On 7 May 2026, the European Parliament and the Council reached a political agreement on the Digital Omnibus on AI. The Commission called it “simpler, innovation-friendly rules” and noted that the proposal had moved from publication to deal in five months. Henna Virkkunen said it made innovating easier without lowering the bar on safety.
All of that is accurate. None of it is the interesting sentence from this week.
The interesting sentence is from the days before: the talks collapsed.
The Session That Ended Without a Deal
The supposedly final trilogue session ended without agreement. Negotiators from the European Parliament and EU member states parted ways after hours of talks, with no deal and no date set to resume. August 2026, the original AI Act high-risk enforcement date the Omnibus was designed to replace, was still on the calendar.
The sticking point was Annex I-B. The centre-right in Parliament, backed by the German government’s position, wanted products such as industrial machinery and medical devices to comply with sectoral product safety law rather than the AI Act’s horizontal obligations. The AI Act would retain its structure on paper, but embedded AI in regulated products would follow a different compliance path. Several member states and the centre-left bloc opposed it, arguing that moving product-embedded AI to sector-specific rules would fragment the horizontal framework, create diverging standards across 27 national implementations, and ultimately produce less protection rather than simpler regulation. Multiple organisations, including TÜV-Verband, AlgorithmWatch, and ForHumanity, had written the same argument in an open letter weeks earlier.
The German position had an internal fracture. Chancellor Friedrich Merz had been vocal about EU AI rules being a “corset” on industrial AI and had pushed aggressively for the cuts. But the day before the final session, the Social Democrat group in the German Bundestag sent a letter to European lawmakers marked “VERY URGENT! Trilogue on AI Digital Omnibus”, urging opposition to any weakening of the horizontal approach. Merz was not aligned with his own coalition partner. The SPD’s letter warned that the proposed changes would bring significant risks, create inconsistent rules, lead to protection gaps, and ultimately benefit foreign companies more than European ones.
When the session ended without a deal, legal counsel across Europe maintained the same advice they had given since February: treat August 2026 as the operative deadline until there is law confirming otherwise. The compliance clock had not been paused. It was still running.
Six Days Later
On 7 May, the deal closed.
The resolution of the sticking point was architectural rather than principled. Product-embedded AI (machinery, medical devices, lifts, toys) was given a second implementation track: a later application date of 2 August 2028, with the interplay between the AI Act and the Machinery Regulation explicitly clarified to avoid duplicating obligations. The horizontal structure of the AI Act was preserved in name and in substance for most high-risk systems. The practical effect of the EPP’s demand (more time and reduced overlap for industrial AI) was granted through the timeline rather than through the structural carve-out that had broken the session.
The full structure of what was agreed:
From 2 December 2027: high-risk AI systems in biometrics, critical infrastructure, education, employment, migration, asylum, and border control. This is the primary category the paper was tracking when it stated Prediction 2.1. It is the category most organisations in regulated sectors have been preparing for.
From 2 August 2028: AI systems integrated into products regulated under EU product safety law: machinery, medical devices, in vitro diagnostics, radio equipment, lifts, toys. The horizontal debate was not abandoned. It was resolved by giving the contested category a later date and a clearer interoperability clause.
New prohibition: AI systems that generate non-consensual sexually explicit content or child sexual abuse material. The ban had cross-party support throughout the negotiations and is the one new restriction added by the Omnibus in a package that otherwise reduces obligations.
SME provisions extended to small mid-cap companies. Regulatory sandboxes delayed to December 2027, including an EU-level sandbox that does not yet exist. AI Office enforcement powers strengthened, specifically for systems built on general-purpose models and those embedded in very large online platforms and search engines.
And then the item at the bottom of the press release: high-risk classification guidelines described as “upcoming,” to be released alongside the Omnibus entering into force. The guidelines on high-risk classification, the document the Commission missed in February, delayed again in March, and now describes as “upcoming” without a published date, are still not part of the agreement. The deadline moved. The guidance still does not exist.
A note on status: what was reached on 7 May is a political agreement between Parliament and Council. Formal adoption by both institutions still follows, after which the amended text will be published in the Official Journal and enter into force within three days. The Commission expects that process to complete before August 2026. Until formal adoption, the original AI Act deadlines remain technically in force. Legal counsel advising organisations to treat August 2026 as operative until further notice are not wrong.
Prediction 2.1: Confirmed Revised
The paper stated that EU AI Act high-risk obligations would apply from August 2, 2026, with no delay. That prediction has been conditional since Update #5 in March, when the Omnibus proposal was still in trilogue. It is now confirmed in its revised form: August 2026 is no longer the operative deadline. December 2027 has replaced it for the primary category of high-risk systems.
To be precise about what that means: the original prediction as stated in the paper — no delay, August 2026 operative — is now incorrect. What is confirmed is the revised tracking applied since Update #5: the delay was conditional on the Omnibus being enacted, the condition has been met, and the extension is on course to become law. These are different claims. Marking one wrong and the other right is not hedging. It is the record.
The caveat from Update #10 (“Local by Necessity”) applies in full. The Omnibus moved the deadline by 16 months. It did not fill the compliance vacuum that 16 months was supposed to give organisations time to prepare for. The high-risk classification guidelines that would tell organisations whether their system is in scope do not exist. The harmonised technical standards under Standardisation Request M/613 that would enable CE marking for high-risk systems were in draft as of January 2026 and remain unfinished. The AI Liability Directive, withdrawn by the Commission in early 2025, has not been replaced, leaving 27 different national civil liability regimes covering AI-related harm. The enforcement bodies in many member states have not been formally designated, despite a designation deadline that passed in August 2025.
