On May 13, 2026, EU trilogue negotiators convene for the third and expected final round of negotiations on the AI Act Omnibus package. The outcome of this session will directly determine whether your August 2, 2026 AI compliance deadline holds — or shifts by twelve months.

The problem is that most development teams are in planning limbo: too many unknowns to commit to a full compliance programme, too much risk to ignore August entirely. This guide resolves that limbo. You will see exactly what each trilogue outcome means for your specific obligations, and a compliance strategy that is rational under both scenarios.

What Is the AI Act Omnibus?

The AI Act Omnibus is a package of proposed amendments to Regulation (EU) 2024/1689 (the AI Act) that was tabled by the European Commission in late 2025 and has been moving through inter-institutional negotiations since then.

The package was driven by three forces:

1. Industry feedback on implementation costs — particularly from SMEs and GPAI model providers who found the original compliance burden disproportionate to their risk profile
2. Member State concerns about competitiveness relative to US and Chinese AI firms operating without comparable obligations
3. Technical implementation challenges — several obligations lacked implementing guidance by the time they would have needed to be operationalised

The Omnibus is not a rollback of the AI Act. It is a recalibration of timing, thresholds, and scope. The prohibited practices in Article 5 — biometric categorisation, social scoring, real-time remote biometric identification in public spaces — remain fully intact and on their original schedule.

The Trilogue Process: Where We Are

Trilogue #3 is scheduled as the decisive session because the Council Presidency (Polish Presidency, expires June 2026) needs a final text before the handover. A fourth trilogue after the handover would require resetting positions under new Hungarian Presidency priorities — a scenario all parties are motivated to avoid.

Scenario A: Omnibus Passes — What Changes

Probability estimate (based on working document leaks and POLITICO reporting): ~60-65%

If negotiators reach agreement on May 13, the following changes are expected to enter into force via an amending regulation approximately 90 days after publication:

High-Risk AI Obligations — 12-Month Postponement

The core change: Annex III high-risk AI system obligations under Chapters III and IV (Articles 9-25, 43-49) would move from August 2, 2026 to August 2, 2027.

This affects:

• Technical documentation requirements (Art. 11)
• Record-keeping (Art. 12)
• Transparency obligations (Art. 13)
• Human oversight mechanisms (Art. 14)
• Accuracy, robustness, cybersecurity (Art. 15)
• Quality management systems (Art. 17)
• Fundamental rights impact assessments (Art. 27, for deployers)

Critical carve-out: Prohibited practices (Art. 5) are NOT postponed. They remain effective August 2, 2026 regardless.

Annex III Reclassification — Narrower High-Risk Definition

The Omnibus proposes removing or reclassifying several Annex III subcategories:

• Subcategory 1(a) — biometric identification in public spaces: converted to prohibited practice (Art. 5 already covers real-time; the extension to post-hoc remote biometric identification is the new element)
• Subcategory 4 — employment and workers management: threshold raised; only systems making final hiring/firing decisions without human review remain high-risk
• Subcategory 5 — access to essential services: narrowed to public sector deployments only (private sector credit scoring removed)
• Subcategory 6 — law enforcement: unchanged (remains high-risk)
• Subcategory 8 — migration: unchanged

Practical implication: Many B2B SaaS tools that fell under subcategory 4 or 5 may no longer be high-risk AI systems under the amended Annex III. Classification review becomes mandatory.

GPAI Model Obligations — Reduced Fines, Same Obligations

General-purpose AI model obligations (Chapter V, Articles 51-56) remain in force on their original schedule. Omnibus does not postpone GPAI obligations.

What changes for GPAI providers:

• Maximum fine: 3% → 1.5% of global annual turnover for compliance failures (systemic risk violations remain at 3%)
• Voluntary CoP participation: newly explicit in text as evidence of good-faith compliance
• Documentation thresholds: 10^25 FLOPS threshold for systemic risk designation confirmed in working text

SME Flexibility — Extended Sandbox Access

SMEs and startups (under EU Recommendation 2003/361/EC definitions) gain:

• Access to national AI regulatory sandboxes until December 2027 (originally June 2026 cutoff)
• Right to complete conformity assessments in sandbox environment rather than production
• 25% fee reduction for notified body assessments for micro-enterprises

Scenario B: No Deal — Original Deadlines Stand

Probability estimate: ~35-40%

If May 13 negotiations fail — a real possibility if Parliament rejects Council's reduced-fine position or if the Article 5 extension triggers a procedural objection — the original AI Act applies without modification.

