What the delay means
The Digital Omnibus gives regulated companies a tempting sentence to repeat in meetings: high-risk AI obligations only land in December 2027.
Many will read that sentence as permission to wait, but the operating picture already says something else.
Deadlines move budgets, staffing plans, board attention, and the internal politics of who gets to own a new compliance problem. A sixteen-month shift changes the rhythm of implementation, but regulated institutions do not live by one calendar. They live inside overlapping regimes, supervisory priorities, audit trails, vendor contracts, risk committees, and the slow evidence of what the company actually did before someone asked for proof.
The EU failed to finalize the standards and support measures in time, which bought companies more time to build cleanly. The institutions that use that time well will not treat AI governance as a 2027 project.
The EU AI Act in Seven Moves
Brussels decides AI will not stay abstract
The Commission proposes a horizontal AI law, and the basic idea is simple enough: sort systems by risk, ban the worst uses, and make the serious uses carry a serious governance record.
What the Act demands
The European Union's Artificial Intelligence Act, formally Regulation (EU) 2024/1689, is the first comprehensive AI law that regulates the technology across sectors instead of one industry at a time. It sorts AI systems by risk: unacceptable, high, limited, minimal.
Article 5 prohibited practices are the Act's banned category, and they have applied since 2 February 2025. They include harmful manipulative or exploitative techniques, certain forms of social scoring, untargeted scraping for facial-recognition databases, certain emotion-recognition uses in workplaces and schools, and some predictive-policing practices. The ban is real, but some categories carry narrow statutory exceptions.
High-risk AI systems, listed in Annexes III and I of the Act, are systems whose failure or misuse could cause significant harm to health, safety, or fundamental rights. Examples include AI in employment decisions, essential public and private services (including credit scoring), law enforcement, and the administration of justice (Annex III), and AI embedded in regulated products like medical devices, machinery, and vehicles (Annex I).
Both categories must have a structure in place for risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity.
Limited-risk AI systems are those that interact with humans or generate content in ways that could mislead without proper disclosure, such as chatbots and AI-generated or manipulated image, audio, video, or text content, including deepfakes. For these, the user has to be told they are interacting with AI or viewing AI-generated content.
Article 50 of the Act is titled "Transparency Obligations for Providers and Deployers of Certain AI Systems". Paragraph (2) establishes the watermarking obligation, which requires providers of AI systems generating synthetic audio, image, video, or text to mark those outputs in a machine-readable format and ensure they are detectable as artificially generated or manipulated. Paragraph (4) puts the deployer-side obligation on deepfakes specifically, and a parallel obligation applies to AI-generated text published to inform the public on matters of public interest, except where the content has undergone human review or editorial responsibility has been assumed by a natural or legal person.
Minimal-risk AI is everything else, such as spam filters, AI in video games and basic recommendation engines. These are largely unregulated under the Act, though they remain subject to other applicable law (GDPR, sectoral rules, consumer protection).
General-purpose AI models sit outside the four-risk taxonomy. These are models trained on broad data and capable of competently performing a wide range of tasks regardless of the domain in which they are eventually deployed.
The architecture matters because it turns AI governance into an operating problem, not only a legal classification exercise. The work lands across legal, compliance, risk, engineering, procurement, human resources, and the business line; in other words, a firm cannot answer the Act with one policy, one committee, or one vendor questionnaire.
The territorial scope is also broader than the usual shorthand suggests. The Act reaches providers placing AI systems on the EU market, deployers established or located in the EU, and providers or deployers whose AI system output is used in the EU. In sum, if the AI touches a European customer, employee, or counterparty, the firm should not assume the issue belongs somewhere else.
Why the standard travels
Simply put, the Brussels Effect.
By definition, it is the EU's ability to set rules that companies operating across borders adopt worldwide rather than maintain two systems.
The clearest example was the General Data Protection Regulation (GDPR). Once the European privacy regime began to apply in May 2018, global firms with European exposure had to decide whether privacy would be managed as a regional exception or as a global baseline. Many chose the baseline because the alternative was operationally ugly: two audit trails, two explanations, two sets of controls, and a permanent question about why one group of people receives weaker protection than another.
AI is moving into the same kind of operating logic. The United Kingdom, Singapore, Brazil, and the United States are not copying the EU word for word. Even so, the grammar is converging: inventory the systems, classify the risk, govern the data, document who can decide what, monitor the model, and explain where the human being sits.
For multinational institutions, that convergence gives the AI Act its force even before every provision applies. It becomes the reference point for building the internal architecture once, instead of rebuilding the same architecture every time another regulator catches up.
