
EU AI Act, Delayed to December 2027: What the May 2026 Digital Omnibus Actually Changed (and What Still Hits August 2)

The May 2026 Digital Omnibus deferred the EU AI Act's high-risk obligations to December 2, 2027. The GPAI enforcement powers and penalty regime still activate August 2, 2026. This is the practical reading: what changed, what didn't, and what to do in the next 60 days.

Sofia Reyes
Compliance
2026-04-27

Answer box

On May 7, 2026, EU institutions reached a provisional political agreement on the Digital Omnibus package. The most consequential change for enterprise CISOs and GRC leaders: the high-risk Annex III obligations of the EU AI Act, originally enforceable from August 2, 2026, have been deferred to December 2, 2027. The GPAI (general-purpose AI) obligations and the penalty regime still activate as scheduled on August 2, 2026. Article 5 prohibitions remain in force. The headline is not "the EU AI Act is delayed" — three different deadlines moved differently. This guide is the practical reading: what changed, what didn't, and what to do in the next 60 days.


The headline most other coverage is getting wrong

Three different timelines exist under the EU AI Act. The Digital Omnibus moved one of them. The other two did not change.

| What | Original date | New date | Status |
|---|---|---|---|
| Article 5 prohibitions (manipulative AI, untargeted scraping, social scoring, etc.) | Feb 2, 2025 | No change | In force |
| AI literacy obligations (Article 4) | Feb 2, 2025 | No change | In force |
| GPAI provider obligations (Articles 51-55) | Aug 2, 2025 (with one-year wind-down) | No change | Wind-down ends Aug 2, 2026 — enforcement powers activate then |
| Penalty regime + AI Office authority | Aug 2, 2025 | No change | Fines live Aug 2, 2026 for GPAI; immediately for Article 5 violations |
| High-risk Annex III obligations (employment, education, credit, law enforcement, etc. — Articles 6, 16-29) | Aug 2, 2026 | Dec 2, 2027 | Deferred 16 months |
| High-risk Annex I product-safety obligations | Aug 2, 2027 | No change | On schedule |

The Digital Omnibus also introduced targeted simplifications across the AI Act and related laws (GDPR, NIS2 interactions), some of which are still being finalized in trilogue.

The combined effect: GPAI enforcement still hits August 2, 2026. High-risk system providers and deployers got 16 extra months. Prohibitions and AI literacy are unaffected.

Caveat: the Digital Omnibus reached political agreement on May 7, 2026. Formal adoption requires the European Parliament plenary vote and Council approval. The recitals and final text may shift in trilogue. Reverify against the published Official Journal text before making date-specific compliance commitments. AccuroAI will publish updates as the formal adoption lands.


What still applies on August 2, 2026

This is the section every CISO needs in front of them.

1. GPAI enforcement powers activate

The Commission and AI Office gain the power to investigate, request documentation from, and sanction providers of general-purpose AI models. For most enterprises this means:

  • If you fine-tune or modify a GPAI model and place it on the market, you may be classified as a "downstream provider" with provider obligations.
  • If you procure a GPAI model and use it internally as a deployer, the obligations sit with the provider — but you will be asked by the provider for input documentation, model use cases, and risk acknowledgments. Many enterprise contracts now include flow-down clauses.
  • Documentation obligations under Article 53 become enforceable: training data summary, technical documentation, evaluation results, instructions for downstream.
  • GPAI Code of Practice signatories (finalized July 2025) get a presumed-conformity safe harbor for the corresponding obligations.

2. Penalty regime is live

Fines reach €35M or 7% of global turnover for the most serious infringements (Article 5 prohibitions), €15M or 3% for non-compliance with most other obligations, and €7.5M or 1% for supplying incorrect information to authorities. SMEs benefit from reduced caps but not from exemption.

3. AI literacy obligation (Article 4) remains operative

All providers and deployers must "ensure a sufficient level of AI literacy of their staff" appropriate to their role. Already in force since Feb 2, 2025; auditors are increasingly asking to see the training program. Most enterprises have something in place; few have role-tiered evidence.

4. Prohibitions stay enforced

Article 5's prohibited practices (subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, real-time remote biometric ID in public spaces with narrow exceptions, predictive policing based solely on profiling, untargeted facial scraping, emotion recognition in workplaces/education with narrow exceptions, biometric categorization to infer protected attributes) have been enforceable since February 2025.

