The omnibus and the nudifier line — EU AI Act pulls one in, draws a new one

The May 7 AI Act omnibus extended high-risk-system deadlines to 2027-2028, expanded the SME relief framework, and added the first new prohibited practice since the Act's original adoption: nudifier applications. The two moves point in opposite directions on purpose.

The political agreement on May 7 contains two ostensibly opposite moves. On compliance, the EU softened: high-risk system rules push to December 2027, product-integrated systems to August 2028, SME relief expands to companies with up to 750 employees and €150M revenue. On prohibitions, the EU hardened: nudifier applications become a prohibited practice from December 2, 2026.

The opposite-direction framing is misleading. Both moves point at the same underlying principle: the EU is sharpening which specific risks the AI Act exists to prevent, and easing pressure on everything else.

The compliance softening is responsive to industry feedback that the original 2024 schedule was unrealistic and that the SME thresholds were poorly calibrated. The deadlines weren't producing better compliance — they were producing political backlash and lobbying for outright repeal. By extending and softening on the operational side, the EU buys political room to enforce the substantive prohibitions when they kick in.

The nudifier prohibition is the EU drawing a clear bright line on a category of harm that voluntary platform moderation visibly failed to control through 2024-2025. The mechanism — banning the apps in EU markets, with enforcement structured similarly to GDPR's long-arm jurisdiction — sends a stronger signal than the underlying volume of nudifier apps justifies, because the EU is establishing the principle that it will add specific prohibited practices as new categories of harm emerge.

The model the EU is signaling for the next decade of AI regulation: a small, sharp list of prohibitions, enforced seriously, expanded as needed; a much larger framework of compliance obligations, calibrated to industry capacity, extended when needed. This is closer to the GDPR enforcement model than to the EU AI Act's original schedule, and it's probably the regulatory equilibrium the EU was always going to converge on.

The US contrast is sharp. The Trump EO of December 11, 2025 ('Ensuring a National Policy Framework for Artificial Intelligence') is structured to consolidate federal oversight and roll back state AI regulation. Where the EU is adding specific prohibitions, the US is preempting subnational rules. The 2026 International AI Safety Report's warning that pre-deployment eval suites are breaking down lands in a transatlantic policy environment where the two major frameworks are now moving in opposite directions.

The throughline: the regulatory consolidation phase is over. The implementation phase is here. The EU model — sharp prohibitions, soft compliance, GDPR-style enforcement — is a different model than the US is now pursuing. Companies that operate in both jurisdictions are going to spend the rest of 2026 figuring out which model they're calibrating to.

Consilium — AI Council and Parliament agree to simplify and streamline rules → · Latham & Watkins — AI Act Update: EU Resolves to Change Rules and Extend Deadlines →