EU AI Act 2026 Update: What the Digital Omnibus Deferral Really Means

What the Digital Omnibus actually proposes

The Alev-B EU AI Act Compliance Guide lays out the original phased timeline: the core obligations for high-risk AI under Annex III were set to apply on August 2, 2026. This article is the necessary update to that guide — because on November 19, 2025, the European Commission tabled a package that calls that date into question: the Digital Omnibus.

The Digital Omnibus is not a new law but a simplification and clean-up package. It bundles several digital-policy adjustments into a single procedure. For AI regulation it contains a proposal of considerable significance: the application of the high-risk obligations would be tied to the availability of harmonized standards and supporting instruments. In concrete terms, that means a proposed deferral of the decisive deadline from August 2, 2026, to December 2, 2027.

Legal commentary by firms such as Orrick and DLA Piper makes the nature of the proposal clear: this is not a substantive softening of the obligations but a stretching of the timeline. The material requirements for high-risk systems — risk management, data quality, technical documentation, human oversight, robustness — remain unchanged under the proposal. What would move is solely the point in time from which non-compliance becomes enforceable.

The reference timeline on artificialintelligenceact.eu presents the implementation schedule in both readings — the original and the potentially deferred one. This dual presentation is not an editorial error but an accurate reflection of the legal situation: as long as the proposal is not adopted, only one binding timeline exists, and that is the original one.

Why a proposal is not yet law in force

The most common error in the current debate is equating a Commission proposal with the legal status quo. A Commission proposal goes through the EU's ordinary legislative procedure. It must be negotiated, voted on, and adopted in identical wording by the Council of the European Union and the European Parliament before it produces legal effect. Until that moment, nothing changes about the AI Act's applicable deadlines.

In practice this means: anyone aligning their compliance planning today with the potential December 2027 date is planning against a document that can fail, change, or be delayed at any point. The legislative process offers no guarantee. Trilogue negotiations can run for months, individual provisions can be split out, and political majorities can shift.

There is also a substantive limitation that applies even if the Omnibus succeeds: the deferral concerns the high-risk obligations under Annex III. The prohibitions on unacceptable practices, in effect since February 2025, and the rules for general-purpose AI models, in effect since August 2025, would be unaffected by an Omnibus adoption. They continue to apply regardless of the outcome.

Serious legal commentary — the analyses from Orrick and DLA Piper being representative — therefore converges on a single recommendation: organizations should treat the deferral as a possible scenario, not as a planning basis. Anyone who assumes the deferral as a given, only for the original timeline to hold, will stand in August 2026 with no compliance substance.

The scenario logic: two possible worlds

Instead of a single deadline, the organization faces a fork. There are exactly two relevant end states, and robust planning must address both simultaneously — because which one materializes is decided outside the organization's control and likely only late in the process.

Scenario A — the Omnibus is not adopted (in time): the original timeline remains binding. The high-risk obligations under Annex III apply on August 2, 2026. Organizations that waited solely for the deferral fall into acute time pressure — gap analysis, governance build-out, documentation, and conformity evidence cannot be retrofitted within a few weeks.

Scenario B — the Omnibus is adopted: the deadline for the high-risk obligations moves to December 2, 2027. Organizations gain roughly 16 additional months of preparation time. The prohibitions and the general-purpose AI model rules, however, remain in force unchanged. The additional time is preparation time, not a free pass — the requirements themselves are identical in both scenarios.

The decisive insight: in both scenarios the substantive requirements are the same. Only the available time window changes. From this follows a robust planning logic — measures that create value in both worlds are executed immediately; measures whose benefit depends purely on timing are deliberately phased.

No-regret measures: what pays off in any case

A no-regret measure is one whose benefit accrues regardless of which scenario materializes. It is not "wasted work" should the deferral arrive — on the contrary: it reduces risk in both worlds, creates transparency, and is a precondition for any further compliance work. The following measures meet this criterion and should begin immediately, independent of the Omnibus's fate.

