EU AI Act Digital Omnibus: What the 2027 Deferral Actually Means

On 19 November 2025, the European Commission tabled the Digital Omnibus — a legislative package amending several EU digital regulations simultaneously to reduce compliance burdens, particularly for smaller organisations. For anyone with an EU AI Act compliance roadmap, one amendment stands above everything else: the high-risk deadline moved, and it moved significantly.

---

What the Digital Omnibus Is

The Digital Omnibus is a Commission proposal (COM(2025) 820) that amends multiple EU digital-economy regulations in a single instrument — among them Regulation (EU) 2024/1689, the EU AI Act. Its stated rationale is that harmonised standards and supervisory guidance for high-risk AI systems were not ready in time for organisations to comply with the original August 2026 date. Rather than hold companies to obligations they could not practically demonstrate, the Commission proposed, and the European Parliament and Council agreed, to push the high-risk deadlines out.

Political agreement between Parliament and Council was reached on 7 May 2026. Formal adoption is expected before 2 August 2026. Treat these dates as settled; the political agreement is authoritative for planning purposes even before the Official Journal publication.

---

The Two New High-Risk Deadlines

The Digital Omnibus converts what were originally backstop transition provisions into fixed, binding application dates:

2 December 2027 — Stand-alone high-risk AI systems. These are AI systems that fall into Annex III of the Act directly: systems used for recruitment and HR decisions (Annex III, point 4), creditworthiness assessment and credit scoring (point 5(b)), biometric identification and categorisation (point 1), critical infrastructure safety (point 2), education and vocational training (point 3), access to essential public and private services (point 5), law enforcement (point 6), migration and border control (point 7), and administration of justice and democratic processes (point 8).

2 August 2028 — High-risk AI systems that are safety components of products already covered by EU product safety legislation listed in Annex I of the Act (medical devices under MDR/IVDR, machinery, toys, lifts, and others). These systems follow the Annex I product-integration route under Article 6(1), with an integrated conformity assessment and the longer deadline.

Both dates replace the original 2 August 2026 date. You may reference 2 August 2026 only as the date that has been superseded — never as a current high-risk deadline.

---

What Did Not Change

The deferral is precise. Three earlier milestones remain untouched:

Article 5 prohibitions — 2 February 2025 (already in force). The Act's banned practices have been live for over a year. Systems that conduct social scoring by public authorities (Article 5(1)(c)), manipulate users through subliminal techniques (5(1)(a)), exploit vulnerabilities of specific groups (5(1)(b)), make predictions of offending based solely on profiling (5(1)(d)), scrape facial images from the internet or CCTV at scale (5(1)(e)), infer emotions in the workplace or educational settings (5(1)(f)), classify individuals on sensitive characteristics from biometric data (5(1)(g)), or conduct real-time remote biometric identification in public spaces for law enforcement except in narrowly permitted cases (5(1)(h)) — these are already prohibited. Maximum fine: €35,000,000 or 7% of worldwide turnover, whichever is higher (Article 99(3)). The Digital Omnibus does not touch Article 5.

GPAI obligations — 2 August 2025 (already in force). Chapter V of the Act, covering general-purpose AI models, applied from August 2025. Article 53 imposes baseline obligations on all GPAI model providers: technical documentation, downstream information for deployers, a copyright policy, and a summary of training data. Article 55 adds heavier requirements for providers of systemic-risk GPAI models — model evaluation, adversarial testing, incident reporting to the AI Office, cybersecurity measures. The Digital Omnibus high-risk deferral does not affect Chapter V. If your organisation provides or integrates a GPAI model, those obligations are live now.

Article 50 limited-risk transparency — 2 August 2026 (unchanged). This provision requires disclosure when users interact with AI systems (chatbots, voice interfaces), when AI generates synthetic media (deepfakes, AI-generated text in contexts of public interest), and when systems use emotion recognition or biometric categorisation. Article 50 applies from 2 August 2026. The Digital Omnibus did not defer it.

Article 4 AI literacy — 2 February 2025 (already in force). All organisations deploying AI must ensure staff have sufficient AI literacy for their roles. No threshold, no size exemption, no extension.

---

The Revised Timeline at a Glance

---

Why the Deferral Happened

The official reasoning matters for understanding what the Commission expects now. Harmonised technical standards under the Act were not adopted by the time they were needed for providers to conduct conformity assessments against them. The AI Office's supervisory guidance and the templates for technical documentation under Annex IV were also later than planned. Extending the deadline was an acknowledgement that the regulatory infrastructure was not ready, not a signal that the underlying obligations are less serious.

The Commission was explicit: this is time to prepare, not time to defer. The deferral does not reduce the Article 11 / Annex IV technical documentation pack you must produce, the Article 9 risk management system you must maintain, the Article 14 human oversight mechanisms you must design, or the Article 43 conformity assessment you must complete before your system goes to market. It gives you more runway. It does not give you a shorter track.

