What you need to know
- The deal is real and it is the first ever. On 7 May 2026 the Council and Parliament agreed a political deal on the EU “Digital Omnibus” — the first amendments to the AI Act since adoption.
- A new prohibition arrives 2 December 2026. AI systems used to generate or manipulate non-consensual intimate imagery (NCII) and child sexual abuse material (CSAM) are banned outright.
- Transparency rules still hit in August 2026. Machine-readable marking of AI-generated content and deepfake disclosure were not delayed.
- The high-risk rules slipped. Biometrics, critical infrastructure, education, employment, and migration controls now apply from 2 December 2027 — and 2 August 2028 for AI inside regulated products.
Most of the coverage of the 7 May agreement has fixated on what slipped. For builders shipping into the EU, that framing buries the lede. The delay buys you time on the heaviest conformity work — the high-risk regime — but it changes nothing about the two obligations that touch the largest number of generative-AI products today. This piece focuses on those two: the new prohibitions and the confirmed transparency timeline. For the mechanics of the delay itself, we have covered that in our analysis of the AI Act omnibus delay and what the 2027 timeline means for builders.
If you read the omnibus as “great, we have more time,” you have read it backwards. The relief is concentrated on high-risk systems, which are a minority of products. The two earliest deadlines — transparency in August 2026 and the NCII/CSAM ban in December 2026 — were not moved, and they affect nearly every team shipping generative features.
What the 7 May agreement actually does
The agreement, announced by the Council in its press release of 7 May 2026, is framed as an effort to “simplify and streamline” the AI Act. It is the first time the Act has been reopened since it was adopted, and it does three distinct things. First, it offers targeted simplification and timeline relief for the most operationally heavy obligations — the high-risk regime. Second, it preserves the transparency obligations that were always scheduled for the Act’s earlier waves. Third, and least reported, it introduces a new prohibition that did not exist in the original text.
That structure tells builders where to spend effort. The simplification is genuine, but it is concentrated on the parts of the Act that apply to a minority of systems — biometric identification, critical-infrastructure safety components, employment screening, education access, and migration and border control. The obligations that touch nearly every generative-AI product — transparency and the abuse prohibitions — were not relaxed. As legal commentators tracking the file have observed, the deal pairs timeline relief and targeted simplification with new prohibitions, not a wholesale softening.
For a dual-market builder — a team in Bengaluru or in London selling into the EU — the practical lesson is that the omnibus is not a reason to pause compliance work. It is a reason to re-sequence it: deprioritise nothing on transparency and abuse, and rephase the high-risk conformity work to the new 2027 and 2028 dates.
The new prohibition: NCII and CSAM, from 2 December 2026
The single most important addition in the omnibus is a prohibition on AI systems used to generate or manipulate non-consensual intimate imagery and child sexual abuse material. It takes effect on 2 December 2026. This is a hard prohibition, sitting alongside the Act’s existing list of banned practices — not a high-risk obligation you can satisfy with a conformity assessment and a CE mark. There is no compliant way to offer such a system in the EU.
The reach is broad. The prohibition bites on placing such a system on the market, putting it into service, and using it. That captures providers who build image and video generation models, deployers who integrate those models into a product, and operators who host an open-weight model as a service. A startup that fine-tunes an open image model and exposes it through an API is squarely in scope. So is a consumer platform that lets users upload a photograph and “restyle” it, if the system can be used to produce intimate imagery of a real person without consent.
This is a prohibited practice, which sits at the top of the AI Act’s penalty tier — the same band as the Act’s other outright bans — and it applies extraterritorially. A team in India or the UK that has never set foot in the EU is in scope the moment its output reaches an EU user. Treat the abuse-prevention controls below as launch blockers for any image or video feature, not as a backlog item.
Because there is no permitted version of an NCII or CSAM generator, the obligation is functionally one of prevention. Builders deploying image or video models into the EU should be able to demonstrate, at minimum: input and output classifiers that detect and block intimate-image and child-safety violations; refusal behaviour for prompts that target an identifiable real person; provenance and watermarking on generated media so abuse can be traced; rate-limiting and an abuse-reporting path; and a documented incident-response process. For teams reselling a third-party model, the contractual chain matters too — you need assurances from your model provider, and you remain responsible for how your deployment is configured.
Indian builders should read this prohibition alongside their domestic obligations rather than as a foreign-only concern. India’s framework on synthetic media is tightening in parallel, and the overlap is substantial; our India DPDP and deepfake rules builder checklist sets out the labelling and consent expectations that are converging with the EU position. The controls you build for one regime largely satisfy the other — the strongest argument for building them once, properly.
Want to discuss this with other verified Builders?
Every article on AI Tech Connect is written by a Verified Builder. Browse profiles, shortlist who you want to hire or collaborate with.
