The short version
On 29 June 2026 the Council of the EU gave final approval to the “Digital Omnibus on AI” — a simplification package that amends the EU AI Act. The headline change for most organisations: the compliance deadlines for high-risk AI systems have moved. Annex III high-risk obligations shift from 2 August 2026 to 2 December 2027, and Annex I (product-embedded) high-risk obligations from 2 August 2027 to 2 August 2028.
That is relief, not a reprieve. The rules that are already in force stay in force — and the omnibus also tightened some obligations.
What is already binding today
- Prohibited practices (applying since 2 February 2025): social scoring, manipulative techniques, most real-time biometric identification in public spaces, and — newly added by the omnibus — AI practices for generating non-consensual sexual or intimate content and child sexual abuse material.
- AI literacy (Article 4): organisations using AI must ensure staff have an appropriate level of AI competence.
- General-purpose AI (GPAI) obligations (applying since 2 August 2025) for model providers.
What the omnibus changed
| Annex III high-risk systems | 2 Aug 2026 → 2 Dec 2027 |
| Annex I high-risk systems | 2 Aug 2027 → 2 Aug 2028 |
| Transparency marking of AI-generated content | Grace period cut from 6 to 3 months — deadline 2 Dec 2026 |
Why controllers should not slow down
If you are a GDPR data controller deploying AI — a chatbot handling customer data, CV screening, credit or fraud scoring, workplace monitoring — the AI Act treats you as a deployer, and your GDPR duties never moved. DPIAs, lawful basis, transparency to data subjects, and vendor due diligence apply to AI projects today. Regulators have been clear that GDPR enforcement around AI is not waiting for AI Act deadlines.
The extra 16 months is best spent the way procurement and audits will eventually demand: build the AI inventory, classify systems against Annex III, assign provider/deployer roles, and fold AI risk into your existing DPIA and vendor-review workflow. Organisations that start when the deadline is close pay more and document worse.
A practical 90-day plan
- Inventory: list every AI system in use or in procurement, including AI features inside SaaS tools.
- Classify: map each system to AI Act risk categories and your role (provider, deployer, importer).
- Integrate: add AI triggers to your DPIA checklist and vendor onboarding questions.
- Train: meet the Article 4 AI-literacy duty with role-appropriate training, and keep evidence.
- Monitor: assign an owner to track guidance from the AI Office and your market-surveillance authority.
Sources: Council of the EU press releases of 7 May and 29 June 2026; European Commission Digital Omnibus on AI (19 November 2025); Regulation (EU) 2024/1689.
