EU AI Act Digital Omnibus: High-Risk Deadline Extended to December 2027 — What It Means

Key takeaways

  • The Digital Omnibus extends Annex III high-risk obligations from August 2, 2026 to December 2, 2027.
  • Article 50 transparency obligations are NOT extended — they still take effect August 2, 2026.
  • Prohibited AI practices (Article 5) have been enforced since February 2, 2025.

On May 7, 2026, the European Parliament and Council reached a provisional agreement on the Digital Omnibus legislative package. The headline change for AI: Annex III high-risk obligations are officially extended by 16 months, from August 2, 2026 to December 2, 2027. Here's what that means for your compliance planning — and why starting now is still the right call.

What the Digital Omnibus changes

The Digital Omnibus is an umbrella legislative package touching several EU digital regulations simultaneously — the AI Act, GDPR, the Data Act, and the Cyber Resilience Act. For the EU AI Act specifically, the confirmed change extends the application date for Annex III high-risk AI system obligations by 16 months, from August 2, 2026 to December 2, 2027.

Annex III covers the majority of commercial AI systems with meaningful real-world impact: AI used in employment decisions, credit scoring, education, critical infrastructure, law enforcement, and migration. Companies with these systems now have until December 2, 2027 to meet the full technical documentation, risk management, and conformity assessment requirements.

What the Digital Omnibus does NOT change

The extension only applies to Annex III high-risk obligations. The following remain in force on their original timelines:

  • Article 5 — Prohibited practices: In force since February 2025. Social scoring, real-time biometric surveillance, subliminal manipulation, and emotion recognition in workplaces and schools remain banned.
  • Chapter V — GPAI obligations: In force since August 2025. Companies deploying general-purpose AI models (Claude, GPT-4, Gemini, etc.) have active obligations around transparency, copyright compliance, and incident reporting.
  • Article 50 — Transparency obligations: Takes effect August 2, 2026 as originally planned. If your product has a chatbot, virtual assistant, or generates AI content, you must disclose this to users. This deadline has NOT moved.
  • Article 53 — GPAI provider obligations: In force. Model providers have active technical documentation and transparency requirements.

The Digital Omnibus only delays the most burdensome high-risk AI documentation requirements. Transparency obligations are 74 days away and are not affected by this extension. A significant portion of the EU AI Act already applies to you today.

The new dual-deadline reality

Companies now face two distinct enforcement dates:

  • August 2, 2026 (74 days): Article 50 transparency obligations — chatbot disclosure, AI-generated content labeling, deepfake marking
  • December 2, 2027 (561 days): Annex III high-risk obligations — technical documentation, risk management, conformity assessment, EU database registration

This dual timeline creates a practical question for every company: which deadline applies to you? The answer depends on your classification. Run the free classifier to find out exactly where you stand.

Three reasons not to wait until 2027

1. Commercial pressure is already here

Enterprise procurement teams — particularly at larger EU companies who are themselves subject to deployer obligations under the AI Act — are already asking vendors for evidence of compliance. RFPs are including EU AI Act compliance questionnaires. Security assessments reference Annex IV documentation. This commercial pressure is not waiting for December 2027. A company that cannot demonstrate a credible compliance posture will face sales friction regardless of when the regulatory deadline actually hits.

2. Compliance work takes 3 to 6 months

December 2027 sounds comfortable. But high-risk AI compliance still requires months of focused work: technical documentation, risk management system, data governance review, human oversight implementation, conformity assessment, and EU database registration. If you wait until mid-2027 to begin, you will be rushing to complete months of work in weeks — the exact position companies were in before the extension.

3. The extension may not cover your system

The Digital Omnibus targets Annex III high-risk obligations. If your system falls under Annex I (AI used in regulated products — medical devices, machinery, vehicles), the original timeline may still apply under sector-specific legislation. The interaction between the AI Act and sector regulations is one of the most complex areas of compliance, and the Digital Omnibus does not fully resolve it.

The smart approach

The extension is real, and it gives you more runway. Use it wisely. The companies that will be in the strongest position in 2027 are the ones that used 2026 to build a genuine compliance foundation — not the ones who treated the extension as permission to do nothing for another year.

Start by classifying your AI systems to understand which obligations apply. The free classifier at getactready.com/classify takes 60 seconds and tells you exactly what tier you're in, what requirements are already in force, and what the December 2027 deadline means for your specific system.
