The EU AI Act's August Deadline Is Wobbling: The Digital Omnibus, the High-Risk Delay, and What to Do Now

For most of the past year, the EU AI Act's August 2, 2026 deadline for high-risk AI obligations has been the single biggest date on any AI compliance calendar. It is when the rules for Annex III systems — AI used in employment, education, critical infrastructure, law enforcement, essential services, and more — were supposed to become fully enforceable.

That deadline is now wobbling. In November 2025 the European Commission proposed the Digital Omnibus, a package that would delay most high-risk AI obligations by up to 16 months. On March 18, 2026, the European Parliament's IMCO and LIBE committees adopted a joint position in favor of the delay by a decisive 101–9 vote. The Council of the EU agreed its own negotiating mandate on March 13, 2026 with different numbers. Trilogue negotiations are now underway, with final adoption targeted before the original August deadline.

None of this is law yet. As of April 2026, August 2, 2026 is still the legally binding date.

This post unpacks what the Digital Omnibus actually does, what the proposed new deadlines look like, what is and isn't being delayed, and — most usefully — what posture to take if your organization is in the middle of an Annex III readiness program.

What the Digital Omnibus Is

The Digital Omnibus is a legislative simplification package the European Commission published in November 2025. It bundles together targeted amendments to the GDPR, the AI Act, the ePrivacy framework, and related digital rules. The Commission's stated goal is to reduce complexity and align overlapping obligations across the EU's digital rulebook, not to rewrite AI policy on the fly.

In practice, though, the AI Act portion of the Omnibus is significant. It does three things.

• ●Proposes a delay of up to 16 months for most high-risk AI system obligations, conditional on harmonized compliance standards being available.
• ●Pushes the deadline for AI-generated content marking and labeling rules (watermarking and similar transparency measures) out to November 2026.
• ●Softens the AI literacy obligation in Article 4 — from a binding requirement into something closer to encouragement, in some proposed versions.

The Proposed New Deadlines

The Commission, Parliament committees, and Council each have slightly different views on exact dates. The most recent Parliament committee text — the one adopted by IMCO and LIBE on March 18, 2026 — sets two new application dates for high-risk AI.

• ●December 2, 2027 — application date for stand-alone high-risk AI systems under Annex III (biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration, justice, and democratic processes).
• ●August 2, 2028 — application date for high-risk AI systems embedded in products already covered by EU sectoral safety legislation (medical devices, machinery, toys, etc.).
• ●November 2, 2026 — compliance deadline for watermarking and marking of AI-generated audio, image, video, and text content.

Why a Delay Was Even on the Table

A delay of this scale is unusual for the EU. It did not happen because lobbying worked — it happened because the machinery needed to make the law operational was not in place. Three specific gaps drove the Commission's proposal.

• ●Harmonized standards are not ready. CEN and CENELEC — the European standardization bodies tasked with producing the technical standards companies rely on to demonstrate conformity — missed their 2025 delivery deadline. They are now targeting end of 2026. Without standards, "conformity assessment" has no concrete yardstick.
• ●Member state authorities have not been designated. Many EU countries have still not appointed the national market surveillance authorities that enforce the AI Act. Several have only partially appointed them. Enforcement without enforcers is difficult.
• ●Commission guidance has slipped. The Commission itself missed deadlines for publishing implementing guidance on high-risk classification, GPAI, and other operational questions. Companies have been told to comply with rules that the regulator has not yet finished explaining.

Where the Legislative Process Actually Stands

EU lawmaking involves three institutions: the Commission (proposes), the Parliament (amends and co-decides), and the Council (represents member states and co-decides). All three need to align before text becomes law. Here is what each has done on the Digital Omnibus AI portion.

• ●Commission (November 2025): Proposed the original Omnibus text, including the delay mechanism tied to standards availability.
• ●Council of the EU (March 13, 2026): Adopted a negotiating mandate with a different set of dates than the Commission proposed. The Council generally prefers a more cautious delay.
• ●European Parliament, IMCO + LIBE committees (March 18, 2026): Adopted a joint position by 101–9 setting the December 2, 2027 and August 2, 2028 dates above. The full plenary still needs to vote.
• ●Trilogue negotiations (ongoing): Parliament, Council, and Commission now need to reconcile their three versions in closed-door negotiations. Final adoption is targeted before August 2026 — practically, before the July parliamentary recess — so that the delay takes effect before the original deadline.