What changed
On 7 May 2026, the Council of the European Union and the European Parliament reached provisional political agreement on the Digital Omnibus on AI. Under the agreement, the obligations for standalone Annex III high-risk systems will apply from 2 December 2027.
The obligations for high-risk AI systems embedded in regulated products will apply from 2 August 2028. Article 50(2) sits on a shorter track: the agreement gives providers until 2 December 2026 to implement the technical measures for marking AI-generated audio, image, video, and text in a machine-readable and detectable format.
A delayed deadline changes how quickly institutions need to finalize specific AI Act controls, especially where the compliance program depends on standards that are still being completed.
The deeper implementation problem remains the same. A firm still has to know which AI systems it uses, where those systems sit in the business, what data they touch, who owns the decision, which third parties sit underneath them, and what evidence would show that the system has been governed rather than merely purchased.
The provisional agreement still requires formal adoption by the European Parliament and the Council, and the Official Journal has not yet published the amendments. Until that happens, the original deadlines remain the legally binding ones.
What is already live
Article 4 AI literacy has applied since 2 February 2025:
"Providers and deployers of AI systems shall take measures to ensure (…) AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf (…)"
It might sound soft on paper, but it can become an evidentiary burden once a company has to explain who touched the system, what they knew, what they were trained to understand, and what the company told them about the system's limits, risks, and escalation path.
A company cannot create that record the moment a regulator asks for it. Training logs, escalation paths, role-based guidance, and actual usage discipline need time to become real.
Article 5 prohibited practices have also applied since 2 February 2025. That means the Act's banned category is already live, even if the high-risk compliance stack has moved.
General-purpose AI provider obligations began applying on 2 August 2025. They include maintaining documentation about the model's training, testing, and evaluation and keeping it available for authorities; complying with EU copyright law, such as respecting opt-outs of text and data mining; and publishing a sufficiently detailed summary of the content used for training the model, using a template provided by the AI Office.
Enforcement powers for general-purpose AI providers will attach from 2 August 2026. The Commission will have authority to require providers to give documentation, training information, and explanations; to conduct or commission evaluations of GPAI models, including access to the model for testing; and to require providers to take corrective action where compliance gaps are found.
Fines under the EU AI Act are up to 3% of global annual turnover or €15 million, whichever is higher, and become enforceable on 2 August 2026.
Between 2 August 2025 and 2 August 2026, the GPAI obligations are live, but the Commission's direct GPAI enforcement powers have not yet attached.
Providers still need to comply during that window because the record they create before 2 August 2026 can become the record the Commission examines once its GPAI supervisory powers and penalty authority attach.
The market has started pricing compliance during this window. Downstream deployers integrating GPAI into high-risk systems need the upstream information from GPAI providers to meet their own obligations, and providers who don't deliver get cut out of downstream deals.
Article 111(3) gives providers of general-purpose models placed on the market before 2 August 2025 until 2 August 2027 to comply. That legacy runway does not move Article 50 transparency obligations, which remain on their own schedule.
The supervisor can get there first
The AI Act is not the only doorway into AI governance. Banks, insurers, and large employers already operate under regimes that let supervisors examine risk management, outsourcing, operational resilience, automated decision-making, and worker or customer protection before the high-risk AI Act deadline arrives.
GDPR Article 22 already gives people the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them. GDPR Article 35 already requires a Data Protection Impact Assessment before processing likely to result in high risk to the rights and freedoms of natural persons.
The Digital Services Act (DSA), Regulation (EU) 2022/2065, the EU's framework for online platforms and intermediary services, designates Very Large Online Platforms and Very Large Online Search Engines (VLOPs and VLOSEs) and imposes systemic risk assessment duties under Article 34 and risk mitigation duties under Article 35.
For banks, the European Banking Authority (EBA) internal governance rules require firms to govern material activities, which means a firmwide AI deployment cannot be treated as a side experiment. The same logic runs through the EBA outsourcing rules for third-party providers. The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, which governs ICT risk, third-party ICT risk, and operational resilience for financial entities, has applied since 17 January 2025.
The NIS2 Directive, Directive (EU) 2022/2555, the EU's cybersecurity framework for essential and important entities, set a transposition deadline of 17 October 2024 and governs cybersecurity risk management and incident reporting in sectors that include digital infrastructure, ICT service management, public administration, and others. For covered entities, AI tools used in cybersecurity, or AI systems whose failure creates ICT exposure, can become part of the NIS2 risk-management and incident-reporting record.
