Published May 8, 2026. The EU Digital Omnibus provisional political agreement was reached May 7, 2026. This article covers what changed, what did not change, and what compliance teams should do now.
The EU AI Act Annex III (high-risk AI) deadline is extended to December 2, 2027. Here is the confirmed timeline:
| Item | Old deadline | New deadline | Status |
|---|---|---|---|
| Annex III, high-risk AI (hiring, credit, healthcare, education) | August 2, 2026 | December 2, 2027 | Agreed May 7, pending OJ publication |
| Annex I, regulated products (medical devices, vehicles, machinery) | August 2026 | August 2, 2028 | Agreed May 7, pending OJ publication |
| GPAI enforcement (Commission enforcement powers over AI providers) | August 2, 2026 | August 2, 2026 | UNCHANGED, not affected by Omnibus |
| GPAI obligations (rules on frontier model providers) | August 2, 2025 | August 2, 2025 | Already in force, unchanged |
| Prohibited AI (social scoring, subliminal manipulation) | February 2025 | February 2025 | Already in force, unchanged |
| Formal adoption (Parliament + Council) | , | June 2026 | Expected |
| Official Journal publication | , | July 2026 | Targeted |
What this means for your compliance timeline: August 2026 compliance sprints can be deprioritized. December 2, 2027 is your new Annex III target. GPAI enforcement (August 2, 2026) is unchanged, if you use frontier AI models in your product, your vendors face active Commission enforcement from August.
TL;DR: The EU AI Act Annex III (high-risk AI) deadline has been extended from August 2, 2026 to December 2, 2027. Provisional political agreement on the EU Digital Omnibus was reached May 7, 2026. Formal adoption by Parliament and Council is expected June 2026; Official Journal publication July 2026. The extension is not yet legally in force, August 2, 2026 remains operative until publication. GPAI enforcement (August 2, 2026) is NOT extended. Annex I moves to August 2, 2028. SME documentation requirements are simplified.
What the Digital Omnibus Changes
1. Annex III deadline: August 2026 → December 2027
The Omnibus extends the compliance deadline for high-risk AI systems by 16 months. High-risk AI includes:
- AI used in hiring and HR decisions (CV screening, scoring, interview tools)
- AI used in credit scoring and lending
- AI in healthcare (clinical decision support, diagnostic tools)
- AI in education (student assessment, admissions screening)
- AI in critical infrastructure (energy, water, transport)
- AI used by law enforcement and border management
- Biometric identification systems
If your team uses or deploys AI in any of these categories, December 2, 2027 is your new compliance deadline for conformity assessment, human oversight, and database registration.
2. Annex I deadline: August 2026 → August 2028
AI embedded in regulated products (CE-marked medical devices, automotive components, industrial machinery) moves to August 2028. This primarily affects product manufacturers, not deployers.
3. SME documentation simplified
The Omnibus reduces conformity assessment documentation requirements for small and medium-sized enterprises and small mid-caps. The specific simplifications are in the legal text pending Official Journal publication, but the direction is less paperwork, not fewer obligations.
What the Digital Omnibus Does NOT Change
- GPAI enforcement August 2, 2026, unchanged. The Commission's enforcement powers over providers of general-purpose AI models (GPT-4, Claude, Gemini) activate August 2 as planned. Your AI vendors are affected.
- Prohibited AI (February 2025), social scoring, subliminal manipulation, real-time biometric surveillance in public spaces. These have been in force since February 2025 and are not affected.
- GPAI obligations (August 2, 2025), already in force. GPAI providers have been subject to transparency, copyright, and documentation obligations since August 2025.
- Transparency requirements for limited-risk AI, chatbot disclosure obligations and AI-generated content labeling are in force and unchanged.
6-Point Action Checklist for Compliance Teams
- 1. Update your compliance roadmap. Replace August 2, 2026 Annex III milestones with December 2, 2027. Do not delete them, extend them.
- 2. Communicate to leadership. Confirm that the August compliance sprint can be deprioritized. Attach the source (EU AI Office statement or Official Journal once published), do not act on this until OJ publication if your legal team requires formal law.
- 3. Keep GPAI work on schedule. If you integrated frontier AI models into your product, your vendors face active enforcement from August 2, 2026. Verify your vendor agreements are compliant by August.
- 4. Re-engage vendors on documentation. With the December 2027 deadline, vendors who were slow to respond to conformity documentation requests may be more responsive, you have time to do it properly.
- 5. Update your risk register timeline. If you have an existing EU AI Act risk register or compliance project tracker, update deadline fields now.
- 6. Monitor for Official Journal publication. Set a calendar reminder for July 2026 to confirm the Omnibus has been published. Until then, August 2, 2026 remains technically in force.
