EU AI Act · 8 min read

The EU AI Act Delay Is Now a Deal: What the Digital Omnibus Changes

The EU AI Act delay is no longer just a proposal moving through Brussels. On May 7, 2026, the European Commission announced that the European Parliament and the Council of the EU had reached a political agreement on the Digital Omnibus on AI.

That matters because the most important open question from the past few months - whether the August 2026 high-risk deadline would actually move - now has a concrete answer. The agreement sets December 2, 2027 as the application date for many stand-alone high-risk AI systems, and August 2, 2028 for high-risk systems integrated into regulated products.

There is still one legal step left. The Parliament and Council must formally adopt the text, and the amendments will enter into force three days after publication in the Official Journal of the European Union. But this is no longer speculative. For planning purposes, the EU has signaled where the calendar is going.

The practical question is not "can we stop working on EU AI Act readiness?" The answer to that is no. The better question is: what work should move slower, what work should continue, and what new items did the Omnibus add?

What Changed

The headline change is timing. The original AI Act calendar made August 2, 2026 the major date for many high-risk obligations. That created a problem: the law expected companies to prepare for conformity assessment, documentation, technical controls, and post-market obligations before all of the supporting standards and guidance were ready.

The Digital Omnibus deal tries to fix that sequencing problem. It keeps the AI Act framework intact, but moves the application dates for high-risk systems so the technical standards, guidance, and support tools can land first.

  • December 2, 2027: rules for systems used in certain high-risk areas, including biometrics, critical infrastructure, education, employment, migration, asylum, and border control.
  • August 2, 2028: rules for high-risk systems integrated into regulated products, such as lifts or toys.
  • Formal adoption still pending: the political agreement must still be formally adopted by Parliament and Council, then published in the Official Journal.

Why This Is Not a Repeal

The most common mistake will be treating the Omnibus as if Europe backed away from the AI Act. It did not. The Commission is describing the package as a simplification measure, not a retreat from AI regulation.

The structure of the AI Act remains the same: prohibited practices, high-risk systems, transparency duties, GPAI obligations, governance, market surveillance, and penalties. What changed is the implementation runway for some high-risk rules.

That distinction matters for U.S. companies, SaaS vendors, AI model providers, and downstream deployers. If your product reaches EU users or your AI output is used in the EU, the AI Act can still matter even if your company is not incorporated in Europe. The Omnibus gives more time for certain obligations; it does not erase the law.

What Is Still Active

Several parts of the AI Act are already active or remain on their existing track. Do not let the high-risk delay distract from them.

  • Prohibited practices: the AI Act prohibitions have already applied since February 2, 2025. Those rules are not waiting for December 2027.
  • AI literacy: Article 4 AI literacy obligations also began applying on February 2, 2025. The Omnibus discussion may change how some literacy duties are supported or framed, but organizations should not treat AI training as optional.
  • GPAI obligations: general-purpose AI model obligations became applicable on August 2, 2025, and remain a live issue for model providers and companies relying on upstream model documentation.
  • Transparency rules: chatbot disclosures, deepfake disclosures, and AI-generated content marking remain part of the AI Act compliance picture.
  • Penalties and scope: the Omnibus does not make the AI Act geographically narrower or remove the penalty structure.

The New Nudification App Ban

The agreement also adds a politically important protection: AI systems that generate non-consensual sexually explicit or intimate content, or child sexual abuse material, are prohibited. The Commission specifically pointed to AI "nudification" apps.

For most business AI governance teams, this will not be the central compliance issue. But it is still worth noting because it shows where EU lawmakers are willing to move quickly: concrete consumer harms, synthetic intimate imagery, child safety, and abuses that are easy to explain to the public.

If your organization builds or deploys image, video, avatar, companion, or consumer-facing generative AI tools, the practical lesson is broader than this one ban. You need usage controls, reporting paths, safety testing, abuse monitoring, and escalation procedures for sexual content, minors, impersonation, and non-consensual imagery.

What Gets Easier for Companies

The Omnibus is also meant to simplify parts of the operating model around the AI Act. The Commission has emphasized lower compliance friction, clearer governance, and better alignment with product safety law.

