Update — 24 May 2026: On 7 May 2026, the third EU Digital Omnibus political trilogue concluded with a provisional agreement. It defers standalone high-risk obligations (Annex III) to 2 December 2027 and AI in regulated products (Annex I) to 2 August 2028. The deal is still provisional — it must be formally adopted by Parliament and Council and published in the Official Journal before it takes legal effect, expected around June–July 2026. Until publication, 2 August 2026 remains the date in force. Note that the deferral does not cover everything: Article 50 transparency and watermarking duties still apply from 2 August 2026 (with a grace period to 2 December 2026 for systems already on the market), and a new prohibition on AI-generated child sexual abuse material and non-consensual intimate imagery applies from 2 December 2026.
What Is the EU Digital Omnibus?
The EU Digital Omnibus is a legislative package proposed by the European Commission that amends several EU digital regulations simultaneously. The package covers changes to the EU AI Act, the Product Liability Directive, GDPR's liability framework, and other digital laws. The motivation is regulatory simplification — the Commission described it as a measure to reduce administrative burden and give businesses more time to adapt to new requirements.
For the EU AI Act specifically, the provisional agreement makes two headline changes to the high-risk enforcement timelines:
| Obligation Category | Original Deadline | New Deadline (provisionally agreed) |
|---|---|---|
| Standalone high-risk AI systems (Annex III) — CVscreening, credit scoring, biometrics, etc. | 2 August 2026 | 2 December 2027 |
| High-risk AI embedded in Annex I regulated products — medical devices, machinery, vehicles | 2 August 2027 | 2 August 2028 |
Once in force, these changes give businesses an additional 16 months for standalone Annex III AI and 12 months for embedded product AI. This is significant — but it is provisional, not yet law. Beyond the timeline relief, the agreement also clarifies the "safety component" definition (AI that merely assists or optimises, without creating health or safety risks, is no longer automatically high-risk) and pushes the deadline for national regulatory sandboxes to 2 August 2027.
Where the Digital Omnibus Actually Stands
To become EU law, the Digital Omnibus must complete the full EU ordinary legislative procedure. The European Parliament voted in favour on 26 March 2026 (569 votes), and on 7 May 2026 Parliament and Council reached a provisional agreement in trilogue — but provisional agreement is still not the final step.
| Stage | Status (as of 24 May 2026) |
|---|---|
| European Commission proposal | Completed |
| European Parliament first reading vote (569 in favour, 26 March 2026) | Completed |
| Council of the EU position | In progress |
| Trilogue — negotiation between Parliament, Council, and Commission | Completed — provisional agreement reached 7 May 2026 |
| Formal adoption by Parliament and Council | Expected ~June 2026 |
| Publication in the Official Journal of the EU | Expected ~July 2026 |
| Entry into force | Not yet |
The critical legal question is when the text is formally adopted and published in the Official Journal. The high-risk deferral takes effect only when the Omnibus itself enters into force — not when Parliament votes, and not when negotiators reach a provisional agreement. The institutions have stated their intention to complete adoption before 2 August 2026, with publication expected around July, but until that is done the original dates remain the law.
Why You Still Cannot Treat the Deadline as Gone
A provisional agreement is real progress, but three things mean businesses cannot down tools as of May 2026:
1. It is not law until it is published
The deferral takes legal effect only on publication in the Official Journal and entry into force. Adoption is expected around June and publication around July 2026 — ahead of August — but legislative timelines can slip. Until publication is confirmed, 2 August 2026 is still the binding high-risk date, and the change is not retroactive: any compliance gap before entry into force is not cured by a later extension.
2. Not everything is deferred
The deferral covers high-risk obligations only. Article 50 transparency and watermarking duties still apply from 2 August 2026 (with a grace period to 2 December 2026 for systems already on the market). A new Article 5 prohibition on AI-generated child sexual abuse material and non-consensual intimate imagery applies from 2 December 2026, carrying penalties of up to €35M or 7% of global turnover. The February 2025 prohibitions and August 2025 GPAI obligations remain fully in force.
3. The standards clock does not stop
The new dates apply whether or not harmonised standards and Commission guidance are ready in time — the compromise fixed firm dates rather than tying them to standards readiness. Because building a compliant high-risk system typically takes 3–6 months, December 2027 is not as far away as it sounds for organisations starting from zero.
The relief is real, but conditional. Treating the high-risk deadline as already lifted — before the Omnibus is published — is not a compliance strategy, it is a gamble on legislative timing. And it ignores the obligations that were never deferred. The cost of preparation is modest; the cost of being wrong on the prohibitions is up to €35M or 7% of global annual turnover.
The Procurement Dimension: Why the Deadline Matters Regardless of Enforcement
Even with the high-risk deferral to December 2027, the practical deadline arrives much sooner for many businesses. Large enterprise buyers — banks, public sector bodies, major corporates — are already incorporating EU AI Act compliance into procurement requirements. They need their AI vendors to demonstrate compliance before they will sign or renew contracts, irrespective of the statutory enforcement date.
This creates a market enforcement mechanism that is entirely independent of whether the EU AI Office or national MSAs are actively enforcing: if your customer requires EU AI Act compliance documentation as a condition of doing business, you need it regardless of what the law says about enforcement dates.
What to Actually Do Right Now
The correct response to the Digital Omnibus situation is not to pause compliance work — it is to:
- Use the extra time, don't waste it — December 2027 gives breathing room, but a compliant high-risk system takes 3–6 months to build and the standards clock doesn't stop. Map your high-risk systems and start the documentation now.
- Confirm publication before relying on the new dates — adoption is expected around June and Official Journal publication around July 2026. Until then, 2 August 2026 is still the date in force, and the change is not retroactive. Track it; don't assume it.
- Act on what was not deferred — Article 50 transparency and watermarking still apply from 2 August 2026 (grace period to 2 December 2026 for existing systems), and the new prohibition on AI-generated CSAM and non-consensual intimate imagery applies from 2 December 2026 with €35M / 7% penalties.
- Article 5 prohibitions remain in force — the original prohibited AI practices have applied since 2 February 2025 and are unchanged. Compliance is already required.
Aurora Trust tracks EU AI Act legislative developments and updates compliance documentation accordingly. If the Digital Omnibus changes the compliance landscape, the platform updates. Starting at €49/month — complete your documentation now, adapt as the law evolves.