EU Moves To Delay Full Enforcement Of AI Act Under New Digital Omnibus Package

The European Commission proposed delaying several core compliance deadlines under the EU AI Act as part of a broader “Digital Omnibus” package intended to align and simplify EU digital regulations. The measures would postpone the Act’s strictest requirements, including those covering high-risk AI systems, by more than a year beyond the original schedule.

Key Changes to Enforcement Timelines

Under the EU AI Act, adopted in 2024, high-risk systems, such as those used in credit scoring, biometric identification, recruitment, and medical devices, were required to comply by August 2026 (Annex III) and by August 2027 for systems embedded in regulated products (Annex I).

The Commission’s new proposal revises these deadlines to:

  • Annex III: High-risk AI systems, December 2027.
  • Annex I: Regulated products, August 2028. This assumes harmonized standards are not yet in place.

Once standards or official guidelines are available, obligations may take effect six months after publication for Annex III systems and 12 months after publication for Annex I systems.

The Digital Omnibus package also introduces administrative streamlining measures to reduce overlap across the AI Act, GDPR, and other digital policy frameworks.

Rationale for the Delay

The Commission stated that additional time is needed to finalize technical standards, develop conformity-assessment mechanisms, and ensure that national authorities can consistently supervise and enforce the law. Officials warned that prematurely enforcing high-risk requirements without these elements could result in fragmented national implementation and non-compliance.

Industry groups support the extension, arguing that the original timeline posed operational challenges for healthcare, finance, manufacturing, and other sectors deploying high-risk AI. Companies noted that documentation, model testing, and oversight requirements require significant preparation.

Concerns Raised by Lawmakers and Civil Society

Consumer protection and digital rights organizations expressed concern that the delay weakens core protections intended to prevent the deployment of biased or unsafe AI. Critics argue that slower enforcement may disproportionately benefit large technology providers, who can scale AI systems in sensitive domains before full obligations take effect.

Some EU lawmakers also questioned the use of an omnibus legislative package, noting that bundling multiple regulatory adjustments could limit scrutiny typically applied to major policy changes.

Implications for Businesses

The Commission emphasized that the postponement should not be viewed as an opportunity to defer compliance planning. Pending standards, potential early activation of obligations, and ongoing rulemaking mean timelines could still shift.

Organizations developing or deploying high-risk AI are expected to continue preparations, including documentation, risk assessment procedures, and data governance controls. The Commission said it aims to simplify compliance for small and medium-sized enterprises, though details are not finalized.

Next Steps

The proposal must first be approved by both the European Parliament and the Council. Several Members of Parliament have already signaled caution about reopening the newly enacted AI Act. The final timeline will depend on legislative negotiations and the pace at which technical standards and supervisory frameworks are completed.

If adopted, the revised schedule would represent a significant adjustment to Europe’s flagship AI regulatory framework, extending the implementation runway while maintaining the option of earlier enforcement where standards are ready.