EU AI regulation

EU's Digital Omnibus Defers High-Risk AI Deadline to December 2027 and Adds a Categorical Ban on Nudifier Tools

Parliament voted 423-57 on June 16, extending the high-risk compliance deadline to December 2027 and banning nudifier tools under Article 5.

People of Internet Research Team · 2026-06-26
EU AI Act: Digital Omnibus at a Glance People of Internet Research · EU 423–57 Parliament Vote Margin In favour vs. against on June 16, … 16 months High-Risk Deadline Deferred Annex III standalone systems pushe… Dec 2026 Nudifier Ban Deadline Providers must comply with new Art… 174 MEPs Who Abstained Over a quarter of Parliament decli… peopleofinternet.com

Key Takeaways

Parliament Votes, Deadlines Shift

On June 16, 2026, the European Parliament voted 423 to 57 — with 174 abstentions — to approve the Digital Omnibus on AI, the first formal amendment to the EU AI Act (Regulation 2024/1689) since the law entered into force in August 2024. The margin was decisive, but 174 abstentions representing more than a quarter of Parliament signal residual unease about both the pace and substance of the revision.

The headline change is a 16-month deferral. Standalone high-risk AI systems governed by Annex III of the Act — covering employment decisions, credit scoring, critical infrastructure, and law enforcement tools — now have until December 2, 2027 to comply with full obligations, rather than August 2, 2026. AI systems embedded as safety components in regulated products under Annex I (CE-marked medical devices, industrial machinery) gain further time to August 2, 2028. The Council of the EU is expected to formally adopt the text on June 29, ahead of publication in the Official Journal.

The Strongest Case for Critics

The criticism deserves a fair hearing before being weighed. Civil liberties organisations, most prominently Liberties EU, argue the Omnibus was rushed through a seven-month process without a mandatory impact assessment — an ironic procedural shortcut for a regulation designed to impose procedural rigour on AI providers. More pointedly: the high-risk rules being deferred hadn't even taken effect yet. Amending a regulation before its main provisions are tested isn't adaptive governance; it is preemptive capitulation, and that reading isn't obviously wrong. The 174-vote abstention bloc in Parliament likely shares some of it. Regulators who accept that framing have a legitimate concern: a precedent of pre-emptive delay before implementation even begins weakens the credibility of every subsequent deadline.

Why the Extension Is Nevertheless Defensible

The pragmatic case for delay rests on infrastructure, not ambition. High-risk compliance under the AI Act requires conformity with harmonised technical standards being developed by CEN-CENELEC, the EU's standards bodies. Those standards were not finalised before August 2026. Building compliance pipelines against unfinished standards produces exactly the kind of procedural box-ticking the regulation was designed to prevent: paperwork audits that satisfy the form of the law while doing nothing for its substance.

The EU AI Office, which gained reinforced enforcement powers under the Omnibus, similarly needs this window to operationalise its supervisory capacity. One coherent compliance framework with a realistic timeline beats multiple overlapping half-measures rushed to deadline. The GDPR is instructive: enforcement improved substantially as data protection authority guidance matured between 2018 and 2022. The AI Act requires the same institutional maturation period.

What Wasn't Delayed: Article 50 Stays On Schedule

The most important signal in the Omnibus may be what was not postponed. Article 50 transparency requirements — mandating disclosure when users interact with AI systems — remain on schedule for August 2, 2026. The watermarking obligation on AI-generated content under Article 50(2) is pushed only to December 2, 2026, and only for systems already placed on the market before August. This graduated approach reveals deliberate calibration: obligations requiring technical standards infrastructure were deferred; obligations implementable via software update were not. The legislation has more structural coherence than critics acknowledge.

The More Consequential Addition: Banning Nudifier Tools

The deferral dominates headlines, but the more significant legal development is an addition, not a delay. The Digital Omnibus inserts a new prohibition into Article 5 — the AI Act's absolute ban list — covering AI systems that generate non-consensual intimate imagery (nudifier tools) and child sexual abuse material. For providers, the ban applies where generating such content is the system's intended purpose, or where such output is a reasonably foreseeable and reproducible outcome without significant technical modification and adequate safeguards are absent. Providers of general-purpose image and video-generation tools must actively assess foreseeable misuse risks at design and deployment stages. Compliance is required by December 2, 2026.

This matters structurally. Nudifier applications have proliferated not as a byproduct of general-purpose image models but as purpose-built commercial products marketed explicitly for the purpose. Existing legal remedies — national criminal law, fragmented GDPR interpretations, platform content policies — were reactive and inconsistent across jurisdictions. Placing these tools in Article 5 removes proportionality balancing from the equation. There is no 'compliant nudifier.' For once, the EU has drawn a line that is genuinely categorical rather than contingent on risk-benefit analysis.

Machinery Carve-Out and AI Literacy

Two secondary changes warrant attention. AI embedded in machinery products will be governed primarily by the Machinery Regulation when obligations overlap, rather than falling under the AI Act directly. Critics read this as a response to manufacturing-sector lobbying; supporters argue removing duplicate compliance burdens redirects investment toward actual safety engineering. The Commission must credibly demonstrate that the Machinery Regulation is enforced to an equivalent standard — a claim that will be tested when industrial AI incidents eventually arise.

The AI literacy obligation was also softened, from a hard duty for providers to ensure staff competence to a softer obligation to support the development of such competence. This kind of drafting retreat rarely generates headlines but can substantially hollow out enforcement when national authorities assess real-world compliance.

The Standards Test

The Digital Omnibus is ultimately a wager: that CEN-CENELEC and the AI Office will use the 16-month window productively, and that December 2027 will bring genuine enforcement rather than yet another deferral. That wager is not reckless — the EU has navigated comparable implementation ramp-ups before. But the compressed Omnibus legislative process should not become the template for future AI Act revisions. Constant amendment in response to industry pressure erodes both the legal certainty companies need to invest in compliance and the public trust that makes the regulatory project legitimate.

The Parliament's 423-57 vote buys the time to get this right. Whether the Commission treats the extension as a reprieve or a free pass will become clear in December 2027.

Sources & Citations

  1. European Parliament — Digital Omnibus on AI Legislative Train
  2. European Commission — AI Act Regulatory Framework
  3. Liberties EU — AI Omnibus: Fast-Tracking Deregulation, Weakening Digital Rights
  4. Gibson Dunn — EU AI Act Omnibus: Postponed Deadlines and Key Changes
  5. Inside Privacy — EU AI Act: Timeline Relief and New Prohibitions