Key takeaways (May 17, 2026)
- The Digital Omnibus proposal is still being negotiated as of May 17, 2026 and has not delayed the GPAI deadline.
- Suggested adjustments largely concern high-risk obligations and SME-friendly transitions, not GPAI duties.
- Watch the Council and Parliament rapporteur statements through summer 2026 for the final shape.
- Plan for the existing August 2026 timeline; treat any delay as upside.
Short answer: the EU AI Act has not been finally delayed yet, but the Digital Omnibus is now the live legislative path for moving stand-alone high-risk AI obligations to December 2, 2027. As of April 25, 2026, the European Commission’s AI Act FAQ still says the Digital Omnibus is under consideration by Parliament and Council. The Council position and the Parliament report both support fixed backstop dates: December 2, 2027 for Annex III stand-alone high-risk AI systems and August 2, 2028 for Annex I product-embedded systems.
That means the practical answer is not “ignore August 2026.” It is: plan for the delay, but do not stop compliance work until the amending regulation is adopted.
I’ve been tracking this legislation since the Commission dropped the omnibus proposal in November 2025, and the situation right now is genuinely confusing. Some deadlines are likely moving. Some are not. And too many companies are treating the proposed delay as a green light to do nothing.
That’s a mistake. Here’s what actually changed, what’s still coming on time, and what I’d do if I were running a compliance program today. If you need a working plan while the legal timeline is still unsettled, use my EU AI Act August 2026 compliance checklist.
What the Digital Omnibus actually proposes for the EU AI Act
The European Commission published the Digital Omnibus on November 19, 2025, as part of its seventh simplification package. The stated goal: reduce regulatory burden on businesses while keeping the AI Act’s core protections intact.
The biggest change is the proposed delay of high-risk AI system obligations. Under the original AI Act timeline, these were set to kick in on August 2, 2026. The Digital Omnibus pushes that date out by up to 16 months, depending on the category of high-risk system.
Here’s the breakdown:
- Annex III high-risk systems (biometrics, employment, education, law enforcement, critical infrastructure, migration, justice): delayed to December 2, 2027
- Annex I high-risk systems (AI used as safety components in products covered by existing EU safety legislation like medical devices, machinery, vehicles): delayed to August 2, 2028
The delay is conditional. It only applies once the Commission confirms that adequate compliance support — meaning harmonized standards, common specifications, and guidance documents — is available. After that confirmation, providers get six months (Annex III) or twelve months (Annex I) to comply. But the backstop dates are hard caps. Even if the Commission never confirms readiness, the obligations apply by December 2027 and August 2028 respectively.
I covered the broader enforcement structure in my piece on EU AI Act 2026 enforcement updates, which explains the penalty tiers and conformity assessment process if you need that background.
Why the Commission proposed the delay
The official reason is practical, not political: the harmonized standards aren’t ready.
The AI Act requires companies building high-risk AI systems to meet specific technical requirements — data governance, documentation, human oversight, accuracy, robustness. To know whether you’ve met those requirements, you need standards. And those standards are still being drafted by European Standardization Organizations (ESOs), primarily CEN and CENELEC.
As of early 2026, most of the critical harmonized standards haven’t been published. Companies have been asking a reasonable question: how do you comply with rules when the measuring stick hasn’t been built yet?
There’s a second reason the Commission won’t say out loud but everyone in Brussels knows. Only 8 of the 27 EU member states had designated their national competent authorities by early 2026 — the bodies responsible for actually enforcing the Act at the national level. Three member states have designated both notifying and market surveillance authorities. Fourteen haven’t designated any authority at all.
You can’t enforce a law if the enforcers don’t exist yet. That’s the quiet part.
And then there’s the competitiveness argument. The Commission has been under pressure from industry groups — and several member state governments — who argue that premature enforcement would put European companies at a disadvantage against US and Chinese competitors operating under lighter rules. I wrote about how Japan is taking a different approach to AI regulation that puts developer flexibility first, which gives you a useful comparison point.
Where things stand right now: the legislative timeline
The Digital Omnibus is not law yet. That distinction matters more than most people realize.
