EU Delays AI Act 'High-Risk' Enforcement to 2027 Under New Omnibus Deal
European lawmakers have reached a political agreement to delay the most stringent requirements of the AI Act by 16 months, giving enterprises until December 2027 to comply with high-risk system rules.
By Factlen Editorial Team
- Enterprise & Compliance Teams
- Relieved by the delay, arguing the original timeline was unworkable without finalized technical standards.
- Digital Rights & Safety Advocates
- Critical of the delay, warning that it leaves citizens unprotected from algorithmic harms for another 16 months.
- EU Regulators
- Framing the delay as a necessary simplification to ensure the law is practically enforceable.
What's not represented
- · Small and medium-sized AI startups who may still struggle with the compliance costs despite the delay.
- · Non-EU governments observing the timeline shift to calibrate their own domestic AI regulations.
Why this matters
The 16-month delay fundamentally alters the global timeline for AI compliance, giving multinational corporations a critical reprieve to build auditing systems while leaving European citizens temporarily without the Act's promised protections against algorithmic bias in hiring, credit, and law enforcement.
Key points
- The EU has agreed to delay the enforcement of 'high-risk' AI rules from August 2026 to December 2027.
- AI systems embedded in regulated products, such as medical devices, are delayed until August 2028.
- Transparency rules requiring the watermarking of AI-generated content will take effect on December 2, 2026.
- The Digital Omnibus agreement explicitly bans 'nudifier' apps that generate non-consensual intimate imagery.
- Industry groups welcomed the delay, citing a lack of finalized technical standards needed for compliance.
- Digital rights advocates criticized the move, warning it leaves citizens exposed to algorithmic harms for another 16 months.
The European Union has officially blinked on the enforcement timeline for its flagship artificial intelligence regulation. Facing mounting pressure from industry and a backlog of unfinished technical standards, EU lawmakers reached a provisional political agreement on May 7, 2026, to delay the most stringent requirements of the AI Act.[2][6][11]
The legislative package, known as the "Digital Omnibus on AI," pushes the compliance deadline for "high-risk" AI systems back by 16 months. Originally scheduled to take effect on August 2, 2026, the core obligations for standalone high-risk systems will now bite on December 2, 2027.[3][8][9]
This delay represents a massive shift in the global AI governance landscape. The EU AI Act was widely heralded as the world's first comprehensive legal framework for artificial intelligence, designed to set a global standard—the so-called "Brussels Effect." However, the practical realities of implementing complex risk-management and auditing frameworks forced regulators to concede that the original timeline was unworkable.[2][5][10]
The delay primarily affects systems categorized under "Annex III" of the Act. These are standalone AI applications deployed in sensitive, high-stakes environments where algorithmic errors could significantly impact fundamental rights or physical safety.[3][7]
Annex III covers AI used for biometric identification, critical infrastructure management, educational admissions, and employment decisions such as automated resume screening or worker performance monitoring. It also includes systems used for credit scoring, life insurance pricing, law enforcement, and border control.[3][4][9]
Under the original August 2026 deadline, companies deploying these systems would have been required to implement rigorous data governance, maintain extensive technical documentation, ensure human oversight, and establish post-market monitoring. Those obligations are now legally deferred to the end of 2027.[4][6]
An even longer extension was granted to "Annex I" systems—AI embedded as safety components in products that are already subject to existing EU sectoral safety legislation. This category includes medical devices, industrial machinery, toys, and aviation systems.[2][10]
For these embedded systems, the compliance deadline has been pushed to August 2, 2028. The extended runway is intended to give the European Commission time to draft implementing acts that harmonize the AI Act's requirements with existing product safety laws, preventing a scenario where manufacturers face duplicative or conflicting regulatory audits.[5][9]
While the high-risk obligations have been delayed, the entire AI Act has not been paused. The legislation operates on a staggered enforcement schedule, and several foundational tiers of the framework are already active and legally binding.[4][9]
While the high-risk obligations have been delayed, the entire AI Act has not been paused.
