Skip to main content
ComplicerAUDIT GRADE
MethodologyUse casesEU AI ActPricingBlogDocsSign inSTART FREE AUDIT
← JOURNAL
AI ACT·MAY 23, 2026·10 MIN READ

EU AI Act Deadlines After the 2026 Omnibus: What Changed and What Did Not

BY COMPLICER TEAM

For many companies, the EU AI Act used to have one major planning date:

2 August 2026 — the date when many high-risk AI obligations were expected to start applying.

That timeline is now more complicated.

In May 2026, EU institutions moved toward delaying some high-risk AI Act obligations through the Digital Omnibus package. The Council of the EU announced a political agreement on 7 May 2026 to simplify and streamline AI rules, noting that high-risk AI provisions were originally due to enter into force on 2 August 2026.

At the same time, the European Commission published draft guidelines on high-risk AI classification in May 2026 and opened a consultation until 23 June 2026. The guidelines are meant to help providers, deployers, authorities, and other stakeholders determine whether an AI system is high-risk under Article 6 of the AI Act.

The practical message for companies is not "AI Act delayed, ignore it."

The practical message is:

Some deadlines may move, but classification, inventory, governance, documentation, and evidence work should start now.

1. The original AI Act timeline

The EU AI Act entered into force in 2024 and applies progressively. The Commission's AI Act overview explains that prohibited practices and AI literacy rules applied from 2 February 2025, GPAI obligations began from 2 August 2025, and transparency rules are due to apply from August 2026.

The Commission's AI Act implementation timeline also states that the Act applies progressively, with full rollout originally foreseen by 2 August 2027.

A simplified original timeline looked like this:

DateOriginal AI Act milestone
2 February 2025General provisions, AI literacy, and prohibited AI practices started applying
2 August 2025Governance rules and GPAI model obligations started applying
2 August 2026Many obligations for high-risk AI systems, transparency obligations, and governance provisions expected to apply
2 August 2027Further high-risk obligations for systems linked to regulated products expected to apply
2030Special timeline for certain AI systems in large-scale EU IT systems

This phased model remains important because not everything is affected in the same way by the 2026 Omnibus changes.

2. What the 2026 Digital Omnibus changed

The Digital Omnibus is a simplification package affecting digital regulation, including the AI Act. The key AI Act issue is the timing of high-risk obligations.

Reliable coverage of the May 2026 agreement reports two major planning dates:

AI system typePrevious planning dateNew planning baseline reported after Omnibus agreement
Standalone Annex III high-risk AI systems2 August 20262 December 2027
High-risk AI embedded in Annex I regulated products2 August 20272 August 2028

ITPro reported that, following the political agreement on the AI Omnibus, rules for areas like biometrics and border control are set to take effect on 2 December 2027, while product-integrated systems must comply by 2 August 2028.

VerifyWise similarly summarizes the May 2026 agreement as moving Annex III standalone high-risk obligations to 2 December 2027 and high-risk AI embedded in Annex I regulated products to 2 August 2028, while noting that formal adoption was still pending at the time of publication.

Pinsent Masons also reported that high-risk AI rules would take effect from late 2027 rather than summer 2026 if the new deal is adopted.

For compliance planning, this means the timeline is now split:

AreaPractical status in 2026
Prohibited AI practicesAlready active
AI literacyAlready active
GPAI obligationsAlready active from 2025 for relevant providers
Transparency obligationsStill important for August 2026 planning
High-risk Annex III systemsExpected to move to December 2027 under Omnibus planning
High-risk AI in regulated productsExpected to move to August 2028 under Omnibus planning

3. What did not change

The most dangerous interpretation is:

"The AI Act was delayed."

That is too broad.

The Omnibus does not erase the AI Act. It mainly affects parts of the high-risk implementation timeline.

