EU AI Act Digital Omnibus — the Omnibus deal shifts the deadlines and extends the SME track to companies up to 750 employees
16 May 2026. On 7 May 2026 the EU Council and Parliament reached a political agreement on the Digital Omnibus to the AI Act — formal adoption is expected by July 2026. The change that matters most for our customers: the SME relief now also covers small mid-cap companies with up to 750 employees and EUR 150 million in annual revenue — a band of the German Mittelstand that previously sat in the full enterprise duty corridor. The high-risk AI deadlines move to 2 December 2027 (stand-alone) and 2 August 2028 (regulated-product), the watermarking obligation for AI-generated content shifts from August to 2 December 2026.
TL;DR — 90 seconds
The most important message of the Omnibus for our customers is not the postponement, but the extension of the SME definition to small mid-caps (up to 750 employees / EUR 150 million revenue). The deadline shifts buy planning time, but they do not reduce the obligations — they re-order them in time.
| Question | Answer |
|---|---|
| Affected? | Any company operating in the EU that develops, runs or distributes AI systems. For the German Mittelstand and small mid-caps (up to 750 employees / EUR 150 million revenue) the regulatory corridor changes substantially. |
| What changes? | (1) SME relief now also covers small mid-caps. (2) High-risk AI deadlines: stand-alone HRAIS to 2 Dec 2027, regulated-product to 2 Aug 2028. (3) Watermarking obligation for AI-generated content: from 2 Aug 2026 to 2 Dec 2026. (4) Centralisation of oversight at the AI Office, EU-wide regulatory sandbox. |
| What stays? | Transparency and documentation duties for GPAI models (general purpose AI), prohibitions (Article 5), 2 Aug 2026 deadline for the oversight architecture. The Omnibus reorders the load, it does not remove it. |
| Immediate action? | Classification inventory with lawyer or data protection officer: where does your company sit in the new SME / SMC / enterprise grid? Which AI systems in your inventory are high-risk, which GPAI application layer do you run? Which supplier contracts govern the shared responsibility? |
| When does it bite? | GPAI duties from 2 Aug 2026, watermarking from 2 Dec 2026, high-risk AI staggered from 2 Dec 2027 (stand-alone) and 2 Aug 2028 (regulated-product). |
What changes — and what stays
We have been following the AI Act since the original 2024 trilogue text, because our platform decisions in the work with customers depend on it — from CMS setup to the choice of AI components. What changed on 7 May is not the EU's regulatory will, but the temporal choreography and the definition of which company size falls into which duty corridor. Four changes are decisive from our perspective, a fifth remains in discussion. The legal classification in each individual case lies with your lawyer or data protection officer — we frame the platform-side implications here, not the legal duty position.
First: SME relief now also for small mid-caps
The original SME definition in the AI Act followed the EU standard definition (up to 250 employees, EUR 50 million revenue or EUR 43 million balance sheet). The Omnibus extends the SME regulatory relief to a new small mid-cap (SMC) category with up to 750 employees and EUR 150 million in annual revenue. The analysis by Latham & Watkins quantifies this extension as covering a substantial layer of the European Mittelstand that previously sat under the full enterprise corridor.
Concrete relief covers simplified documentation templates, reduced fine corridors, prioritised access to national regulatory sandboxes and simplified conformity assessment procedures. For a German Mittelstand company with 400 employees and EUR 80 million revenue, previously clearly in the enterprise corridor, the entire compliance load now shifts onto a more pragmatic track.
Second: high-risk AI deadlines postponed
The high-risk AI system obligations (Annex III: employment, education, critical infrastructure, law enforcement and others) would have entered into force on 2 August 2026. The Omnibus postpones:
- Stand-alone HRAIS (independent high-risk systems) to 2 December 2027
- Regulated-product safety components to 2 August 2028
That is 16 and 24 months of breathing room. The extension is not a call to defer — it is a correction of the originally optimistic trilogue assumption that the harmonised standards and national supervisory bodies would be operationally ready by August 2026. As of May 2026, this assumption does not hold: the key harmonised standards (via CEN-CENELEC JTC 21) are still in draft, several member states have not yet built out their national notified-body architecture.
