The European Council and Parliament reached a provisional agreement on the Digital Omnibus on May 7, the first formal amendments to the EU AI Act since the Act’s adoption in June 2024. The deal extends compliance deadlines for high-risk AI systems and introduces two new Article 5 prohibitions that take effect December 2, 2026. For generative AI product teams serving European users, the deadline extensions create room to breathe on most obligations but a seven-month sprint on one specific class of content.
The extended deadlines are the headline. Stand-alone high-risk AI systems now have until December 2, 2027 to comply with the Act’s high-risk obligations, and product-embedded high-risk systems have until August 2, 2028. National-level regulatory sandboxes are pushed to August 2027. The grace period for AI-generated content transparency labeling drops from six months to three months, which tightens that single timeline rather than relaxing it.
The new prohibitions are not negotiable and not deferred. The Article 5 list now bans the use of AI to generate or manipulate child sexual abuse material and non-consensual intimate imagery. Both prohibitions take effect December 2, 2026, with no transition window for existing products. Detailed analysis from Inside Privacy and White & Case confirms the prohibitions cover both the creation and the distribution of such content through AI systems.
For builders, the operational reading depends on what the product does. Generic productivity AI shipping into Europe gets meaningful runway: the high-risk obligations that everyone assumed would land in 2025 now land in late 2027 or 2028. Any product offering generative image or video capability to European users faces a different timeline. The CSAM and NCII prohibitions require pre-deployment safety architecture, not after-the-fact filtering. Treating them as a content-moderation problem rather than a system-design problem will not satisfy the requirement.
Two compliance details are worth tracking. First, the prohibition language covers “use of AI” to generate the content, which Inside Privacy reads as applying to both the developer of the model and the operator of the product. Liability is distributed across the stack, not concentrated at the model provider. Second, the three-month transparency labeling window for AI-generated content is shorter than industry guidance assumed. Teams currently relying on metadata-only watermarking should evaluate whether their approach satisfies the Article 50 disclosure requirement under the compressed timeline.
The political context matters. The Omnibus deal followed sustained lobbying from European industry associations arguing that the original 2025 and 2026 deadlines were unachievable for product-embedded high-risk systems. The deal’s defenders, including the Council’s official press release, frame the extensions as a simplification rather than a weakening. The two new Article 5 prohibitions were added during the negotiation to maintain political balance: industry got runway on high-risk obligations, and civil-society advocates got hard prohibitions on the most contested generative outputs.
The international comparison sharpens. The US has no equivalent federal regulation in 2026, and the most recent executive actions have prioritized industry deference. China’s generative AI rules are stricter on content provenance but lighter on liability allocation. The EU now sits in the middle: longer runway than Chinese rules in most categories, more enforceable specifics than the US approach, and a content-prohibition layer that is uniquely strict. Companies serving EU users will continue to set their global compliance posture by Brussels, not Washington.
For any product team shipping generative image or video into Europe, the next 90 days should include a compliance review against the December 2 prohibitions, with focus on whether existing filters reliably prevent the prohibited categories before any output reaches a user. Companies relying on prompt-level filtering as the only line of defense will not be compliant on December 2.
Originally published by the Council of the European Union in its May 7, 2026 press release on the Digital Omnibus agreement.