The August 2, 2026 deadline for high-risk AI Act compliance is no longer what it was. On November 19, 2025, the European Commission published its Digital Omnibus on AI, a proposal that pushes back the enforcement dates for high-risk AI systems by 16 to 24 months. If your team has been sprinting toward an August 2026 cutoff for Annex III or Annex I compliance, the finish line just moved.

The IMCO and LIBE committees of the European Parliament adopted their joint position on March 18, 2026, voting 101 to 9 in favor. A plenary vote is expected on March 26, with trilogue negotiations likely starting in April. This is not a rumor or a draft floating in working groups. The omnibus is on a fast track, backed by the Cypriot Council Presidency, with a target for agreed text by May 2026.

Here is exactly what shifted, what stayed the same, and how to adjust your compliance roadmap.

The New Timeline: Annex III by December 2027, Annex I by August 2028

The original AI Act set August 2, 2026 as the date when obligations for all high-risk AI systems would kick in. The Digital Omnibus splits that into two separate tracks with conditional triggers.

Annex III systems (standalone high-risk AI like biometric identification, HR screening tools, credit scoring, and law enforcement applications) now face a hard backstop of December 2, 2027. The actual enforcement could come earlier: once the Commission confirms that adequate standards, common specifications, or compliance guidance exist, providers get six months to comply. But December 2027 is the absolute latest.

Annex I systems (AI embedded in regulated products under existing EU product safety legislation, like medical devices, machinery, elevators, and automotive components) get an even longer runway: August 2, 2028. The trigger mechanism works the same way, but with a 12-month grace period after the Commission’s readiness decision.

The logic behind the split is pragmatic. Annex I products already face their own regulatory frameworks (the Medical Device Regulation, Machinery Regulation, etc.), and aligning AI requirements with those existing cycles avoids duplication. Annex III systems, which are often pure software with no physical product overlay, can move faster.

What did not change: the prohibitions on unacceptable-risk AI systems (social scoring, real-time biometric mass surveillance) that took effect on February 2, 2025 remain in place. The transparency obligations for limited-risk AI (chatbots, deepfakes) still apply from August 2, 2025. The omnibus only touches the high-risk provisions.

Why the Commission Pushed Back: Standards, Not Politics

The delay is not about political resistance to AI regulation. It is about a practical bottleneck: harmonized standards are not ready.

Under the AI Act’s original timeline, companies would need to demonstrate conformity with high-risk requirements by August 2026. But conformity assessment depends on standards that CEN and CENELEC (the European standardization bodies) have not finalized. Without published standards, providers face a Catch-22: the law requires compliance, but the compliance benchmarks do not exist yet.

The Commission’s solution is a conditional trigger: enforcement begins only after the Commission officially confirms that standards or common specifications are available. This is more pragmatic than a blanket delay. It means that if standards materialize early, enforcement starts early. The backstop dates (December 2027 / August 2028) are just the ceiling.

For companies, this creates both breathing room and ambiguity. You know the deadline will not come before the Commission acts, but you do not know exactly when the Commission will act. The safest approach: prepare as if enforcement could start in early 2027 for Annex III systems, and treat December 2027 as the hard wall.

The Bigger Picture: What Else the Digital Omnibus Changes

The AI Act timeline shift is the headline, but the Digital Omnibus package covers much more. The Commission proposed two separate regulations: the Digital Omnibus (amending GDPR, ePrivacy Directive, NIS2, and the Data Act) and the Digital Omnibus on AI (amending the AI Act specifically).

Single Reporting Portal

One of the most practically useful changes: a unified EU portal for data breach and security incident reporting. Right now, a company hit by a breach may need to notify authorities under GDPR, NIS2, DORA, and the Cyber Resilience Act, each with different forms, timelines, and contact points. The omnibus proposes a “submit once, share widely” model that routes a single report to all relevant authorities. The Commission estimates this alone could save businesses EUR 6 billion by 2029.

SME and Small Mid-Cap Relief

Companies with up to 750 employees or EUR 150 million in turnover (classified as “small mid-caps” or SMCs) get proportionate compliance requirements. Specifically:

  • Simplified technical documentation for demonstrating high-risk AI compliance
  • Proportionate quality management systems, scaled to organizational size
  • Capped penalties for noncompliance, so fines do not threaten business viability

This is a meaningful shift. Under the original AI Act, a 200-person company building a recruiting AI tool would face the same documentation burden as Google or SAP. The omnibus acknowledges that disproportionate compliance costs effectively ban smaller players from the high-risk AI market.