Third: watermarking obligation from August to December 2026
The transparency obligation to label AI-generated content (Article 50) moves from 2 August 2026 to 2 December 2026. Four months of postponement for a duty that is relevant for every customer running generative AI in marketing content, product imagery, voice output or code generation — effectively every productive AI user in the German Mittelstand. On the platform side, Article 50 is already addressable with our AI-Ready CMS: C2PA-compliant manifest embedding into image and media paths is part of the product standard, a text disclosure line for chatbot responses can be configured on the same platform foundation. Whether the concrete implementation variant meets the legal requirement in your constellation is for your lawyer to decide — but the technical preparation already sits in the platform.
Fourth: oversight centralisation and EU sandbox
The AI Office at the European Commission receives more competence for direct supervision of GPAI models and cross-border cases. In parallel, an EU-wide sandbox programme is being set up to complement the national regulatory sandboxes. For companies with cross-border AI applications this reduces the heterogeneity of the oversight conversation — one application, one contact at EU level instead of 27 national variations.
What stays unchanged
Three points are explicitly not relaxed in the Omnibus:
- GPAI transparency and documentation duties (Article 53) remain on the August 2026 deadline. Providers and application layers of general-purpose AI models must deliver the summary training-data descriptions, technical documentation and copyright compliance concepts by then.
- Prohibitions (Article 5: social scoring, manipulative AI, untargeted face-recognition databases and others) have applied since February 2025 and remain unchanged.
- Fine corridor for the prohibitions (up to EUR 35 million or 7 % of worldwide annual revenue) has applied since 2 August 2025 and is not touched by the Omnibus — the reduced fine corridor for SME/SMC applies to the other duty classes, not to Article 5.
The Omnibus is correction, not retreat. Whoever reads it this way will use the time gained not as deferral, but as the window for the proper inventory and supplier contract update.
Who falls under SME or small mid-cap now?
The clean classification is the strategically most important question the Omnibus raises — and it is not trivial. The SME definition follows EU recommendation 2003/361/EC, the small mid-cap definition comes from the InvestEU framework, and both terms have to be examined in the AI context against group consolidation, majority shareholdings and foreign subsidiary revenues.
| Company profile | Before Omnibus | After Omnibus |
|---|---|---|
| Family-owned company, 120 employees, EUR 25 million revenue, standalone | SME — full relief corridor | SME — unchanged |
| Mid-sized company, 380 employees, EUR 70 million revenue, standalone | Enterprise — full duty corridor | Small mid-cap — newly relieved |
| Family holding, 600 employees, EUR 140 million revenue, three subsidiaries | Enterprise — full duty corridor | Small mid-cap (after group consolidation check) — newly relieved, provided the group thresholds are not exceeded |
| Mid-sized company, 250 employees, EUR 200 million revenue | Enterprise | Enterprise — revenue threshold of EUR 150 million exceeded |
| Mid-sized company, 800 employees, EUR 120 million revenue | Enterprise | Enterprise — employee threshold of 750 exceeded |
| Group subsidiary with 200 employees, parent group 12,000 employees globally | Enterprise (group consolidated) | Enterprise (group consolidated) — group thresholds break through |
The group consolidation rule is the most common pitfall, and it is a legal check, not a platform check. In the work with our customers over the past 18 months we have repeatedly seen a seemingly standalone unit classify itself as SME, while the legal review by data protection officer or in-house counsel takes the majority shareholding of a holding into account — and the SME classification then comes out differently than initially assumed. With the new SMC threshold, the same check now becomes relevant for a larger corridor layer. What we can tell you practically: raise the question early and answer it cleanly, because the later documentation builds on the answer.
Impact on planning
We divide the operational impact into three time horizons.
