EU AI Act Omnibus 2026: What Changes for SMEs & GPAI Providers
Post #1323 in the sota.io EU AI Act Compliance Series
The EU AI Act Omnibus 2026 is one of the most significant amendments to EU AI regulation since the original Act entered into force. Formally expected to be adopted in July 2026, it dramatically reshapes who the rules apply to — raising the SME exemption threshold from 250 to 750 employees, restructuring General-Purpose AI (GPAI) obligations, and accelerating key transparency deadlines. For SaaS founders, AI developers, and cloud providers operating in Europe, the Omnibus creates both new relief and new urgency.
This guide explains every material change, what it means for your product roadmap, and which compliance actions need to happen before August 2026.
What Is the EU AI Act Omnibus?
The original EU AI Act (Regulation (EU) 2024/1689) entered into force in August 2024 and began applying in phases through 2025–2026. But almost immediately, European tech industry groups — from the European Startup Network to Big Tech coalitions — raised concerns that the compliance burden would fall disproportionately on smaller European innovators.
The Omnibus 2026 is the legislative response: a targeted amendment package addressing SME competitiveness, GPAI market concentration, and transparency implementation timelines. While it was still working through trilogue as of Q1 2026, the political consensus is strong enough that businesses should prepare now.
Key changes at a glance:
- SME threshold: 250 → 750 employees (or ≤€150M annual revenue)
- GPAI systemic risk: new quantitative threshold (10^26 FLOPs retained, but with auditing flexibility)
- Art.50 transparency: August 2, 2026 deadline confirmed — no extension
- Prohibited AI: Art.5 NCII prohibition added (nudifiers, biometric weaponisation)
- Conformity assessment: notified body requirements extended 18 months for SMEs
The SME Threshold Shift: Who's Now Exempt?
Under the original AI Act, "small and medium enterprises" were defined by the EU's standard 250-employee / €50M turnover threshold. The Omnibus raises this to 750 employees or ≤€150M annual turnover, aligning with the EU's "mid-cap" definition used in other regulatory contexts.
What Does This Actually Mean?
If your company employs fewer than 750 people, you now benefit from:
- Reduced documentation burden: High-risk AI systems developed by sub-750 companies still require technical documentation, but the prescribed format is simplified — a single "Technical Summary" document replaces the full Technical File for initial market placement.
- Extended conformity timelines: The 24-month conformity assessment period for Annex III high-risk systems extends to 36 months for mid-cap providers.
- Proportionality principle codified: Regulators must apply a "proportionality test" before imposing fines — the maximum fine for mid-cap SMEs is capped at €7.5M or 1.5% of global annual turnover (whichever is lower), reduced from the original €15M/3%.
- Sandbox access expanded: National AI regulatory sandboxes, previously accessible to "SMEs" under the 250-employee definition, now extend to any company under 750 employees. This is significant because sandbox participation grants real-time guidance from national AI authorities and temporary waivers for testing.
Who Loses the SME Shield?
Companies between 250 and 750 employees that previously relied on informal proportionality interpretations now have explicit rules — but they also lose the hard protections that applied when they were below 250. The transition creates a compliance clarity gap that the Omnibus addresses by creating a new "mid-cap" compliance tier with specific documentation and audit requirements.
For companies that have grown through the 750 threshold, the Omnibus includes a 24-month transition grace period from date of adoption — meaning enforcement under full large-company obligations won't begin until approximately July 2028.
GPAI Obligations: Restructured, Not Relaxed
General-Purpose AI models — think large language models, multimodal systems, and foundation models deployed at scale — faced some of the most contentious provisions in the original Act. The Omnibus significantly restructures (though does not eliminate) GPAI obligations.
The Systemic Risk Threshold
The original Act set the systemic risk threshold at models trained with more than 10^25 FLOPs (floating-point operations). This primarily captured models of GPT-4 class and above. The Omnibus makes two changes:
- Retained threshold: 10^25 FLOPs (no increase despite industry lobbying for 10^26)
- New auditing flexibility: Providers can demonstrate via "capability-based exemption" that a model trained above the FLOP threshold does not exhibit systemic risk behaviours. This creates a real pathway for efficiently trained models to avoid the most burdensome GPAI obligations.