General-Purpose AI Grace Period

Providers of general-purpose AI models (think foundation models like GPT, Claude, Gemini, or Mistral) that were already on the market before August 2026 get until February 2027 to update their technical documentation and governance processes. New entrants after August 2026 must comply immediately.

Regulatory Sandboxes

The omnibus mandates that member states establish AI regulatory sandboxes by August 2, 2026, with the Commission also setting up an EU-level sandbox for general-purpose AI models. These sandboxes allow companies to test high-risk AI systems under regulatory supervision before full market launch, with particular focus on SMEs and startups.

What This Means for Your Compliance Roadmap

If you were building toward August 2026 compliance for a high-risk AI system, the omnibus gives you options. But “the deadline moved” is not the same as “stop working.”

Reassess, do not pause. The extension gives you time to do compliance properly rather than rushing through a checkbox exercise. Use the additional months to implement genuine risk management systems, not just paper policies. The obligations themselves have not changed; only the enforcement date has.

Track the Commission’s readiness decisions. Once the Commission confirms that standards or common specifications exist for your AI system category, the clock starts ticking: six months for Annex III, twelve months for Annex I. Monitor CEN/CENELEC working groups and Commission announcements.

Do not ignore the parts that did not move. AI literacy obligations under Article 4 are already in force. Transparency requirements for chatbots and deepfakes apply from August 2025. And the general-purpose AI provisions hit in August 2026 regardless of the omnibus.

Factor in national implementation. Germany’s KI-MIG (the national AI Act implementation law) adds a domestic layer. Even if the EU-level deadline shifts, national enforcement authorities may set their own expectations for readiness.

Legislative Status: Where the Omnibus Stands Now

As of March 2026, the Digital Omnibus on AI has cleared the committee stage. The IMCO/LIBE vote on March 18 passed overwhelmingly (101-9-8) and introduced several additions beyond the Commission’s original text:

  • A hard December 2027 deadline (the Commission originally proposed a more open-ended conditional trigger)
  • A ban on “nudifier” AI applications that generate non-consensual sexually explicit images
  • A shortened watermarking grace period to November 2, 2026

The plenary vote is expected on March 26, 2026. After that, trilogue negotiations between Parliament, Council, and Commission begin, likely in April. The Cypriot Council Presidency has prioritized rapid agreement, targeting May 2026 for a final text.

Given the broad consensus (only 9 votes against in committee), adoption is widely expected before the original August 2026 high-risk deadline would have hit. The practical effect: by the time August 2026 arrives, the omnibus will likely already be law, making the extension official.

Frequently Asked Questions

When is the new deadline for high-risk AI Act compliance under the Digital Omnibus?

The Digital Omnibus sets two backstop dates: December 2, 2027 for Annex III high-risk AI systems (standalone AI like biometric tools, HR screening, credit scoring) and August 2, 2028 for Annex I systems (AI embedded in regulated products like medical devices and machinery). Enforcement could start earlier if the Commission confirms that adequate standards exist.

Does the Digital Omnibus change the AI Act requirements themselves?

No. The core obligations for high-risk AI systems remain the same: risk management, data governance, technical documentation, transparency, human oversight, and accuracy requirements. The omnibus only changes when these obligations become enforceable, and adds SME-proportionate compliance options.

What parts of the AI Act are not affected by the Digital Omnibus delay?

The ban on unacceptable-risk AI systems (effective since February 2025), transparency obligations for limited-risk AI (August 2025), AI literacy requirements under Article 4 (already in force), and general-purpose AI model obligations (August 2026) are all unaffected by the omnibus timeline changes.

How does the Digital Omnibus affect SMEs and smaller companies?

Companies with up to 750 employees or EUR 150 million turnover benefit from simplified technical documentation requirements, proportionate quality management systems, and capped penalties. The Commission estimates total administrative savings of EUR 6 billion by 2029 across all businesses.

When will the Digital Omnibus on AI become law?

The IMCO/LIBE committees voted in favor on March 18, 2026 (101-9-8). A European Parliament plenary vote is expected March 26, 2026, followed by trilogue negotiations starting in April. The Cypriot Council Presidency is targeting agreement by May 2026, well before the original August 2026 high-risk deadline.