5. Transparency obligations on certain AI systems (Article 50)

Where AI interacts with natural persons, generates synthetic content, performs emotion recognition or biometric categorization, or generates deepfakes, disclosure obligations apply. These were in force February 2025 and are being clarified through the EC's May 2026 draft Transparency Guidelines.


What got pushed to December 2, 2027

The Annex III high-risk obligations are the operational core of the Act for most enterprises. The 16-month deferral changes the planning math significantly.

Categories of Annex III high-risk systems

  • Biometric identification and categorization
  • Critical infrastructure (water, gas, electricity, transport, digital infrastructure)
  • Education and vocational training (admissions, evaluation, monitoring)
  • Employment, workers management, and access to self-employment (recruitment, promotion, termination, performance evaluation)
  • Access to essential public and private services and benefits (credit scoring, public assistance eligibility, emergency response triage)
  • Law enforcement (risk assessments, evidence evaluation, deep-fake detection)
  • Migration, asylum, and border control
  • Administration of justice and democratic processes

Provider obligations now due December 2, 2027

For each high-risk system on the market:

  • Article 9: Risk management system (continuous, iterative).
  • Article 10: Data governance — training, validation, and testing data quality requirements.
  • Article 11: Technical documentation (Annex IV template).
  • Article 12: Record-keeping (automatic logging of events).
  • Article 13: Transparency and provision of information to deployers.
  • Article 14: Human oversight measures.
  • Article 15: Accuracy, robustness, and cybersecurity.
  • Articles 16-21: Provider duties (conformity assessment, declaration of conformity, CE marking, post-market monitoring).
  • Article 26: Deployer obligations (use in accordance with instructions, human oversight, monitoring, data input quality, log retention, fundamental rights impact assessment for certain deployers).

Why this matters even with the delay

Three reasons not to relax:

  1. Procurement contracts already written under the August 2026 assumption now have slack but include flow-down clauses you may have signed against the old timeline. Review and align.
  2. The Annex IV technical documentation, the FRIA (Fundamental Rights Impact Assessment), and the Annex VIII registration database all still exist as concepts and as evidence requirements — they're just not enforceable until December 2027. Auditors and customers will still ask for them. Producing them retroactively is significantly more expensive than producing them as you go.
  3. December 2027 is closer than it appears. Annex IV documentation, conformity assessment, post-market monitoring, FRIA, registration — each requires 6-12 months of lead time. Net useful runway is closer to 12 months than 18.

What changed for high-risk Annex I products

Annex I covers AI systems that are safety components of regulated products (medical devices, machinery, toys, recreational craft, lifts, pressure equipment, radio equipment, in-vitro diagnostics, civil aviation, motor vehicles, marine equipment, agricultural and forestry vehicles). The Digital Omnibus left this category on its original schedule: enforcement August 2, 2027.

For pharma, medtech, automotive, aviation, and machinery enterprises with embedded AI safety components, nothing meaningful changed. Annex IV documentation, harmonised standards conformity, and notified-body involvement all still apply on the original timeline. Treat your Annex I program as on its prior critical path.


What the Digital Omnibus actually simplified

The Omnibus is a "targeted simplification" package, not a wholesale rewrite. The simplifications most relevant to enterprises:

  • High-risk classification thresholds for some borderline cases (e.g., where AI is used in narrow ancillary functions of an Annex III process). Recital text is still being finalized; expect some reclassification of edge cases out of high-risk.
  • Registration database obligations simplified for deployers in specific sectors.
  • Streamlined coordination between EU AI Office and national competent authorities to reduce duplicate documentation requests.
  • Clarifications on the provider/deployer distinction when an enterprise fine-tunes a GPAI model for internal use.
  • GDPR/AI Act interaction — clarifications on the lawful basis for processing personal data in AI training under Article 10(5).

None of these change the core obligations. They reduce friction.


A 60-day plan for what to do now

  1. Re-confirm your GPAI posture. If you are a provider of a fine-tuned GPAI model or you embed a GPAI in a product you place on the market, you have provider obligations going live August 2, 2026. Documentation gaps need to be closed in the next 60 days.

  2. Re-confirm your AI literacy program. Auditors are asking. Role-tiered training, attendance records, refresh cadence, and assessment evidence are the artifacts. If you only have a generic e-learning, upgrade now.

