EU AI Act regulation document on a conference table with a calendar showing December 2027 and compliance checklist items visible alongside it

EU AI Act Digital Omnibus 2026: High-Risk AI Deadlines Extended to December 2027 and August 2028

New compliance timelines for AI systems in sensitive sectors

The EU Digital Omnibus on AI shifts the high-risk AI obligations significantly. For European companies, this means more preparation time, but also a mandate to build compliance foundations now.

Summary

On May 7, 2026, the EU adopted the Digital Omnibus on AI, establishing new compliance deadlines for high-risk AI systems. Standalone high-risk systems under Annex III must comply by December 2, 2027, while embedded systems under Annex I have until August 2, 2028. At the same time, transparency requirements for AI-generated content take effect earlier than expected, starting August 2026. 78 percent of mid-market companies are still unprepared, and penalties remain high at up to EUR 35 million or seven percent of global annual revenue.

The High-Risk Deadline Has Moved - But Not Disappeared

On May 7, 2026, the European Parliament and Council formally agreed the Digital Omnibus on AI. The package extends the compliance dates for high-risk AI by 16 months for Annex III systems and by roughly two years for Annex I systems. The European Parliament had approved the measure by a vote of 569 to 45 on March 26, 2026. The primary reason for the delay is that technical harmonised standards from CEN/CENELEC have not yet been finalised, making conformity assessment against a stable benchmark impossible for many companies.

Dec. 2, 2027
New deadline for Annex III systems
Aug. 2, 2028
New deadline for Annex I systems
EUR 35 million
Maximum fine for non-compliance
78%
Mid-market firms without compliance readiness
6-18 months
Typical conformity assessment duration
569 to 45
Parliament vote for the Omnibus

The extension is a practical response to structural bottlenecks, not a relaxation of the underlying obligations. Companies that use the additional time to build governance frameworks and documentation practices will be positioned well. Those that treat the extension as a reason to pause will face the same preparation gap in 2027 that existed in 2026.

Annex I and Annex III: Which Systems Are Affected

The EU AI Act distinguishes between two categories of high-risk systems. Annex III covers standalone AI applications in sensitive domains. Annex I covers AI embedded within regulated products that are already subject to their own safety legislation. Each category has a distinct compliance path and deadline.

Category Affected Systems New Deadline Note
Annex III Biometrics, HR tools, credit scoring, law enforcement, critical infrastructure, education, border control Dec. 2, 2027 Deadline may trigger earlier once standards are available (6-month window)
Annex I AI in medical devices (MDR), machinery, elevators Aug. 2, 2028 Dual-regulation: AI Act plus product safety law
GPAI / Generative AI ChatGPT-like models, AI content tools From Aug. 2026 New models immediately, existing systems by Dec. 2026

Timeline of key dates

August 2026

Watermarking obligation for new generative AI systems

All new generative AI systems must label AI-generated content from this date. The 4 percent penalty applies to violations.

December 2026

Existing generative AI systems must add watermarking

Systems already deployed before August 2026 must retrofit content labelling by this date.

December 2, 2027

Annex III high-risk systems must be fully compliant

Standalone high-risk systems including biometrics, HR, credit scoring, and law enforcement must meet all obligations under Articles 9-15.

August 2, 2028

Annex I high-risk systems must be fully compliant

AI embedded in regulated products such as medical devices and industrial machinery must satisfy both the AI Act and the relevant sectoral safety regulation.

What Already Applies from August 2026

The extended deadlines for high-risk AI do not move every obligation forward. Several requirements from the AI Act take effect in August 2026 regardless of the Omnibus. Companies that focus only on the December 2027 date risk missing near-term compliance obligations that carry their own penalties.

AI Labeling

All new generative AI systems must label AI-generated content from August 2026. This covers text, images, audio, and video produced by AI. Existing systems deployed before August 2026 have until December 2, 2026 to retrofit watermarking. Violations carry a penalty of up to 4 percent of global annual revenue.

Article 4 Competency

Companies must ensure that all staff who use or develop AI systems have adequate AI competencies. This obligation applies to providers and deployers alike. It requires documented training programmes and competency checks, not a general awareness campaign.

Prohibited AI

The ban on the most harmful AI applications has been in effect since February 2025 and is unchanged by the Omnibus. Real-time biometric surveillance in public spaces, social scoring by public authorities, and AI that exploits psychological weaknesses to manipulate behaviour are prohibited. Non-compliance carries penalties of up to EUR 35 million or 7 percent of global turnover.

