On 7 May 2026, the Council and the European Parliament reached a provisional agreement on the Digital Omnibus on AI — the first substantive package of amendments to the EU AI Act since it entered into force in August 2024. The headline is a deferral: the high-risk obligations for standalone systems that were due to apply from 2 August 2026 are postponed by 16 months, to 2 December 2027. Within hours, inboxes across DACH filled with compliance-newsletter subject lines that read like permission slips. "More Time for Compliance." "EU Extends AI Deadline." "Pressure Eased for Enterprises."
The relief is understandable. The framing is dangerous.
The Digital Omnibus did not delete a single substantive requirement for high-risk AI. It moved the application date for standalone high-risk systems and tidied a handful of transitional provisions. Everything underneath — the prohibitions in force since February 2025, the general-purpose AI obligations active since August 2025, the transparency duties, the full body of high-risk requirements in Articles 6 to 27 — survives intact. The deadline moved. The obligation did not. And one detail cuts the other way entirely: the Omnibus added a new prohibition.
For DACH enterprises that have already started their compliance work, this is a strategic gift: additional months to deepen what they have begun, test their documentation under real conditions, and run governance through a real operating cycle before enforcement bites. For those who were already behind, the danger is that 16 months of extra runway simply becomes 16 months of further drift.
A caveat worth stating up front: this is a provisional agreement. It becomes binding law only once the formal text is adopted and published in the Official Journal — expected before 2 August 2026, the date the original high-risk rules would otherwise have started to apply. The direction of travel is clear, but the final wording of the simplification measures is still being settled. Plan against the substance; verify the detail against the adopted text.
What the Digital Omnibus actually changed
Understanding precisely what shifted — and what did not — is the whole point of recalibrating a roadmap. Five changes matter.
Standalone high-risk systems (Annex III) move to 2 December 2027. These are the systems classified as high-risk because of their use case rather than because they sit inside an already-regulated product — recruitment and worker-management tools, credit scoring, insurance pricing and risk assessment, educational grading, certain biometric applications. The original Act required full compliance by 2 August 2026; the Omnibus defers that by 16 months. This is the change that touches the largest number of DACH enterprises, because standalone high-risk use cases are exactly where midmarket AI deployments most often intersect the regulation. For the use cases that trigger this classification, see the risk classification walkthrough.
Product-embedded high-risk systems (Annex I) move to 2 August 2028. AI acting as a safety component of products already regulated under EU sectoral law — medical devices, machinery, lifts, radio equipment, automotive — was originally due by 2 August 2027. The Omnibus extends that by a further year. For manufacturers in these sectors the shift is meaningful but narrower: they already had the later original deadline, and now have one more year on top.
Watermarking gets a short grace period — not a deferral. The Article 50 transparency obligations still apply from 2 August 2026 as originally scheduled, including the duty to disclose when people are interacting with an AI system. For the specific machine-readable marking requirement under Article 50(2), providers of generative systems already on the market before 2 August 2026 receive a short transitional window until 2 December 2026, recognising that the technical standards for content marking are still being finalised. This is a grace period for the marking mechanism, not a blanket pause on transparency.
A new prohibition is added — effective 2 December 2026. The Omnibus adds AI systems that generate or manipulate non-consensual intimate imagery of identifiable individuals — including so-called "nudifier" applications — and child sexual abuse material to the list of banned practices, with a transitional period to 2 December 2026. As prohibited practices, breaches sit at the top penalty tier of the Act. The legislature did not only relax timelines; where it saw acute harm, it tightened the net.
A new "small mid-cap" category is created. The Omnibus extends several SME simplifications to a newly defined band of enterprises that are not SMEs but employ fewer than 750 people and have annual turnover not exceeding €150 million (or a balance-sheet total not exceeding €129 million). The reported measures include simplified technical-documentation templates that notified bodies must accept, more proportionate quality-management expectations, priority access to regulatory sandboxes, and more tailored penalty caps. The precise contours are still being settled in the legislative text, but the intent is unambiguous: lower the documentation and conformity-assessment burden for firms that lack the compliance apparatus of a DAX-40 group. The core duties — risk management, human oversight — do not disappear. The midmarket compliance analysis covers the baseline that applies regardless of company size.