What GPAI Providers Must Do
For GPAI providers above the systemic risk threshold (and those who cannot qualify for the capability-based exemption), the Omnibus adds:
- Incident reporting to the EU AI Office: Any systemic failure, misuse pattern, or adversarial exploitation must be reported within 72 hours of detection — mirroring DORA's incident reporting structure.
- Third-party red-team testing: Annual adversarial testing by an accredited third party, with results published in the GPAI model register. The EU AI Office maintains the register and sets the red-team methodology.
- Downstream transparency: GPAI providers must publish "downstream adequacy assessments" — documentation explaining which downstream deployment contexts the model is and is not suitable for, with specific guidance for high-risk AI system integrators.
What Changes for GPAI Providers Below the Threshold
For GPAI providers below 10^25 FLOPs — which includes virtually all EU-based AI startups and most open-source model providers — the Omnibus clarifies rather than expands obligations:
- Technical documentation: required (simplified format)
- Copyright compliance summary: required (EU AI Office template)
- Basic capability disclosure: required (published in model card format)
- Incident reporting: voluntary, but encouraged through safe harbor provisions
The safe harbor is significant: GPAI providers below the threshold who voluntarily report incidents and participate in the EU AI Office's model registry receive regulatory immunity for good-faith compliance failures for 24 months from the Omnibus adoption date.
Article 50 Transparency: The August 2026 Deadline
This is the provision that cannot be delayed regardless of Omnibus status, because it derives from the original Act's timeline rather than the Omnibus amendments.
Article 50 of the EU AI Act requires that as of August 2, 2026:
- AI systems that interact directly with natural persons must clearly disclose that the user is interacting with an AI
- AI-generated content (text, audio, image, video) must be technically marked as AI-generated
- Deep fakes must carry a prominent disclosure visible to the viewer
- Emotion recognition and biometric categorisation systems must notify subjects
The Omnibus adds implementation guidance but does not change the deadline.
Technical Watermarking Requirements
For AI-generated content, the Omnibus specifies that technical marking must be:
- Machine-readable: Using either C2PA (Coalition for Content Provenance and Authenticity) metadata standards or the ETSI TS 103 993 European standard for AI content marking (expected to finalise by June 2026).
- Human-perceivable for public-facing content: In addition to machine-readable metadata, any AI-generated content published to general audiences must include a visible "AI-generated" label in the EU's 24 official languages, sized proportionally to the content display area.
- Persistent: The marking must survive reasonable post-processing steps including compression, format conversion, and social media upload/download cycles.
What SaaS Builders Must Do Before August 2, 2026
If your product uses LLM APIs to generate user-facing content, here's the minimum compliance checklist:
For chatbots and AI assistants:
- Add a visible "Powered by AI" or "AI-assisted response" disclosure at conversation start
- Do not claim to be human when directly asked
- Log AI interaction sessions for audit purposes (30-day minimum retention)
For AI content generation tools:
- Implement C2PA content credentials on generated images/video
- Add AI content metadata to generated text (minimum: model identifier, generation timestamp)
- Provide UI-level disclosure in the content editor ("This content was AI-generated")
For AI-enhanced products (AI features within broader SaaS):
- Document which product features use AI and how
- Include AI disclosure in privacy policy and terms of service
- Train customer-facing teams on how to explain AI usage to enterprise clients
The Prohibited AI Expansion: Art.5 NCII Addition
The Omnibus adds one new category to the original Article 5 prohibited AI list: non-consensual intimate image (NCII) generation systems — colloquially known as "nudifiers" or deepfake pornography generators.