Immediate action required: The August 2026 deadline is less than 70 days away. Companies using generative AI in communications, marketing, or customer interactions need a watermarking solution in place now. Waiting until after the deadline to implement labelling is not an option.

European Perspective: Readiness Gap and SME Relief

Research published by Hilker Consulting in May 2026 shows that the majority of European mid-market companies have not yet built the compliance infrastructure required under the AI Act. The data reveals structural gaps across all three foundational readiness indicators.

Without compliance readiness 78%
Without an AI registry 83%
Without named AI compliance responsibility 74%

Source: Hilker Consulting, May 2026.

Bitkom, the leading German digital industry association, welcomed the Omnibus as a step toward planning certainty. At the same time, it criticised the documentation requirements as excessive for mid-size firms, arguing that the level of detail required by Annex IV creates disproportionate administrative burdens for companies that have limited legal and compliance resources.

SME relief provisions

The Omnibus includes targeted relief for smaller businesses. Companies with no more than 750 employees or no more than EUR 150 million in annual revenue qualify for simplified documentation requirements. This does not change the compliance deadlines, but reduces the volume and detail of technical documentation required. The European Commission is required to publish standardised templates and practical guidance specifically for SMEs before the December 2027 deadline.

SME threshold

Simplified documentation applies to companies with up to 750 employees or up to EUR 150 million in annual revenue. Check whether your organisation qualifies and adjust your documentation planning accordingly.

EU AI Act compliance timeline pinned to a cork board in a law firm office with handwritten annotations on deadline columns
Many compliance teams are now mapping out the concrete deadlines set by the Digital Omnibus.

Critical Perspectives and Open Questions

Demanding but feasible - companies should not wait for standards to appear before starting their preparation.

TUV Consulting, 2026

TUV Consulting data shows that conformity assessments for high-risk AI systems typically take between six and eighteen months. Companies that begin preparations only after the harmonised standards are published will face a very tight window before December 2027.

Open legislative question: Annex I technical details

The second trilog specifically addressing the technical details of Annex I conformity assessment ended on April 28, 2026 without agreement. The Cypriot Council Presidency is targeting completion before June 30, 2026. Until those details are settled, companies in the medical device, machinery, and related sectors face continued uncertainty about exactly which assessment procedures will apply to their products.

GDPR and AI Act overlap: AI model training on personal data requires a valid legal basis under the GDPR. The AI Act does not resolve or replace this requirement. Companies must comply with both frameworks simultaneously. The risk management system required under Article 9 of the AI Act must account for data protection obligations, and GDPR impact assessments must reflect AI-specific risks. Neither regulation exempts compliance from the other.

Bitkom criticism and unchanged penalties

Bitkom has consistently argued that the documentation requirements in Annex IV create a disproportionate burden for mid-size European companies compared to large enterprises with dedicated legal teams. Despite this criticism, the penalty framework remains unchanged. Violations of prohibited AI practices still carry fines of up to EUR 35 million or 7 percent of worldwide annual turnover. The extension of deadlines does not reduce the penalties that apply once obligations become enforceable.

What Companies Should Do Now

The extended deadlines are not an invitation to pause. Companies that treat December 2027 as a hard deadline and plan backward must build foundations today. TUV Consulting estimates that conformity assessments alone take six to eighteen months, which means preparation must begin well before 2027 to leave adequate time for testing, documentation, and registration.

Compliance officer working through an AI system inventory checklist in a German mid-market company meeting room
Building a complete AI system inventory is the first step toward high-risk compliance.

  1. Inventory and classify AI systems

    Create a complete register of all AI systems in use and in development across your organisation. Classify each system against Annex III and Annex I categories. 83 percent of mid-market companies currently have no AI registry. Without a complete inventory, it is impossible to determine scope, prioritise effort, or assign responsibility accurately.

  2. Build a governance structure

    Designate a named AI compliance responsibility in writing. Establish internal processes for ongoing risk management, incident logging, and documentation under Articles 9-15. 74 percent of companies currently have no named owner for AI compliance. Governance structures take time to embed and cannot be retrofitted at short notice before a deadline.

