EU open source AI regulation

The EU Delayed Almost Everything in the AI Act — Except the Rules That Matter Most for Open Source

The 7 May Digital Omnibus deal pushed back high-risk and deepfake deadlines but left the GPAI regime and its open-source carve-out fully intact ahead of August enforcement.

People of Internet Research Team · 2026-05-31
What the Digital Omnibus Moved — and What It Didn't People of Internet Research · EU 2 Aug 2026 GPAI enforcement begins AI Office fining powers for GPAI s… to Dec 2027 High-risk rules deferred Annex III obligations slip 16 mont… to Dec 2026 Synthetic-content labels delayed Article 50 deepfake and AI-text ma… €15M / 3% Max GPAI fine Penalty ceiling for breaching GPAI… peopleofinternet.com

Key Takeaways

On 7 May 2026, EU negotiators reached a provisional political agreement on the 'Digital Omnibus on AI' — a package the Commission frames as simplification and critics call deregulation. Either way, one fact is now unavoidable for anyone building on open models: of all the AI Act deadlines the deal moved, the one regime it pointedly left alone is the one that governs general-purpose AI (GPAI) and contains the open-source exemption. That regime becomes fully enforceable on 2 August 2026.

What moved, and what didn't

The Omnibus is, on its face, a calendar exercise. According to a detailed analysis by Covington's Inside Privacy team, obligations for Annex III 'use-based' high-risk systems slide from 2 August 2026 to 2 December 2027 — a 16-month reprieve justified by the absence of finished technical standards. Annex I product-embedded high-risk systems move to 2 August 2028. The Article 50 synthetic-content marking rules — the deepfake and AI-text labelling obligations — slip from August to 2 December 2026. National regulatory sandboxes get an extra year, to 2 August 2027.

The deal also adds something: a new Article 5 prohibition on AI systems whose intended purpose or reasonably foreseeable use is generating non-consensual intimate imagery or CSAM — the 'nudifier' apps. That ban takes effect 2 December 2026. This is the part of the package that even sceptics of the AI Act should welcome: it is narrow, targets a genuine and demonstrable harm, and bans a use rather than a technology.

But the GPAI chapter — Articles 51 to 55, the obligations on foundation-model providers and the carve-outs for open-source releases — was not reopened. The Commission's own GPAI guidance confirms the unchanged timeline: provider obligations have applied since 2 August 2025, and the AI Office's enforcement powers — including fines — switch on 2 August 2026. The Omnibus did nothing to push that date.

Why the open-source exemption is now load-bearing

This matters more than it sounds. Strip away the delayed high-risk rules and the postponed transparency labels, and the GPAI regime is the part of the AI Act that most directly shapes whether Europe's open-model ecosystem — Mistral, Aleph Alpha, the dozens of fine-tuners and downstream deployers — can operate without legal-team overhead that only incumbents can afford.

The exemption is real but conditional. Free and open-source GPAI providers are relieved of most of the technical-documentation and authorised-representative burdens. But, as Latham & Watkins notes, two obligations survive for everyone: publishing a sufficiently detailed summary of training data and complying with EU copyright law, including text-and-data-mining opt-outs. And the exemption evaporates entirely the moment a model is deemed to pose 'systemic risk' — at which point the full battery of evaluation, red-teaming and incident-reporting duties applies, backed by fines of up to €15 million or 3% of global turnover.

Steelman the regulators

There is a serious case for keeping GPAI untouched. The Omnibus is a fast-tracked political deal struck weeks before a hard deadline; reopening the most technically contested chapter of the Act would have invited months of fresh trilogue fighting and regulatory limbo for the very labs that most need certainty. Civil-society groups such as EDRi argue the broader Omnibus already concedes too much, warning that letting providers self-exempt from core rules turns the Act into a 'carte blanche.' From a fundamental-rights standpoint, holding the line on the GPAI chapter — the only place the Act grips frontier models — is defensible. Leaving the open-source carve-out alone is, in their telling, a feature.

Where the line should actually sit

We think the regulators got the direction right and the definition wrong. Holding GPAI enforcement to 2 August 2026 while delaying everything else is coherent: foundation models are where capability — and genuine risk — concentrates, and the open-source exemption rightly keeps documentation theatre off the backs of small releasers. The proportionate move is to keep that exemption and let it carry weight.

The unresolved problem is the trigger. 'Systemic risk' currently rests heavily on a compute proxy, and compute is a crude stand-in for danger: a model can cross a training-FLOP line while posing no novel harm, and a smaller, heavily fine-tuned model can be more dangerous in deployment. If the open-source exemption is going to be the AI Act's main concession to European AI competitiveness — and after 7 May, it is — then the classification that switches it off needs to track demonstrated capability and misuse potential, not headline training budgets. Otherwise the carve-out becomes a cliff that the next genuinely useful European open model walks straight off.

The Omnibus bought industry time on the peripheral rules. It bought open source nothing. For the open-model builders Europe says it wants, 2 August 2026 is still the only date that counts.

Sources & Citations

  1. European Commission — GPAI provider guidelines
  2. European Commission — Digital Omnibus on AI proposal
  3. Covington / Inside Privacy — AI Act timeline relief & new prohibitions
  4. Latham & Watkins — GPAI obligations in force & Code of Practice
  5. EDRi — The Digital Omnibus: a step back from the brink