The Digital Omnibus defers the EU AI Act high-risk obligations to December 2027 — but Article 50 transparency and GPAI enforcement still land on 2 August 2026.

On 29 June the Council of the EU gave its final approval to the Digital Omnibus — the single package of amendments through which Brussels is revising its digital rulebook — and the countdown that European compliance teams had been running toward 2 August 2026 ended with a calendar edit. The high-risk obligations of the EU AI Act — the ones covering credit scoring, insurance pricing and the rest of Annex III — now apply from 2 December 2027. Publication in the Official Journal is expected this month, weeks ahead of the deadline it replaces.
The relief is real, and institutions that spent the spring in triage mode have earned it. But the headline most of the coverage settled on — the AI Act is delayed — is the least useful reading of what happened. Two of the Act's August dates survived the omnibus untouched, and both land in three weeks.
The omnibus defers the obligations for stand-alone high-risk systems under Annex III from 2 August 2026 to 2 December 2027. AI embedded in products regulated under Annex I gets until 2 August 2028. For financial services, that covers the classifications that matter most: creditworthiness assessment and credit scoring under point 5(b) — the systems examined in our look at AI in credit decisioning — and risk assessment and pricing in life and health insurance under 5(c).
The reasons for the deferral are institutional rather than substantive. Member states were late designating national competent authorities; the harmonised standards that high-risk conformity work depends on were unfinished. The obligations themselves — risk management, data governance, technical documentation, human oversight, logging — emerge from the omnibus intact. The readiness gaps we described in June are the same gaps; what changed is the runway.
Brussels moved the date because the enforcement infrastructure was behind, and that is worth registering precisely: this was a deferral of capacity, and reading it as a softening of intent would be a misreading.
Two tracks were deliberately left on the original schedule:
Article 50 breaches carry the same ceiling under Article 99. And a further date now sits in the calendar: the omnibus added new prohibited practices to Article 5, applying from 2 December 2026.
For a financial institution, the August obligations arrive at the most customer-visible layer of the AI estate. The call-centre assistants and service chatbots that institutions have spent two years deploying are precisely the systems Article 50 addresses. The compliance work is mostly design work — a disclosure at the start of a conversation, marking in the content pipeline — and for most institutions it is light. The harder question is the same one the high-risk track keeps asking: does the institution know, with confidence, every place a customer currently interacts with a model? An Article 50 review tends to become an inventory exercise, and the inventory is the artefact regulators ask for first in any AI conversation.
The GPAI track is narrower but sharper. An institution that consumes models is largely a spectator to it; an institution that fine-tunes an open-weight model and passes it onward can inherit provider-like duties of its own — and from August, the enforcement behind those duties has teeth.
Marketing functions deserve a mention too. A content operation generating synthetic imagery or AI-drafted commentary on public-interest topics acquires labelling and editorial-review obligations that most communications policies were written before anyone imagined.
The deferral changes the quality of the work available. Six weeks buys triage; sixteen months buys the deliberate version of the same programme — a complete inventory, classification rationale written to be read, Annex IV documentation assembled per system rather than reconstructed under pressure. The harmonised standards should mature inside the window, which means institutions starting now get to build against the final specification rather than a moving one.
The counterweight is equally factual. Regulatory reviews continue through the deferral period, and AI questions have already migrated into DORA reviews, prudential conversations and thematic work — those questions are measured against the Act's expectations regardless of its application date. Personal accountability for AI outcomes stays where it was, attached to named individuals rather than to deadlines. And a programme paused in July 2026 restarts in mid-2027 with a new team, a colder file and seventeen months of estate growth to re-inventory. The institutions that treat December 2027 as the finish line of a steady programme will spend less, in total, than the ones that treat it as the new date to begin.
The omnibus redrew the calendar. It did not redraw the direction of travel — and the two obligations it left in August are a reasonable indication of how Brussels expects institutions to spend the interval. If your institution is deciding what its August obligations actually touch, or what a sixteen-month programme should look like from here, that is a conversation we have often.
Related reading:
Sources: Council of the EU press releases (7 May and 29 June 2026), European Commission AI Act guidelines and Code of Practice on Transparency (10 June 2026), Regulation (EU) 2024/1689 Articles 5, 50, 99 and Annex III.
Stop renting generic models. Start building specialized AI that runs on your infrastructure, knows your business, and stays under your control.