EU AI Act Omnibus extends high-risk deadlines to 2027, widens SME relief

TL;DR:

• The EU’s AI Act Omnibus political agreement of 7 May 2026 extends compliance deadlines for stand-alone high-risk AI systems (HRAIS) to 2 December 2027, with regulated-product safety components now running to 2 August 2028.
• The agreement preserves the AI Act’s risk-based architecture but introduces a new prohibition on “nudifier” applications generating intimate content or CSAM, with fines up to €35 million or 7% of worldwide turnover.
• SME compliance simplifications now extend to companies with up to 750 employees and €150 million revenue — a meaningful UK relevance point given how many UK mid-cap firms operate in the EU.

The Omnibus is the most substantive amendment package to the AI Act since it entered force. The headline change is the deadline extension for HRAIS — driven by the Commission’s failure to publish harmonised standards in time — but the package also clarifies scope, removes certain industrial applications, and streamlines the bias-detection process. Companies offering or using AI systems in the EU should expect formal adoption by July 2026 ahead of the original August 2026 HRAIS effective date.

What changes operationally

The HRAIS extension to December 2027 gives stand-alone-system operators an additional year to finalise risk classifications, build governance frameworks and prepare technical documentation. Regulated-product safety components — including medical devices, vehicles and toys — get until August 2028. Critically, AI systems placed on the EU market before these dates are not subject to HRAIS requirements unless they undergo substantial modification. That grandfathering provision is the most material new commercial planning lever.

The transparency obligations under Article 50 still take effect 2 August 2026: chatbot disclosure, emotion recognition and deepfake labelling. A new grandfathering rule defers watermarking requirements for generative AI systems already in service until 2 December 2026. Fines for transparency breaches are up to €15 million or 3% of worldwide turnover.

UK angle: mid-cap relief and a sharper EU/UK divergence

The SME simplification extension to mid-caps up to 750 employees and €150 million revenue is the under-noticed UK-relevance point. Many UK businesses operating across the EU sit in that band and have been pricing in the original SME-only relief as not applying to them. The new framework — simplified guidance, reduced fines, sandbox access, standardised templates — meaningfully reduces their compliance load.

The wider story is regulatory divergence. The King’s Speech this week set out a Regulating for Growth Bill that takes the UK in a structurally different direction: sectoral regulators rather than a prescriptive horizontal framework. UK firms with EU exposure now face two distinct AI compliance regimes converging on similar outcomes through different machinery. Latham & Watkins flag GDPR enforcement — already active in AI contexts — as the binding constraint companies should not let the deadline extensions distract from.

Looking forward

Formal Council and Parliament adoption is expected by July. Companies should not pause governance work: harmonised standards may not be published until close to the new deadlines, and AI Act readiness is increasingly cited as a competitive credential in the European market. UK CIOs — 62% of whom told Logicalis this week they are not fully prepared for the AI Act — have a slightly longer runway but no excuse to slow down.