EU’s Digital Omnibus proposes major delay to AI Act high-risk rules

The European Commission has launched its new ‘Digital Package,’ a set of legislative and policy proposals aimed at making digital business operations easier and reducing regulatory burdens for companies across the EU. According to the Commission’s FAQ page, the package is designed to support innovation, scaling and administrative cost savings for EU businesses, particularly in areas such as data access, cybersecurity, and artificial intelligence.

The European Commission has officially unveiled its Digital Omnibus, confirming sweeping adjustments to the EU’s digital rulebook and, crucially, proposing to postpone the obligations of the AI Act. According to the Commission’s FAQ on the Digital Package, the omnibus is part of a broader effort to ‘streamline’ existing laws, reduce compliance costs and create a more innovation-friendly environment.

Under the Commission’s plan, the high-risk requirements associated with AI systems listed in Annex III of the AI Act would no longer take effect in August 2026 as originally planned. Instead, companies would have until the end of 2027 to comply. For high-risk AI linked to sectorally regulated products under Annex I, such as medical devices, machinery and aviation systems, the deadline would shift even further, to August 2028. These delays are framed as part of the Digital Omnibus’ rationale: giving businesses more time to adjust while the EU simplifies overlapping rules across data, cybersecurity and AI.

However, the proposed delay comes with a major catch. It remains uncertain whether the omnibus will be adopted before the existing AI Act deadlines kick in. If political negotiations extend beyond August 2026, enforcement of high-risk AI obligations would technically be possible during this unresolved period, raising questions about whether regulators might pursue infringements that could later be ‘pardoned’ retroactively.

The Commission has also reserved the right to accelerate, rather than delay, the start of the high-risk regime. If Brussels concludes that adequate compliance tools exist, such as harmonised standards, common specifications or official guidance, it could bring the rules into force much earlier. In that scenario, high-risk AI in Annex III would need to comply within six months, and Annex I systems within one year of the Commission’s decision. Businesses, therefore, face a moving target: even once the omnibus is agreed, the Commission could decide that the compliance clock should start sooner.

The Digital Omnibus sits within a broader package of measures intended to simplify digital regulation and support innovation across the EU economy. It includes the Data Union Strategy, model contractual terms for cloud services and cross-border data sharing, and new ‘Business Wallets’ designed to reduce administrative burdens. The Commission estimates these measures could save companies up to €5 billion in administrative costs by 2029, but the AI component of the omnibus is already emerging as its most contentious element.

In practice, companies developing or deploying high-risk AI systems now face more uncertainty than clarity. They do not yet know when the AI Act’s core obligations, covering risk management, transparency, data-governance standards and post-market monitoring, will actually apply. And even after co-legislators reach a deal, the Commission retains the power to move deadlines again based on its assessment of the maturity of the compliance ecosystem.

Why does it matter?

The bottom line. The proposed delay may ease immediate pressure on industry, but it introduces a new layer of unpredictability to Europe’s AI regulatory landscape. Until the entire Digital Omnibus is negotiated, passed and potentially adjusted again, businesses will have no firm date for when the most demanding parts of the AI Act will truly begin to bite.
