EU AI Act Deadlines Shift: Omnibus Package Extends High-Risk Compliance to 2027–2028
Target Audience: Compliance Officers, AI Governance Leads, Legal Counsel
Category: Regulatory Update / Compliance
Executive Summary:
The European Parliament has adopted its negotiating position on the Digital Omnibus package, which proposes targeted amendments to the AI Act deadlines . High-risk Annex III systems now have until December 2, 2027, and sectoral product safety systems until August 2, 2028. However, transparency obligations for generative AI begin November 2, 2026, and the August 2026 enforcement wave is still active. Critically, a potential loophole exists: high-risk systems placed on the market before the deadlines may fall outside obligations unless substantially modified.
Evidence Tier: Secondary Verified (Stephenson Harwood law firm analysis of European Parliament action)
What’s Changing
The European Parliament has adopted its negotiating position on the European Commission’s “Digital Omnibus” package, which proposes to amend the AI Act .
The text is not yet law. Trilogue discussions (European Parliament, Council of the EU, European Commission) begin April 28, 2026 .
But the direction is clear: deadlines are extending for some obligations, but NOT all.
Updated Deadlines
| Obligation Category | New Proposed Deadline | Original Landscape |
|---|---|---|
| GPAI (general-purpose AI) transparency and copyright | Still August 2026 | No change |
| Generative AI content transparency (machine-readable detection) | November 2, 2026 | New date |
| High-risk Annex III systems (biometrics, critical infrastructure, education, employment, law enforcement, etc.) | December 2, 2027 | Extended |
| EU sectoral product safety regimes (medical devices, radio equipment, toy safety) | August 2, 2028 | Extended |
The Critical Loophole (and Risk)
The law firm Stephenson Harwood highlights a potential key issue in their analysis of the Omnibus package :
“A potential key issue arises from the combination of delayed application dates and non-retrospective operation of the AI Act. High-risk AI systems placed on the market before the relevant deadlines would generally fall outside the high‑risk obligations, unless they are subsequently substantially modified. This could incentivise providers to deploy high‑risk systems ahead of late 2027, with the effect that such systems may remain in use without being brought within the full scope of the AI Act’s high‑risk regime.”
Translation: There is now a window to rush high-risk AI systems to market before December 2027 and potentially avoid compliance obligations for the life of those systems (absent major modifications).
This is not a compliance strategy. This is a risk creation strategy.
New Prohibition: “Nudifier” Apps
The European Parliament has also backed an explicit prohibition on “nudifier” AI systems that generate or manipulate realistic sexually explicit or intimate images of identifiable persons without consent, with narrow exceptions for effective technical safeguards that prevent misuse .
What Hasn’t Changed
The August 2026 enforcement wave is still active. Organizations that have been preparing for:
-
GPAI provider obligations
-
Copyright disclosures
-
Fundamental rights impact assessments for high-risk systems (even if enforcement is delayed)
…must continue on track. Delaying compliance because deadlines shifted is a governance failure.
Actionable Compliance Roadmap
| Timeline | Action |
|---|---|
| Immediate – August 2026 | GPAI transparency and copyright obligations. Generative AI content must be machine-readable and detectable as artificially generated by November 2, 2026 . |
| August – November 2026 | Implement content provenance and detection systems. |
| 2027 | Complete high-risk Annex III compliance assessments. Systems placed on market in 2027 will be subject to delayed deadlines but should be built compliant now. |
| 2028 | Sectoral product compliance for medical devices, radio equipment, etc. |
The Bottom Line for CISOs and Compliance Officers
Do not treat deadline extensions as permission to slow down. The compliance burden is not reduced—only the enforcement clock moved. Organizations that build compliant now will have market advantage over those who rush non-compliant systems to market before the deadlines.
Second-order risk: If you acquire or integrate a system placed on market before December 2027 that was rushed to avoid compliance, you inherit that risk when that system is “substantially modified” or when your use case triggers obligations independently.