European companies building AI tools for hiring, healthcare, and education gained a 16-month extension on their most demanding compliance obligations on May 7, 2026, when EU legislators agreed to the first formal amendments to the EU AI Act since it was adopted in June 2024. But the relief is split: a new prohibition on AI-generated non-consensual intimate imagery — a direct response to the Grok scandal that produced an estimated 3 million sexualized images in eleven days — takes effect December 2, 2026, with the same hard deadline applying to watermarking rules for generative AI systems. Companies that were counting on a longer runway on both fronts will not get one.

The provisional agreement, reached at 4:30 a.m. on May 7 by negotiators from the European Parliament, the Council of the EU, and the European Commission, is known formally as the Digital Omnibus on AI. A detailed compliance analysis published today by Covington & Burling's Data Privacy and Cyber Security Practice unpacks the practical stakes for every technology company operating in Europe.

High-Risk AI Deadline Pushed to December 2027 — but Standards Were Never Ready

The most consequential change is a staggered deferral of obligations for high-risk AI systems. Obligations for Annex III systems — those covering employment, education, and access to public and private services, such as résumé-screening tools, student assessment platforms, and health-insurance underwriting algorithms — are postponed from August 2, 2026 to December 2, 2027, a deferral of 16 months. AI systems embedded in regulated products under Annex I, covering items such as medical devices, radio equipment, and elevators, receive a 12-month extension, pushing their deadline from August 2027 to August 2028.

The extension exists because regulators were not ready either. The CEN-CENELEC Joint Technical Committee 21, which is responsible for developing the harmonized European standards that serve as the practical backbone for AI Act compliance, missed its own August 2025 target for completing those standards. In October 2025, CEN-CENELEC adopted exceptional accelerated procedures — including skipping the normal Formal Vote stage for standards that pass public inquiry — in an attempt to have key drafts available by the end of 2026. Without those standards, companies building high-risk AI systems have no clear technical benchmark to demonstrate conformity against.

MEP Michael McNamara, one of the co-rapporteurs on the AI Omnibus in the European Parliament, acknowledged the logic of the restructuring but warned that routing AI governance through sector-specific legislation — a major structural change made for machinery and proposed for medical devices — could end up being "deregulatory rather than simplifying." More than 40 civil society organizations raised the same concern during negotiations, according to analysis by Laura Caroli at Tech Policy Press.

Watermarking Arrives December 2026 — No Long Runway for Foundation Models

Companies hoping for a longer grace period on synthetic content disclosure will not get one. For generative AI systems already on the EU market before August 2, 2026, the obligation under Article 50(2) of the AI Act — requiring that outputs be marked in a machine-readable format and detectable as artificially generated — is deferred only four months, to December 2, 2026. Systems entering the EU market on or after August 2, 2026 must comply from the date they are placed into service.

That asymmetry is significant for foundation model providers including OpenAI, Anthropic, Google, and Meta, all of which serve EU consumers. They cannot rely on the 16-month reprieve granted to high-risk enterprise AI. The watermarking gap closes in seven months from today.

Nudifier Apps Face EU-Wide Ban After Grok Generated Millions of Sexual Images

The most politically charged addition to the Omnibus is a new category of prohibited AI practices. The provisional agreement amends Article 5 of the AI Act to ban the placing on the market, putting into service, or use of AI systems that generate or manipulate realistic depictions of an identifiable person's intimate parts or of an identifiable person engaged in sexually explicit activities, without that person's freely given, specific, informed, unambiguous, and explicit consent. A parallel prohibition covers AI systems that generate or manipulate child sexual abuse material. Both prohibitions take effect December 2, 2026.

The provision was not in the European Commission's original Omnibus proposal. It was added during negotiations by a coalition of lawmakers responding directly to the Grok scandal of late 2025 and early 2026. Between December 29, 2025 and January 8, 2026, Grok — the AI chatbot operated by xAI and integrated into Elon Musk's X platform — generated an estimated 3 million sexualized images, including approximately 23,000 appearing to depict children, according to research by the Center for Countering Digital Hate. The incident triggered formal investigations by Ireland's Data Protection Commission, the European Commission under the Digital Services Act, and national authorities in France, Germany, and the United Kingdom. In March 2026, an Amsterdam District Court ordered xAI to stop generating non-consensual intimate imagery of people residing in the Netherlands, imposing a penalty of €100,000 per day for non-compliance — Europe's first binding injunction against an AI image generator, as reported by Tech Policy Press. American civil suits followed, including claims filed by three Tennessee teenagers and the city of Baltimore.

The final ban language places a clear burden on model providers, not just users. For providers, the prohibition applies where generating such content is the system's intended purpose, or where such output is a reasonably foreseeable and reproducible outcome and the provider has not implemented reasonable and adequate technical safety measures to reliably prevent it. For deployers, the prohibition is narrower: it applies only where they actively use a system to generate prohibited material, including by circumventing the provider's safeguards. Accidental generation is expressly excluded.

The AI Office Takes Over Enforcement for Platform Giants

The Omnibus also reorganizes which regulator supervises whom. The EU AI Office now has exclusive supervisory and enforcement authority over two categories: first, AI systems built on general-purpose AI models where the model and system are developed by the same provider or within the same company — covering integrated stacks like those operated by OpenAI, Google, and Meta; and second, AI systems that constitute or are integrated into very large online platforms or very large online search engines as defined under the Digital Services Act.

For the second category, the Digital Services Act's existing risk assessment, mitigation, and audit obligations serve as the initial compliance checkpoint. The AI Office is then empowered to investigate and enforce AI Act violations after the fact. In practical terms, if a company is already under DSA scrutiny as a major platform, the AI Office is now its primary AI regulator — with authority to issue binding commitments, conduct on-site inspections, and impose substantial fines.

Supply Chain Obligations Sharpened — With Fines That Now Match

The amendments also tighten obligations across the AI value chain. Under revised Article 25, an initial provider whose AI system is substantially modified or repurposed by a downstream actor must now provide technical documentation sufficient for compliance assessment, disclose known limitations and failure modes, and offer targeted technical access to the system for testing and validation.

The financial stakes for failing to share that information were elevated significantly. Breaches of these information-sharing obligations now fall in the same fine band as breaches of core high-risk AI provider obligations: up to 3% of worldwide annual turnover or €15 million, whichever is higher. At the top end, violations of prohibited practices provisions — including the new nudifier ban — can reach €35 million or 7% of global turnover.

What Did Not Change

The Digital Omnibus does not alter the AI Act's core architecture. Prohibited practices that have been in force since February 2, 2025 — including social scoring, subliminal manipulation, and real-time biometric remote identification in public spaces — remain in effect and enforceable. The obligation to register high-risk AI systems in the EU database is preserved. AI literacy requirements survive, though the standard was softened: providers and deployers are now required to "take measures to support the development of" AI literacy among staff, rather than to "ensure" it — a shift from a strict obligation of result to one of means.

What Comes Next

The provisional agreement must be formally adopted by the European Parliament and the Council — a step expected to conclude by late June, with publication in the Official Journal of the European Union anticipated in July 2026. Once published, the amendments enter into force three days later and are directly applicable across all EU member states without further national implementation. The formal adoption must precede August 2, 2026 — the date on which the original high-risk AI obligations would otherwise take effect.

The 11-week window that remains is shorter than it looks. Companies that suspended compliance preparations in anticipation of the Omnibus are advised against treating the new December 2027 deadline as the starting gun. The Covington analysis warns that harmonized standards and guidance needed for practical implementation may not be published until close to the new deadlines, leaving limited time to adapt once they arrive.