By 2 August 2026 (short-term, 11 weeks): GPAI transparency and documentation duties remain unchanged. Anyone integrating GPAI models (OpenAI, Anthropic, Mistral, Google Gemini and others) into their own application layers must have the use-case documentation, the data-flow description and the risk classification in an auditable form by then. Supervisory structures at national level (in Germany led by BNetzA, with BSI and BfDI participating) enter into force.
By 2 December 2026 (mid-term, 7 months): watermarking obligation for AI-generated content. Anyone running generative models for image, text or audio production in customer-facing channels must have the machine-readable and where applicable human-recognisable labelling integrated into the production paths. The TechPolicy.Press analysis stresses that, especially for CMS and e-commerce platforms, the implementation must be prepared at tooling level — the labelling cannot be added only at delivery time, it must be anchored in the generation pipeline.
By 2 December 2027 and 2 August 2028 (long-term, 19 and 27 months): high-risk AI system obligations. Anyone operating AI systems in Annex III application fields (HR recruiting tools, credit scoring, education assessment AI, critical infrastructure control) must have the conformity assessment, the risk management system, the training data quality assurance, the technical documentation dossier, post-market monitoring and the supervisory connection in functional shape by then. The time corridor gained is real, but the requirement depth is substantial — anyone starting only at the turn of the year 2027 has no meaningful lead time for the external conformity assessment.
Economically the Omnibus means two things for our customers. First: one deadline pressure fewer in the summer business half of 2026. Second: for the Mittelstand layer between 250 and 750 employees, a shift from “a compliance block that mandates external large-firm consulting” towards “a compliance block that can be mapped internally with standard templates plus legal sign-off on the final version”. That does not save the work, but it saves a substantial consulting cost item — and it makes the platform decisions we make together with our customers more plannable.
Immediate actions — your classification inventory
Three paths, in exactly this order.
Path 1 — company classification (legal layer)
Clarify at executive level with your lawyer or data protection officer which corridor you fall into under the new thresholds. The check typically considers:
- Employee count on a group-consolidated basis (not just the legal entity)
- Annual revenue on a group-consolidated basis
- Balance sheet total as alternative to the revenue threshold (relevant for capital-intensive industries)
- Shareholding structures — majority interests from large groups break through onto your classification via the EU consolidation rule
- Foreign subsidiaries and their revenues
The underlying data (employee counts, revenue, group consolidation) is usually available in controlling or with your auditor — it is collected occasionally anyway for KfW or BAFA funding applications, for balance sheet publications or for the SME classification under individual EU programmes. A standalone “AI Act initial check” is not part of the standard tax-advisor scope, but the data points themselves are typically available.
Path 2 — AI system inventory (platform layer)
Create an inventory of all AI systems operated productively in the company. Three columns have proven useful in our platform work: (a) use case and business process, (b) underlying model layer (own model, GPAI application layer, purchased SaaS product), (c) risk classification according to AI Act Annex categories. The risk classification is a legal assessment — we deliver the technical inventory, the legal mapping is for your lawyer.
In the work with our customers, the majority of AI applications land in the GPAI application layer (own customer-support chatbots on GPT-4, internal knowledge bases with RAG pipelines, marketing text generation) and in the low / no risk class (internal productivity tools, translation aids). High-risk systems are rare in the German Mittelstand, but where they exist (recruiting algorithms, credit scoring, school / university assessment AI) they are strategically non-negotiable. Our AI-Ready CMS is built so that this inventory does not live in an Excel shadow register, but as a metadata layer on the content itself — the CMS entry knows which model created it, with which prompt, and whether the result triggers an Article 50 labelling duty.
