EU AI Act Digital Omnibus: the high-risk delay explained
The EU AI Act Digital Omnibus delays high-risk obligations to December 2027 — what stays in force in 2026 and what it means for financial firms.
For most of this year the financial-services compliance calendar had one immovable date circled in red: 2 August 2026, the day the EU AI Act's obligations for high-risk AI systems were due to become binding. Credit scoring, insurance pricing, and the analytics layered on top of them all sit squarely inside that high-risk perimeter, and firms had been building toward the deadline as a hard stop. As of this month, that stop has moved.
On 7 May 2026, negotiators from the Council, the European Parliament, and the European Commission reached a provisional political agreement on the Digital Omnibus on AI — the simplification package the Commission first tabled on 19 November 2025. The headline change is a deferral: the high-risk obligations that were set to apply from 2 August 2026 will now apply from 2 December 2027 for standalone (Annex III) systems, with product-embedded (Annex I) systems pushed from August 2027 to August 2028. The most consequential date in many firms' AI roadmaps has slid by roughly sixteen months.
It would be a mistake to read this as a reprieve, and a worse one to read it as a cancellation. The Omnibus reshuffles the timeline; it does not switch the regime off. Several obligations remain in force this summer, the new dates are not yet final law, and the reason the high-risk clock was paused — missing technical standards — is the same reason the eventual conformity work will be demanding. This post walks through what actually changed, what did not, and how we are advising firms to use the extra runway.
Updated June 16, 2026
Key takeaways
- The Digital Omnibus on AI (provisional agreement 7 May 2026) defers high-risk obligations for standalone Annex III systems from 2 August 2026 to 2 December 2027, and for product-embedded Annex I systems from August 2027 to August 2028.
- The deferral does not touch the prohibited practices, the GPAI model obligations (in force since 2 August 2025), or the Article 50 transparency rules — those still bite in 2026. The AI-literacy duty under Article 4 also appears to remain in force, though its exact landing should be confirmed against the final text.
- The trigger for the delay is practical, not political: the harmonised technical standards that grant presumption of conformity are not finished, with first publications not expected before late 2026.
- Treat the extension as runway, not relief. Inventory, classification, and continuous documentation are date-independent and remain the right work to do now.
What the Digital Omnibus actually changes

The Commission framed the Digital Omnibus as a "simplification" package rather than a reopening of the AI Act, and the substance largely matches that framing. The centrepiece is the timeline change. Standalone high-risk systems — the Annex III use cases that reach furthest into finance, including creditworthiness assessment, risk pricing for life and health insurance, and the AI components feeding those decisions — move from a 2 August 2026 start to 2 December 2027. High-risk AI embedded in products already regulated under Annex I (think safety-component regimes) moves from August 2027 to August 2028.
Two points are worth holding onto. First, the agreement reached on 7 May is provisional: it still requires formal adoption by the Parliament and Council and publication in the Official Journal before it is law. The Commission has signalled it wants that done ahead of the original 2 August 2026 date precisely so that firms are not left in a vacuum if the old deadline arrives first — but until the text is published, the prudent planning assumption is "very likely, not yet certain."
Second, the package is not only a delay. It folds in targeted simplifications and at least one expansion: a new prohibition under Article 5 covering AI systems that generate non-consensual intimate imagery ("nudifiers") and child sexual abuse material, with compliance expected by 2 December 2026. That is a reminder that the direction of travel on prohibited uses is still toward more, not fewer, hard limits.
What did not move — and still applies in 2026

This is the part most likely to be missed in the relief of a postponed deadline. The Omnibus carved out the high-risk obligations specifically; it left the rest of the Act's live provisions running on their existing schedule.
The prohibited practices in Article 5 have applied since 2 February 2025 and are unchanged (now with the additional nudifier/CSAM ban arriving in December 2026). The obligations on general-purpose AI models in Articles 53–55 have applied since 2 August 2025 — and for firms deploying or fine-tuning foundation models, that is the regime that already governs you today. The AI-literacy duty under Article 4 appears to remain in force — the published agreements did not signal a change here, though the point is worth confirming once the final text is available. And the transparency obligations under Article 50 take effect in 2026 regardless of the high-risk deferral — with one wrinkle worth noting. The deployer-facing disclosures (telling a person they are interacting with an AI system, and that content is AI-generated) apply from 2 August 2026 as scheduled. The provider-side obligation under Article 50(2) to mark AI-generated output in a machine-readable format was given a short grace period and now applies from 2 December 2026 — a three-month extension, down from the six months originally proposed, not a reprieve.
The practical implication: a firm that pointed its entire AI-Act programme at the 2 August 2026 high-risk date and then exhaled when it moved has, in some cases, just walked past obligations that are live now and carry their own enforcement exposure. We have seen exactly this pattern in early conversations this month, which is why our first move with clients has been to re-separate the estate into "deferred" and "still due" rather than treating the whole programme as paused.
Operationalised: in Regulatory Crawler we tag each obligation with its own effective date rather than a single programme date, so a timeline change to one provision does not silently reset the others. When the Omnibus landed, that tagging is what let us tell clients within a day which of their workstreams genuinely had more time and which did not.
Why the deadline slipped: the standards gap

