At a Glance
- A provisional political agreement was reached on 7 May 2026 and parliamentary committees approved the text in early June 2026; a full plenary vote and Council adoption expected before August 2026. Existing obligations remain in force until Official Journal publication.
- Once adopted, the Annex III high-risk deadline moves to 2 December 2027; the Annex I deadline to 2 August 2028.
- Article 50 transparency obligations are not amended by the Omnibus. Deployer-facing obligations apply from August 2026; the Article 50(2) watermarking deadline is 2 December 2026.
- The Article 50(4) editorial control exemption applies where AI-assisted content undergoes human review before publication.
- Consent infrastructure requirements are unchanged. A shift in enforcement deadlines does not change how long infrastructure takes to build.
A provisional EU AI Act simplification agreement has been reached, though formal adoption is still pending. Some Article 50 transparency obligations are expected to have an earlier deadline of December 2026 for AI-generated content, pending formal adoption of the provisional agreement. The case for building consent infrastructure now is unchanged, and in some respects stronger.
What the Provisional Agreement Confirms and What It Does Not
On 7 May 2026, the European Parliament and the Council reached provisional political agreement on the Digital Omnibus on AI. The agreement confirms postponement of the Annex III high-risk deadline from 2 August 2026 to 2 December 2027.
That deadline covers biometrics, critical infrastructure, HR and recruitment systems, credit-scoring algorithms, education platforms, and others. For AI systems governed by sectoral product safety legislation under Annex I, the agreed date is 2 August 2028.
The agreement is provisional. Parliamentary committee approval was secured in early June 2026, with a plenary vote expected later in June and Council formal adoption to follow. Legal-linguistic revision precedes Official Journal publication, which is expected ahead of the 2 August 2026 date. Until publication, the existing obligations remain legally in force.
Organizations that have structured compliance programmes around August 2026 can treat the postponement dates as a reliable planning baseline, but should not stand down compliance work on the assumption that formal adoption is guaranteed before 2 August. The prudent posture is to continue programme execution while monitoring for Official Journal publication.
What Did Not Change
The obligations themselves are unchanged. The EU AI Act’s requirements for high-risk AI system operators remain as written. Categories of high-risk AI system operators include:
- Data governance
- Risk management systems
- Technical documentation
- Human oversight design
- Audit-ready record-keeping
- Conformity assessment
The penalty structure is unchanged, going up to EUR 35 million or 7 percent of global annual turnover for the most serious violations.
The territorial scope is unchanged. If you deploy AI systems affecting people in the EU, the Act applies regardless of where your organization is incorporated.
The consent infrastructure requirement is also unchanged. The majority of Annex III use cases process personal data. That processing requires a demonstrably lawful basis. Where that basis is consent, it needs to be documented, timestamped, auditable, and retained in a form that can be produced on demand.
A shift in enforcement deadlines does not change how long that infrastructure takes to build. It changes the window available, and for organizations that deferred preparation on the assumption of a delay, that window has not widened as much as the headline date suggests.
What the Omnibus Adds: A New Prohibited Practice
The provisional Omnibus agreement introduces a new prohibition in addition to extending deadlines. Article 5 of the AI Act is expanded to ban AI systems that generate or manipulate non-consensual intimate imagery (NCII) or child sexual abuse material (CSAM), including so-called “nudifier” applications. A safe harbour applies where the system has effective technical safeguards that reliably prevent such outputs.
The prohibition reaches any provider whose system generates this content as a reasonably foreseeable outcome, not only those who design systems for this purpose. This has direct implications for providers of general-purpose image or video generation tools, who must assess foreseeable misuse as part of risk management documentation.
The effective date for this prohibition is 2 December 2026, which is the same milestone as the Article 50(2) watermarking deadline. It takes legal effect upon formal adoption and Official Journal publication.
What Article 50 Actually Requires
Article 50, which includes the EU AI Act’s transparency obligations for AI systems and AI-generated content, is not amended by the Digital Omnibus.
The General-Purpose AI obligations under Articles 50 to 55 have been in force since 2 August 2025.
The deployer-facing obligations under Article 50 apply from August 2026. One targeted exception applies: the Article 50(2) watermarking obligation for providers of generative AI systems has been given a four-month grace period under the provisional agreement, moving that specific deadline to 2 December 2026.
The obligations fall into three distinct categories, each with different scope.
AI Interaction Disclosure
Article 50(1) requires that people be informed when they are interacting with an AI system, for example, an AI-powered chat or conversational interface, unless this is obvious from context.
This applies to deployers: organizations that operate AI-facing customer interfaces need a straightforward disclosure mechanism in place before August 2026.
Deepfake Disclosure
Article 50(4) requires deployers of AI systems that generate or manipulate image, audio, or video content in ways that appreciably resemble real persons, places, or events to clearly disclose that the content is AI-generated or manipulated.
This is one of the more broadly applicable obligations for organizations using generative AI in marketing or media production.
Article 50(2) Watermarking
Article 50(2) requires providers of generative AI systems to mark synthetic audio, image, video, and text outputs in a machine-readable format detectable as artificially generated or manipulated.
Under the provisional Omnibus agreement, this obligation is subject to a four-month grace period from 2 August 2026, placing the effective deadline at 2 December 2026. Providers shipping generative features into the EU market should treat this as a near-term engineering and compliance deadline, independent of the high-risk postponement.