  3. Monitor CEN/CENELEC standards development

    The technical harmonised standards are the foundation for conformity assessment. Track the publication schedule and engage your industry association or a technical consultancy to receive early drafts. The December 2027 deadline for Annex III may trigger earlier once the standards are published, with only a six-month run-in window. Acting only after publication leaves too little time.

  4. Implement watermarking for generative AI by August 2026

    Any system in your organisation that generates text, images, audio, or video must be able to label that output as AI-generated from August 2, 2026. Evaluate your current tools, check vendor roadmaps, and implement labelling before the deadline. Violations carry up to 4 percent of global annual revenue as a penalty.

  5. Prepare for conformity assessment

    Identify notified bodies relevant to your high-risk AI systems and begin preliminary conversations now. Waiting lists for conformity assessments are extending as demand increases. Gap analyses against Articles 9-15 should be conducted this year to understand what documentation, testing, and oversight measures need to be in place before formal assessment begins.

Key takeaway

The December 2027 deadline for Annex III and August 2028 for Annex I are the compliance endpoints, not the starting points. Given the six-to-eighteen-month assessment window, companies that have not begun inventory and governance work by late 2026 will face a compressed and costly compliance sprint. The preparatory work also produces value in itself: a documented AI governance structure signals maturity to buyers, auditors, and investors well before any formal deadline.

Further Reading

How the AI Act Trilog Collapsed Ethics and Legal AI Compliance Guide AI Agent Governance in the Enterprise Stanford AI Index 2026 EU AI Act (official) EU Digital Omnibus AI Act Timeline Analysis

Frequently Asked Questions

What is the EU AI Act Digital Omnibus? +

The EU Digital Omnibus on AI is an amendment package agreed on May 7, 2026 that extends the compliance deadlines for high-risk AI systems under the EU AI Act. Standalone high-risk systems (Annex III) must comply by December 2, 2027 and embedded systems in regulated products (Annex I) by August 2, 2028. The extension was necessary because the technical harmonised standards from CEN/CENELEC have not yet been finalised.

What are high-risk AI systems under Annex III of the EU AI Act? +

Annex III covers standalone AI systems used in sensitive areas: biometric identification and categorisation, critical infrastructure management, education and vocational training, employment and workforce management (including CV screening and performance monitoring), essential public services and creditworthiness assessment, law enforcement, migration and border management, and justice and democratic processes.

What is the difference between Annex I and Annex III high-risk AI? +

Annex III lists categories of standalone AI systems that are directly classified as high-risk. Annex I covers AI systems embedded in regulated products such as medical devices, machinery, and elevators. These products are already subject to sectoral safety legislation. For Annex I systems, both the AI Act and the relevant product safety law apply simultaneously. This dual regulation is why their deadline (August 2, 2028) is longer than for Annex III systems (December 2, 2027).

When does my company need to comply with high-risk AI requirements? +

For standalone Annex III systems (biometrics, HR tools, credit scoring, law enforcement, critical infrastructure), the new deadline is December 2, 2027. For AI embedded in regulated products under Annex I (medical devices, machinery), the deadline is August 2, 2028. Companies should note that the December 2027 deadline may trigger earlier once the technical standards are finalised, with a six-month run-in window. Preparation should begin well before 2027 given that conformity assessments typically take six to eighteen months.

What applies to generative AI from August 2026? +

From August 2, 2026, all new generative AI systems must label AI-generated content (watermarking). This applies to text, images, audio, and video. Existing generative AI systems have until December 2, 2026 to add watermarking. Violations of these transparency obligations carry a penalty of up to 4 percent of global annual revenue.

What fines apply for non-compliance with the EU AI Act? +

Penalties depend on the type of violation. Prohibited AI practices (Article 5) carry fines of up to EUR 35 million or 7 percent of global annual turnover. Violations of high-risk obligations carry up to EUR 15 million or 3 percent. Transparency obligation violations for AI-generated content carry up to 4 percent. Providing incorrect information to authorities carries up to EUR 7.5 million or 1 percent.

Are there any concessions for small and medium-sized enterprises? +

Yes. Companies with no more than 750 employees or no more than EUR 150 million in annual revenue qualify for simplified documentation requirements under the SME relief provisions in the Omnibus. This does not change the compliance deadlines, but reduces the volume and detail of technical documentation required. The European Commission is required to publish standardised templates and practical guidance specifically for SMEs before the December 2027 deadline.