EU AI Act delayed: what the Digital Omnibus to 2027 really means
The EU is stretching the AI Act through the Digital Omnibus: high-risk obligations move to December 2027, AI embedded in products to August 2028. What stays, what is merely deferred, and why "delayed" does not mean "gone".
In short
Through the Digital Omnibus, the EU has deferred the application of the AI Act's high-risk obligations: for Annex III systems from August 2026 to 2 December 2027, and for AI embedded in regulated products to 2 August 2028. Prohibitions, GPAI duties and the labelling of AI content stay. It is a timeline stretch plus simplification, not the end of the law. Those who wait now will build under time pressure in 2027.
Auf Deutsch lesen: deutsche Fassung
The EU AI Act was billed as the world's most ambitious AI rulebook. Now it is being stretched in time and freed from overlapping requirements through the so-called Digital Omnibus. Many headlines read like an all-clear. That is the wrong lesson. What moves are mainly the deadlines for high-risk systems, the risk-based core stays, and in places Brussels is even tightening.
What has actually changed
The official reason for the deferral is that the necessary tools were missing: harmonised standards were not ready and national authorities not fully designated. On top came significant industry pressure. What moves and what stays, at a glance:
| Obligation | Before | Status after Omnibus |
|---|---|---|
| High-risk AI (Annex III, e.g. employment, education, biometrics) | from 2 August 2026 | deferred to 2 December 2027 |
| AI in regulated products (Annex I, e.g. machinery, lifts) | staggered | deferred to 2 August 2028 |
| Prohibited practices | since 2 February 2025 | remain unchanged |
| AI literacy obligation (Art. 4) | since 2 February 2025 | downgrade proposed, officially still applies |
| GPAI obligations (general-purpose models) | since 2 August 2025 | remain in force |
| Labelling of AI content (towards Art. 50) | in progress | Code of Practice, if anything moving forward |
Worth being precise: the downgrade of the AI literacy obligation is part of the Omnibus proposal, on the Commission's official AI Act page the obligation still applies as of February 2025. So "abolished" would be wrong, "to be downgraded" is correct.
Why the delay happened
It was driven by an open letter from around 46 European corporations calling for a two-year stop, including names such as ASML, SAP and Siemens, with political backing from Germany for an exemption of industrial AI. The Siemens CEO made public that most of a billion-euro investment in industrial AI would go to the United States if the AI Act is not adapted. That unrealistic deadlines and missing standards are being stretched is understandable, not a scandal but a dose of realism.
The wrong lesson: delayed means done
Turning this into "let's just wait" is a mistake for three reasons. First, prohibitions and GPAI duties already apply, and a new ban on non-consensual deepfakes was even added. Second, the real pressure does not hang on Brussels alone: customers, supply chains, liability and insurers ask for evidence regardless of any deadline. Third, December 2027 arrives faster than mid-sized companies think, and building a robust management system takes months, not days.
The right lesson: build on a system, not on a date
Precisely because the rules drift with the political wind, it is a mistake to build your AI system to a Brussels date. What is robust is a management system to ISO/IEC 42001: it makes you audit-ready independent of the exact deadline and adapts whether the rules tighten or loosen. Governance then is a capability, not a box ticked on a date. And speed needs guardrails, not bureaucracy: ISO 42001 enables speed with provability, instead of banning speed or racing blind.
In short: the AI Act gains more time, not less relevance. Those who build their AI management system now are ahead whether the rules loosen or tighten. How that looks in your organisation, we clarify in a free initial call.
Frequently asked questions
Has the EU AI Act been repealed or suspended?+
No. The Digital Omnibus mainly stretches the deadlines for high-risk AI and removes overlapping requirements. Prohibited practices, GPAI duties and the labelling of AI content stay, and the risk-based core of the law remains in force.
By when must high-risk AI systems meet the requirements?+
For stand-alone high-risk systems under Annex III, application is deferred to 2 December 2027, and for AI embedded in regulated products under Annex I to 2 August 2028. As of June 2026, proceedings ongoing.
Does the AI literacy obligation still apply?+
Officially the AI literacy obligation under Article 4 still applies as of 2 February 2025. The Digital Omnibus proposes to downgrade it for providers and deployers, but that is not yet adopted. Regardless of the obligation, AI literacy is in every company's own interest.
What should companies do now?+
Do not wait for 2027. Building an AI management system to ISO/IEC 42001 takes months and makes you audit-ready independent of the exact deadline. Those who start now stay ahead of every rule change.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 16 June 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.