What the SME Simplifications Actually Mean
The Digital Omnibus includes documentation simplifications for small and medium-sized enterprises. While the detailed legal text awaits Official Journal publication, the direction disclosed in the provisional agreement affects three areas:
Conformity assessment documentation. SMEs deploying Annex III high-risk AI will face reduced documentation requirements for their conformity assessments. The full technical documentation standard (Article 11 of the AI Act) was written with large enterprises and AI developers in mind, extensive records of training data, model architecture, and performance metrics that are disproportionate for small deployers. The Omnibus narrows the documentation bar for small deployers who are not also the AI system's developer.
Self-assessment vs. third-party assessment. For some high-risk AI categories, the Omnibus expands the range of systems eligible for self-assessment rather than mandatory third-party notified body assessment. This is significant for cost: notified body assessments for AI systems can cost tens of thousands of euros. SME deployers in categories where self-assessment is now permitted will face a lower compliance cost, though self-assessment still requires documented evidence.
Registration database. The EU AI Act requires high-risk AI systems to be registered in an EU database before deployment. The Omnibus adjusts the registration timeline and the data required from SME deployers. The specific fields and timeline will be confirmed in the Official Journal text.
What has not changed: The substance of the obligations, risk assessment, human oversight, accuracy monitoring, bias testing, and incident reporting, remains intact for all Annex III deployers. The simplification is administrative, not substantive.
Practical implication for small teams: the December 2, 2027 deadline gives you 16 additional months to complete the compliance work, and the SME simplifications reduce the documentation volume. Use the time to complete substantive compliance tasks, AI system inventory, risk classification, vendor conformity documentation requests, rather than waiting for the Official Journal to confirm the administrative simplifications.
How to Use the Extended Time Productively
The extension is most valuable to teams that use it to do compliance work systematically rather than treating it as permission to restart everything in Q3 2027. Here is how to structure the 16-month runway:
Months 1-3 (now through August 2026): Complete AI system classification. Every AI system your team uses should be assessed against the Annex III high-risk categories: hiring/HR, credit scoring, healthcare, education, critical infrastructure, law enforcement, biometric identification. Classification does not depend on the final Omnibus text, the Annex III categories are not changing.
Months 4-8 (September 2026, January 2027): Vendor documentation. For each AI system that classifies as high-risk, your vendor must provide conformity documentation: technical documentation, EU declaration of conformity, and instructions for use. This is a vendor obligation, but you need to request it and receive it before deployment. Vendors who were unresponsive under August 2026 pressure may be more cooperative with a December 2027 deadline, use this window to complete requests rather than deferring them.
Months 9-14 (February, September 2027): Implement oversight mechanisms. Human oversight requirements, accuracy monitoring, and incident reporting procedures are operational work, they require process design, tool configuration, and staff training. This is the time-intensive phase. The 16-month extension ensures these can be built properly rather than rushed.
Months 15-16 (October, November 2027): Final review and registration. Confirm all documentation is complete, register systems in the EU AI Office database, and conduct a pre-deadline internal audit.
The teams that benefit most from the extension are those that use it to avoid a sprint, completing foundational classification and vendor work early, then building operational mechanisms steadily through 2027. The teams that will find themselves in the same position in late 2027 as they were in mid-2026 are those that treat the extension as a reason to stop.
Timeline for Official Enactment
The agreement is provisional, it requires formal steps before becoming law:
- Legal-linguistic review, approximately 4-6 weeks after provisional agreement (completed by mid-June)
- European Parliament vote, formal vote adopting the agreed text
- Council of the EU adoption, formal ministerial approval
- EU Official Journal publication, the date the new deadlines take legal effect
Based on this process, Official Journal publication in July 2026 is the realistic target. If the process slips, August 2, 2026 could be in force briefly, but the political will to complete the process before August 2 is strong given the agreement has been reached.
Sources: EU AI Office, European Parliament legislative tracker, Digital Omnibus trilogue outcome (May 7, 2026). This article will be updated when the Omnibus is published in the Official Journal.
What the Extension Means If You Were Mid-Implementation
Teams that started GPAI compliance work targeting August 2, 2026 now have additional time, but the work completed is not wasted. Technical documentation, transparency notices, and usage policies written for August compliance will satisfy the December 2027 requirements without modification. The extension does not change what compliance looks like; it changes when enforcement begins.
If your team completed foundational steps, a GPAI provider self-assessment, a transparency notice, and a data governance review, you are in a stronger position than teams that paused. The extension period is useful for adding depth: more complete technical documentation, formal red-teaming of high-risk use cases, and integration with broader AI governance processes that a hard August deadline compressed.
Teams that did nothing before the extension should not treat it as a reset. The requirements are unchanged and the EU AI Office has indicated it will issue guidance and begin informal engagement with providers before formal enforcement begins. Starting now puts you ahead of that engagement window.
Related Reading
- EU AI Act Digital Omnibus, full trilogue history and what changed
- EU AI Act compliance guide for small teams
- EU AI Act August 2026 compliance checklist
- EU AI Act GPAI compliance checklist, August 2, 2026 deadline
- Am I a GPAI provider? EU AI Act self-test 2026
- AI regulation deadline calendar 2026, every jurisdiction
