← All Posts

EU AI Omnibus: They Delayed the Deadline — Don't Celebrate Yet

Matthias Bruns · · 5 min read
eu ai act ai governance compliance regulation

The Commission Blinked

In February 2026, the European Commission published its Digital Omnibus proposal — a legislative package that, among other things, pushes back the enforcement dates for high-risk AI systems under the EU AI Act.

The new timeline:

  • Annex III high-risk systems (credit scoring, HR screening, law enforcement): delayed from August 2026 to no later than December 2027.
  • Annex I high-risk systems (safety components in regulated products): delayed from August 2027 to August 2028.

The reason? Harmonised standards aren’t ready. National authorities haven’t been designated. Conformity assessment bodies are still being set up. The infrastructure for enforcement doesn’t exist yet.

In short: the regulators aren’t ready to regulate.

Why This Isn’t a Free Pass

If your reaction is “great, we can push AI governance to next year” — think again.

The EDPB and EDPS joint opinion on the Omnibus makes the tone clear: the data protection authorities are uncomfortable with these delays. They explicitly warned that postponement may “harm fundamental rights and undermine legal certainty.” They’d prefer the original timeline to remain in place.

Here’s what this means practically:

  1. The GPAI rules already apply. General-purpose AI model obligations — transparency, documentation, copyright compliance — took effect in August 2025. The AI Office can begin enforcement from August 2026. That’s five months away.

  2. The Omnibus is a proposal, not law. It still needs European Parliament and Council approval through trilogues. The final timeline could change in either direction.

  3. NIS2 deadlines are converging. The Cybersecurity Act 2 and amended NIS2 Directive proposals are open for feedback until April 2026. If your AI systems touch critical infrastructure, you’re dealing with overlapping regulatory waves.

  4. Your customers won’t wait. Enterprise procurement teams are already including AI Act compliance in RFPs. “We’ll be ready by 2027” isn’t going to win deals in 2026.

What the Omnibus Actually Changes

Beyond the timeline shift, the proposal makes substantive changes worth understanding:

Sensitive Data for Bias Detection — Expanded

Currently, you can only process special category data (ethnicity, health, etc.) for bias detection in high-risk systems under strict necessity. The Omnibus would extend this to all AI systems and lower the threshold from “strictly necessary” to “necessary and proportionate.”

The EDPB pushes back hard here — they see this as weakening GDPR safeguards. If you’re building AI systems that touch sensitive categories, expect this provision to be heavily debated.

Registration Duties — Loosened

The current AI Act requires all Annex III systems to register in the EU high-risk database, even if a provider self-classifies them as non-high-risk under Article 6(3). The Omnibus would remove this for self-classified non-high-risk systems.

The EDPB strongly opposes this, arguing it reduces visibility and incentivises “overly optimistic self-assessment.” Translation: companies will classify themselves out of obligations if given the chance.

EU-Level AI Sandboxes — New

The proposal creates EU-level regulatory sandboxes run by the AI Office. National sandboxes already existed, but cross-border sandboxes could help smaller companies test AI systems without navigating 27 different regulatory environments. The catch: data protection authority involvement isn’t explicitly required, which the EDPB wants fixed.

VLOPs Get Central Oversight

AI systems integrated into very large online platforms (VLOPs/VLOSEs) would move under the AI Office’s exclusive supervision. This centralisation makes sense — nobody wants 27 national authorities independently auditing the same platform’s AI.

What Smart Teams Should Do Now

The extra runway is a gift, but only if you use it. Here’s the play:

1. Lock Down Your AI Inventory

You can’t comply with rules you can’t map. Most companies still don’t have a clear picture of which AI systems they run, where they got the models, and what data they process. Start here.

2. Build Governance Foundations Now

Risk assessments, documentation templates, human oversight procedures — this stuff takes months to get right in practice. The organisations that’ll be ready by late 2027 are the ones starting in Q1 2026, not Q1 2027.

3. Watch NIS2 Convergence

If your AI touches critical infrastructure sectors (energy, transport, health, finance), NIS2 obligations are arriving on a parallel track. Your compliance architecture needs to handle both.

4. Engage with the Omnibus Process

The proposal is open for trilogues throughout 2026. Industry input shapes the final text. If a specific provision affects your business, now is the time to make your position known — through trade associations, consultations, or direct engagement.

5. Don’t Bet on Further Delays

The Commission already extended once. Another push-back is politically difficult. Plan for December 2027 as a hard stop, and build buffer into your timeline.

The Bottom Line

The EU AI Omnibus is an honest acknowledgment that the regulatory infrastructure isn’t where it needs to be. The Commission chose pragmatism over symbolic enforcement — which, frankly, is the right call. Enforcing rules nobody can verify benefits no one.

But the direction hasn’t changed. The AI Act will be enforced. The question was never if, only when and how strictly.

Companies that treat this delay as extra preparation time will come out ahead. Companies that treat it as permission to ignore AI governance will have a very expensive 2027.

Your call.

Reader settings

Font size