1. 1Build an AI inventory: systematically capture every AI system you develop, procure, or deploy — including embedded AI features in off-the-shelf software. Without a complete inventory, any risk classification is speculation, and the inventory is needed in both scenarios.
2. 2Perform risk classification: assign each system a risk tier. The classification logic does not change with the Omnibus — only the date from which violations become enforceable. Early classification surfaces the few genuinely high-risk-relevant systems and avoids unnecessary effort on the rest.
3. 3Eliminate prohibited practices immediately: the prohibitions on unacceptable AI practices have been in effect since February 2025 and are unaffected by the Omnibus. Actively check whether any practice in use or in the pipeline falls under a prohibited category — there is no reprieve here and no scenario in which waiting is permissible.
4. 4Ensure AI competence among staff: the obligation to ensure sufficient AI competence among staff working with AI systems applies independently of the main timeline and is not deferred by the Omnibus. Role-specific training with documented curricula is required in every scenario.
5. 5Establish governance structures: accountabilities, approval processes, and a traceable decision audit for AI systems create value in both worlds. A deferral only extends the build-out window — it does not make the build-out unnecessary.
6. 6Prepare supplier and contract clauses: contractually clarify with AI vendors and integrators who holds which value-chain role and who supplies which evidence. These negotiations are protracted and necessary in both scenarios — an early start preserves negotiating leverage.
7. 7Document compliance evidence in an audit-proof way: structure documentation so it withstands scrutiny under either timeline. Evidence assembled only shortly before the deadline is, in experience, patchy — continuously maintained evidence is the more robust foundation in any scenario.

Timing-dependent measures: what may be deliberately phased

Not every measure is no-regret. Some activities derive their benefit primarily from the deadline, and performing them prematurely can in fact create rework in the deferral scenario — for instance, because technical standards or conformity procedures may still take shape by December 2027. These measures may be deliberately phased, provided the no-regret base is in place.

These typically include the final conformity assessment, the concluding technical documentation against then-harmonized standards, formal registration in the EU database, and the final design of labeling and disclosure mechanisms. Anyone who finalizes these steps today, only for the Omnibus to defer, risks later standard refinements forcing a rework.

The decisive point is sequencing, not waiting. Timing may only phase what sits on a complete no-regret base. An organization that builds its AI inventory, classification, and governance only once the final date is fixed has already lost its room for maneuver — regardless of which scenario materializes.

Practically: the no-regret measures run from now. The timing-dependent measures are prepared but their final completion is tied to the clarification of the Omnibus status — with a defined decision point at which the organization switches to the then-applicable timeline.

Organizational consequences for compliance planning

The scenario uncertainty has a concrete consequence for governance: compliance planning must not be locked to a single date. It needs a branching logic with an explicit decision point — the moment at which the Omnibus status is sufficiently clarified to switch to the then-applicable timeline.

It is advisable to clearly assign responsibility for monitoring the legislative procedure. Trilogue progress, the Council position, and Parliament votes are the signals on which the scenario turns. This monitoring belongs in regular governance reporting, not in a one-off memo.

For internal communication, the distinction between proposal and law in force is central. A common misconception in business units is that the AI Act has been "postponed." That is legally inaccurate as long as the Omnibus is not adopted. Communicating this message imprecisely risks no-regret measures being deferred because the perceived urgency drops away.

Finally, the plan should document why each measure was classified as no-regret or as timing-dependent. That rationale is itself a governance record: in an audit it demonstrates that the organization correctly appraised the legal situation and made its prioritization deliberately and traceably.

Connection to the AI Readiness Assessment

The no-regret logic described here aligns structurally with the approach of an AI readiness assessment. Both start from the same foundational question: which AI systems actually exist, at what maturity, and what gaps exist against the requirements that apply independently of regulatory timing?

The Alev-B AI Readiness Assessment Guide treats exactly this stocktaking — inventory, maturity, governance gaps — as the foundation of any further AI work. In the context of the Digital Omnibus, this foundation gains an additional function: it is precisely the intersection of measures that create value in both scenarios. An organization with a robust readiness picture can handle the fork with composure rather than being surprised by it in the summer of 2026.

The practical transition is therefore clear: a readiness stocktaking delivers the AI inventory and the maturity view that every no-regret measure presupposes. The regulatory fork of the Omnibus then only decides the phasing of the timing-dependent steps — not whether to prepare.

This closes the loop back to the original EU AI Act Compliance Guide: its phased plan remains the substantive reference. The Digital Omnibus changes nothing about the obligations — it only alters the time frame within which the gaps identified in the readiness work must be closed.