What the Digital Omnibus did not change
This section matters more than the one above.
Prohibited practices remain in force. The bans on social scoring, untargeted scraping for facial-recognition databases, emotion recognition in workplaces and schools, and exploitation of vulnerable groups have been enforceable since 2 February 2025. The Omnibus does not touch them; it adds to the list. If you have not audited your AI inventory against the prohibited categories, you are already exposed.
GPAI obligations remain in force. Providers of general-purpose AI models have been subject to transparency, documentation, and copyright-related obligations since 2 August 2025, with additional duties for models presenting systemic risk. The Omnibus does not defer any of this. If your organisation builds on a GPAI model — including through API access to a large language model — the provider obligations are already live, and your own duties as a deployer around transparency and oversight are unaffected.
The high-risk obligation itself is unchanged. The Omnibus did not rewrite Articles 6 to 27 — the substantive requirements for high-risk systems. Conformity assessment, technical documentation, the risk-management system, data governance, human oversight, accuracy and robustness, automatic logging, registration in the EU database — all remain exactly as drafted. What moved is solely the date. On 2 December 2027, every requirement that was due on 2 August 2026 is expected in full. No phase-in. No further grace period.
One nuance that did soften is worth flagging honestly, because it is widely misread the other way. The AI literacy obligation under Article 4 — already binding since February 2025 — was eased to a duty to support the development of staff competence proportionate to role and risk, rather than to guarantee a specific level of literacy. Do not mistake softer wording for irrelevance. It still demands a defensible, documented effort, not a single all-hands webinar. For the complete map of which deadlines now apply when, see the updated timeline.
Why 16 months is less time than it sounds
Sixteen months feels comfortable until you map what has to happen inside them.
The conformity-assessment infrastructure does not yet exist at scale. The ecosystem of notified bodies and harmonised standards for standalone high-risk AI is still being built — which is precisely why the original August 2026 deadline was widely judged unworkable and why CEN-CENELEC was given more time to finish the standards that several requirements depend on. But those 16 months have to get both sides ready at once: the infrastructure and the enterprise. Organisations that wait for the standards to be final before starting will be competing for scarce notified-body capacity in the last months before the date.
Technical documentation is not a weekend project. Article 11 demands documentation covering intended purpose, design, development process, data governance, performance metrics, risk analysis, and the post-market monitoring plan. For a non-trivial system — say, an automated claims-triage workflow handling thousands of cases a month — assembling that package is a matter of months, because it requires coordinated input from engineering, data, legal, compliance, and the business unit that runs the system. The cross-functional choreography is the bottleneck, not the prose.
Risk management is a process, not a document. Article 9 requires a risk-management system maintained across the entire lifecycle of the system — not a one-off pre-deployment exercise but continuous monitoring, updating, and mitigation in production. Standing up that capability is exactly the work described in the compliance-by-design approach, and it cannot be compressed into the final quarter before a deadline.
The strategic calculation for DACH enterprises
The Omnibus creates a divergence point, and the gap will be visible well before December 2027.
The first group treats the deferral as a planning horizon. They use the 16 months to build at a deliberate pace — classifying systems, drafting documentation iteratively, standing up monitoring and governance, supporting staff competence, and running internal conformity checks before external ones are required. When the deadline arrives, compliance confirms work already done rather than triggering a scramble.
The second group treats the deferral as a reprieve. They deprioritise the work, redirect resources, and plan to revisit it in mid-2027. When they come back, the task has not become easier — it has become harder: the AI portfolio has grown, new systems shipped without compliance baked in, and the notified-body capacity that was free in early 2027 is now oversubscribed.
The competitive dimension is real. In regulated industries — financial services, insurance, healthcare, critical infrastructure — the ability to demonstrate AI Act compliance becomes a procurement criterion. Enterprise buyers will ask suppliers whether their AI-enabled services meet high-risk requirements. The firm that can produce documented compliance in January 2028 has a tangible advantage over the one still assembling its evidence pack.