Browse Builders →The confirmed transparency timeline: August 2026
The omnibus did not touch the AI Act’s transparency obligations, which come into effect in August 2026. These are the rules most generative-AI builders will feel first, and they are easy to underestimate because they are not labelled “high-risk.”
Two duties dominate. First, providers of generative systems must ensure that AI-generated or AI-manipulated audio, image, video, and text content is marked as artificially generated in a machine-readable format — the watermarking and content-credentials requirement. Second, deployers of deepfake systems must disclose that the content has been artificially generated or manipulated, and deployers of emotion-recognition and biometric-categorisation systems must inform the people exposed to them.
For a builder, the August 2026 transparency wave translates into concrete engineering work. If you ship a feature that generates or edits media, you need machine-readable provenance embedded at generation time — not a visible watermark bolted on afterwards. If you ship a deepfake or face-swap feature, you need clear user-facing disclosure. If you run any emotion-recognition or biometric-categorisation capability, even as a minor feature, you have notification duties. None of this was delayed by the omnibus, and August 2026 is closer than December 2027.
| Date | Obligation |
|---|---|
| August 2026 | Transparency obligations take effect — machine-readable marking of AI-generated content; deepfake and biometric-categorisation disclosure. |
| 2 December 2026 | New prohibition on AI systems used to generate or manipulate NCII and CSAM takes effect. |
| 2 December 2027 | High-risk rules apply — biometrics, critical infrastructure, education, employment, migration / asylum / border control. |
| 2 August 2028 | High-risk rules apply to AI integrated into regulated products (for example, lifts and toys). |
Read the table top to bottom and the sequencing is unmistakable: the two earliest deadlines are the two the omnibus did not move. The relief is all at the bottom.
Why UK and Indian builders are in scope
The AI Act applies extraterritorially. It binds providers who place AI systems on the EU market and deployers whose use of an AI system — or whose system’s output — is used within the EU, regardless of where the company is established. A UK SaaS firm with EU customers and an Indian model lab whose API is called from inside the EU are both caught. There is no “we are not a European company” exemption.
This is sharpened for UK builders by the absence of a domestic equivalent. The UK has no AI statute in force; the Artificial Intelligence (Regulation) Bill [HL] remains before Parliament and is not law. In practice, the EU AI Act is the binding AI rulebook for any UK builder selling into Europe, and for many it is the de facto global baseline. UK teams that treat the Act as “someone else’s regulation” are exposed precisely because there is no home-grown framework filling the gap.
For Indian builders, the picture is one of convergence. The EU’s NCII and CSAM prohibition and its content-labelling rules sit close to India’s evolving deepfake and data-protection regime. The compliance investment for the EU — provenance, disclosure, abuse controls, and a record of accountability — maps cleanly onto what Indian rules increasingly demand. Our DPDP Phase 2 AI compliance playbook for India covers how to structure that work so a single control set serves both jurisdictions.
Deadlines mean little without teeth, and the AI Act’s penalty architecture is severe — prohibited-practice breaches sit in the top fine band. We set out how the numbers and timelines work in our explainer on the GPAI fines and enforcement mechanics. The omnibus did not soften the penalty regime; it changed which obligations apply when.
A builder compliance checklist
If you ship generative or biometric features into the EU, here is the work to sequence now, in priority order.
- Map your scope. Determine whether you are a provider, a deployer, or both for each AI feature, and whether output reaches the EU. Extraterritorial reach means “based outside the EU” is not a defence.
- Treat NCII and CSAM as a launch blocker (by 2 December 2026). For any image or video model, ship input and output safety classifiers, refusal behaviour for identifiable real people, provenance, rate-limiting, and an abuse-reporting and incident-response path. Get written assurances from upstream model providers.
- Build machine-readable provenance (by August 2026). Embed content credentials at generation time for AI-generated or manipulated media; do not rely on a cosmetic watermark.
- Add deepfake and biometric disclosure (by August 2026). Clear user-facing notices wherever you generate manipulated media or run emotion-recognition or biometric-categorisation.
- Rephase, do not pause, high-risk work. If you operate in biometrics, critical infrastructure, education, employment, or migration, your conformity-assessment work targets December 2027, and August 2028 for AI inside regulated products. Plan to those dates — do not stop.
- Build once for both markets. Design the control set so it satisfies the EU Act and India’s deepfake and DPDP requirements together, with one provenance, disclosure, and accountability layer.
The omnibus is being sold as relief, and for high-risk operators it genuinely is. But the deadlines that moved are not the deadlines that matter to most builders this year. The two that arrived — transparency in August 2026 and the NCII and CSAM prohibition in December 2026 — are the ones to put on the roadmap now. The teams that get verified and ship clean abuse controls early will treat the EU rulebook as a moat, not a tax.
Primary source: the Council of the EU press release of 7 May 2026 announcing the provisional agreement to simplify and streamline the AI Act. The dates and obligations described here follow that announcement and the published AI Act text; specific article and clause numbering will be confirmed when the amending regulation is published in the Official Journal.