Updated May 8, 2026: Provisional political agreement on the EU Digital Omnibus was reached May 7, 2026. The Annex III deadline extension to December 2, 2027 is agreed in principle. Formal adoption and Official Journal publication remain pending.
The EU AI Act Annex III (high-risk AI) deadline is being extended. Provisional agreement was reached May 7. Below is the current status and what to do.
| Event | Date | Status |
|---|---|---|
| Digital Omnibus proposal published | December 2025 | Done |
| First trilogue | March 2026 | Done, partial alignment |
| Second trilogue | April 28, 2026 | Done, no agreement |
| Third trilogue | May 7, 2026 | AGREEMENT REACHED |
| Formal adoption by Parliament + Council | June 2026 | Expected |
| Official Journal publication | July 2026 | Expected |
| Current Annex III deadline | August 2, 2026 | In force until OJ publication |
| New Annex III deadline (Omnibus) | December 2, 2027 | Agreed, not yet enacted |
| New Annex I deadline (Omnibus) | August 2, 2028 | Agreed, not yet enacted |
TL;DR: The EU AI Act Annex III (high-risk AI) deadline is being extended from August 2, 2026 to December 2, 2027. Provisional political agreement on the EU Digital Omnibus was reached on May 7, 2026. Formal adoption by Parliament and Council is expected in June 2026; Official Journal publication in July 2026. The extension is not yet legally in force, August 2, 2026 remains the operative deadline until publication. GPAI enforcement (August 2, 2026) is NOT affected by the Omnibus and remains unchanged. If you are a high-risk AI deployer, the practical effect is: you likely have until December 2027, but do not stop compliance work, the formal adoption step must still happen.
What the Digital Omnibus Changes
The EU Digital Omnibus agreement (May 7, 2026) makes six changes to the EU AI Act:
1. Annex III high-risk deadline: Moves from August 2, 2026 to December 2, 2027 , a 16-month extension for stand-alone high-risk AI (hiring, credit, healthcare, education, biometrics, critical infrastructure, border control).
2. Annex I deadline: AI embedded in regulated products (medical devices, machinery, vehicles) moves from August 2, 2027 to August 2, 2028, a one-year extension.
3. Article 50 content labeling delayed: AI-generated content marking and deepfake labeling (Article 50 Obligations 1-3) delayed from August 2, 2026 to December 2, 2026. Chatbot disclosure (must say "I am an AI" when asked) remains August 2, 2026.
4. New prohibitions (December 2, 2026): The Omnibus adds an explicit ban on AI systems that generate non-consensual intimate imagery (NCII) and child sexual abuse material (CSAM), including AI "nudifiers". Compliance required by December 2, 2026. See the nudification ban + watermarking checklist.
5. SME threshold expanded: The simplified compliance framework extends to companies with up to 750 employees and €150 million annual revenue (previously standard SME thresholds). Exclusions apply for critical infrastructure, justice, democratic processes, law enforcement, and financial institutions regardless of size.
6. Bias detection special category data: Organizations may process special category data (race, health, sexual orientation) where strictly necessary for bias detection and correction in both high-risk and non-high-risk AI systems. Previously ambiguous under GDPR Article 9.
What Happened: May 7 Agreement
The third trilogue between the European Parliament, the Council of the EU, and the European Commission produced a provisional political agreement on May 7, 2026.
The key sticking point from the April 28 failure was resolved: the Commission's proposed "conditional application mechanism" was dropped. The agreed text uses fixed dates, December 2, 2027 for Annex III, August 2, 2028 for Annex I, which is what the EP and Council demanded.
Provisional agreement means the political deal is done. What remains is:
- Legal-linguistic review of the agreed text (typically 4-6 weeks)
- Formal vote by the European Parliament
- Formal adoption by the Council of the EU
- Publication in the EU Official Journal (when the new dates take legal effect)
When Does the Extension Take Legal Effect?
The May 7 agreement is politically binding but not yet law. The extension takes effect only when published in the EU Official Journal. The realistic timeline:
- June 2026: Formal adoption by Parliament and Council
- July 2026: Official Journal publication
- On publication: December 2, 2027 becomes the operative deadline for Annex III
If publication happens before August 2, 2026, which the current timeline suggests it will, organizations will have a clean extension with no gap. If there is any delay and publication slips to August or later, August 2, 2026 would technically be the deadline for a brief period. This scenario is unlikely but not impossible.
Practical guidance: Plan for December 2027, but do not cancel the compliance work you have already started.
GPAI Model Rules Are Already in Force
The GPAI (General Purpose AI) model obligations under Articles 51-56 came into force on August 2, 2025, not 2026. The Digital Omnibus does not affect this. The Commission's enforcement powers for GPAI providers activate on August 2, 2026 regardless of what happens with the Omnibus.
If you use Claude, GPT-4, or Gemini as underlying models in your product, this enforcement date is relevant to your providers, it is not directly your obligation as a deployer, but it means your AI vendors are now subject to active Commission supervision.
What To Do Right Now (6-Point Checklist)
Agreement is reached. The extension is coming. Here is what to do this week:
- Do not cancel compliance work already in progress. The extension gives you more time, it does not mean the AI Act goes away. High-risk AI deployers still have obligations by December 2027.