The following areas still matter now:

AreaWhy it still matters
Prohibited AI practicesThese started applying in February 2025 and are not simply postponed by the high-risk delay
AI literacyOrganizations using AI must still build internal competence and awareness
GPAI obligationsProviders of general-purpose AI models have obligations that started from August 2025
Transparency dutiesThe Commission still describes transparency rules as coming into effect in August 2026
Risk classificationCompanies still need to know whether their system is prohibited, high-risk, transparency-risk, GPAI-related, or lower-risk
GDPRAI processing of personal data remains subject to GDPR regardless of AI Act timing
Product liability and sector lawMedical, employment, credit, consumer, cybersecurity, and discrimination rules may still apply

The Commission's AI Act overview still describes transparency obligations for certain AI systems, including identifying AI-generated content and labelling deepfakes or certain public-interest AI-generated text.

So the correct planning sentence is:

Some high-risk AI system obligations are being delayed, but AI governance obligations and related legal risks continue.

4. Why the delay happened

The official and legal commentary around the Omnibus describes it as a simplification and streamlining effort. The Council press release frames the May 2026 agreement as an effort to simplify and streamline AI rules while treating the high-risk timeline with priority because the original date was close.

The policy background is that companies, industry groups, and some governments argued that businesses needed more time because guidance, standards, and conformity assessment infrastructure were not ready enough for the original 2026 deadline.

This creates a real compliance problem:

ProblemWhy it matters
Classification uncertaintyCompanies may not know whether a system is high-risk
Missing harmonised standardsIt is harder to prove compliance consistently
Late guidanceHigh-risk classification guidelines appeared only in draft form in May 2026
Limited notified body capacityProduct-integrated AI may depend on external conformity assessment
Enterprise AI sprawlMany companies have AI systems deployed without a central inventory

The May 2026 draft high-risk guidelines are therefore important even before final obligations apply. They help organizations build the classification logic they will need later.

5. What SaaS teams should do now

The delay gives teams more time, but not a reason to wait.

A SaaS company should use 2026 to build the foundation.

Step 1: Create an AI system inventory

List every AI feature, model, workflow, automation, or customer-facing AI capability.

For each system, record:

FieldExample
System nameAI Candidate Summary Assistant
OwnerProduct team / engineering lead
Model typeLLM, classifier, recommender, vision model
ProviderInternal, OpenAI, Anthropic, Google, open-source
InputsCVs, tickets, user messages, images, logs
OutputsScores, summaries, recommendations, decisions
UsersInternal staff, customers, applicants, students
Affected personsEmployees, candidates, consumers, citizens
Deployment statusPrototype, beta, production
EU exposureEU users, EU customers, EU market

Without inventory, classification is impossible.

Step 2: Classify risk

Every system should be classified into one of these categories:

CategoryMeaning
Prohibited AI riskPotentially banned or severely restricted
High-risk under Article 6(1)Product safety route
High-risk under Article 6(2) / Annex IIISensitive use-case route
Transparency obligationUsers must be informed they interact with AI, or content must be labelled
GPAI-relatedYou provide or integrate general-purpose AI models
Lower/minimal riskNo specific AI Act obligations, but governance still recommended

The May 2026 draft guidelines are especially relevant to Article 6 high-risk classification.

Step 3: Identify Annex III exposure

Most SaaS teams should check Annex III first.

High-risk indicators include AI used for:

DomainExample
EmploymentHiring, ranking, promotion, performance monitoring
EducationAdmission, exam scoring, proctoring
Credit and essential servicesEligibility, scoring, prioritisation
BiometricsIdentification, categorisation, emotion recognition
Law enforcementRisk assessment, evidence support
Migration and border controlVisa, asylum, identity checks
Justice and democratic processesLegal decision support, election influence

This classification should be reviewed by legal, product, engineering, and customer-facing teams.

Step 4: Document intended purpose

High-risk classification depends heavily on intended purpose.

A product marketed as "AI for HR decisions" has a different risk profile than a general writing assistant, even if both use similar LLM technology.

Document:

EvidenceWhy it matters
Product specShows designed use
Marketing claimsShows promoted use
Customer docsShows expected deployment
UI copyShows user interpretation
API docsShows technical capability
Sales deckShows commercial positioning
Terms of serviceShows prohibited uses

This prevents "classification drift", where the product evolves into a high-risk use case without formal reassessment.

