EU AI Act Deadline Extension Explained: The Digital Omnibus, Dec 2 2027, and Aug 2 2028

The EU AI Act deadline extension agreed on May 7, 2026 is the most consequential change to the Act since it was adopted. It does not gut high-risk obligations. It moves the cliff back and narrows a few definitions. If you have been planning around the August 2, 2026 deadline, you now have roughly 16 extra months for stand-alone high-risk AI systems and roughly two extra years for AI built into safety-regulated products. That extra runway is real. It is also conditional.

This is the practitioner version. What the Digital Omnibus on AI actually changes. Which Annex III categories now align with December 2, 2027. Which product-safety categories slide to August 2, 2028. Why watermarking was pulled separately. What did not move. And the trap most teams will walk into if they assume the delay means a pause.

What was decided on May 7 2026

The European Parliament and the Council of the EU reached a provisional political agreement on the Digital Omnibus on AI, a targeted amendment to the EU AI Act that extends the high-risk AI system compliance deadlines and softens a small number of related obligations (Latham & Watkins). The agreement is part of the broader EU Digital Omnibus legislative package the European Commission published on November 19, 2025 to simplify the bloc's digital rulebook (White & Case).

The agreement is provisional. It still needs formal adoption by Parliament and Council, which was expected before August 2, 2026 to avoid the original high-risk rules biting in the meantime (Latham & Watkins). The Commission also published draft guidance on AI Act transparency obligations the same day (Skadden). That guidance is not binding. National regulators will do the primary enforcement.

The new dates, by category

There are two delays and one carve-out. The rest of the calendar is unchanged.

Stand-alone high-risk AI systems: December 2 2027

AI systems that fall under Annex III of the EU AI Act, meaning biometrics, critical infrastructure, education, employment, law enforcement, migration, access to essential public and private services, and administration of justice, now have a compliance deadline of December 2, 2027 (Latham & Watkins). The original date was August 2, 2026. That is a 16-month extension.

This category includes most of what people actually mean when they say high-risk AI. CV-screening tools, credit scoring, biometric verification at borders, AI used in social benefits determinations, AI that proctors exams. If you sell into Annex III scenarios, your runway just moved.

Product-safety AI: August 2 2028

AI systems that act as a safety component of a product, or are themselves products, governed by EU health and safety harmonisation legislation now have a compliance deadline of August 2, 2028 (White & Case). That covers medical devices under the MDR/IVDR, personal protective equipment, vehicles and watercrafts, toys, and lifts. The original date was August 2, 2027.

Watermarking: December 2 2026

Article 50(2) watermarking and machine-readable marking obligations for AI-generated content shift to December 2, 2026 (Latham & Watkins). That is only four months later than the original August 2, 2026 date. For generative AI systems placed on the EU market before August 2, 2026, the watermarking obligation does not bite until December 2, 2026 under a grandfathering rule.

What was NOT delayed

This is where teams get sloppy. The Omnibus delay is narrow. Several obligations are unchanged.

Article 5 prohibitions on social scoring, subliminal manipulation, untargeted scraping of facial images, and real-time remote biometric identification in public spaces have been in force since February 2, 2025. None of that moves (Latham & Watkins).

Article 50 transparency obligations other than the watermarking carve-out still apply from August 2, 2026 (Skadden). That includes chatbot disclosure under Article 50(1), emotion-recognition and biometric-categorisation disclosure under Article 50(3), deepfake disclosure under Article 50(4), and the public-interest text disclosure under Article 50(4). If you run a chatbot, deploy synthetic media, or publish AI-generated news content into the EU, August 2, 2026 is your live date. See our Article 50 transparency guide for the full breakdown.

GPAI model obligations have been in effect since August 2, 2025. They are unchanged (Debevoise). AI literacy obligations under Article 4 also remain in force, though the Omnibus softens their scope.

Penalties did not move either

The penalty tiers in Article 99 are unchanged. Article 5 prohibited-practice violations carry fines of up to €35 million or 7% of total annual worldwide turnover, whichever is higher. Article 50 transparency and watermarking violations carry fines of up to €15 million or 3% of total annual worldwide turnover (Latham & Watkins).

The new prohibition on nudifier applications, AI tools that generate non-consensual intimate imagery or child sexual abuse material, also kicks in December 2, 2026 and falls into the €35M / 7% tier.

Article 6(1) was not carved out. It was delayed.

There was speculation through April 2026 that Article 6(1), the clause that pulls AI-as-safety-component into the high-risk regime, would be removed altogether. That did not happen. Article 6(1) still applies and an AI system is classified as high-risk under it if it is a safety component of a product covered by EU harmonisation legislation in Annex I and is required to undergo third-party conformity assessment (artificialintelligenceact.eu — Article 6). The compliance deadline for those Art. 6(1) systems is what moved, to August 2, 2028 (White & Case).

The Omnibus did narrow the definition of safety component. AI that merely assists users or optimises performance without creating health or safety risks will no longer automatically be subject to high-risk obligations (Travers Smith). The carve-out is narrow and the Commission can still expand it through delegated acts. Machinery products that are already regulated under the Machinery Regulation are exempt from the AI Act directly. AI-related health and safety measures for machinery will instead be introduced through delegated acts under the Machinery Regulation (Latham & Watkins).

