AI systems generating non-consensual intimate imagery will be prohibited across the EU from December 2026 — one of the sharper edges of a provisional political agreement reached on 7 May 2026 that also extends high-risk AI compliance deadlines by different margins depending on the system category. The deal is not yet law: formal adoption by the European Parliament and Council is expected in July 2026, before the original August 2026 trigger dates arrive.

What the Omnibus Deal Actually Changes

The EU Council and European Parliament reached a provisional agreement on targeted amendments to the EU Artificial Intelligence Act — the first substantial revision since the regulation entered into force in 2024. The deal adjusts timelines, expands who benefits from lighter compliance rules, and adds a category of outright prohibition. It does not rewrite the Act's core architecture.

The extensions apply differently across the two high-risk categories. Annex III standalone high-risk AI systems — covering AI used in employment, education, biometrics, critical infrastructure, and migration — get 16 additional months: the original application date of 2 August 2026 moves to 2 December 2027. Annex I systems, meaning AI embedded in regulated products such as medical devices and lifts, get 12 months: their existing deadline of 2 August 2027 shifts to 2 August 2028. National regulatory AI sandboxes, originally due by 2 August 2026, are similarly pushed back 12 months to 2 August 2027.

2 Dec 2027New Annex III standalone high-risk AI deadline (was 2 Aug 2026 — 16 months later)
2 Aug 2028New Annex I product-embedded AI deadline (was 2 Aug 2027 — 12 months later)
2 Dec 2026Nudifier ban effective + watermarking compliance due
750 / €150MNew SME-equivalent threshold (employees / revenue)

The Nudifier Ban: A New Floor for EU Law

The most immediately consequential addition sits in Article 5 — the Act's list of prohibited AI practices. The Omnibus inserts a ban on AI systems generating or manipulating sexually explicit or intimate images, video, or audio without the subject's consent. The prohibition extends to systems where such output is a reasonably foreseeable outcome, not only those explicitly designed for it. AI-generated child sexual abuse material falls under the same prohibition. Both are effective 2 December 2026.

Penalties match the Act's top tier: fines of up to €35 million or 7% of annual worldwide turnover, whichever is higher. A safe-harbour provision exists for systems with effective preventive safeguards built into their design — a clause that will likely become a focal point for compliance teams and, eventually, enforcement disputes.

Watermarking: The Trilogue Compressed the Window

While headline attention goes to deadline extensions, one obligation tightens. The European Commission's draft proposal had offered a six-month grace period for watermarking and synthetic-content disclosure under Article 50(2) for generative AI systems already on the market before 2 August 2026. The European Parliament pushed for three months. The trilogue compromise, confirmed by William Fry and Gibson Dunn, landed at four months — meaning these systems must comply by 2 December 2026. Any product team with a generative feature touching EU users should treat December 2026 as a hard engineering deadline, not a placeholder.

Broader Scope for Mid-Sized Companies

The Act's simplified compliance framework — lighter documentation, reduced fines, regulatory sandbox access — previously applied only to SMEs by the standard EU definition. The Omnibus extends these benefits to small mid-cap companies: up to 750 employees and €150 million in annual revenue. A broader tier of European tech firms, including mid-sized SaaS and enterprise AI vendors, now qualifies for the lighter-touch regime.

Regulators' Warning: Speed Costs

The European Data Protection Board and European Data Protection Supervisor issued Joint Opinion 1/2026 in January 2026 — a response to the Commission's draft proposal, published before the 7 May political agreement was reached. The bodies supported streamlining in principle but warned that delaying essential requirements for high-risk systems risks leaving people unprotected during one of the fastest periods of AI deployment on record. Specific concerns included proposals to lower the threshold for processing special-category data and to weaken mandatory AI literacy obligations, and opposition to deleting mandatory registration for self-assessed non-high-risk systems. The final deal appears to have preserved the registration obligation — a point the co-legislators had resisted removing despite the Commission's proposal — though the full consolidated text will confirm the extent to which other EDPB recommendations were reflected.