Step 5: Start documentation early

Even if deadlines move, documentation takes time.

Prepare:

DocumentPurpose
AI inventoryKnows what exists
Classification memoExplains legal risk category
Risk assessmentIdentifies harms and mitigations
Data governance recordShows data sources and quality controls
Evaluation reportMeasures accuracy, robustness, bias, and failure modes
Human oversight designShows how humans review and override
Logging specificationSupports traceability and auditability
Incident processHandles failures, complaints, and serious incidents
Change controlReassesses classification after major updates

These artifacts are useful even if your product ultimately remains lower-risk.

6. What high-risk teams should prioritize before 2027

Teams with likely high-risk systems should not wait until late 2027.

High-risk compliance is a system, not a document.

6.1 Risk management system

High-risk AI systems require lifecycle risk management. That means identifying risks, evaluating them, mitigating them, testing controls, and monitoring the system after deployment.

Build a risk register around:

Risk typeExample
Fundamental rightsDiscrimination in hiring or credit
SafetyIncorrect decision support in health or infrastructure
SecurityPrompt injection, model manipulation, data leakage
AccuracyWrong recommendations or false classifications
Automation biasHumans over-trust system output
TransparencyUsers do not understand AI involvement
Data qualityBiased, incomplete, or outdated data
DriftPerformance changes after deployment

6.2 Evaluation and testing

Create repeatable tests before launch.

For SaaS teams, this means:

Test typeExample
Functional testsDoes output format match specification?
Accuracy testsDoes the system meet defined performance thresholds?
Robustness testsDoes it fail safely on noisy or adversarial input?
Bias testsAre error rates different across protected or sensitive groups?
Explainability testsCan users understand why output was produced?
Human oversight testsCan reviewers override or stop the system?
Logging testsAre inputs, outputs, model versions, and decisions traceable?
Abuse testsCan users push the AI into unsafe behavior?

The AI Act official text requires high-risk systems to meet appropriate accuracy, robustness, and cybersecurity requirements, and to be designed so their operation is sufficiently transparent for deployers.

6.3 Human oversight

Human oversight cannot be fake.

A real oversight design should specify:

QuestionGood answer
Who reviews AI output?Named role or team
When do they review?Before the decision affects a person
What information do they see?Output, confidence, limitations, evidence
Can they override?Yes
Can they stop the system?Yes
Are they trained?Yes, with AI literacy and domain training
Is override logged?Yes
Is automation bias addressed?Yes

A dashboard with "human in the loop" is not enough if the human cannot understand, challenge, or override the system.

7. What lower-risk teams should still do

Even if your system is not high-risk, you still need governance.

For example:

AI featureLikely categoryStill needed
Support chatbotUsually lower-risk or transparency-riskUser notice, hallucination testing, escalation
Marketing copy generatorUsually lower-riskCopyright, brand safety, misleading claims control
Internal summarizerUsually lower-riskConfidentiality, data leakage, access control
Code assistantUsually lower-riskSecurity review, license review, developer oversight
Recommendation widgetContext-dependentUser profiling, GDPR, fairness review

The AI Act does not replace GDPR, consumer protection, confidentiality, cybersecurity, or sector rules.

A lower-risk AI feature can still create legal or business risk if it leaks personal data, generates discriminatory content, misleads users, or makes unsupported claims.

8. The compliance trap: waiting for final certainty

Many teams are waiting for final standards, final guidance, final templates, and final deadlines.

That is risky.

The parts that are uncertain:

Uncertain areaWhy it matters
Final Omnibus adoption detailsSome dates or wording may still shift
Final high-risk guidelinesDraft guidance may change after consultation
Harmonised standardsTechnical compliance expectations may become clearer later
Enforcement practiceAuthorities will develop interpretation over time

The parts that are already clear:

Clear areaWhat you can do now
AI systems must be inventoriedBuild the inventory
Intended purpose mattersDocument it
Annex III domains are sensitiveMap your systems
Human oversight mattersDesign it
Accuracy and robustness matterTest them
Transparency mattersInform users clearly
GDPR still appliesAssess personal data processing
Evidence mattersKeep records

Do not wait for legal certainty to start engineering discipline.