Here’s the sequence of events so far:
- November 19, 2025 — European Commission publishes the Digital Omnibus proposal
- March 13, 2026 — The Council of the EU adopts its negotiating position
- March 18, 2026 — The IMCO (Internal Market) and LIBE (Civil Liberties) committees adopt their joint position: 101 votes in favor, 9 against, 8 abstentions
- March 26, 2026 — The European Parliament adopts its negotiating position in plenary: 569 votes in favor, 45 against, 23 abstentions
- April 2026 — Trilogue negotiations begin between Parliament, Council, and Commission
- April 28, 2026 — Second trilogue meeting, where a political agreement could land
The Cypriot Presidency of the Council has set the target: get this done by April or May 2026. Both Parliament and Council broadly agree on the backstop dates (December 2027 for Annex III, August 2028 for Annex I). The major sticking points are in the details — how to handle the conditional trigger mechanism and a few additions Parliament wants.
I track the EU AI Act regulation news on a rolling basis, so check there for updates as trilogue progresses.
What Parliament added that wasn’t in the original proposal
The Parliament didn’t just rubber-stamp the Commission’s text. They made three significant additions:
Ban on AI-generated non-consensual intimate imagery
Both Parliament and Council added a new prohibited practice under Article 5: AI systems that generate or manipulate sexually explicit images depicting an identifiable real person without their consent. These are the so-called “nudifier” applications. The Council’s text also expressly covers child sexual abuse material.
This is one area where I think the institutions got it right. The original AI Act didn’t specifically address this, and the technology moved faster than the 2024 legislative text anticipated.
Watermarking deadline pulled forward
The Commission proposed giving companies until February 2027 to comply with AI-generated content marking requirements (the watermarking and disclosure rules for synthetic audio, image, video, and text). Parliament shortened that to November 2, 2026 — about three months earlier.
My read: Parliament wanted to signal that not everything is getting a free pass. Deepfake labeling is politically popular and technically achievable with current tools, so there’s no excuse for a long grace period.
Expanded SME relief
Companies with up to 750 employees and €150 million in turnover will get the same compliance reliefs previously reserved for SMEs. That’s a meaningful expansion. If your company falls in that mid-cap range, your compliance burden just got lighter.
The original deadlines vs. what’s proposed now
Here’s the timeline comparison. I’m putting both the original and proposed dates side by side because I’ve seen too many articles that only show one set.
| Obligation | Original deadline | Proposed deadline | Status |
|---|---|---|---|
| Prohibited AI practices (Article 5) | February 2, 2025 | No change | Already in effect |
| AI literacy requirements (Article 4) | February 2, 2025 | Softened to “encouragement” | Change proposed |
| GPAI model obligations | August 2, 2025 | No change | Already in effect |
| Transparency obligations (Article 50) | August 2, 2026 | No change | On schedule |
| High-risk AI — Annex III systems | August 2, 2026 | December 2, 2027 | Delay proposed |
| High-risk AI — Annex I systems | August 2, 2026 | August 2, 2028 | Delay proposed |
| AI-generated content watermarking | August 2, 2026 | November 2, 2026 | Slight delay (Parliament shortened from Feb 2027) |
| Commission enforcement powers for GPAI | August 2, 2026 | No change | On schedule |
| National regulatory sandboxes | August 2, 2026 | December 2, 2027 in Council position | Proposed delay |
| Legacy high-risk systems full compliance | August 2, 2027 | Moves with respective annex dates | Delay proposed |
The pattern is clear: high-risk AI obligations are the main delay target, and national sandbox timing is also in play. Transparency, GPAI enforcement, and prohibited-practice penalties are still the near-term compliance priorities.
What still matters for August 2, 2026
Even if the Digital Omnibus passes with the current delay structure, these obligations still matter for August 2, 2026:
Transparency obligations under Article 50 are the big one. If your AI system interacts directly with people, you have to tell them they’re talking to a machine. If your system generates synthetic content — images, audio, video, text — that content must be machine-detectable as AI-generated. Emotion recognition and biometric categorization systems require explicit user disclosure. This applies to everything from AI assistants to enterprise chatbots.
GPAI enforcement is also on schedule. The rules for general-purpose AI models took effect in August 2025, but the Commission’s enforcement powers — including the ability to levy fines — become applicable in August 2026. If you’re a foundation model provider, you’re in scope. The GPAI Code of Practice gives you a presumption of conformity, but it’s voluntary. Not signing it means regulators start from a position of skepticism.
National regulatory sandboxes are one of the moving pieces. The original AI Act calendar points to August 2026, but the Council mandate proposes postponing national sandbox establishment to December 2, 2027. That is why I would not treat sandbox readiness as settled until the final Digital Omnibus text is adopted.
Penalties for prohibited practices under the Article 99 penalty structure are already active: up to €35 million or 7% of global annual turnover for violations of prohibited practices. Up to €15 million or 3% for high-risk system violations (once they apply). Up to €7.5 million or 1% for providing incorrect information.
For the full picture of what’s already being enforced this month, see my EU AI Act news roundup for April 2026.
The political debate: is this good policy or a cave to industry?
This is where I want to be honest about my own conflicted position.
On one hand, the delay makes practical sense. You can’t fine companies for failing to meet standards that haven’t been written yet. That’s not fair enforcement — that’s a Kafka novel. The Commission is acknowledging a real readiness gap, and the conditional mechanism (tie compliance start dates to standards availability) is actually more thoughtful than a blanket extension.
On the other hand, I’ve seen this pattern before with European regulation. The GDPR went through a similar “we need more time” cycle before its 2018 enforcement date. And there’s a real cost to delay: every month the high-risk obligations slip is another month that unregulated AI systems operate in employment screening, credit scoring, border management, and criminal justice — areas where the real-world harm is not theoretical.
TechPolicy.Press put it bluntly: the delays let high-risk systems dodge oversight. Civil society groups have argued that the people most affected by high-risk AI — job applicants, welfare recipients, asylum seekers — don’t have lobbyists pushing their timeline. Industry does.
The European Parliament’s overwhelming plenary vote (569 to 45) tells you the political reality: there’s broad consensus that the delay is necessary. But the addition of the nudifier ban and the shortened watermarking deadline shows Parliament wanted to prove this isn’t a pure giveaway to industry.
My take? The delay is probably the right call on pragmatic grounds, but I’m uncomfortable with how easily “we need more time for standards” can become “we need more time, period.” The backstop dates are what save this proposal from being toothless. December 2027 and August 2028 are hard caps. If those slip too, then the criticism that the EU is retreating from its own rules becomes fair.
What I’d tell a compliance team right now
I’ve spoken with three compliance leads at mid-sized companies in the past two weeks about how to handle the uncertainty. Here’s what I’m telling them:
Don’t stop your compliance program. The delay isn’t final. August 2, 2026 is still the legal deadline until the Digital Omnibus is formally adopted. If trilogue talks stall — unlikely but possible — you’re on the hook in four months.
Focus on what’s definitely happening. Transparency disclosures (Article 50), GPAI documentation, and your AI system inventory. These don’t move regardless of the omnibus outcome.
Use the extra time for real preparation, not procrastination. If Annex III obligations shift to December 2027, that gives you about 20 months from now. Sounds like a lot. It isn’t. Building a conformity assessment process, getting technical documentation in shape, and training your teams takes 12-18 months in my experience. I’ve walked through the process with two organizations since January, and neither was even halfway through their AI system inventory after three months of work.
Get your AI system inventory done this quarter. This is step zero. You cannot risk-classify what you haven’t cataloged. Every company I talk to underestimates how many AI systems they have in production. The average mid-market company finds 30-50% more AI systems than they expected once they start looking.
Watch the trilogue outcome. The European Parliament’s Legislative Train Schedule tracks the Digital Omnibus in near-real time. If a political agreement lands at the April 28 meeting, formal adoption could follow within weeks.
For a broader framework on how to structure your AI governance program around these deadlines, I put together a guide on AI governance strategies for 2026 that covers the organizational and technical pieces.
What Annex III high-risk categories actually cover
Since these are the systems getting the December 2027 deadline, it’s worth knowing exactly what falls under Annex III. The categories listed in Article 6(2) are:
- Biometrics — Remote biometric identification, biometric categorization based on sensitive attributes, emotion recognition systems
- Critical infrastructure — AI in management of digital infrastructure, road traffic, water/gas/heating/electricity supply
- Education and vocational training — Admissions decisions, student assessment, exam proctoring, learning adaptation systems
- Employment and worker management — Recruitment, hiring decisions, task allocation, performance monitoring, promotion/termination decisions
- Access to essential services — Credit scoring, insurance risk assessment, emergency service dispatch prioritization
- Law enforcement — Risk assessment for criminal offenses, polygraph and similar tools, evidence reliability assessment, crime analytics
- Migration, asylum, and border control — Risk assessments for migrants, document authentication, residence permit and visa applications
- Administration of justice — AI assisting judges in applying law, alternative dispute resolution outcomes
If your AI system touches any of these eight areas, the proposed December 2027 deadline applies to you.