Path 3 — supplier contract audit (legal layer)
Anyone consuming GPAI models as a cloud service carries the compliance load in shared responsibility with the provider. The contract terms of the large providers have been adjusted in several waves since the start of 2026 — anyone with a supplier contract from 2024 or earlier should have the DPA annexes, the training-data transparency clauses and the data processing terms reviewed by counsel against the current AI Act state. In particular the question who executes the Article 50 watermarking duty in which step is often left unclear between model provider and user. On the platform side the watermarking path can be implemented cleanly once the contractual role split is in place — see AI-Ready CMS above.
Verifying your classification — a short checklist
A pragmatic first-line check you can run in 30 minutes in an executive meeting. The legal sign-off on the answers afterwards lies with lawyer or data protection officer.
- We have run at least one AI system (including GPAI-based) productively in the business in the last 12 months. If yes: AI Act applies to you, regardless of size.
- We sit consolidated under 250 employees and EUR 50 million revenue. If yes: SME corridor with full relief. If no: continue to the next question.
- We sit consolidated under 750 employees and EUR 150 million revenue. If yes: SMC corridor with extended Omnibus relief. If no: enterprise corridor.
- We run at least one AI system in an Annex III application field (HR recruiting decision, credit scoring, education assessment, critical infrastructure, law enforcement, biometric identification). If yes: high-risk AI duties from 2 Dec 2027 / 2 Aug 2028, regardless of size corridor.
- We run generative AI in customer-facing channels (text, image, audio, video generation with publication or outbound delivery path). If yes: watermarking duty from 2 Dec 2026.
- Our AI applications process personal data. If yes: GDPR layer with AI Act interplay (data protection impact assessment, processing contract, right to explanation). Unchanged by the Omnibus.
Whoever can answer all six questions clearly has the classification state ready for the next board meeting. Whoever is uncertain on two or more questions has the point at which a structured inventory pays off.
Operator recommendation
Up front a when / then overview for the most common constellations.
Act now if you operate AI systems in an Annex III application field, or use generative AI in direct customer contact, or your size classification within the group consolidation is unclear. In these cases the inventory and supplier contract audit are worth doing now — the time corridor gained is not infinitely stretchable.
Plan within the week if you run GPAI applications without Annex III exposure and your size classification is unambiguous. The GPAI documentation duty on 2 Aug 2026 stays; it is achievable with the AI Office standard templates and two to three weeks of preparation.
Pick it up in the quarterly cycle if you use AI exclusively for internal productivity purposes, with no customer-facing exposure and no Annex III application. The inventory is still worth doing — as preparation in case an application field is added later.
Mittelstand (up to 250 employees / EUR 50 million — SME)
You sit in the most favourable corridor. The SME templates from the AI Office, which will become available in German translation in the coming months, are designed as the backbone of internal documentation. Anyone binding six-figure consulting day rates at this size over-delivers — the SME layer is intentionally designed in the Omnibus for in-house preparation with legal sign-off on the final version.
Small mid-cap (250–750 employees / EUR 50–150 million — newly added by the Omnibus)
You are the main beneficiary layer of the Omnibus. So far you oriented yourself by enterprise standards, going forward the SME relief is open to you. This is not a free pass, but a real resource relief. A formal executive decision to use the SMC track with documented size classification will in practice be the basis vis-à-vis the national supervisor — the wording of that decision belongs in the hand of your lawyer or data protection officer.
Enterprise (over 750 employees or over EUR 150 million revenue)
You remain in the full duty corridor. The deadline shifts give you planning time, but they do not reduce the requirement depth. The additional 16–24 months are the window for the proper conformity assessment, training of internal data protection and IT security officers and building out post-market monitoring structures — all topics that must be set up legally and procedurally before the platform side can sensibly be configured at all.
Providers of GPAI application layers
If you build your own products on a GPAI model layer (e.g. an in-house customer-support bot using OpenAI or Anthropic as model provider), it is often discussed in legal practice whether you qualify as provider under the AI Act in the sense of the GPAI application duties. The transparency duties on 2 Aug 2026 may, under that reading, apply to you and not only to the model maker. The classification in the concrete case is made by counsel — in practice it is often asked too late. Anyone running a GPAI application layer productively should have clarified this question with in-house counsel before August 2026.