9. Updated AI Act planning roadmap for 2026–2028

A practical roadmap:

PeriodWhat to do
Q2 2026Build AI inventory, map systems to risk categories, identify obvious high-risk candidates
Q3 2026Review transparency obligations, update user notices, label AI interactions/content where required
Q4 2026Create classification memos for all AI systems; build high-risk readiness plan
H1 2027Implement evaluation, logging, human oversight, data governance, and risk controls
H2 2027Run internal audits, fix gaps, prepare high-risk evidence package
2 December 2027 planning dateBe ready for Annex III high-risk obligations if the Omnibus timeline applies
2028Prepare product-integrated high-risk AI systems for conformity and sector-specific requirements
2 August 2028 planning dateBe ready for high-risk AI embedded in regulated Annex I products if Omnibus timeline applies

This roadmap assumes the Omnibus planning dates are used, but companies should keep monitoring the final legal text.

10. Practical checklist

Use this checklist now.

QuestionStatus
Do we have a complete inventory of AI systems?
Have we identified all systems used in the EU or offered to EU customers?
Have we checked prohibited AI practices?
Have we checked whether each system falls under Article 6(1)?
Have we mapped each system against Annex III?
Have we documented intended purpose?
Have we checked whether the system profiles natural persons?
Have we identified transparency obligations for chatbots, deepfakes, and AI-generated content?
Have we identified GPAI dependencies?
Have we defined human oversight for risky systems?
Have we created evaluation tests for accuracy, robustness, and bias?
Have we created logging and monitoring requirements?
Have we documented classification decisions?
Have we assigned owners for AI Act compliance?
Are we monitoring final Omnibus adoption and Commission guidance?

Conclusion

The 2026 Omnibus changes give companies more time for some high-risk AI Act obligations, especially Annex III systems and product-integrated systems.

But the delay is not a compliance holiday.

The AI Act is already partially active. Prohibited practices, AI literacy, GPAI obligations, and transparency planning remain relevant. The European Commission has also published draft high-risk classification guidelines and opened consultation, which means classification work is becoming more concrete, not less.

The safest planning principle is:

Use the delay to build evidence, not excuses.

A serious AI compliance program in 2026 should already know:

  1. what AI systems exist,
  2. what they are intended to do,
  3. whether they affect people,
  4. whether Annex III applies,
  5. whether profiling occurs,
  6. what transparency duties apply,
  7. what testing exists,
  8. what human oversight exists,
  9. what documentation proves the decision.

The deadline may move.

The work should not.

Sources

  1. Council of the EU, Artificial Intelligence: Council and Parliament agree to simplify and streamline rules, 7 May 2026.
  2. European Commission, AI Act: Shaping Europe's digital future, implementation overview.
  3. European Commission AI Act Service Desk, Timeline for the Implementation of the EU AI Act.
  4. ITPro, European Commission opens public consultation on draft high-risk AI guidelines, May 2026.
  5. VerifyWise, EU AI Act omnibus: what changed on 7 May 2026 and what changed, May 2026.
  6. Pinsent Masons, Rules on high-risk AI to be delayed under EU omnibus deal, May 2026.
NEXT STEP

Ready to automate your compliance?

Complicer scans your website, identifies compliance issues, and generates evidence packages — all in under 5 minutes.

START FREE AUDIT →
ComplicerAUDIT GRADE

Outcome-driven GDPR compliance — banners that actually work, evidence you can show your auditor.

GDPR-ALIGNED · SHA-256 · Ed25519 · EU-W1
PRODUCT
Free scanUse casesMethodologyEU AI ActPricingDocsBlog
COMPANY
ContactSecurity
LEGAL
PrivacyTermsComplaint
EVIDENCE CHAIN INTACT · SHA-256 · Ed25519 · RFC 3161-READY© 2026 COMPLICER