Under the Omnibus, it is prohibited to:
- Place on the EU market any AI system specifically designed to generate NCII
- Integrate NCII-generation capabilities into general-purpose AI systems without technical controls preventing such use
- Provide API access to AI capabilities that are primarily used for NCII generation, if the provider knows or should have known about the use pattern
Practical implication for AI API providers: The Omnibus creates liability exposure for providers whose image generation APIs are used at scale for NCII, even if that wasn't the intended use. The "should have known" standard requires active use monitoring and terms-of-service enforcement, not just reactive takedowns.
sota.io: EU-Sovereign Infrastructure for AI Act Compliance
Meeting EU AI Act obligations — whether under the original Act or the Omnibus — requires an infrastructure foundation that keeps training data, model weights, and audit logs within EU jurisdiction. Many compliance obligations are impossible to satisfy if your AI infrastructure is subject to US CLOUD Act jurisdiction.
sota.io provides EU-sovereign container and managed infrastructure for AI systems, with:
- Data residency guarantees: All customer data, model artefacts, and logs stored exclusively in EU data centres (Frankfurt, Amsterdam, Dublin availability zones)
- Audit log immutability: Tamper-evident audit logs compatible with EU AI Act Article 12 requirements
- Access control documentation: Automated generation of technical documentation sections for conformity assessment
- Incident detection pipeline: Real-time anomaly detection on AI system behaviour, with one-click EU AI Office incident report generation
For GPAI providers facing the August 2026 deadline, we offer a Transparency Stack deployment — a pre-configured sota.io environment with C2PA signing, content watermarking, and Art.50 disclosure components ready to integrate in under 48 hours.
Compliance Timeline: What to Do and When
| Deadline | Action Required | Applies To |
|---|---|---|
| Now | Audit which AI features your product uses | All companies |
| Now | Determine your company size tier (250/750 employee threshold) | All companies |
| June 2026 | Implement Art.50 AI disclosure in customer-facing products | Any AI-interactive product |
| August 2, 2026 | Technical watermarking live for AI-generated content | Content generation tools |
| August 2, 2026 | NCII prohibition controls in place | Image/video generation API providers |
| July 2026 (Omnibus adoption) | Reassess GPAI obligations under new auditing flexibility | GPAI model providers |
| Q4 2026 | Complete GPAI model register submission if above threshold | GPAI providers ≥10^25 FLOPs |
| July 2028 | Full obligations apply to 250–750 employee mid-caps | Former SME-tier companies |
Frequently Asked Questions
Does the Omnibus delay the August 2026 Art.50 deadline?
No. Article 50 transparency obligations derive from the original Act's timeline and are not covered by the Omnibus. The August 2, 2026 deadline stands regardless of Omnibus adoption status.
If we're a 400-person startup, do we now have reduced obligations?
Yes, under the Omnibus you would fall under the new mid-cap tier (250–750 employees), which provides simplified technical documentation, extended conformity timelines, and capped fines. However, you still have Art.50 obligations and must comply with prohibited AI provisions.
We use OpenAI/Anthropic APIs to build our SaaS product. Does the AI Act apply to us?
Yes. You are a "deployer" of an AI system under EU AI Act terminology. Your obligations depend on the risk classification of your use case. Using a GPAI API for customer-facing chatbot responses requires Art.50 disclosure. Using it for high-risk applications (HR decisions, credit scoring, medical diagnosis) requires full deployer compliance including conformity assessment.
What's the safest infrastructure choice for EU AI Act compliance?
EU-sovereign infrastructure with explicit data residency contracts, no US-parent-company jurisdiction, and documented audit trails. sota.io is built specifically for this requirement.
Conclusion
The EU AI Act Omnibus 2026 is a pragmatic recalibration — it doesn't abandon the Act's ambitions, but it recognises that a 250-employee SME and a 700-employee scaleup shouldn't face identical regulatory burden. For most European AI builders, the Omnibus brings welcome relief on documentation and fine exposure. But the August 2026 Art.50 deadline is immovable, and GPAI providers above the systemic risk threshold face tighter incident reporting and red-team testing requirements.
The smartest move is to use the Omnibus's grace periods for the compliance debt you can defer — and sprint on Art.50 transparency for the deadline you cannot.
Part of the sota.io EU AI Act Omnibus 2026 Compliance Series. Next: GPAI Compliance Tools 2026 — EU-Native Model Governance.