Digital Omnibus: The EU Simplification Package That Moved the AI Act's High-Risk Deadline
Digital Omnibus: the EU package that agreed to defer high-risk Annex III duties to 2 December 2027. What it is, its status, and what it leaves untouched.
The Digital Omnibus is an EU simplification package — a single legislative instrument that amends several existing EU digital-economy laws at once to cut compliance burden. Among its measures, it agreed to defer the EU AI Act's stand-alone high-risk Annex III obligations from 2 August 2026 to 2 December 2027. That re-timing is what most people mean when they reference the Digital Omnibus, but the package itself is broader and, as of June 2026, it is not yet law.
This page defines the term, explains why it is called an "omnibus", sets out exactly what it changes in Regulation (EU) 2024/1689, and states its current legal status. It is a definition page, not a full walkthrough of the deferral mechanics — that lives on the sibling deep-dive linked at the end.
What is the Digital Omnibus?
One-paragraph definition
The Digital Omnibus is an EU simplification package: one legislative instrument that bundles amendments to multiple separate EU digital-economy laws into a single bill, with the aim of reducing overlapping compliance burden. For the EU AI Act specifically, its load-bearing measure is a re-timing of the high-risk application dates — it agreed to push the stand-alone high-risk Annex III obligations from 2 August 2026 to 2 December 2027, and the product-embedded high-risk obligations from 2 August 2027 to 2 August 2028.
The package touches several EU digital files, not just the AI Act. For the purposes of this page, the change that matters is the AI Act re-timing — so the term is defined broadly first, then narrowed to the Regulation (EU) 2024/1689 angle that brings most readers here.
Why it is called an "omnibus"
In EU law-making, an "omnibus" is a single bill that carries amendments to several separate laws at once, rather than a stand-alone reform of one statute. The Latin sense — "for all" — captures it: one vehicle, many passengers. The Digital Omnibus bundles changes across multiple EU digital-economy regulations into one instrument, with the EU AI Act being just one of the laws it touches.
That bundling is the defining feature of the term. It signals a package of simultaneous amendments aimed at trimming compliance burden across files, not a dedicated AI Act reform. When you read "Digital Omnibus", read "one bill amending many laws" — the AI Act content is the headline, not the definition.
What does the Digital Omnibus change in the EU AI Act?
The headline change — high-risk deferral
The single most-cited change is the high-risk deferral. Stand-alone high-risk systems — those classified through the Article 6(2) route by reference to the Annex III use-case list — are agreed to move from 2 August 2026 to 2 December 2027.
A second, separate date sits alongside it. High-risk AI embedded as a safety component of an Annex I regulated product — the Article 6(1) route — is agreed to move from 2 August 2027 to 2 August 2028. Two routes, two dates: keep them apart when you plan.
These are fixed calendar dates, not a standards-contingent trigger. An earlier "stop the clock" variant would have tied the high-risk start date to the availability of harmonised standards, leaving the deadline open-ended. That variant was rejected. You cannot assume a further slip if the standards are late.
Stand-alone vs product-embedded high-risk
Frame the deferral correctly: it re-times when the obligations bite, not what they require. The substance is identical — only later.
| Classification route | Where it sits | Original date | Agreed new date |
|---|---|---|---|
| Stand-alone high-risk (Article 6(2)) | Annex III use-case list (e.g. recruitment) | 2 August 2026 | 2 December 2027 |
| Product-embedded high-risk (Article 6(1)) | Safety component of an Annex I product | 2 August 2027 | 2 August 2028 |
The Article 9 risk-management system, the Article 10 data-governance measures, and the Article 11 / Annex IV technical documentation are the same duties they always were. The Digital Omnibus does not soften any of them. It moves the start line, not the finish standard.
Is the Digital Omnibus law yet?
No. As of June 2026 it is agreed but not enacted.
Agreed vs enacted
The Digital Omnibus reached provisional political agreement on 6-7 May 2026, and COREPER confirmed the text around 13 May 2026. That is a political deal, not a binding instrument. The new dates do not yet have legal force.
The three remaining steps
Three steps remain before the new dates bind: a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal of the European Union. Until Official Journal publication, Article 113 of Regulation (EU) 2024/1689 is unchanged on paper — the statute legally still reads 2 August 2026 for stand-alone high-risk Annex III systems.
Which date you plan against today
Plan against 2 August 2026 until the deferral is enacted. Treat 2 December 2027 as the agreed-but-not-yet-binding target, and build toward it as if it might not arrive — because, on the statute as written, it has not.
