The 2026 Digital Omnibus on AI extended two critical AI Act deadlines: Annex III standalone high-risk systems to 2 December 2027, and Annex I embedded systems to 2 August 2028. Here is what changed, why, and what your compliance programme must do now.
What the 2026 Digital Omnibus on AI changes
The Digital Omnibus on AI amended two central application dates in EU Regulation 2024/1689 (the EU AI Act):
| Obligation | Original deadline | New deadline | Change |
|---|---|---|---|
| High-risk AI — Annex III (standalone systems) | 2 August 2026 | 2 December 2027 | +16 months |
| High-risk AI — Annex I (embedded in regulated products) | 2 August 2026 | 2 August 2028 | +24 months |
No other major deadlines were modified. Prohibited practices (2 February 2025), GPAI rules (2 August 2025), and transparency obligations for GPAI content marking (2 August 2025) remain in force on their original dates.
Why the omnibus deferred high-risk AI deadlines
The European Commission cited three drivers:
- Alignment with implementing acts — technical standards and harmonised norms for high-risk AI assessment (CEN/CENELEC work programme) were not finalised in time for August 2026. Conformity assessments require these standards.
- Compliance infrastructure gap — notified bodies, national competent authorities, and the EU AI Office needed additional setup time. Without operational enforcement infrastructure, an August 2026 deadline would have been unenforceable in practice.
- SME readiness — smaller providers, particularly in medtech, HR tech, and financial services, reported insufficient time to complete QMS implementation and technical documentation alongside parallel DORA and NIS2 obligations.
The extension is a grace period, not a reduction in scope. All obligations remain; only their timeline shifts.
Annex III — standalone high-risk AI (deadline: 2 December 2027)
Annex III standalone covers AI systems that are themselves placed on the market or put into service as high-risk systems, without being a safety component of another product. Examples:
- Recruitment and HR screening AI (CV ranking, interview analysis)
- Credit scoring and creditworthiness assessment AI
- Biometric categorisation (not real-time identification, which is prohibited)
- AI used in critical infrastructure management
- AI in educational and vocational training assessment
- AI used by law enforcement and migration authorities
Provider obligations by 2 December 2027:
- Complete a conformity assessment under Art. 43
- Implement a quality management system (Art. 17)
- Compile technical documentation (Art. 11 + Annex IV)
- Register the system in the EU AI database (Art. 71)
- Affix CE marking (Art. 48)
- Appoint an EU representative if established outside the EU
Deployer obligations (also by 2 December 2027):
- Conduct a Fundamental Rights Impact Assessment (FRIA) for public body deployers
- Implement human oversight measures (Art. 26)
- Document inputs and outputs (Art. 26(6))
- Inform employees where AI-assisted decisions affect them
Annex I — embedded high-risk AI (deadline: 2 August 2028)
Annex I embedded covers AI that forms a safety component of a product already regulated under existing EU product safety legislation. The AI Act compliance is integrated into the existing conformity assessment procedure for that product. Examples:
- AI components in medical devices (MDR/IVDR)
- AI in automotive systems (type-approval frameworks)
- AI in machinery (Machinery Regulation)
- AI in aviation components
- AI in toys and consumer products (low voltage/EMC)
The two-year additional extension (vs. 16 months for Annex III) reflects the layered complexity of conformity assessment across two regulatory regimes simultaneously.
What changed is the deadline — not the obligations
A common misreading of the omnibus: the deadline extension means obligations are softened. They are not.
The conformity assessment, QMS, technical documentation, CE marking, and registration requirements are identical to what was required under August 2026. The omnibus does not reduce scope, create exemptions, or add transition derogations. It moves the finish line.
Practical implication: organisations that use the extension as an excuse to pause compliance programmes will face a harder crunch in late 2027. The more productive use of the additional time is to complete QMS implementation, stress-test technical documentation against draft harmonised standards, and engage with notified bodies early — their capacity will be constrained as the December 2027 deadline approaches.
Prohibited practices that are already in force
These prohibitions under Art. 5 applied from 2 February 2025 and were not touched by the omnibus:
- Subliminal manipulation — AI techniques that exploit subconscious vulnerabilities to alter behaviour against users' interests
- Exploitation of vulnerabilities — targeting children, elderly, or disadvantaged groups
- Social scoring — AI-based general-purpose scoring of natural persons by public authorities
- Real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow exceptions)
- Emotion recognition in the workplace and educational institutions
- Biometric categorisation systems that infer sensitive characteristics (race, political opinions, trade union membership, sexual orientation, religion) — unless for legitimate law enforcement purposes with judicial authorisation
- NCII/CSAM — generation or manipulation of non-consensual intimate imagery or child sexual abuse material using AI is prohibited
Non-compliance with Art. 5 prohibitions from 2 February 2025 carries fines up to €35 million or 7% of global annual turnover, whichever is higher.
GPAI model rules: already applicable
Chapter 5 GPAI obligations apply from 2 August 2025:
- All GPAI providers must comply with transparency obligations (Art. 53)
- Providers of GPAI models with systemic risk (above 10²⁵ FLOPs training compute) face additional obligations including adversarial testing and incident reporting
- AI-generated content marking (watermarking) for synthetic media applies to generative GPAI systems
Convergence with DORA and NIS2
Organisations in financial services face the triple burden of AI Act, DORA, and NIS2 obligations with overlapping timelines. Key intersections:
- ICT risk management under DORA (Art. 5–16) must cover AI-driven ICT systems — DORA does not exempt AI tools from its ICT risk framework
- Incident reporting under DORA (Art. 19–23) applies to incidents caused by or involving AI systems
- NIS2 security measures (Art. 21) include AI-related cyber risks in scope
- AI Act Art. 9 risk management for high-risk AI overlaps significantly with DORA's ICT risk management — dual-mapping is possible and recommended to avoid duplicative documentation
See our full convergence analysis → or our sister site regulation-dora.eu for DORA-specific coverage.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
For standalone Annex III systems (e.g. recruitment AI, credit scoring, biometric categorisation): 2 December 2027. For AI embedded in Annex I regulated products (e.g. medical devices, machinery): 2 August 2028.
The Digital Omnibus on AI is an EU legislative amendment, formally adopted in mid-2026, that revised several deadlines and obligations in Regulation (EU) 2024/1689 (the AI Act). Its primary purpose was to give providers and deployers more time to build compliant AI governance frameworks, particularly for high-risk categories.
No. The prohibitions on unacceptable risk AI — including subliminal manipulation, social scoring, real-time biometric identification in public spaces (with exceptions), and NCII/CSAM generation — have applied since 2 February 2025 and were not changed by the omnibus.
GPAI obligations (Chapter 5 of the AI Act) also remain at 2 August 2025. The omnibus targeted Annex III and Annex I high-risk obligations only.
Providers must: complete a conformity assessment, implement a quality management system (QMS), register in the EU database, affix CE marking, and prepare technical documentation. Deployers must: conduct fundamental rights impact assessments, implement human oversight, and document all high-risk AI use.
The extension is purely temporal: no obligation is removed. The same conformity assessment, technical documentation, QMS, CE marking, registration, and transparency requirements apply — they must simply be met by the new dates.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.