As of February 2025, the EU's ban on "unacceptable risk" AI practices—such as social scoring systems, cognitive behavioral manipulation, and untargeted scraping of facial images—has been in full legal force. Similarly, obligations for providers of General-Purpose AI (GPAI) models, which include the large language models powering popular generative AI tools, took effect in August 2025.[1][2][4]
The Digital Omnibus also maintained a tight timeline for transparency rules governing AI-generated content. Under Article 50 of the Act, providers of generative AI must ensure that synthetic audio, video, and text are clearly identifiable and machine-readable.[1][5][9]
Lawmakers compressed the proposed grace period for these transparency rules, setting a firm compliance deadline of December 2, 2026. This means that any company shipping generative AI features into the EU market has only months left to implement robust watermarking and user-interface labeling.[2][8]
In addition to adjusting timelines, the Omnibus package introduced a new, immediate prohibition to address a rapidly escalating digital harm. Lawmakers voted to explicitly ban AI systems designed to generate non-consensual intimate imagery—commonly known as "nudifier" apps—as well as child sexual abuse material (CSAM).[5][7]
The inclusion of this ban was overwhelmingly supported by the European Parliament, passing by a vote of 569 to 45. It targets not only the use of such systems but also the act of placing them on the EU market without reasonable safeguards to prevent their misuse.[6][7][10]
The reaction to the Omnibus deal has been sharply divided. Enterprise compliance teams and industry groups have breathed a collective sigh of relief. Legal experts note that the original August 2026 deadline was looming while the European Commission had yet to publish the finalized harmonized standards required for compliance.[2][7][9]
Industry representatives argued that without these technical standards, companies were being asked to build compliance architectures in the dark, risking massive sunk costs if their interpretations misaligned with eventual regulatory guidance.[6][8][10]
Conversely, digital rights organizations and AI safety advocates have heavily criticized the delay. They warn that pushing back the high-risk rules by 16 months leaves European citizens exposed to algorithmic harms in employment, credit, and law enforcement without the Act's intended legal recourse.[7][11]
Critics argue that a regulation that gets delayed the moment enforcement approaches risks losing its credibility, potentially weakening the broader framework if companies assume future deadlines will also be flexible.[2][7]
Despite the political agreement reached in May, the Digital Omnibus still requires formal adoption by the Council and the European Parliament and publication in the Official Journal. This must occur before the original August 2, 2026, deadline; otherwise, the original statutory requirements will legally snap into place.[5][6][8]
How we got here
August 2024
The EU AI Act officially entered into force, starting the original 24-month countdown.
February 2025
Bans on 'unacceptable risk' AI practices, such as social scoring, became legally enforceable.
November 2025
The European Commission proposed the Digital Omnibus to simplify rules and delay high-risk obligations.
May 2026
The Council and European Parliament reached a provisional political agreement on the Omnibus package.
December 2026
The revised deadline for AI-generated content transparency and watermarking rules.
December 2027
The new enforcement date for Annex III high-risk AI systems.
Viewpoints in depth
Enterprise & Compliance Teams
Relieved by the delay, arguing the original timeline was unworkable without finalized technical standards.
Corporate legal departments and industry groups argue that the original August 2026 deadline was a recipe for chaos. Because the European Commission had not yet published the final 'harmonized standards'—the technical blueprints detailing exactly how to audit and log AI systems—companies were forced to guess at compliance. Industry advocates maintain that the 16-month delay prevents massive sunk costs and allows organizations to build robust, standardized risk-management frameworks rather than rushing untested policies.
Digital Rights & Safety Advocates
Critical of the delay, warning that it leaves citizens unprotected from algorithmic harms for another 16 months.
Civil society organizations and digital rights watchdogs view the Digital Omnibus as a capitulation to industry lobbying. They argue that pushing back the enforcement of high-risk rules leaves a dangerous governance gap. For the next year and a half, AI systems used in hiring, credit scoring, and law enforcement will operate without the strict oversight, human-in-the-loop requirements, and bias testing mandated by the Act. Critics warn that a regulation that delays its core provisions before they even take effect risks losing its global credibility.
EU Regulators
Framing the delay as a necessary simplification to ensure the law is practically enforceable.