What we are doing
We have run an initial sort through our customer list since 7 May. Three observations from the portfolio:
First: around 60 % of our customers shift through the SMC threshold from the enterprise into the relieved corridor. For these customers we have added the point “SMC track relevant?” to the next scheduled platform meeting — as technical preparation so that the SMC resolution draft, once drawn up by counsel, lands cleanly on the platform reality.
Second: the watermarking duty on 2 Dec 2026 hits all customers running generative AI in marketing output, in image generation for product catalogues or in voice output for customer voicebots — effectively all who have integrated AI tooling into the marketing or customer service stack in the past 18 months. In the AI-Ready CMS the C2PA-compliant manifest embedding into image, video and audio paths is already part of the product; for TYPO3 and Sylius estates outside the AI-Ready stack we are preparing a module package by Q3/2026 that retrofits the same watermarking pipeline. A text disclosure line for chatbot responses can be configured on the same platform foundation.
Third: the GPAI provider classification is consistently discussed too late in the portfolio. Anyone building their own application on a foundation-model layer can, under the AI Act reading, slip into a provider role vis-à-vis their own customers. We address this question explicitly in the onboarding of new projects from June 2026 and refer to lawyer or data protection officer for the legal classification.
On the platform side we are in parallel building out a module that runs the AI system inventory as a structured metadata layer on the content — that avoids Excel shadow registers and makes later audit requests technically answerable.
Frequently asked questions on the AI Act Digital Omnibus
Do we need to revise our AI roadmap because of the Omnibus?+
No, if your roadmap is built on realistic deadlines and proper inventory, the Omnibus changes nothing substantial. Yes, if your roadmap implicitly took the August 2026 deadline as the driving date and you can now push watermarking implementation into Q3/2026 or HRAIS conformity assessment into Q1/2027. The shift is an option, not a mandate.
Does the SMC extension apply already, or only after formal adoption?+
The political agreement of 7 May 2026 is not yet in force — formal adoption by Council and Parliament is expected by July 2026, before the original 2 August 2026 deadline. Until adoption the old thresholds formally still apply. In practice, the inventory and preparation can be aligned to the new threshold now — the likelihood of a material deviation from the political agreement text is low. The final assessment of entry into force in the individual case belongs with your lawyer.
We run our customer-support bot on the OpenAI API. Are we a GPAI provider or a user?+
With regard to the foundation model you are a user; with regard to your own application towards your customers a provider role can arise depending on the constellation — the AI Act reading knows this shared role. The transparency duties towards your end customers (disclosure that the bot is AI; labelling of AI-generated answers from 2 Dec 2026) typically rest with you, the model-specific transparency duties (training-data description, technical documentation of the foundation model) with OpenAI. The precise classification in the concrete case is made by your lawyer.
How much effort does the SMC classification documentation actually take?+
If the group-consolidated employee and revenue figures already sit annually in your controlling or with your auditor, the SMC documentation is one supplementary page — size classification under the AI Act with reference to the underlying financial-year data. Effort on the platform side: one half-session block in the executive meeting plus document drafting. The legal sign-off on the classification belongs in any case in the hand of your lawyer or data protection officer.
What happens if we miss the watermarking deadline on 2 Dec 2026?+
The fine corridor for the transparency duties goes up to EUR 15 million or 3 % of worldwide annual revenue (with reduced application rates for SME / SMC). More important than the fine is the supervisory relationship: the national supervisor (in Germany led by BNetzA) will most likely take a negotiating stance in the early phase, but documented non-implementation without serious preparation will be treated as a signalling case in the first procedures. Better pragmatic and documented preparation than perfect and late. On the platform side, C2PA manifest embedding in our AI-Ready CMS is already standard.