What Is NOT Being Delayed

It is important to separate the politics of the delay from its actual legal scope. Several parts of the AI Act are not part of the Omnibus delay and remain fully in force.

• ●Prohibited practices (Article 5). The bans on real-time remote biometric identification in public spaces (with narrow exceptions), social scoring by public authorities, subliminal manipulation, and exploitation of vulnerable groups have been in force since February 2, 2025. Penalties of up to €35 million or 7% of global turnover apply today.
• ●GPAI model obligations. Transparency, documentation, copyright, and systemic-risk obligations for general-purpose AI model providers have been in force since August 2, 2025. The GPAI Code of Practice framework continues to apply.
• ●AI literacy (Article 4). Formally in force since February 2025. Some proposed Omnibus text would soften the obligation to "encouragement," but the current legal position is that AI literacy is a binding requirement for anyone using AI inside an organization that serves EU users.
• ●Governance rules and the AI Office. The EU AI Office, the AI Board, and Scientific Panel structures have all been operational since August 2025. They are not paused.

Penalties and Extraterritorial Reach Are Unchanged

Even if the Omnibus passes exactly as the Parliament committees have drafted it, two things do not move.

The penalty structure stays the same. Prohibited practices: up to €35 million or 7% of worldwide turnover. Other infringements: up to €15 million or 3%. Supplying incorrect or misleading information to regulators: up to €7.5 million or 1%.

The geographic scope stays the same. The AI Act applies to providers and deployers placing AI systems on the EU market or whose AI system output is used in the EU — regardless of where the provider is incorporated. U.S., UK, and other non-EU companies that serve EU customers are in scope exactly as they were before.

The Right Posture: "August Is Real, December 2027 Is Likely"

Schellman president Doug Barbin captured the right posture for most organizations: "prepare as if August is real, plan as if December 2027 is the likely enforcement date."

Here is what that means in practice.

Trilogue negotiations can drag. If Parliament, Council, and Commission fail to agree before August 2, 2026, the original deadline stays on the books. Organizations that treated the delay as a done deal in April would be in breach in August. That is not a hypothetical risk — it is how every EU legislative package looks in the final weeks.

At the same time, treating the August deadline as untouchable means committing to a conformity assessment process against standards that do not yet exist. That is also wasteful.

The workable middle is to continue building the Annex III compliance program — risk management, data governance, technical documentation, human oversight, logging, post-market monitoring — on a schedule that would land in late 2026 or early 2027. That pace gives you real compliance if the delay fails, and meaningful readiness if the delay passes.

What to Do in the Next 90 Days

If you have an active EU AI Act program, the Omnibus does not change what you should be doing this quarter. It changes how hard you should be pushing on a handful of specific items.

• ●Do not pause the Annex III inventory. You still need to know which of your AI systems fall in the high-risk tiers. Classification does not depend on when obligations become enforceable.
• ●Keep building Article 4 AI literacy. Even under the softened proposals, AI literacy is already legally in force and is a prerequisite for any serious Annex III program. Roll out training now.
• ●Watch the watermarking deadline. If the Parliament text holds, AI-generated content marking becomes binding on November 2, 2026. Providers of generative models and downstream deployers that modify or surface AI-generated content both have obligations here. This is the next hard deadline, regardless of what happens with high-risk.
• ●Do not start formal conformity assessments against unpublished standards. Technical standards from CEN/CENELEC are not expected until late 2026 at the earliest. Running a full assessment against draft or proxy standards is expensive and may not map to the final requirements.
• ●Track the trilogue. Whether the delay passes, and on what exact dates, will likely be resolved between April and July 2026. Follow the AI Act Service Desk, the AI Office, or reputable AI Act trackers — this is not a "read about it in September" situation.

The Bigger Picture

The Digital Omnibus delay does not mean the EU AI Act is collapsing. It means the law was ambitious, the operational machinery (standards, authorities, guidance) wasn't ready, and the EU is adjusting dates to preserve the law's effectiveness rather than launch it into a vacuum.

For organizations outside the EU, the lesson is more subtle. The EU AI Act is still the most comprehensive AI regulation anywhere. Its prohibitions, GPAI obligations, and penalty structure are in force and enforceable today. The delay affects timing, not the law's reach.

The organizations investing in governance infrastructure now — risk management, classification, documentation, human oversight, training — are not wasting effort. They are building the program they would have needed in August, on a schedule that will be quietly validated whenever the Omnibus is finalized.

Related Regulations

Sources & References