CattleGrid

UK Financial Services

EU AI Act Omnibus Agreement

Author: Brian Painting

What changed, what did not, and what UK financial services firms should do next

What happened on 7 May 2026

The European Council and European Parliament reached provisional political agreement on the Digital Omnibus on AI — a legislative package designed to simplify and streamline how the EU AI Act is implemented.

This is a real and material change to the timeline. It is not a rewrite of the Act’s core architecture. The risk-based framework — prohibited practices, high-risk systems, transparency obligations, governance requirements — remains entirely intact.

The Omnibus requires formal adoption and publication in the Official Journal before it becomes binding law. On the basis of political agreement between both co-legislators, it represents the operative planning baseline for compliance teams from today.

The key changes

The table below summarises what changed, what did not, and what each change means in practice for UK regulated organisations.

[Add Table]

What this means for UK financial services firms

The headline delay to high-risk system obligations is real. But it is not the story that matters most to you.

For most FCA-regulated firms using AI tools today, the obligations that are live right now are not the high-risk chapter. They are UK GDPR, the FCA’s Multi-Firm AI Review expectations, Consumer Duty, and the SMCR accountability framework. None of those has been delayed by anything in Brussels.

The shadow AI problem is already here

The FCA’s 2024 multi-firm review found that shadow AI — staff using personal or unsanctioned AI tools in client-facing work — is already widespread in regulated firms. The review identified audit trail failure, data export risk, and inadequate oversight as the three most common control gaps.

The EU AI Act Omnibus does not address that. It does not touch the question of what your staff are sending to AI models right now, through tools your firm has not assessed or approved.

That exposure exists regardless of which chapter of the AI Act applies and on what date.

Your cross-border exposure

If your firm has EU clients, EU branches, or provides services to EU entities, the EU AI Act’s extraterritorial scope applies to you. The territorial reach of the Act has not changed. Simplification of timelines is not simplification of scope.

A London-based financial advisory firm serving institutional clients in Germany or France is within scope now for prohibited practices and transparency obligations, regardless of where its servers sit.

What the delay actually gives you

The 16-month extension on Annex III high-risk obligations is genuinely useful — if you use it well. It is a structured planning window for firms that have not yet completed an AI use-case inventory, classified their systems, or mapped their data flows.

It is not a signal that this can wait until 2027. Firms that start their classification work in Q4 2027 will not have enough time to do it properly before the December deadline.

The risk of misreading this announcement: the delay is being reported as ‘the AI Act has been delayed.’ What has been delayed is one chapter of one regulation. The obligations that apply to your firm’s current AI use are not in that chapter.

Five things to do in the next 90 days

These are proportionate, practical steps for a regulated SME. None of them requires a significant budget. All of them reduce your exposure and build a defensible governance record.

1. Audit your AI tool inventory. Document every AI tool in active use — sanctioned and unsanctioned. Include tools accessed through personal accounts. You cannot govern what you have not mapped.

2. Check your data export controls. Understand what client data, personal data, or commercially sensitive information is leaving your environment through AI API calls. This is a live UK GDPR exposure, not a future one.

3. Document your AI use-case classifications. For each tool in your inventory, note whether it is used in a way that could constitute a high-risk application under Annex III — employment decisions, creditworthiness assessments, access to essential services. This is the groundwork for 2027 compliance.

4. Review your AI-generated content outputs. If you use generative AI in client-facing materials — reports, summaries, correspondence — consider how you will meet the Article 50 labelling obligation by December 2026. Seven months is workable. Leaving it to Q4 2026 is not.

5. Confirm your CLOUD Act position. If you are using US-domiciled AI providers, understand what data sovereignty protections (if any) apply. The EU AI Act Omnibus does not address this. GDPR Chapter V obligations on international transfers remain fully in force.

What we are doing in light of this announcement

We think it is worth being transparent about how the Omnibus affects our own work at CattleGrid. We have no direct high-risk AI obligations under the Act — as an input-layer gateway, we are not a provider or deployer of a high-risk AI system. But our customers are, or will be, and that changes what we need to do.

Our immediate actions are these. We are updating our Legislative Reference Library and compliance maps to reflect the confirmed 2027 and 2028 backstop dates. We are reviewing our Data Processing Agreement and End User Service Agreement to ensure they accurately describe our role in the AI supply chain and do not inadvertently imply that we assume obligations which belong to our customers. We are examining whether any updates are needed to our Terms of Service in light of the express new prohibition on AI systems generating non-consensual intimate imagery and CSAM.

We are also updating our GTM materials, including the whitepaper and sector briefings, so that they do not overstate the urgency of the August 2026 cliff-edge that no longer applies — while making clear that the obligations that do apply now are real and proximate.

If you are working through your own compliance preparation and want to understand how a technical control layer like CattleGrid could support your AI governance programme, we are happy to have that conversation.



cattlegrid.uk  |  hello@cattlegrid.uk


This note is published for informational purposes only. It does not constitute legal advice. CattleGrid Ltd makes no warranty as to the accuracy or completeness of this analysis. Consult qualified legal counsel for advice specific to your organisation.