The Medical Device Regulation (MDR), Regulation (EU) 2017/745, and the In Vitro Diagnostic Regulation (IVDR), Regulation (EU) 2017/746, already govern AI used in medical devices and in vitro diagnostics. Annex I of the AI Act lists both regimes as carrying the high-risk obligations once the AI Act deadlines apply.
National employment and labor regulators across Member States already supervise AI used in recruitment, performance evaluation, and termination through standing labor law and national data protection law, and several Member States have added rules specifically on algorithmic decision-making in employment.
A supervisor does not need to wait for the high-risk AI Act deadline to ask whether a company knows what its models are doing, who owns the decision, what vendor sits underneath it, and what happens when something breaks.
What the extra time is for
Companies with serious AI exposure must already operate governance under the standing regimes. By 2027, the strongest institutions will be showing how the program has been operating through system inventories, decision-rights matrices across Legal, Compliance, Risk, Engineering, Human Resources, Procurement, and the business line, contractual allocation across the AI value chain under Article 25, data-flow discipline against GDPR Article 5 and AI Act Article 10, incident-response playbooks, and AI literacy programs by role.
Inventory
Maintain a central register of AI systems with owner, use case, deployment status, data provenance, model dependencies, and risk tier. Update it at procurement, release, material change, and decommissioning.
Sources: NIST AI 600-1 (July 2024); European Commission internal use of AI factsheet (October 2025).
Mapping
Map who acts as provider, deployer, controller, processor, joint controller, vendor, or downstream operator, then preserve the decision boundaries in DPIAs, contracts, system specifications, and supplier reviews.
Sources: ICO Data Protection Audit Framework, AI toolkit (October 2024); NIST AI 600-1 (July 2024).
Literacy
Give staff role-specific AI, data protection, and oversight training before access or responsibility, then retain completion evidence, assessment results, refresh dates, and non-completion follow-up.
Sources: ICO Data Protection Audit Framework, Accountability toolkit (October 2024); NIST AI 600-1 (July 2024).
Human-in-the-Loop
Require qualified reviewers to intervene at defined risk thresholds, record overrides, capture reasons, and report review outcomes to accountable management or governance owners.
Source: ICO Data Protection Audit Framework, AI toolkit, Human review (October 2024).
Most of that work will happen in meetings, registers, vendor files, training records, and governance minutes, which is exactly why the extra time matters. It gives institutions room to make the system real before the legal deadline becomes the easy headline.
Use the time to build the record while the standards catch up to the law.
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), Official Journal of 12 July 2024. Articles cited include 4 (AI literacy), 5 (prohibited practices), 10 (data and data governance), 25 (responsibilities along the AI value chain), 50 (transparency obligations for providers and deployers of certain AI systems), 99 (penalties), 111(3) (legacy carve-out for general-purpose AI models), 113 (entry into force and application), Annex I, and Annex III. eur-lex.europa.eu
- European Parliament press release, "AI Act: deal on simplification measures, ban on 'nudifier' apps," 7 May 2026. europarl.europa.eu
- Council of the EU press release, "Artificial intelligence: Council and Parliament agree to simplify and streamline rules," 7 May 2026. consilium.europa.eu
- European Commission press release IP/26/1024, "Commission welcomes political agreement on simpler, innovation-friendly rules for artificial intelligence," 7 May 2026. ec.europa.eu
- European Commission, "Digital Omnibus on AI Regulation Proposal," 19 November 2025. digital-strategy.ec.europa.eu
- European Commission, "Code of Practice on marking and labelling of AI-generated content." digital-strategy.ec.europa.eu
- ECB Banking Supervision, "Supervisory priorities for 2026 to 2028." bankingsupervision.europa.eu
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), in particular Articles 20 to 23 (cybersecurity risk-management measures and reporting obligations). Transposition deadline 17 October 2024.
- Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services (Digital Services Act), in particular Articles 33 to 35 on designation of VLOPs and VLOSEs and on systemic risk assessment and mitigation.
- Regulation (EU) 2017/745 (Medical Device Regulation) and Regulation (EU) 2017/746 (In Vitro Diagnostic Regulation). Both regimes are listed in Annex I of the AI Act as carrying high-risk obligations when the AI Act deadlines apply.
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act, DORA), applicable from 17 January 2025.
- Regulation (EU) 2016/679 (General Data Protection Regulation), in particular Articles 5 (principles relating to processing of personal data), 22 (automated individual decision-making, including profiling), and 35 (data protection impact assessment).
- This article was updated on 27 May 2026. The Digital Omnibus agreement remained subject to formal adoption by the European Parliament and the Council, and to publication in the Official Journal of the European Union, as of that date.