AI-Generated Text on Matters of Public Interest
Article 50(4) also requires deployers who publish AI-generated text intended to inform the public on matters of public interest to disclose this, unless two conditions are met:
- The content has undergone human review or editorial control, and
- A natural or legal person assumes editorial responsibility for the publication
This editorial control exemption is directly relevant to organizations where AI assists in drafting content that is then reviewed and approved by humans before publication.
The European Commission’s draft Code of Practice on the Transparency of AI-Generated Content remains work in progress. The second draft was published in March 2026; the final version is expected later this year. Organizations that begin mapping their AI content workflows now will be better positioned to close any gaps once the final standard is published.
Read more: A GDPR AI Compliance Guide for Businesses
What This Means for Your AI and Consent Infrastructure
Article 50’s obligations for businesses’ customers (where relevant) are met through how they label AI-generated content on their own platforms. That is not a CMP-layer obligation. It is a product and editorial operations decision.
The more immediate question for most organizations is whether any customer-facing AI chat or conversational functionality exists or is planned. If so, Article 50(1) disclosure is required. The mechanism is straightforward, but it needs to be in place.
From a product planning perspective, any AI functionality built directly into products engages Article 50 on the provider side, both in terms of disclosing to customers that they are interacting with AI under Article 50(1), and potentially the technical marking obligations under Article 50(2).
This could include an AI-assisted configuration flow, AI-generated text suggestions, or a conversational interface, and none of this requires waiting for formal adoption of the Omnibus.
Why Building Now Remains the Right Call
From a product and infrastructure standpoint, the argument for using the current period deliberately rather than deferring is straightforward. Organizations that rush consent infrastructure deployments in the weeks before a regulatory deadline tend to produce implementations that are fragile, underdocumented, and difficult to audit.
That approach generates technical debt that can surface at the worst possible moment, such as during an enforcement inquiry, a due diligence process, or a customer audit.
The provisional agreement has, predictably, prompted some organizations to revise compliance timelines downward. In that gap, the organizations that continue building carry a genuine competitive advantage into the enforcement period. Provided that they are able to demonstrate to auditors, procurement teams, and partners that their data infrastructure was designed with compliance in mind from the outset.
The General-Purpose AI obligations under Articles 50 to 55 have been in force since August 2025 and are unaffected by the Omnibus. Article 50(2) watermarking lands in December 2026. Neither waits for the high-risk postponement to resolve.
| Date | Obligation / Event | Notes |
|---|---|---|
| 2 August 2025 | General-Purpose AI obligations (Articles 50–55) entered into force | Unaffected by the Digital Omnibus agreement |
| 7 May 2026 | Provisional political agreement on Digital Omnibus on AI reached | Not yet formally adopted; existing obligations remain in force until Official Journal publication |
| August 2026 | Article 50 deployer-facing transparency obligations apply | Includes Article 50(1) disclosure for AI-facing customer interfaces; unaffected by the Omnibus |
| 2 December 2026 | Article 50(2) watermarking obligation applies | Four-month grace period under provisional Omnibus; providers of generative AI systems must machine-label synthetic outputs |
| 2 December 2026 | New Article 5 prohibition on AI-generated NCII and CSAM applies (provisional) | Covers nudifier applications; safe harbour for systems with effective preventive safeguards; same date as Article 50(2) watermarking deadline |
| 2 December 2027 | Annex III high-risk system obligations apply (provisional) | Covers biometrics, employment, credit-scoring, education, and critical infrastructure; moved from 2 August 2026 |
| 2 August 2028 | Annex I product-embedded AI obligations apply (provisional) | AI systems governed by sectoral product safety legislation; subject to formal Omnibus adoption |
Three Things Worth Doing Now
The trilogue outcome is uncertain. The August 2026 high-risk deadline may or may not shift. Article 50 will apply from August 2026 regardless. Three actions are worth taking without waiting for resolution.
Conduct an AI System Inventory
Identify every AI system your organization develops, deploys, or procures that could fall within Annex III categories or trigger Article 50 obligations. Classification is the prerequisite for everything else and consistently takes longer than organizations expect, particularly where AI capabilities are embedded in third-party tools rather than built in-house.
Assess Your Consent and Data Governance Infrastructure
For each AI system processing personal data, confirm that you can answer the following: What is the lawful basis for this data? Is that basis documented at the point of collection? Can you produce consent records on demand, with timestamps and purpose linkage? If any answer is uncertain, the current window is the opportunity to address it without deadline pressure.
Map Your Article 50 Obligations
Identify where Article 50 disclosure obligations will arise across your AI content and product workflows. Apply the editorial control analysis: where AI-assisted content undergoes human review before publication, the Article 50(4) exemption may apply. Where AI-facing customer interfaces exist or are planned, Article 50(1) disclosure will be required.
The final Code of Practice is expected later in 2026, so organizations that have mapped their workflows in advance will be in a position to close gaps quickly once the standard is published.
The Deadline Has Moved But There Is Still Work to Be Done
The high-risk deadline has provisionally moved. The Article 50 watermarking deadline has not moved far as it lands in December 2026. The consent infrastructure requirement has not moved at all.
The organizations that treat the current period as an implementation window rather than a deferral opportunity are the ones that could enter the enforcement period with infrastructure that is genuinely defensible, rather than assembled under pressure.
This article is for informational purposes only and does not constitute legal advice. For guidance specific to your organization’s circumstances, consult a qualified legal professional.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
