness. None of this work is wasted if the deadline moves. All of it is harder to do in a hurry if the deadline does land in December 2027 as planned.
The mature read is to use the breathing room to ship the high-risk compliance work as a thirty-month programme rather than a twelve-month sprint, with a written internal milestone every quarter. The teams that do that arrive at December 2027 with the conformity-assessment artefacts in working order. The teams that pause arrive at June 2027 with eighteen months of compressed work and a board that has forgotten the deadline ever existed.
Don’t pause your governance workstream because Brussels paused theirs. The delay is on the high-risk classification rules, not on the underlying discipline. The discipline is durable. The deadline that arrives first is closer, not further.
Don’t internalise the wrong headline. “EU delays high-risk AI rules to 2027” is the read on Friday. The read on Monday should be “transparency labelling deadline pulled to 2 December 2026, prohibition lands with no grace period, vendor diligence has to be rewritten this quarter.” The Monday read is the one that drives the roadmap.
Don’t treat the SMC change as a vendor problem. Under reduced obligations on the vendor, the compensating controls land with the buyer. Pricing it in at procurement time is cheap; absorbing it at audit time is expensive.
Don’t treat the prohibition as a content-moderation problem. The prohibition has no exemption category and no grace period. The classifier posture must be documented, audited, and updated on a written cadence. The regulator will treat absence of documentation as evidence of an inadequate control, regardless of how good the classifier itself is.
The transparency-labelling workstream is in build, with the disclosure language live on every user-facing surface and C2PA provenance metadata embedded in every generated asset by 1 November 2026 at the latest. The public-facing AI-transparency statement is published. The classifier posture for the prohibition categories is documented — vendor or model, recall and precision against a labelled evaluation set, threshold, re-evaluation cadence, incident runbook — on one page that the legal team and the engineering team have both signed off. The vendor-diligence questionnaire has been rewritten around the SMC change; every active AI vendor has been scored against the new questionnaire and the compensating controls for SMC vendors are documented in writing. The high-risk workstream is running as a thirty-month programme with quarterly milestones, not as a paused project. The CTO can answer, in writing, “what does our team need to ship by 2 December 2026 to satisfy the EU AI Act,” in two paragraphs. Most CTOs cannot today. The ones who can are the ones who will not be writing emergency briefings to their boards in October about deadlines that landed faster than the headline suggested.
Omnibus VII is the cleanest example I have seen this year of a regulatory deal where the headline and the obligation move in opposite directions. The lesson is structural: when a regulator simplifies, read past the simplification to find the part that was tightened in exchange. The transparency-labelling deadline of 2 December 2026 is the deadline that bites first; the prohibition with no grace period is the obligation that bites the second the deal is adopted; the SMC change is the procurement rewrite that the buyer absorbs even though the vendor benefits. The high-risk breathing room is real, but it is breathing room to do the work properly — not breathing room to put the workstream into a drawer. The CTOs who treat the May headline as a pause will discover, in October, that the December deadline has been quietly closing for five months. The CTOs who treat the May headline as a re-sequence will arrive in December with the disclosure live, the prohibition controls documented, the vendor diligence updated, and the high-risk programme on track. The deadline that arrives first is the deadline that decides the year.
Indica Tech’s two-week EU AI Act readiness audit produces the surface inventory for every disclosure obligation, drafts the C2PA provenance pipeline against your generative stack, documents the prohibition-category classifier posture in the form a regulator expects, rewrites the vendor-diligence questionnaire around the SMC change, and gives you a 90-day roadmap aligned to the December 2026 transparency deadline and the longer-arc high-risk programme. Fixed price £3,500. Written report. Whether you hire us for the remediation or not.
See the audit engagement →