Grandfathering: the rule most people will miss

A stand-alone high-risk AI system placed on the EU market before December 2, 2027 will not be subject to HRAIS requirements unless it undergoes a substantial modification after that date (Latham & Watkins). The same logic applies with an August 2, 2028 cutoff for product-safety component HRAIS. Generative AI systems placed on the market before August 2, 2026 must comply with watermarking only by December 2, 2026.

"Substantial modification" is doing a lot of work in that sentence. The AI Act's definition is broad. Significant changes to intended purpose, performance, or behaviour generally count. Routine model retraining within an authorised PCCP-style change plan generally does not. If you plan to lean on grandfathering, document your version baselines now and treat material model changes after the cutoff as triggering events.

Why the delay happened

Two public reasons. First, the Commission had not yet issued the harmonised standards and guidance that providers need to actually implement HRAIS requirements (Latham & Watkins). Standards from CEN-CENELEC JTC 21 were running behind schedule, and the AI Office's guidance and templates for Annex IV technical documentation, post-market monitoring, and fundamental rights impact assessments were not in final form. Second, the delay was framed as part of the broader November 2025 Digital Omnibus simplification package (White & Case).

The political read is straightforward. European industry, particularly in Germany, France, and the Nordics, pushed hard for breathing room. Technical and operational reality caught up.

What changed beyond the dates

A handful of substantive softening provisions made it into the Omnibus alongside the delay.

The SME simplified compliance framework was extended to cover companies with up to 750 employees and €150 million in annual revenue (Latham & Watkins). The original threshold was much lower. This pulls a significant slice of European mid-market companies into the relaxed regime.

The Omnibus clarified that organisations may use GDPR special category data where strictly necessary to detect and correct AI bias, subject to a necessity test (Travers Smith). That resolves a real tension between GDPR Article 9 and the AI Act's bias-testing expectations under Article 10. See our GDPR Article 22 vs EU AI Act guide for how those two regimes overlap.

Registration was partly reinstated. Providers who consider their Art. 6(3) systems exempt from high-risk classification must still register them in the EU database, though with reduced information requirements (IAPP).

What you should actually do this quarter

Do not stop. Re-time.

If you are mid-stream on a fundamental rights impact assessment, finish it. The Omnibus reduced FRIA scope slightly but the underlying obligation survives. If you have a draft Annex IV technical documentation file, polish it. The harmonised standards behind those files are still being finalised. The work is not wasted.

The immediate-priority list:

1. Confirm whether each of your AI systems is Annex III stand-alone, Article 6(1) product-safety, or neither. The two delay tracks diverge on August 2, 2028.
2. Lock down which systems will be on the EU market before December 2, 2027 so you can claim the grandfathering benefit. Inventory the model versions.
3. Treat Article 50 transparency as live. August 2, 2026 is real for chatbot disclosure, deepfake disclosure, and public-interest AI text. Watermarking gets the December 2, 2026 extension, nothing else does.
4. Continue GPAI documentation if you fine-tune or deploy general-purpose models. Those obligations are unchanged.
5. Update your conformity assessment plan. Notified bodies were stretched even with the original timeline. The delay buys you a slot, not infinite slots.

If you want a system-by-system view of what each Article 50 obligation requires, our Article 50 transparency deep dive walks through chatbot disclosure language, the watermarking technical requirements, and the deepfake artistic-content exception. For the broader picture, our EU AI Act compliance checklist for 2026 and EU AI Act framework page tie everything together.

One last point. The Omnibus is a political agreement. Until Parliament and Council formally adopt it, the original deadlines technically still apply. Few teams should bet on the agreement collapsing this late in the process. But it is worth tracking the formal adoption vote so your compliance calendar moves at the right moment, not the wrong one.

References

1. Latham & Watkins. AI Act Update: EU Resolves to Change Rules and Extend Deadlines. May 13, 2026. https://www.lw.com/en/insights/ai-act-update-eu-resolves-to-change-rules-and-extend-deadlines
2. White & Case. EU agrees Digital Omnibus deal to simplify AI rules. May 14, 2026. https://www.whitecase.com/insight-alert/eu-agrees-digital-omnibus-deal-simplify-ai-rules
3. Skadden. AI Act State of Play. May 12, 2026. https://www.skadden.com/insights/publications/2026/05/ai-act-state-of-play
4. Debevoise Data Blog. EU AI Act Omnibus Agreed: More Time, Limited Substantive Change. May 8, 2026. https://www.debevoisedatablog.com/2026/05/08/eu-ai-act-omnibus-agreed-more-time-limited-substantive-change/
5. Travers Smith. EU agrees to delay key AI Act compliance deadlines. May 8, 2026. https://www.traverssmith.com/knowledge/knowledge-container/eu-agrees-to-delay-key-ai-act-compliance-deadlines/
6. IAPP. EU agrees to amend AI Act, clarifies overlap with machinery rules. May 7, 2026. https://iapp.org/news/a/eu-agrees-to-amend-ai-act-clarifies-overlap-with-machinery-rules
7. artificialintelligenceact.eu. Article 6 — Classification rules for high-risk AI systems. https://artificialintelligenceact.eu/article/6/
8. European Commission. Regulatory framework for AI. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai