On May 7, 2026, in a provisional agreement reached at 4:30 a.m., the European Union formally amended the compliance timeline for its landmark AI Act. Known as the Digital Omnibus on AI, the agreement sends a dual message to the market: while developers of high-risk systems have been given some breathing room, providers and deployers of generative AI models face stricter and more immediate compliance pressures. This dichotomy fundamentally reshapes corporate AI strategies and risk management plans.
A Breather for High-Risk Systems: Gained Time or Prolonged Uncertainty?
The most significant change is that European companies building AI tools for hiring, healthcare, and education have gained a 16-month extension on their most demanding compliance obligations. The deadline for so-called high-risk systems listed in Annex III of the AI Act is postponed from August 2, 2026, to December 2, 2027. Similarly, AI systems embedded in regulated products under Annex I receive a 12-month extension, pushing their deadline from August 2027 to August 2028.
Do you have a question about AI security? You can reach us here:
The reason for the deferral is practical: the CEN-CENELEC Joint Technical Committee 21, responsible for developing harmonized European standards, missed its own August 2025 target. Although exceptional accelerated procedures were adopted in October 2025, the delay in standards created market uncertainty.
From an AIQ standpoint, this is a pragmatic but double-edged decision. Companies gain valuable time to prepare, compile documentation, and thoroughly test their systems. However, the prolonged uncertainty due to the lack of standards makes it difficult to plan specific technical and organizational measures. In a corporate context, this means the extra time should not be for relaxation, but for proactive risk analysis, strengthening defenses against OWASP LLM Top 10 vulnerabilities, and developing a flexible compliance strategy. The role of audits and red teaming becomes even more critical, as they help uncover hidden risks that future standards will likely address.
Generative AI: The Grace Period is Over
While high-risk systems received an extension, the EU has clearly opted for swift and strict action in the realm of generative AI. A hard deadline of December 2, 2026, has been introduced for two key areas:
- Watermarking Obligation: Generative AI systems must clearly indicate when content is artificially generated. This rule also applies to systems that were already on the market before August 2, 2026.
- Prohibition on Non-Consensual Intimate Imagery: Amending Article 5 of the AI Act, AI systems that generate or manipulate realistic depictions of a person’s intimate parts or sexually explicit activities without consent are explicitly banned. A parallel prohibition covers the generation of child sexual abuse material.
This regulatory tightening is no accident. It is a direct response to incidents like the Grok scandal, where the model generated an estimated 3 million sexualized images between December 29, 2025, and January 8, 2026. The incident triggered formal investigations by Ireland’s Data Protection Commission and the European Commission under the Digital Services Act, and in March 2026, an Amsterdam court ordered xAI to stop generating such imagery, imposing a penalty of €100,000 per day for non-compliance.
In a corporate context, this means companies using or developing generative AI must act immediately. Compliance is no longer just about model accuracy but about actively preventing malicious use. This directly relates to several points in the OWASP LLM Top 10, particularly LLM04: Model Denial of Service (generating harmful content can lead to service suspension) and LLM09: Overreliance (relying on a model without proper safeguards). Audits must now extend to the effectiveness of content filtering mechanisms, prompt moderation, and logging systems.
A New Dimension of Supply Chain Liability and Harsh Fines
Another critical element of the amendment is the strengthening of the liability chain. Under the revised Article 25, if an AI system from an initial provider is substantially modified or repurposed by a downstream actor, the original provider must now provide technical documentation sufficient for a compliance assessment. A breach of this information-sharing obligation now falls into the highest fine category: up to €15 million or 3% of worldwide annual turnover.
For violations of prohibited practices (such as social scoring or subliminal manipulation, which have been in force since February 2, 2025), the penalty is even more severe: up to €35 million or 7% of global turnover. This definitively elevates AI compliance to a C-level and board-level responsibility.
From an AIQ standpoint, this change brings GDPR principles, especially accountability, into the world of AI. It’s no longer enough for companies to have their own house in order; they must also audit their suppliers and partners. Alongside the ‘security-by-design’ principle, ‘compliance-by-design’ becomes a fundamental requirement, where technical documentation and transparency are integral parts of product development.
In summary, the AI Act amendment sets a clear direction. The market must adapt to a two-speed regulation: developers of high-risk systems have gained time to prepare, but for those deploying generative AI, the countdown has already begun. Proactive audits, red teaming, and robust internal governance are no longer just recommendations but are essential for survival in the new European AI era, an era defined by the threat of crippling fines.