Why the May 7 Omnibus shifts pressure without removing it and what CTOs need to decide before August 2.
Since May 7, 2026, the same phrase has come up in the AI committees that I come across: “we have eighteen months left, we’re putting the subject back on the pile”. That day, the Council and the European Parliament concluded a provisional political agreement on the Digital Omnibus on AI, full application of the high-risk obligations of Annex III postponed from August 2, 2026 to December 2, 2027. The press spoke of a respite and some of the AI departments made a global postponement.
This is the most costly misreading of the year, what is actually postponed represents only a fraction of the regulation, and because what remains applicable on August 2, 2026 “that is in twelve weeks” covers almost everything that organizations use on a daily basis: chatbots, AI agents, co-pilots, GenAI tools and biometric systems. Here’s what the Omnibus moves, what it doesn’t touch, and the three decisions the AI committees should make before summer.
What is actually reported:
The trilogue agreement, subject to formal adoption and publication in the Official Journal of the EU before August 2, 2026, provides for two significant delays. The first being the full application of the obligations for AI systems classified as high risk within the meaning of Annex III of the regulation is postponed from August 2, 2026 to December 2, 2027. Second shift, a transition rule specifically targets the obligations for marking and detection of synthetic content of Article 50(2) AI Act, suppliers of generative AI systems already on the market before August 2, 2026 have until February 2 2027 to comply. At first glance, another eighteen months on high risk.
What doesn’t move:
What the media coverage of May 7 underweighted was the extent of the scope which remains applicable to August 2, 2026 according to the initial schedule. The detail deserves to be asked.
The prohibited practices of Article 5 AI Act have already been in force since February 2, 2025, namely: subliminal manipulation, social scoring, non-targeted biometric scraping. These bans have never changed and their sanctions can reach 35 million euros or 7% of global turnover.
The transparency obligations of Article 50(1), (3) and (4) AI Act remain applicable as of August 2, 2026 without any postponement. Chatbots and AI agents must declare themselves as such. Emotion recognition and biometric categorization systems must inform exposed people. Deployers of deepfakes and AI texts published on matters of public interest must label the content. The Commission’s Guidelines published on July 29, 2025 are unambiguous on these points: Article 99(4) sanctions up to €15 million or 3% of global turnover.
GDPR Article 35 obligations on impact analysis prior to risky AI processing do not depend on the AI Act. They have been mandatory since 2018. And the CNIL announced in its 2026 program that it is preparing to become an AI Act surveillance authority, in addition to its GDPR role. The controls will be crossed from this year.
The report therefore concerns a fraction of the scope. The rest continues its course, more visible than before.
The three managerial traps
I currently identify three readings circulating in French AI committees regarding the Omnibus and two are major strategic errors.
First trap, the “respite”, the most widespread reading “We have 18 more months, we postpone the subject until the end of 2026”. The problem is mathematical, this reading only deals with Annex III, which represents a fraction of the applicable obligations. Chatbots, AI agents, GenAI tools consumed internally, biometric systems almost all fall under Article 50 without falling under Annex III. Ignoring them does not postpone control, it concentrates it on matters not reported.
Second trap, wait-and-see attitude PLAYS. “We are waiting for the official publication in the Official Journal to confirm the postponement before acting.” Legally understandable reading, operationally risky. The trilogue text must still be revised, translated, formally adopted and published. Three months minimum in the best scenario, more likely. During this time, the original schedule remains legally enforceable. An organization controlled on August 3, 2026 will not be able to oppose a political agreement not yet published.
Third trap, the CTO silo without an AI committee. This is most common in scale-ups and mid-sized companies. Management entrusts “the AI Act subject” to its CTO, without additional budget or formal framework. The CTO alone carries a file that combines technical, legal, GDPR, data governance and civil liability. The AI Act explicitly requires the establishment of integrated internal governance. An isolated technical decision by the DPO automatically leads to GDPR non-compliance that the CNIL will detect during the first cross-check.
Three decisions to be made before August 2, 2026
Instead of waiting, French AI committees should adopt three structuring decisions in the next twelve weeks.
First decision: formally compose the AI committee, not a technical committee, a multidisciplinary committee including DPO, CISO, lawyer, Management representative, and depending on the organization, Chief AI Officer or designated referent. Minimum quarterly cadence. Written mandate. This composition is not a nice-to-have, it is the explicit expectation of the AI Act and the emerging doctrine of supervisory authorities.
Second decision: finalize the AI inventory outside Annex III but under Article 50 which is the blind spot for most of the organizations I meet. Customer support chatbots, commercial co-pilots, GenAI tools deployed in marketing, meeting transcribers, internal agents, all these systems often escape the Annex III inventory but fall under Article 50. Without an inventory, no classification possible. Without classification, no disclosure strategy and without disclosure, direct exposure to control from August 2.
Third decision: publish an aligned corporate AI policy Article 4 of the regulation. Article 4 AI Act requires providers and deployers to ensure a sufficient level of AI literacy among their staff. The AI policy, which also constitutes control §5.2 of the ISO 42001 standard, must formalize the authorized uses, the prohibited uses, the roles, the training plan. Without it, defense in the event of control is impossible. It is therefore necessary to have a written, published, dated framework, signed by Management, and enforceable.
Postponement is not the absence of control, it is its displacement:
The mistake I see most often made by French AI committees at the moment is to consider the calendar as an opportunity to save time. The calendar is, on the contrary, an opportunity for calm structuring, so organizations that have formally composed their AI committee, finalized their inventory and published their AI policy by August 2, 2026 will be able to approach the rest with mastery. Those who have “put the subject back on the pile” will discover that the pile collapsed at the first CNIL check.
The May 7 Omnibus never meant “you can wait” but “focus your compliance on what is applicable now.” It’s a movement, not a suspension.
In twelve weeks, the scope of Article 50, Article 4, Article 5, and the entire cross-GDPR system will come into force for good. The question is no longer whether you will be inspected but whether your AI committee will have been formed, and what documents it will be able to present on the morning of August 3.