December 2027 is 19 months away. The shelf that organisations need to fill for compliance remains largely empty. The extension gives time. It does not supply the missing instruments.
There is a political observation worth making once: the deadline moved before. It moved under the same combination of forces: industry pressure, member state divergence, internal coalition fracture, regulatory fatigue. Those forces have not been resolved by the agreement. They have been noted and set aside. December 2027 is now the firm date in the same way August 2026 was once the firm date. The organisations treating it as firm are probably right. They are not guaranteed.
The Argument the Omnibus Cannot Amend
The paper’s argument was never primarily about the AI Act deadline. It was about the convergence of four forces: geopolitical, environmental, hardware maturity, and the broader regulatory constellation. The AI Act was the fourth force, not the only one, and not the strongest.
GDPR was not amended by the Omnibus. It cannot be. GDPR is a separate regulation with its own enforcement machinery and its own fines. Health data remains special category data under Article 9. Cross-border transfers outside the EEA still require a valid transfer mechanism that, post-Schrems II, remains genuinely difficult to construct. An organisation that sends patient data through a US cloud API is not facing a potential compliance issue in December 2027. It is potentially in breach today.
NIS2 was not softened. Critical sector organisations (healthcare, energy, transport, finance) still face supply chain security obligations that include their AI supply chains. A US hyperscaler subject to the CLOUD Act sits in that supply chain. NIS2 requires the risk to be assessed, documented, and addressed. There is no NIS2 grace period attached to the Omnibus.
The geopolitical trajectory was not reversed. France’s DINUM is still migrating to Linux. The Health Data Hub is still moving from Azure to Scaleway. The Cohere–Aleph Alpha merger, the European AI consolidation event the paper predicted, is still pending regulatory approval. The Proximus NXT Cloud III contract is still a six-year Commission commitment to a European sovereign stack. None of these decisions depend on whether high-risk AI enforcement applies in August or December.
The organisations that moved to local AI in the first quarter of 2026 were not doing it because of the August 2026 deadline. They were doing it because cloud-based AI cannot satisfy the compliance requirements they operate under, right now, independent of any AI Act calendar. The Omnibus extends the window. It does not change the direction.
That last sentence is the paper’s analytical position, not a statement of fact. The counter-reading is that extended deadlines reduce compliance pressure, give cloud AI more runway, and slow the pace of local migration. That reading is reasonable. The case for disagreeing with it is laid out above: GDPR and NIS2 are operative now, geopolitical pressure is not calendar-dependent, and the procurement decisions already made do not reverse because a deadline moved. But readers following this series should know they are reading an argued position, not an established outcome.
The Week’s Other Story
The trilogue was not the only AI story running in Brussels this week.
The European Parliament’s internal market committee invited Anthropic to a hearing on the Mythos model, the AI system the company chose not to release after internal evaluations showed it could autonomously complete all 32 steps of the UK AI Security Institute’s corporate network attack simulation and identify thousands of vulnerabilities in live internet infrastructure. Anthropic briefed the Commission directly on the technical details. AI Office head Lucilla Sioli and ENISA were both included in the hearing invitation. OpenAI has announced a comparably capable model, GPT-5.4-Cyber, to be released less restrictively.
This is the context in which the Omnibus agreement was reached. While the Parliament was debating whether to delay enforcement obligations for AI in industrial machinery by an extra year, the most capable cyber-offensive AI system documented to date was being discussed in the same building.
The AI Act was drafted before the rise of agentic AI, before frontier cybersecurity capabilities reached this level, before Mythos. The Omnibus delayed implementation by 16 months. It did not expand the Act’s scope to address what Mythos represents. Those are not criticisms of the Omnibus; timeline adjustments and scope expansions are different legislative instruments. They are descriptions of what the agreement is: a proportionality and sequencing measure applied to a regulation that was already a step behind the technology it governs. The AI Office’s legal basis for oversight of Mythos, under GPAI systemic risk provisions, exists. Its capacity to act at the pace the technology is moving remains to be demonstrated.
What the Scorecard Shows
Update #13 (The April Stack) brought the scorecard to 12 of 30, with two predictions closing in April: the Health Data Hub migration from Azure to Scaleway confirming European cloud technical parity for regulated-sector workloads, and the Cohere–Aleph Alpha merger confirming the European AI consolidation event.
The Omnibus agreement closes one more.
Prediction 2.1 (AI Act high-risk obligations from August 2026 with no delay) moves from conditionally revised to confirmed revised. August 2026 is no longer the operative deadline. December 2027 is. The prediction as written did not survive contact with the political process. The argument it was part of, that the regulatory constellation makes local AI structurally advantageous for European organisations, is reinforced, not weakened, by the delay. An extended compliance vacuum favours the organisations that recognised it earliest and built accordingly.
Scorecard: 13 of 30. The next category to watch: the managed service layer predictions from Chapter 7, the sector-by-sector adoption curves that were projected for the 2026–2028 window, and the December 2027 enforcement date itself, which will be tested in real time by the same political forces that moved the first one.