What does the Digital Omnibus NOT change?
The deferral is narrow. It touches only the high-risk application dates. Everything else in the timeline stands.
Obligations already in force
The Article 5 prohibited practices have applied since 2 February 2025 and were not touched. The Article 4 AI literacy obligation — also in force since 2 February 2025 — was not deferred. General-purpose AI model obligations under Articles 51–55 have applied since 2 August 2025 and were not deferred either. "The AI Act was delayed" is misleading shorthand; the prohibitions, literacy duty, and GPAI rules are live regardless of the Omnibus.
A new 2 December 2026 date the package adds
Not everything moved later. The package also adds near-term obligations landing 2 December 2026 — a new CSAM / "nudifier" prohibition and Article 50 content-marking and watermarking duties. So the Digital Omnibus delays some things and accelerates others; treating it as a blanket delay is inaccurate.
The penalty architecture under Article 99 is unchanged. Breaches of the Article 5 prohibitions carry fines up to €35 million or 7% of total worldwide annual turnover, whichever is higher (Article 99(3)). Most other obligation breaches carry up to €15 million or 3% (Article 99(4)). Supplying incorrect, incomplete or misleading information to authorities carries up to €7.5 million or 1% (Article 99(5)). For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount.
Digital Omnibus at a glance: agreed dates vs binding law
The before-and-after table
| Obligation | Original statutory date | Agreed new date | Current legal status (June 2026) |
|---|---|---|---|
| Article 5 prohibitions | 2 February 2025 | unchanged | Binding, in force |
| Article 4 AI literacy | 2 February 2025 | unchanged | Binding, in force |
| GPAI obligations (Articles 51–55) | 2 August 2025 | unchanged | Binding, in force |
| CSAM/nudifier ban + Article 50 content-marking | new | 2 December 2026 | Agreed, not yet law |
| High-risk Annex III stand-alone (Art 6(2)) | 2 August 2026 | 2 December 2027 | Agreed; statute still reads 2 Aug 2026 |
| High-risk Annex I product-embedded (Art 6(1)) | 2 August 2027 | 2 August 2028 | Agreed, not yet law |
How to read the legal-status column
"Binding, in force" means missing the obligation is current non-compliance — enforceable today. "Agreed, not yet law" means the new date has political agreement but no Official Journal publication and is not enforceable as written.
The load-bearing caveat, restated: until publication, the old statutory dates remain binding — including 2 August 2026 for stand-alone high-risk Annex III. The agreement is real, but agreement is not law.
Worked example: what the Digital Omnibus means for one company
The company and its AI systems
Northwall Talent is a 140-person EU recruitment-software company. Its flagship product is an automated CV-screening and candidate-ranking tool that employers use to filter and order job applicants.
Which date applies to which system
The CV-screening tool sits in Annex III, point 4 (employment and recruitment) and is a stand-alone high-risk system under Article 6(2). Its agreed application date is 2 December 2027. But the binding statutory date today remains 2 August 2026 until the Omnibus is enacted — so Northwall plans against 2 August 2026 and treats December 2027 as a contingent extension, not a certainty.
The Digital Omnibus reached provisional political agreement on 6-7 May 2026 (COREPER confirmed the text around 13 May 2026), but as of June 2026 it is not yet law — it still needs a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal.
What is live for Northwall now, regardless of the deferral: Article 4 AI literacy for staff (since February 2025), and Article 50 transparency where candidates interact with the system. If any feature crosses an Article 5 line — say, inferring emotions of applicants in the workplace — it is already unlawful, today, with no grace period.
The takeaway: the deferral gives Northwall more runway to build the Article 11 / Annex IV technical file and the Article 9 risk-management records — not permission to pause. A realistic high-risk programme runs many months, and because the date is fixed rather than standards-contingent, there is no open-ended cushion to fall back on.
How Confir helps
Confir's classification workflow asks structured, plain-English questions about each AI system your organisation builds or operates, then derives the obligations and the dates that attach to it. For a stand-alone high-risk Annex III system, it surfaces both the agreed 2 December 2027 target and the binding 2 August 2026 statutory date, so you plan against the right one. The engine is deterministic and rule-based — no model inference, no hallucination — so the same intake produces the same finding, with every Article and Annex cited back to Regulation (EU) 2024/1689.
Related terms
- how the 2027 high-risk deferral works in detail
- whether the EU AI Act is actually delayed
- what counts as a high-risk AI system
- the full EU AI Act deadline list
- the EU AI Act implementation timeline
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →