Skip to main contentSkip to main content
AI
AIAuditRef

Provisional Digital Omnibus deal — high-risk deadlines shifted

On 7 May 2026, the Council of the EU and the European Parliament reached provisional political agreement on the Digital Omnibus on AI. Key shifts:

  • Annex III high-risk obligations: 2 August 2026 → 2 December 2027
  • Annex I product-embedded high-risk: 2 August 2027 → 2 August 2028
  • New Art. 5 prohibition on AI generating child sexual abuse material or non-consensual intimate imagery: 2 December 2026
  • Art. 50(2) machine-readable watermarking ONLY: 2 August 2026 → 2 December 2026
  • Member State AI sandboxes: 2 August 2026 → 2 August 2027

What is NOT delayed by the Omnibus — still live on the original dates:

  • Art. 4 AI literacy — in force since 2 February 2025 (all organisations)
  • Art. 5 existing prohibitions — in force since 2 February 2025
  • Chapter V GPAI obligations — in force since 2 August 2025
  • Art. 50 transparency duties (chatbot disclosure 50(1), emotion recognition / biometric categorisation 50(3), deepfake disclosure 50(4), public-interest disclosure 50(5)) — still 2 August 2026. Only the machine-readable watermarking limb (50(2)) was shifted.

If you deploy a chatbot, a deepfake-generation tool, an emotion-recognition system or a biometric categoriser — your 2 August 2026 deadline is unchanged, even if your underlying AI is "minimal risk".

The Omnibus agreement is provisional. Formal adoption by Council and Parliament is expected before 2 August 2026. If formal adoption fails, the original Regulation (EU) 2024/1689 dates apply across the board.

See regulatory updates for full source citations.

Annex III high-risk: provisionally 2 Dec 2027 — but most of Art. 50 transparency stays at 2 Aug 2026. If you deploy a chatbot, deepfake tool, emotion-recognition system or biometric categoriser — your 2 August 2026 deadline is unchanged. Art. 4 AI literacy and Art. 5 prohibitions are live today. Enterprise procurement teams are issuing AI vendor questionnaires now; notified body queues already span 9–24 months. 566 days to the Annex III headline date; the operational fix list is longer.

The EU AI Act & CRA Self-Assessment Toolkit

Built for SMEs under 250 staff. A small fraction of the cost of an external audit, with the same structured evidence trail you would hand to a notified body or regulator.

External law firm

€10k–€40k

per system

Notified body

€15k–€60k

where required

AIAuditRef Pro

From €41 / month

unlimited systems

SMEs and corporate teams — using a third-party AI does not exempt you

Using Claude, ChatGPT, Gemini, Copilot, Mistral, Llama, or any third-party AI tool inside your product or business workflow? You are likely a deployer under Art. 26.

The AI vendor (Anthropic, OpenAI, Google, Microsoft, Meta, Mistral, etc.) takes the Art. 16 provider obligations for the underlying model. The duty to operate the system safely in your business context is yours as a deployer under Art. 26 — including:

  • Designating and training a human overseer (Art. 26(2))
  • Ensuring input data is relevant and representative for your context (Art. 26(4))
  • Monitoring system operation and reporting serious incidents to the provider (Art. 26(5)–(6))
  • Informing affected workers, customers or citizens about the AI's role in decisions (Art. 26(7), Art. 26(11))
  • Conducting a Fundamental Rights Impact Assessment if you are a public body or in Annex III 5(b)/(c) (Art. 27)
  • Registering as a deployer in the EU database where you are a public body (Art. 49(2))
  • Maintaining automatically generated logs for at least six months (Art. 26(6))
Run the Deployer CheckerProvider vs Deployer guideSME fast-track

Important — self-assessment tool only

This toolkit supports internal self-assessment under Art. 43(2) and Annex VI of the EU AI Act. Outputs are compliance aids — they are not certified assessments, do not replace notified body procedures where required (Art. 43(1)), and do not constitute legal advice. All outputs should be reviewed by a qualified lawyer before public disclosure or regulatory submission. What does self-assessment mean? →

Based on official EU AI Act text (Regulation 2024/1689)
14-day money-back guarantee
Cancel anytime — no lock-in
Secure payments via Stripe

Free

Get oriented and start assessing your AI systems.

€0

  • Risk Classifier
  • Timeline Calculator
  • Checklist Builder (interactive)
  • Deadline Tracker
  • Full legislation guides
  • Definitions glossary
Get started free
Most popular

Pro

Everything you need for full EU AI Act compliance.

49/month
  • Everything in Free
  • Annex IV Document Generator
  • Compliance Scorecard with PDF export
  • FRIA Generator
  • Post-Market Monitoring Plan
  • Checklist Builder with DOCX export
  • Annex IV Technical File Template
  • Risk Assessment Workbook
  • Compliance Checklist template
  • Priority email support
  • Early access to new tools

Need access for a team?

Custom pricing for organisations, law firms, and consultancies. Includes multiple seats, SSO, dedicated support, and invoice billing.

Get a quote

What's included

FeatureFreePro
Risk Classifier
Timeline Calculator
Checklist Builder (interactive)
Deadline Tracker (logged-in)
Full legislation guides
Definitions glossary
Checklist Builder DOCX export
Annex IV Document Generator
Compliance Scorecard + PDF export
FRIA Generator
Post-Market Monitoring Plan
Annex IV Technical File Template
Risk Assessment Workbook
Compliance Checklist template
Priority email support
CRA product classification (CRA Checker)
SBOM & dependency audit checklist
CRA Readiness Flow (6 stages)
CVD Policy Builder + ENISA SOP
NEW — Reg. EU 2024/2847

CRA Readiness Suite

Tools for Cyber Resilience Act compliance — included with your existing plan.

Explore CRA Tools

Included Free

  • CRA product classifier (Standard / Class I / Class II)
  • SBOM & dependency audit checklist
  • CRA Readiness Flow (6 stages)
  • Annex I requirements reference
  • ENISA incident reporting guidance

Pro only

  • CVD Policy document generator
  • ENISA notification SOP template
  • Researcher contact page template
  • Full document export (PDF/DOCX)
Note: CRA tools support self-assessment for Standard and Class I products. Class II products must use a notified body — see conformity assessment guidance →

Important — Self-Assessment Platform Disclaimer

AIAuditRef is a self-assessment and regulatory reference platform. All tools, reports, checklists, and generated documents are aids for your internal compliance process under the EU AI Act's Annex VI internal control procedure.

  • Outputs are not certified, audited, or independently verified — they are self-reported working documents.
  • This platform does not constitute legal advice. Always consult a qualified lawyer for legal guidance specific to your situation.
  • This platform does not replace a notified body assessment where one is required (e.g. biometric identification systems for law enforcement under Art. 43(1)).
  • All assessment risk lies with the user. AIAuditRef, its developers, and staff accept no liability for regulatory outcomes based on tool outputs.

By subscribing, you acknowledge that you have read and understood this disclaimer.

Common questions

Do you offer refunds?

Yes — 14 days, no questions asked. Cancel from your dashboard and we'll refund the current billing period.

Is this legal advice?

No. AIAuditRef provides regulatory reference and tools. Consult a qualified lawyer for legal advice.

What payment methods are accepted?

All major credit/debit cards via Stripe. VAT handled automatically for EU businesses.

Can I cancel anytime?

Yes — cancel from your dashboard settings. You keep access until the end of the billing period.