- Inform your leadership. The August 2, 2026 compliance sprint is likely unnecessary, but send them the confirmation that this is provisional agreement, not final law yet.
- Update your project timelines. If you built an August 2026 deadline into your compliance roadmap, the new target is December 2, 2027 for Annex III systems.
- Do not stop GPAI-related work. The GPAI enforcement date (August 2, 2026) is not affected by the Omnibus. If you use frontier AI models (Claude, GPT-4, Gemini) in your products, your vendors face active Commission enforcement from August 2.
- Request vendor documentation for a December 2027 timeline. If vendors were slow to respond because of the August crunch, re-engage with the new timeline, you may get better documentation with more time.
- Monitor for Official Journal publication. The extension is not law until published. Set a calendar reminder for July 2026 to confirm the OJ publication has happened.
What the SME Simplification Actually Means
The Digital Omnibus includes documentation simplification for small and medium-sized enterprises. This is worth unpacking carefully, because it does not eliminate compliance obligations, it reduces the paperwork burden for specific conformity assessment steps.
Under the standard EU AI Act framework, deployers of Annex III high-risk AI systems must maintain technical documentation, conduct conformity assessments, register in the EU AI Act database, and implement post-market monitoring. The full documentation requirement was designed for large organisations with compliance teams. For a 10-person company using an AI hiring tool, it was disproportionate.
The Omnibus carve-out for SMEs and small mid-caps:
- Reduces the conformity assessment documentation to a simplified format rather than the full technical file
- Allows SMEs to rely more heavily on documentation provided by the AI system developer rather than conducting independent assessments
- Retains the obligation to register in the EU database for Annex III systems
What is explicitly excluded from the lighter-touch process: critical infrastructure operators, justice-related AI systems, democratic process applications, law enforcement, and financial institutions, regardless of whether the deployer is an SME. If your small team operates in one of these sectors, the full conformity assessment requirements apply to you even after the Omnibus.
How the Extended Timeline Affects Your Compliance Roadmap
The 16-month extension from August 2026 to December 2027 creates three distinct planning scenarios depending on where you are now:
Scenario 1, You have not started: The extension means December 2027 is your operational deadline for Annex III systems. You have time to plan properly. Priority actions in the next 90 days: classify your AI systems against Annex III categories, identify which if any qualify as high-risk, and request vendor EU AI Act documentation. The GPAI enforcement date (August 2, 2026) is unchanged, if your product uses a frontier model, your vendors face active supervision from August.
Scenario 2, You are mid-compliance project: The extension gives you more runway. Do not stop work, use the additional time to improve quality rather than delay start. Documentation prepared now will be more defensible than documentation assembled under deadline pressure in late 2027.
Scenario 3, You were planning to be ready by August 2026: The extension does not invalidate your work. Being compliant ahead of the December 2027 deadline is a competitive and reputational advantage in regulated sector sales. Enterprise customers in healthcare, financial services, and the public sector are already asking for EU AI Act documentation as part of procurement. Being able to provide it in 2026 differentiates your team.
What Has Not Changed
Several obligations remain unaffected by the Digital Omnibus agreement:
Prohibited AI practices (Article 5): Bans on social scoring, real-time remote biometric identification in public spaces for law enforcement (with exceptions), and AI systems that exploit vulnerabilities to distort behaviour have been in force since February 2, 2025. The Omnibus does not touch these.
GPAI model obligations (Articles 51-56): Came into force August 2, 2025. Commission enforcement powers activate August 2, 2026. Unchanged by the Omnibus.
Transparency obligations (Article 50): Chatbot disclosure (must disclose being AI when directly asked) entered force August 2, 2026 and is not affected by the Omnibus. AI-generated content labeling and deepfake marking (Obligations 1-3) were delayed by the Omnibus to December 2, 2026. See the Article 50 compliance checklist and nudification ban + watermarking checklist for deadline-specific action steps.
GDPR obligations for AI data processing: Entirely separate from the EU AI Act. Not affected by the Omnibus.
For most small teams, the practical list of obligations active now is shorter than the Annex III compliance discussion suggests: prohibited practices (have you deployed anything in Article 5 categories?), GPAI-adjacent obligations (if you use frontier models in a product), and transparency requirements for chatbots and synthetic content. Those are live today. The Annex III high-risk framework, the big compliance project, is what December 2027 governs.
References
- EU Digital Omnibus AI proposal: digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
- EU AI Act Legislative Train: europarl.europa.eu/legislative-train/package-digital-package/file-digital-omnibus-on-ai
- Morrison Foerster European Digital Compliance update, May 1, 2026
- Related: EU AI Act August 2 countdown action plan
- Related: EU AI Act compliance checklist
The Digital Omnibus must complete formal enactment steps, legal-linguistic review, European Parliament vote, Council adoption, and publication in the Official Journal, before the December 2027 dates take legal effect. Publication in July 2026 is the realistic target. August 2, 2026 remains the operative deadline for GPAI obligations regardless of Omnibus status.