  3. Inventory your Annex III in-scope systems. Even with the deferral, you need the list. Many enterprises learn during inventory that they have more in-scope systems than they thought (recruitment AI, credit scoring, customer triage). The earlier this list is accurate, the cheaper the December 2027 program is.

  4. Annex IV documentation rolling baseline. Even though enforcement is deferred 16 months, customers and auditors will ask sooner. Produce a v1 Annex IV pack for each in-scope system this quarter. Updating is cheap; building from scratch is not. See our companion piece: EU AI Act Annex IV Technical Documentation: A CISO's Evidence Walkthrough (publishing shortly).

  5. Re-baseline your AI Bill of Materials (AIBOM). Annex IV requires it implicitly. ISO 42001 requires it. Your procurement RFPs are starting to require it. One canonical AIBOM serves all three.

  6. Update your AI procurement contracts. Flow-down clauses written against August 2, 2026 should reference Article 25 and the December 2, 2027 high-risk effective date. New contracts should anticipate the formal adopted text.

  7. Brief your AI risk committee. This is a board-level update. The deferral is not a relaxation; it is a re-phasing. The framing matters.

For organizations using AccuroAI, the compliance pack auto-generates evidence mapped against the updated timeline — Article 11 technical documentation skeletons, Article 12 logging schemas, and the GPAI Article 53 documentation requirements. Book a 30-minute walkthrough if you'd like the gap report against your environment.


What auditors will ask in Q3 and Q4 2026

Based on conversations with enterprise audit committees over the past four weeks:

  1. "Show me your AI literacy program." Article 4 evidence.
  2. "Are you a GPAI provider, deployer, or both, by system?" Article 25 + 53 classification.
  3. "For each GPAI you use, show me the provider's Article 53 documentation." Flow-down evidence.
  4. "Show me your high-risk system inventory." The Annex III list, even though obligations are deferred.
  5. "For each high-risk system, where are you on Annex IV documentation?" Forward-looking even before the December 2027 deadline.
  6. "What is your timeline to FRIA for each in-scope deployer use?" Article 27 prep.
  7. "Show me your AI incident response runbook for Article 73 reporting." Pre-positioning.

If any of these can't be answered, that is the work for the next 90 days.


FAQ

Has the EU AI Act been delayed? Partially. The high-risk Annex III obligations have been deferred from August 2, 2026 to December 2, 2027 by the May 2026 Digital Omnibus political agreement. The GPAI enforcement powers, penalty regime, prohibitions, AI literacy, and transparency obligations are all unchanged.

Is the May 7, 2026 Digital Omnibus agreement final? It is a provisional political agreement. Formal adoption requires the European Parliament plenary vote and Council approval. The text may shift in trilogue. Reverify against the published Official Journal text before making date-specific commitments.

Do GPAI provider obligations still activate on August 2, 2026? Yes. The Digital Omnibus did not change the GPAI track. Provider obligations are enforceable from August 2, 2026, and the Commission gains the power to investigate and sanction at that date.

If I'm a deployer (not provider), what changed for me? For deployment of GPAI systems: nothing material changed. For deployment of high-risk Annex III systems: your obligations under Article 26 are deferred to December 2, 2027 along with the provider obligations.

Should I delay our EU AI Act readiness work? No. The deferral creates planning runway, not relief. Annex IV documentation, FRIA, and the registration obligations all have 6-12 month lead times. Producing them as you go is cheaper than producing them retroactively. Customers and auditors will continue to ask before the formal deadline.

Where can I read the official text?

  • EU AI Act (Regulation 2024/1689): EUR-Lex.
  • Digital Omnibus political agreement: tracking on EUR-Lex and the European Parliament legislative observatory once formal adoption occurs.
  • EC draft Transparency Guidelines (May 2026): tracking through the AI Office publications.


Sources: EU AI Act on EUR-Lex (Regulation 2024/1689) · EU AI Act Implementation Timeline · Inside Global Tech — Digital Omnibus AI Act Update (May 2026) · Global Policy Watch — EC Draft Transparency Guidelines · GPAI Code of Practice (EU AI Office, July 2025).

Related: The EU AI Act August 2, 2026 Deadline: What Becomes Enforceable in Ten Weeks · EU AI Act Compliance Checklist: CISO Action Plan for 2026 · One Map to Rule Them All: A Unified Crosswalk Between NIST AI RMF, ISO 42001, and the EU AI Act.