What This Means in Scenario B

Under Scenario B, development teams have approximately 90 days from today to August 2, 2026.

For most teams working on Annex III systems, this is an emergency timeline. Completing a conformity assessment for a high-risk AI system in 90 days — when notified body queues are already 4-6 months long — is not realistic through the standard path. Alternative paths:

• Self-assessment under Module A (only available for Annex III subcategory systems not requiring mandatory notified body involvement)
• Engaging conformity bodies immediately — some EU notified bodies are taking limited expedited bookings at premium rates
• EUAI Office complaint-handling guidance — the AI Office has indicated a 6-month "good-faith compliance period" will apply for the first violation wave, though this is informal guidance, not a legal safe harbour

The Obligations That Are Immune to Omnibus

Regardless of whether Scenario A or B materialises, the following obligations remain on the same schedule:

Article 5: Prohibited Practices — August 2, 2026 (Immovable)

This is the compliance item every developer team must treat as fixed:

• Art. 5(1)(a): No subliminal manipulation to distort behaviour against interests
• Art. 5(1)(b): No exploitation of vulnerabilities of specific groups (age, disability, social/economic situation)
• Art. 5(1)(c): No social scoring by public authorities or private actors for social benefits access
• Art. 5(1)(d): No real-time remote biometric identification in public spaces (with narrow LE exceptions)
• Art. 5(1)(e)-(h): Emotion recognition in workplace/educational settings prohibited; untargeted biometric scraping prohibited; criminal risk profiling prohibited; manipulation to bypass protections prohibited

If your AI system does any of these things, August 2, 2026 is a hard deadline regardless of Omnibus. There is no political mechanism to extend Art. 5 compliance — Parliament treats this as a fundamental rights floor.

GPAI Transparency (Art. 50) — August 2, 2026

Users must be informed when they are interacting with an AI system capable of generating synthetic content. This applies to chatbots, AI writing tools, AI image generators, and AI voice systems. No Omnibus variant changes this.

Existing GPAI Model Obligations — Already In Force

If you are a GPAI model provider (training or fine-tuning a general-purpose model), your core obligations under Articles 51-53 already applied from August 2, 2025. The Omnibus only affects the fine level — not the underlying obligations.

The Scenario-Agnostic 90-Day Compliance Plan

The rational approach is to build a compliance programme that is efficient under both scenarios. Here is what that looks like starting from today (May 4, 2026):

Month 1 (May): Art. 5 + Classification Audit

Week 1-2 (May 4-18):

• Complete an Art. 5 prohibited practice audit of all AI features in production
• Document the outcome with reference to each Art. 5 subcategory
• This documentation is useful under both scenarios and takes approximately 2-4 days for a team familiar with their own product

Week 3-4 (May 19-31):

• Classify all AI systems against current Annex III AND proposed amended Annex III
• The delta between the two classifications tells you which systems are reclassification candidates
• If a system falls out of Annex III under the amended text, it may still be worth preparing lighter-weight documentation now (the work is reusable for any future version of the regulation)

Month 2 (June): GPAI Documentation + High-Risk Assessment Initiation

If you are a GPAI model provider:

• Complete technical documentation (Art. 53): training data sources, model architecture summary, capabilities and limitations, testing results
• Register in the EU AI model database (EUAI Office portal — registration opened March 2026)
• Cost: approximately 3-5 person-days for a model already documented internally

If you deploy Annex III systems:

• Under Scenario A: begin Fundamental Rights Impact Assessment (Art. 27) — not mandatory until 2027 under Omnibus, but completing it now leaves you ahead of a competitor who waits
• Under Scenario B: FRIA becomes mandatory by August 2, 2026 — starting now is the only path to completion