---

What It Means in Practice

Documentation takes months. For a single high-risk AI system — say, an HR tool that screens job applications (Annex III, point 4(a)) — the Article 11 / Annex IV technical documentation alone requires capturing the system's general description, design specifications, development methodology, training data governance under Article 10, risk management records under Article 9, post-market monitoring plan under Article 72, and an Annex V EU Declaration of Conformity under Article 47. If you have ten AI systems that touch Annex III use cases, the work is parallel, not sequential.

The deferral shifted 2 December 2027 from "imminent" to "eighteen months out" — but only as of late 2025. Today, as of June 2026, it is eighteen months away. A realistic high-risk compliance programme for a mid-sized organisation takes twelve to eighteen months to execute: inventory and classification, risk management system design, data governance review, technical file drafting, internal conformity assessment, registration in the EU AI database under Article 49. That leaves no margin if you start in late 2026.

Companies that treated August 2026 as their deadline and had already started preparation are in a stronger position than those who treated the deferral as permission to restart the clock. If you were building documentation and then paused when the Omnibus was announced, resume.

---

Classification Is Still the First Step

The Omnibus does not change how systems are classified. Article 6 and Annex III remain the classification gateway. A system that falls into an Annex III area is high-risk — subject to the Article 6(3) filter, which lets providers argue a system is not high-risk if it does not pose a significant risk of harm and meets one of four defined conditions (narrow procedural task; improving a previously completed human activity; detecting patterns without replacing human assessment; preparatory work). Any system that profiles natural persons is always high-risk regardless.

Getting classification right is still the first task, and it is the most consequential. A provider who misclassifies a high-risk system as limited-risk faces the full non-compliance penalty under Article 99(4): up to €15,000,000 or 3% of worldwide annual turnover, whichever is higher. The deferral does not reduce that exposure — it only moves the date by which you must be compliant.

---

How Confir Helps

Confir's classification module encodes Article 6 and the full Annex III logic as deterministic rules. You answer plain-English questions about your system's purpose and context; Confir derives the risk tier and your role (provider under Article 16 or deployer under Article 26) from those answers. The same intake always produces the same finding — reproducible, human-readable, audit-defensible.

Once a system is classified as high-risk, Confir drives the structured documentation programme: the Article 9 risk management records, the Article 11 / Annex IV technical documentation pack, the Article 27 Fundamental Rights Impact Assessment for qualifying deployers, and the Article 47 / Annex V EU Declaration of Conformity — all in one workflow, priced from €600/year.

---

Frequently Asked Questions

What is the Digital Omnibus and what did it change for the EU AI Act? The Digital Omnibus is a European Commission proposal (19 November 2025) amending several EU digital regulations simultaneously. For the EU AI Act, it moved the high-risk compliance deadline from 2 August 2026 to 2 December 2027 for stand-alone Annex III systems and to 2 August 2028 for high-risk AI embedded in Annex I regulated products. Political agreement between Parliament and Council was reached on 7 May 2026; formal adoption is expected before 2 August 2026.

Does the deferral apply to Article 5 prohibited practices? No. Article 5 prohibitions have been in force since 2 February 2025. The Digital Omnibus did not extend or modify that timeline. If any system in your portfolio touches the prohibited categories — social scoring, subliminal manipulation, real-time remote biometric ID in public spaces for law enforcement outside permitted exceptions, and others — it requires immediate attention.

Does the 2 December 2027 deadline cover all high-risk AI systems? No. It covers stand-alone Annex III systems only. High-risk AI that is a safety component of a product regulated under Annex I of the AI Act (medical devices, machinery, toys, and others) follows the Annex I product route under Article 6(1) and has a separate deadline of 2 August 2028.

Were GPAI obligations extended by the Digital Omnibus? No. Chapter V obligations — Articles 51–55 — applied from 2 August 2025 and were not deferred. Providers of general-purpose AI models with systemic risk (classified under Article 51, including the 10²⁵ FLOP presumption) are subject to the full Article 55 stack now. The deferral applies only to the high-risk AI regime.

Is the Article 50 transparency obligation for chatbots and deepfakes affected? No. Article 50 applies from 2 August 2026, unchanged. If you operate a chatbot, voice assistant, or any system that generates synthetic audio, video, or text in public-interest contexts, the disclosure duties apply from that date regardless of the Omnibus deferral.

Does the extension mean we should slow down preparation? No. Chapter III compliance for a high-risk system requires an Article 9 risk management system, Article 10 data governance, Article 11 / Annex IV technical documentation, Article 14 human oversight mechanisms, an Article 43 conformity assessment, and Article 49 registration. For an organisation with multiple Annex III systems, that work takes at least twelve months. Starting later compresses the runway, increases costs, and raises the risk of errors in documentation that a market-surveillance authority could flag.

---

Related guides

• high-risk AI systems compliance requirements
• Articles 6–29 obligations checklist
• provider and deployer obligations template