Does the Omnibus affect already-running conformity assessment projects?+
Yes, in a relieving direction. Anyone already in a HRAIS conformity assessment project can use the deadline corridor to smooth the external assessment slots — the notified bodies are currently overloaded, the extension gives room. From a platform perspective it makes sense to not pause the project but to move it into a calmer cadence.
Conclusion
The Omnibus is the most honest regulatory correction to the AI Act since the trilogue conclusion — it converts the originally optimistic deadlines into realistic implementation corridors and creates with the SMC extension a layer that comes closer to European economic reality. What makes the Omnibus tenable is not the postponement, but the recognition that a 380-employee company has different compliance capacities than a 38,000-employee group.
The question is not whether the AI Act will bite too hard from August 2026 — the postponements solve the acute deadline pressure. It is whether the months now gained will be used for a proper inventory, a lawyer-led supplier contract update and a platform preparation — or whether the new deadline is read as an invitation to defer. From our view in the platform work with customers, the second reading leads in every case to the same bottleneck, only 16 months later, because then everyone asks at the same time.
We build the platform side of your AI Act preparation — the legal classification stays with your lawyer.
Concretely: AI system inventory as a structured metadata layer in the CMS, watermarking pipeline with C2PA manifest embedding for image, video and audio paths, text disclosure line for generative chatbot responses, technical preparation of the GPAI documentation, platform line that makes SMC resolutions and audit requests technically answerable. Preferably directly on our AI-Ready CMS, for TYPO3 and Sylius estates outside the AI-Ready stack as a module retrofit.
If you, as managing director or board member of a German Mittelstand or small mid-cap company, want to structure the platform side of AI Act preparation, let us speak before the next executive meeting. Book an appointment directly, or take a look at our AI-Ready CMS as a Service, our AI Agent as a Service line and our DevSecOps as a Service platform.
About the author
Kim Hartwig
Kim is responsible for day-to-day operations and provides strategic support to our clients on a daily basis. Her expertise in computational linguistics combines an understanding of communication with technical know-how.
Related posts
![[Translate to English:] Ein messingfarbener Prägestempel auf cremefarbenem Papier mit leerem Prägekreis in der unteren Ecke, daneben ein gefalteter Brief auf Holz und ein oxblutfarbener Wachsstift mit messingfarbenem Lineal im kühlen Nordlicht.](/fileadmin/_processed_/6/8/csm_8ea1b36aee471bf17187b06cb26d53e2448b11c6515aceb8f648c9dc3f73075d_bfcb3888b1.webp)
Article 50 gets concrete — the European Commission publishes its transparency guidelines for the AI Act and gives you 26 days to weigh in
Weiterlesen →![[Translate to English:] Vier kleine Holzkisten in präziser Reihe auf Beton mit aufsteigender Risiko-Beschriftung, die rechte oxbloodfarben wachsversiegelt; dahinter ein halb gefalteter August-Kalenderblatt, daneben Messingstempel, Lupe und ledernes Notizbuch im kühlen Nordlicht.](/fileadmin/_processed_/a/e/csm_57bb67098b76626285b9efb3dd52567e7ee427e6700c157cdc55e8ac1a6508db_fcf83f7f74.webp)
Three months until the EU AI Act: what mid-market companies should have in place by 2 August 2026
Weiterlesen →![[Translate to English:] Walnuss-Schreibtisch mit antiquem Setzkasten (vier Fächer voller Bleilettern), geöffneter Brass-Karteikassette mit Kraftpaper-Tags, messingfarbener Lupe und einem aufrecht gestellten Oxblood-Wachssiegel-Etikett; im Hintergrund die Glasfront eines modernen Moselhauses mit sonnigem Weinberg-Hang — visuelle Metapher für die vier Schichten eines AI-ready CMS: strukturierte Inhalte, semantische Auslieferung, Agent-Interaktion und Vertrauen.](/fileadmin/_processed_/a/3/csm_67118060b63fe73c743485051efa3328caa4e62b8a211e2addb1b9a3c5fe9bfb_89b3061d60.webp)