On June 29, 2026, the Council of the European Union gave final approval to the Omnibus VII package, which simplifies parts of the AI Act and pushes back key compliance deadlines. Two days later, the Trump administration lifted export controls on Anthropic's Fable 5 model after an 18-day restriction period. Both events change the compliance landscape for companies building or deploying AI systems. Here is what the new dates mean and where the regulatory approaches diverge.
The EU timeline moves right
The original AI Act set most provisions to apply from 2 August 2026. The Omnibus VII amendments push that back. Standalone high-risk AI systems now need to comply from 2 December 2027. AI systems embedded as safety components in products covered by EU sectoral legislation on safety and market surveillance get until 2 August 2028. Watermarking obligations for AI-generated content have a separate deadline: 2 December 2026. From that date, any AI-generated content must be labeled in a machine-readable format.
The Council press release describes the changes as improving legal clarity and supporting innovation. I read it differently. The delays give industry more time to prepare, but they also indicate that the technical standards and support infrastructure the Act depends on are not ready. The European Commission needed the extra runway to publish harmonized standards and set up the AI Office's enforcement machinery. Companies that started compliance work early will have an easier time, but the extended deadlines may encourage procrastination.
Watermarking comes first
The 2 December 2026 watermarking deadline is the nearest fixed point. It applies to all AI-generated content, not just high-risk systems. Machine-readable labeling means metadata or invisible watermarks, not a simple disclaimer. The regulation requires that the label be "effective, technically robust, and interoperable." That is vague, and the industry still lacks a common standard. Cloud providers like Google and AWS have their own watermarking tools, but they use different formats. If your product generates text, images, audio, or video, you need a plan for metadata injection by November 2026.
Prohibitions on harmful content
The amendments also prohibit AI-generated non-consensual intimate imagery and child sexual abuse material. These categories were already illegal under other EU directives, but the AI Act makes it explicit that training models on or distributing such content through AI systems is banned. The wording covers "manipulated intimate imagery" and AI-generated CSAM. If your model can generate photorealistic human faces or bodies, you need content filters that catch these categories. The prohibition applies immediately from the date of entry into force, not the extended deadlines.
Regulatory overlap reduced
A recurring complaint from industry was that the AI Act duplicated requirements in other EU legislation, particularly the Machinery Regulation and sectoral safety rules. The Omnibus VII package clarifies that products with AI components only need to comply with the applicable sectoral safety legislation, provided the level of health and safety protection is equivalent. This is practical. A robot arm with AI collision avoidance should not need two separate conformity assessments.
The definition of "safety component" has also been refined. AI features that merely assist users or optimize performance are not automatically high-risk, unless their failure poses health or safety risks. A recommendation engine on a factory dashboard is not the same as a brake controller. The distinction matters for classification.
Bias correction gets a data processing allowance
The amendment permits processing of personal data where strictly necessary to detect and correct biases in both high-risk and non-high-risk AI systems. This addresses a tension in the GDPR. To test a model for racial or gender bias, you often need demographic data. The AI Act now explicitly allows this, subject to appropriate safeguards. Developers should document the data processing rationale and implement access controls. This provision is a net positive for fairness auditing, but it also opens a vector for privacy complaints if the safeguards are weak.
SME exemptions broaden
The original exemptions for small and medium enterprises have been extended to small mid-cap enterprises, which the EU defines as companies with up to 499 employees and annual turnover below EUR 100 million. If your organization falls into that band, you benefit from lighter reporting obligations and reduced fees for notified body assessments. The exemption covers the majority of European AI startups. Check whether your headcount and revenue qualify.
Enforcement centralized for general-purpose AI
The AI Office, based in Brussels, now has sole authority to enforce rules for general-purpose AI models, including large language models and foundation models. National regulators cannot impose their own requirements on top. This avoids the patchwork of national rules that plagued GDPR enforcement. But it also means the AI Office must scale its technical review capacity. As of July 2026, the office has around 80 staff. That is thin for the number of models in development.
The US takes a different path
While the EU codifies deadlines in law, the US is running an ad hoc system. On June 30, the Trump administration lifted export controls on Anthropic's Fable 5 model, restoring public access after an 18-day suspension. The model had been pulled for security reasons. Commerce Secretary Howard Lutnick said his office worked with Anthropic to analyze and approve the model after implementing a new safeguard that blocks the jailbreak officials were worried about 99% of the time. In the remaining 1% of cases, the model's output only included previously discovered or already patched security flaws, according to Anthropic.
OpenAI went through a similar process with GPT-5.6 last week, releasing it to a small set of government-approved customers. The White House faces an August 2026 deadline, under a recent executive order, to create standardized benchmarks for evaluating the security risks of new AI models. That deadline has not been extended.
The difference between the EU and US approaches is stark. The EU sets fixed compliance dates and lets industry adapt. The US deals with each model individually, with no published criteria for what triggers a restriction or what satisfies the government. Anthropic's Fable 5 was blocked, then unblocked, based on private negotiations. The company says it worked closely with the Commerce Department's Center for AI Standards and Innovation. That is not a repeatable process. If you are an AI developer in the US, you have no way to know in advance whether your model will be approved for public release.
Practical steps for technical teams
Map your AI systems against the updated risk classifications. The definition changes in Omnibus VII mean some systems that were high-risk under the original Act may now be classed as low risk, especially if they are assistive rather than safety-critical. On the other hand, systems that generate synthetic faces or voices now fall under the new content prohibitions.
Prioritize watermarking readiness for December 2026. Even if your system is low risk, you need machine-readable labels on AI-generated output. Test your pipeline with a reference implementation like the C2PA standard, which several browsers and social platforms already support.
If your company is an SME or SMC, verify that you qualify for exemptions. The lighter requirements save time and money, but you still need to document your classification. Do not assume you are exempt without checking the updated thresholds.
For bias correction, design your data collection procedures with the new personal data allowance in mind. Use synthetic or anonymized data where possible. Document the necessity of any real personal data processing.
Finally, monitor the August 2026 US deadline for the AI model benchmarking executive order. The outcome of that process will shape how frontier models are evaluated, and it may influence global norms. If the US adopts technically specific benchmarks, they could become de facto industry standards regardless of EU regulation.
I genuinely do not know whether the EU's structured delays or the US's case-by-case negotiations will produce better outcomes. The EU approach gives certainty but invites last-minute rushing. The US approach is flexible but arbitrary. Either way, the next six months will force every organization using AI to answer concrete questions about classification, labeling, and content safety. The old strategy of waiting and watching is no longer viable.