For the European Commission and the newly established AI Office, the delay is a pragmatic compromise. Regulators recognized that enforcing the Act without the necessary technical infrastructure—such as national regulatory sandboxes and clear conformity assessment pathways—would lead to widespread non-compliance and legal challenges. By extending the timeline, regulators aim to ensure that when the rules do bite in 2027, they are backed by clear guidance, preventing the AI Act from becoming a purely theoretical framework.
What we don't know
- Whether the European Commission will finalize the necessary harmonized technical standards before the new 2027 deadline.
- How strictly national competent authorities will enforce the watermarking and transparency rules starting in December 2026.
- Whether the delay will cause regulatory fragmentation if individual member states attempt to enforce local AI safety laws in the interim.
Key terms
- Digital Omnibus on AI
- A legislative package agreed upon in May 2026 that simplifies the EU AI Act and delays its most complex compliance deadlines.
- Annex III High-Risk Systems
- Standalone AI applications used in sensitive areas like employment, education, credit scoring, and law enforcement.
- Annex I High-Risk Systems
- AI systems embedded as safety components in products already regulated by the EU, such as medical devices or machinery.
- Article 50 Transparency
- Rules requiring AI-generated content, such as deepfakes or synthetic text, to be clearly labeled and machine-readable.
- General-Purpose AI (GPAI)
- Highly capable AI models, such as large language models, that can perform a wide range of tasks and carry systemic risks.
- Harmonized Standards
- Official technical blueprints published by the EU that detail exactly how companies should audit, log, and secure their AI systems to achieve compliance.
Frequently asked
Has the EU AI Act been delayed?
Yes. Under the Digital Omnibus agreement, the compliance deadlines for 'high-risk' AI systems have been pushed back to December 2027 and August 2028.
Are any AI rules currently enforced in the EU?
Yes. Bans on 'unacceptable risk' AI (like social scoring) and obligations for General-Purpose AI (GPAI) models are already active.
When do AI watermarking rules take effect?
Transparency rules requiring the labeling and watermarking of AI-generated content will take effect on December 2, 2026.
What is a 'nudifier' app?
It is an AI system used to generate non-consensual explicit images of real people. The Omnibus agreement explicitly bans these applications.
What happens if a company ignores the new deadlines?
Once enforced, breaches of the high-risk AI requirements can result in fines of up to €15 million or 3% of a company's global annual turnover.
Sources
Source coverage
11 outlets
3 viewpoints surfaced
[1]European CommissionEU Regulators
Timeline for the Implementation of the EU AI Act
Read on European Commission →[2]VerifyWiseEnterprise & Compliance Teams
The Digital Omnibus Delay: What the New EU AI Act Timeline Means
Read on VerifyWise →[3]Travers SmithEnterprise & Compliance Teams
EU AI Act: High-risk compliance deadlines pushed back
Read on Travers Smith →[4]Augment CodeEnterprise & Compliance Teams
EU AI Act Timeline: What Enforces on August 2, 2026
Read on Augment Code →[5]Gibson DunnEnterprise & Compliance Teams
Digital Omnibus on AI: High-Risk AI Obligations Delayed to 2027 and 2028
Read on Gibson Dunn →[6]ProskauerEnterprise & Compliance Teams
EU AI Act: Political Agreement Reached on the Digital Omnibus
Read on Proskauer →[7]EU PerspectivesDigital Rights & Safety Advocates
Parliament backs delay to high-risk AI rules, push 'nudifier' app ban
Read on EU Perspectives →[8]DLA PiperEnterprise & Compliance Teams
The Digital Omnibus on AI: High-risk compliance deadline deferred
Read on DLA Piper →[9]ModulosEnterprise & Compliance Teams
Has the EU AI Act been delayed? Yes, here is the new timeline
Read on Modulos →[10]Bird & BirdEnterprise & Compliance Teams
Digital Omnibus on AI: Trilogue collapse and the final compromise
Read on Bird & Bird →[11]Factlen Editorial TeamEU Regulators
Synthesis by Factlen editorial team
Read on Factlen Editorial Team →
Every angle. Every day.
Get ai stories with full source coverage and perspective breakdowns delivered to your inbox.