EU AI Act: The deadline moved, the work didn't

The Digital Omnibus postponed the high-risk obligations. Why that's no reason to relax, and what the extra time is actually worth.

For months, many companies were anchored to one date: 2 August 2026, the cut-off for the EU AI Act’s high-risk obligations. With the Digital Omnibus (provisional agreement in May 2026), that date has moved: standalone high-risk obligations to December 2027, embedded product systems to August 2028. If your AI roadmap was built around “comply by August 2026, no matter what,” you can exhale.

But you shouldn’t switch off.

In short: The Digital Omnibus postpones the high-risk obligations, not the work. The early-applicable duties still stand, and no moved deadline closes the gap between model, organization and operation.

EU AI Act timeline: bans and AI literacy in force since February 2025, GPAI obligations since August 2025, high-risk obligations standalone from December 2027 and embedded from August 2028.

What hasn’t changed

Three things still apply, some of them already today:

Prohibited practices (Art. 5) and the AI literacy duty (Art. 4) have been applicable since February 2025. No grace period.
GPAI obligations have applied since August 2025.
The ceiling on penalties, up to €35M or 7% of global annual turnover, remains the hard backdrop of every conversation.

So the deadline moved. The workload for a high-risk system did not: risk management, data governance, logging, human oversight, robustness and the technical documentation don’t materialize in the week before the cut-off. They take shape over months, tightly woven into how a system is built and run.

Why “more time” is deceptive

Most AI initiatives fail on the gap between model, organization and operation. Regulation is rarely the real reason. A postponed deadline doesn’t move that gap; it only delays the moment it becomes visible. Companies that switch to “wait and see” now will face the same mountain in 2027, just with less runway.

There is more: governance set up shortly before the deadline is bolted onto a finished system. That is expensive and creates friction. Build it early, as part of development, and you end up with a better product that meets the requirements anyway.

What the extra months are worth

Inventory and classification. Which AI systems are in use, and which risk class do they fall into? More than half of companies can’t answer that today. It’s the basis for everything else, and you can start this afternoon.
Governance as part of delivery. Logging, data governance, model lifecycle and human-in-the-loop are jobs for the build team, with legal closely involved. Build them as part of product development and you end up with a better system that also happens to be compliant.
Capability over compliance theatre. The Art. 4 duty is real and overdue. Role-based enablement, from the board through the business units to the works council, is the lever that makes adoption possible in the first place. It pays off regardless of the deadline.

The board checklist

Four questions a board should be able to answer today:

Do we have a complete inventory of our AI systems, with risk class?
Who owns AI governance, and is that role backed by mandate and resources?
Can we demonstrably meet the AI literacy duty in force since February 2025?
Do we build logging and human oversight into our systems, or bolt them on later?

Bottom line

The Digital Omnibus is an opportunity, not a free pass. The companies that invest the extra time in durable governance instead of a panic checklist won’t be scrambling in 2027, and will have AI that runs in production and is carried by the organization along the way.

The deadline moved. The work didn’t.