Annex I systems are different. These are AI systems embedded in products already regulated under existing EU safety legislation — think medical devices, machinery, vehicles, toys, marine equipment, civil aviation. Those products already have conformity assessment processes, and the AI Act layers additional requirements on top. That’s why they get the longer runway to August 2028.
For more context on how these categories interact with the broader agentic AI deployment risks, particularly in employment and critical infrastructure use cases, that piece breaks down the operational side. If you’re specifically looking at AI in CI/CD or infrastructure automation, my article on agentic AI in DevOps covers the frameworks and where the compliance lines get blurry.
The standards gap that caused all of this
I want to give you context that most coverage of the delay skips over: why the harmonized standards aren’t ready.
The Commission issued standardization requests to CEN and CENELEC back in 2024. These organizations are supposed to develop technical standards that companies can use to demonstrate conformity with the AI Act’s requirements. Think of them as the “how” behind the “what” — the AI Act says your system needs to be accurate and robust, and the harmonized standards would specify exactly what that means in measurable terms.
The problem is that AI standardization is genuinely hard. Unlike product safety standards for, say, electrical equipment (where decades of engineering practice inform the specs), AI system standards are being written almost from scratch. How do you standardize “human oversight” across a hiring algorithm and a medical imaging system? What does “appropriate level of accuracy” mean when the same model performs differently across demographic groups?
CEN and CENELEC have made progress, but as of April 2026, most standards are still in draft form. The European Commission published common specifications as an interim fallback, but these don’t carry the same legal weight as full harmonized standards.
This matters because the AI Act’s conformity assessment process leans heavily on standardized testing. Without published standards, even companies that want to comply don’t have a clear finish line.
How this compares to other jurisdictions
The EU’s delay puts it in an interesting position globally. The IAPP’s analysis noted that the Digital Omnibus is as much a competitiveness move as a practical one.
The United States still has no federal AI legislation. Executive orders come and go with each administration. China has several AI-specific regulations in effect but enforces them selectively. Japan — as I covered in my piece on Japan’s AI regulation shift — is deliberately keeping its framework flexible and developer-friendly, with voluntary guidelines rather than binding obligations.
The EU’s approach remains the most prescriptive in the world. But the delay signals that even Brussels has limits on how fast it can move from law-on-paper to law-in-practice. Every compliance team I’ve spoken to in the US is watching the EU timeline closely, because the AI Act’s extraterritorial reach means American companies selling to European customers are in scope.
Three things I’m watching closely
First, the April 28 trilogue. If a political agreement lands, the path to formal adoption opens up. The text won’t change dramatically — Parliament and Council are broadly aligned. But the specific language around the conditional trigger mechanism matters for planning.
Second, the watermarking compliance deadline. November 2, 2026 is closer than most content platforms think. If you generate synthetic media at scale, your engineering team needs to be implementing detection and labeling now. This isn’t a “figure it out later” situation.
Third, member state readiness. Even if the high-risk obligations shift to 2027, national competent authorities need to exist before enforcement can happen. The 8-out-of-27 readiness rate is genuinely concerning. I’ll be watching whether the delay gives lagging member states cover to move even slower on designating their authorities.
What happens after the delay
Assuming the Digital Omnibus passes with the current backstop dates, here’s what the enforcement calendar looks like:
- August 2026: Transparency obligations, GPAI enforcement, prohibited practice penalties all active
- November 2026: AI-generated content watermarking requirements apply
- December 2027: Annex III high-risk AI system obligations fully enforceable
- August 2028: Annex I high-risk AI system obligations fully enforceable
That’s a staggered rollout over two years. For compliance teams, it means you can prioritize: transparency and GPAI documentation first, Annex III preparation second, Annex I third.
But here’s what I keep coming back to: the companies that treat December 2027 as their start date will be in the same position companies are in now with the August 2026 deadline — scrambling at the end because the work takes longer than they budgeted for. Every organization I’ve worked with underestimates the documentation burden by a factor of two or three.
Start your inventory. Build your risk classification framework. Write the technical documentation that you can write today, even if the standards haven’t been finalized. The standards will tell you what format and level of detail — but they won’t change what your system does or how it was trained. That information exists now. Capture it now.