The delay is easy to read as lobbying success, but the operative cause is more mundane and more instructive. High-risk compliance under the Act runs through conformity assessment, and the cleanest route to conformity is to build against harmonised standards — the CEN/CENELEC technical standards that, once cited in the Official Journal, grant a presumption of conformity. Build to the standard, and you are presumed to meet the corresponding legal requirement.
Those standards are not finished. CEN and CENELEC were asked to deliver against an ambitious timetable and have repeatedly slipped; current expectations put the first publications no earlier than late 2026. Without cited standards, providers of high-risk systems would have faced a 2 August 2026 obligation to demonstrate conformity against a benchmark that did not yet exist — assessing themselves against a moving target, with no presumption of conformity to lean on. The standards bodies have adopted exceptional acceleration measures, but several committee members have warned that compressing the process risks weakening the consensus the standards are supposed to carry.
For practitioners, the lesson sits underneath the date change: the work that was hard enough to justify a sixteen-month delay is the same work that will land at the end of it. A deferral driven by "the measurement instruments are not ready" is not a deferral of the difficulty.
What the agent flagged: when our Regulatory Crawler surfaced the CEN/CENELEC slippage earlier in the year, the signal it raised was not "the deadline will hold" but "the deadline is structurally fragile" — because a legal obligation that depends on an unfinished standard tends to bend before it breaks. The December 2027 move is that fragility resolving in the expected direction.
How to use the extra runway

A deadline moving outward is most dangerous when it converts urgency into drift. The firms that will be in the best position in December 2027 are the ones that keep doing the date-independent work now, because almost none of the genuinely hard parts depend on the deadline at all.
Keep the inventory and classification current. Knowing which of your AI systems are high-risk, which are limited-risk, and which involve third-party providers is foundational work that the calendar does not change. If anything, the extra time is best spent closing the inventory gaps most firms still carry — the AI features that crept into existing tools through vendor updates rather than through a procurement decision.
Treat documentation as continuous, not as a 2027 deliverable. The Act expects technical documentation to reflect the current state of a system, not its state at the last validation cycle. A documentation pack generated from runtime state is robust to deadline changes by construction: it is always current, so there is no cliff to sprint toward. This is the pattern we ship by default and the one we help clients retrofit.
Do not pause GPAI and transparency work. These are live. If you deploy foundation models or surface AI-generated content to clients, the obligations governing that are already in effect or arrive in 2026, independent of the high-risk move.
Track the standards, not just the statute. Because conformity will run through harmonised standards, the publication schedule out of CEN/CENELEC is now as important to your roadmap as the legal deadline. The firms that begin aligning to draft standards early will face a far smaller conformity push in 2027 than those that wait for the final citations.
How DF Analytics can help
Two ways, depending on where you sit. For your own AI estate, our Regulatory & MRM Documentation service line produces continuous, audit-ready documentation packs for in-house and third-party systems, mapped to the Act's specified contents and to draft harmonised standards as they emerge. For our products in your stack, the MRM packs for PortIQ, CyronOS, and the Quantitative Engines are generated continuously from runtime state, so they stay current through timeline changes without re-authoring.
If you want to pressure-test which parts of your programme genuinely gained time and which did not, the discovery call is the place to start.
Frequently asked questions
What is the EU AI Act Digital Omnibus?
The Digital Omnibus on AI is a simplification package the European Commission proposed on 19 November 2025 and on which negotiators reached a provisional agreement on 7 May 2026. Its headline effect is to defer the AI Act's high-risk obligations, alongside targeted simplifications and a new Article 5 prohibition.
When do high-risk AI obligations now apply?
Under the provisional agreement, obligations for standalone (Annex III) high-risk systems move from 2 August 2026 to 2 December 2027. High-risk AI embedded in products regulated under Annex I moves from August 2027 to August 2028. These dates become final once the text is formally adopted and published in the Official Journal.
Does the delay mean the AI Act no longer applies in 2026?
No. The deferral is specific to high-risk obligations. The prohibited practices, the general-purpose AI model obligations in force since 2 August 2025, and the Article 50 transparency rules all continue to apply on their existing schedule, as does the Article 4 AI-literacy duty on the current understanding. A new prohibition on AI-generated intimate imagery and CSAM is also expected by 2 December 2026, the same date the Article 50(2) watermarking obligation now takes effect.
Why was the high-risk deadline delayed?
Primarily because the harmonised technical standards that provide a presumption of conformity are not finished. Without cited CEN/CENELEC standards, providers would have had to demonstrate conformity against a benchmark that did not yet exist. First standard publications are not expected before late 2026.
What should financial firms do with the extra time?
Keep inventory, classification, and continuous documentation current — that work is date-independent. Do not pause GPAI and transparency compliance, which remain live. And track the CEN/CENELEC standards schedule, since conformity in 2027 will run through those standards.
About the author — Compliance Liaison — Deep Finance Analytics. The Compliance Liaison tracks supervisory developments through Regulatory Crawler and translates them into operational guidance.