  • Small mid-cap companies get more relief: some simplifications that applied to SMEs are expected to extend to small mid-cap companies, including simplified technical documentation approaches.
  • Product safety overlap is clarified: the agreement clarifies the interaction between the AI Act and sectoral product safety rules, especially the Machinery Regulation, so companies are not forced through duplicative processes where one integrated approach should work.
  • Regulatory sandboxes expand: more innovators are expected to get access to regulatory sandboxes and real-world testing, including an EU-level sandbox from 2028.
  • AI Office oversight strengthens: the AI Office is expected to have stronger oversight powers for certain AI systems, including systems built on general-purpose models and systems embedded in very large online platforms or very large search engines.

What to Do Now

The right response is a reset, not a pause. A company that was trying to finish a full high-risk conformity program by August 2026 can now re-plan. A company that had done nothing should not treat the extra time as permission to wait until late 2027.

Use the next 30 days to update the calendar, then keep building the parts of the program that will be needed under any version of the law.

  • Update your AI Act roadmap. Replace the August 2026 assumption for affected high-risk systems with December 2, 2027 or August 2, 2028, but mark formal adoption as the remaining legal milestone.
  • Keep the AI system inventory moving. You cannot benefit from extra time if you still do not know which systems you have, who owns them, what they do, and whether EU users or outputs are involved.
  • Keep classifying risk. The new dates change when obligations apply, not whether a system is high-risk, limited-risk, prohibited, or outside scope.
  • Do the low-regret controls first. Human oversight, logging, data governance, incident response, vendor review, and user disclosures are useful even if a final standard shifts.
  • Slow down expensive formal conformity work. If a step depends on harmonized standards that are still incomplete, plan it carefully instead of paying for a premature assessment against moving targets.

What to Tell Leadership

The board-level message should be simple: the EU AI Act timeline got more realistic, not less serious.

That framing avoids both overreaction and complacency. The original August 2026 high-risk deadline created a rush toward documentation and conformity work before the operating details were mature. The new dates reduce that pressure. But the law still has active obligations, and the governance work is still the same work customers, insurers, investors, and procurement teams are starting to ask about.

A practical leadership update can fit in four sentences: the EU reached a political deal on May 7, 2026; the main high-risk dates are expected to move to December 2, 2027 and August 2, 2028; formal adoption and publication still need to happen; and the company should continue inventory, classification, training, vendor diligence, and incident-response work while re-timing conformity assessment.

The Bottom Line

The Digital Omnibus gives organizations more time, but not a blank page. The AI Act is still the main global reference point for comprehensive AI regulation, and its influence will keep showing up in procurement questionnaires, vendor contracts, risk assessments, and board reporting.

If you already started an AI governance program, the best move is to adjust the schedule and keep going. If you have not started, the deal gives you a better runway than August 2026 did. Use it to build the pieces that will still matter in 2027: inventory, classification, documentation, training, vendor evidence, incident response, and human oversight.

The deadline moved. The work did not disappear.

Key Takeaways

  • On May 7, 2026, EU lawmakers reached a political agreement on the Digital Omnibus on AI.
  • Many stand-alone high-risk AI rules are expected to apply from December 2, 2027; product-integrated high-risk rules are expected to apply from August 2, 2028.
  • Formal adoption and Official Journal publication are still required before the amendments enter into force.
  • The AI Act is not repealed or paused. Prohibited practices, AI literacy, GPAI obligations, transparency duties, scope, and penalties still matter.
  • The agreement adds a prohibition on AI systems that generate non-consensual sexually explicit or intimate content or child sexual abuse material.
  • Organizations should update their AI Act roadmap, keep inventory and risk classification moving, and delay only the work that depends on unfinished technical standards.


Disclaimer: Content on AIRegReady is educational and does not constitute legal advice. Regulatory summaries are simplified for clarity and may not capture every nuance of the underlying law or guidance. Consult qualified legal counsel for specific compliance obligations. Information was accurate as of the date noted but regulations change frequently.