Month 3 (July): Technical Infrastructure + QMS Draft

The most infrastructure-dependent compliance obligations:

Art. 12 — Logging: Annex III systems must generate logs enabling reconstruction of events during operation. This requires:

• Structured log storage with retention periods matching the deployment context
• EU-jurisdiction storage (CLOUD Act exposure creates unresolvable Art. 46 GDPR tension for logs containing personal data processed by the AI system)
• Access controls and tamper-evident logging

Art. 17 — Quality Management System: A QMS is required for all Annex III systems. Under Omnibus it may be delayed to 2027, but the documentation burden is the same. Starting the QMS skeleton now (risk assessment procedures, data governance policies, human oversight protocols) saves time under either scenario.

Infrastructure Decisions Before Omnibus Outcome

One compliance dimension is independent of the Omnibus outcome: where your AI system runs matters for GDPR compliance, regardless of AI Act timing.

Art. 10 (data governance requirements for high-risk AI training data) and Art. 12 (logging requirements) both implicitly require EU-jurisdiction data handling when the AI system processes personal data. Running high-risk AI inference on US-jurisdictioned infrastructure creates CLOUD Act exposure that cannot be resolved through standard contract mechanisms.

This is not a new insight — the EDPB's 2025 guidelines on AI system data governance reached the same conclusion. But the practical implication is: the infrastructure decision you make before August 2026 becomes the infrastructure you document in your technical file.

Teams that switch to EU-native hosting (no US parent entity, EU data residency by default) before the August deadline eliminate a structural compliance gap rather than managing it through contractual workarounds.

What to Do This Week (Before May 13)

Regardless of Omnibus outcome:

1. Start the Art. 5 audit now. It is mandatory in both scenarios and takes 2-4 days. There is no reason to wait.

2. Pull your GPAI model documentation. If you have a GPAI model in production, gather your training data documentation, architecture specs, and testing records. Registration in the EUAI Office model database is open — creating the account takes 15 minutes.

3. Map your systems against both Annex III versions. The working text of the amended Annex III has been circulating in POLITICO and EURACTIV reporting. Compare your system against both the current and proposed new definition. The delta identifies your "reclassification candidates" — systems that may exit high-risk status under the Omnibus.

4. Make your infrastructure decision. If you are running AI inference on AWS, GCP, or Azure with EU region settings but US-parent CLOUD Act exposure, evaluate whether this needs to change before your technical file documentation is due.

5. Check your notified body queue position. If your system requires a notified body under current Annex III, contact a EU-designated notified body (NANDO database) now. Wait times are 4-6 months. Even under Scenario A, the 2027 deadline arrives faster than it appears.

After May 13: How to Read the Outcome

If negotiations succeed on May 13, the amending regulation will need to pass through a fast-track legislative procedure. Expect:

• European Parliament vote: June-July 2026
• Official Journal publication: July 2026
• Entry into force: 20 days after publication
• Application: 90 days after entry into force (i.e., October-November 2026 at earliest)

Important: The August 2, 2026 deadline is not automatically suspended when a trilogue deal is reached. The amending regulation must complete the full legislative procedure and enter into force before the postponement applies. Teams cannot assume a May 13 deal immediately removes their August obligations.

If negotiations fail, the Commission is expected to issue a communication within 2-3 weeks clarifying enforcement posture. Based on previous patterns (GDPR 2018 ramp-up, NIS2 2024 implementation), expect a 6-month informal enforcement grace period for first-time non-complex violations — but this is not a legal safe harbour.

Summary: The Two Scenarios at a Glance

The overlap — Art. 5, GPAI obligations, Art. 50 transparency — is where your compliance programme should focus before May 13. That work is not wasted under either outcome. The high-risk AI system work is scenario-dependent, but starting now is rational: you either need it by August 2026 (Scenario B), or you get a head start on 2027 (Scenario A).

Build the programme that makes sense regardless of what happens on May 13. Then refine it the week after.