The pattern is familiar from the GDPR. Organisations that used the two-year transition for genuine preparation were ready on 25 May 2018; those that waited spent more, achieved weaker compliance, and lived with years of remediation. The AI Act is harder in several dimensions — not least because it regulates the technology itself, not merely the data it processes. The comprehensive compliance guide covers the full scope of what high-risk compliance entails.
The small mid-cap opportunity
The new small mid-cap band deserves specific attention from the Mittelstand. The threshold — fewer than 750 employees and turnover up to €150 million — captures a large slice of mid-market Germany, Austria, and Switzerland. The simplifications are still being codified, but the reported direction is reduced documentation burden, simpler templates that notified bodies must accept, and priority sandbox access.
This is relief, not exemption. A small mid-cap deploying a high-risk system still has to demonstrate the core requirements — risk management, data governance, human oversight, accuracy, transparency. What changes is the expected depth and formality of the evidence. A 200-person insurance brokerage using AI for claims triage will not be held to Allianz's documentation standard, but it will still have to show it identified the risks and put oversight in place.
The practical move is to start building your governance framework now, treating the simplified expectations as a design constraint rather than a finish line. A lightweight model covering accountability, oversight, and decision rights is not merely good practice. Under the amended Act, it is close to the minimum viable posture.
What to do in the next 90 days
The deferral does not change the work. It changes the sequencing.
Complete your AI inventory. If you have not catalogued every AI system in the organisation — including third-party tools with embedded AI — this is the foundational step. You cannot classify what you have not found. Each entry should capture purpose, the data processed, who operates it, and which decisions it informs or automates.
Classify every system against the amended timeline. Map each system to its risk category and its applicable date. Standalone high-risk now runs to December 2027; product-embedded high-risk to August 2028; prohibited, GPAI, and limited-risk duties are already live. The classification framework gives you the decision tree.
Start technical documentation for your single highest-risk system. Do not try to document everything at once. Pick the system most clearly high-risk — the one touching employment decisions, credit, or claims — and build its Article 11 package first. The exercise will surface what information you are missing, which teams you need, and how long the work genuinely takes. That learning beats any checklist.
Establish your governance baseline. Name a workflow owner for each production system. Define the delegation rules: what the AI decides, what it recommends, what stays fully human. Set the oversight rhythm — a metrics review, an edge-case analysis, a periodic governance assessment. This structure is the operational backbone of compliance, and it needs to be running long before the deadline.
Treat trust as the leading indicator. The enterprises that scale AI are rarely the ones with the best models; they are the ones whose people trust the outputs enough to act on them. That trust is built through observability, governance, and validation — the same infrastructure that satisfies the AI Act. Compliance and adoption are not competing budgets. They are the same build.
The deadline moved — the obligation did not
The Digital Omnibus is a pragmatic adjustment. The legislature acknowledged that the compliance ecosystem was not ready for August 2026 and bought time for the standards and the notified bodies to catch up. That is a rational response to a real implementation problem.
But the worst reading of the amendment is the one most likely to spread: that the AI Act is going soft, that compliance can wait, that the deferrals signal a loss of nerve. The text says otherwise. It added a new prohibition. It preserved every substantive high-risk requirement. It created a category designed to make compliance achievable for smaller firms — which only makes sense if the legislature intends to enforce those requirements broadly.
DACH enterprises that spend these 16 months building compliance infrastructure will reach December 2027 with documented systems, competent teams, and operational governance. They will also, not coincidentally, have built the trust architecture that lets AI move from pilot to production in the applications that actually move the income statement. Under the AI Act, compliance and capability are not competing priorities. They are the same work.
References: Council of the European Union, "Artificial Intelligence: Council and Parliament Agree to Simplify and Streamline Rules," Press Release, 7 May 2026; Gibson Dunn, "EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes," 2026; Orrick, "The EU's Digital Omnibus on AI: 7 Key Changes You Need to Know," May 2026; Covington (Inside Privacy), "EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions," 2026; White & Case, "EU Agrees Digital Omnibus Deal to Simplify AI Rules," 2026; Regulation (EU) 2024/1689 (EU AI Act), Articles 4, 5, 6–27, 9, 11 and 50.
