EU AI Act delayed: the Digital Omnibus and the new deadlines for high-risk AI

From its adoption, the EU AI Act was locked into a tight timetable, but that timetable has changed. On 7 May 2026, the Council, the European Parliament, and the European Commission reached a provisional agreement on the Digital Omnibus on AI, the first package of amendments to the regulation since its adoption. The core of it: the obligations for high-risk AI systems are being postponed. For organizations that had geared up for those deadlines, something changes, but less than the term delay suggests.

What shifts

The Digital Omnibus takes a two-track approach to the high-risk deadlines. For standalone high-risk AI systems under Annex III, think of applications for recruitment, credit scoring, and biometrics, the application of the requirements shifts to 2 December 2027. For AI embedded in regulated products under Annex I, such as medical devices and machinery, the deadline moves to 2 August 2028. Originally the high-risk deadline stood at 2 August 2026.

Formal adoption and publication in the Official Journal are expected in the period before that old deadline of August 2026. Until that formal adoption, it remains important to keep the original deadline in view: only when the amendment is definitively published does the new date apply with certainty.

What stays

The delay concerns the high-risk obligations. Other parts of the AI Act remain in force. The ban on certain AI practices has applied since 2 February 2025. The AI literacy obligation under Article 4 likewise applies since February 2025, with enforcement from August 2026. And the obligations for general-purpose AI models have been in force since 2 August 2025. For those parts, the Omnibus changes nothing material.

In other words: organizations that thought the entire AI Act had been postponed are mistaken. The obligations that already apply remain in force. Only the heaviest and most labor-intensive part, the requirements for high-risk systems, gets more time.

Why a delay is not a pause

A delay sounds like breathing room, but for those who deploy high-risk AI it is mainly extra preparation time, not a reason to sit still. The requirements for high-risk systems are substantial: risk management, data quality, technical documentation, human oversight, transparency, and a conformity assessment. An organization that underestimates such a process still has work to do under the new deadlines. The time now freed up is best used to do the inventory, the risk classification, and the impact assessments thoroughly rather than under time pressure.

Moreover, preparing for the AI Act is rarely an end in itself. The measures the law requires overlap strongly with good AI governance in general, and with the structure ISO 42001 provides. An organization that sets up an AI management system now will not only meet the high-risk requirements when they take effect, but also gains a grip on its AI use today. That is value not dependent on a deadline.

What this means for your planning

The practical message is twofold. First: do not be caught out by what already applies. The ban, AI literacy, and GPAI obligations are current, not postponed. Second: use the extra time for high-risk systems to do it well. Start by knowing which AI you deploy and which category it falls into, because without that foundation no deadline moves you forward.

How Secure Audit can help

We help organizations determine their position under the EU AI Act, classify their AI systems, and build a realistic roadmap that takes the amended deadlines into account. Contact us for an AI Act readiness conversation.