On 7 May 2026, the European Council and Parliament reached provisional agreement on the Digital Omnibus on AI — the first formal set of amendments to the EU AI Act since its adoption in June 2024. The headline is a deferral: high-risk AI obligations that were due to take effect on 2 August 2026 are now postponed by 16 months. Within hours, inboxes across DACH filled with compliance newsletter subject lines that read like permission slips. "More Time for Compliance." "EU Extends AI Deadline." "Pressure Eased for Enterprises."
The relief is understandable. The framing is dangerous.
The Digital Omnibus did not remove a single obligation. It moved the enforcement date for standalone high-risk AI systems from 2 August 2026 to 2 December 2027. Everything else — the prohibitions already in force since February 2025, the GPAI obligations active since August 2025, the AI literacy requirement, the full scope of high-risk compliance demands — remains exactly where it was. The deadline moved. The obligation did not.
For DACH enterprises that have already started their compliance work, this is a strategic gift: additional months to deepen what they have begun, test their documentation under real conditions, and refine governance before the enforcement clock starts. For those who were already behind, the risk is that 16 months of extra time simply becomes 16 months of additional delay.
What the Digital Omnibus actually changed
The provisional agreement restructures several timelines and introduces new provisions. Understanding precisely what shifted — and what did not — is essential for any enterprise recalibrating its AI roadmap.
Annex III standalone high-risk AI systems (use-based classification). These are the systems classified as high-risk not because they are embedded in regulated products, but because of their application domain — employment decisions, credit scoring, insurance risk assessment, educational grading, biometric identification. The original AI Act required full compliance by 2 August 2026. The Digital Omnibus defers that date to 2 December 2027, a shift of exactly 16 months. This is the change that affects the largest number of DACH enterprises, because standalone high-risk systems are precisely where midmarket and enterprise AI deployments most commonly intersect with the regulation. For the full list of use cases that trigger this classification, see the risk classification walkthrough.
Annex I product-embedded high-risk AI systems. AI systems that serve as safety components of products already regulated under EU sectoral legislation — medical devices, machinery, automotive, aviation — were originally due for compliance by 2 August 2027. The Omnibus extends this to 2 August 2028. For manufacturers in these sectors, this is significant but narrower in scope: the original Act already gave them an extra year, and the amendment adds another.
Watermarking and content-marking obligations. The broader Article 50 transparency obligations — including disclosure when users interact with AI systems — remain applicable from 2 August 2026 as originally scheduled. For the specific watermarking requirement under Article 50(2), which mandates machine-readable markers in AI-generated content, providers of systems already on the market before 2 August 2026 receive a transitional period until 2 December 2026. This is not a blanket deferral of the watermarking obligation but a grace period for existing systems, recognising that technical standards for watermarking are still being finalised.
A new prohibition on non-consensual intimate imagery. The Omnibus adds AI systems that generate or manipulate non-consensual intimate imagery of identifiable individuals — including so-called "nudifier" applications — and child sexual abuse material to the list of banned AI practices. This prohibition takes effect on 2 December 2026. It extends the existing prohibitions that have been in force since February 2025 and signals the legislature's willingness to update the Act's scope as new harms emerge.
A new "small mid-cap" category. Enterprises with fewer than 750 employees and annual turnover below €150 million will benefit from simplified compliance pathways. The precise contours of the simplification are still being finalised in the legislative text, but the intent is clear: reduce the documentation and conformity assessment burden for organisations that lack the compliance infrastructure of a DAX-40 company. For many Mittelstand firms, this could materially reduce the cost of compliance — though the core obligations around risk management and human oversight will remain. The midmarket compliance analysis covers the baseline obligations that apply regardless of company size.
What the Digital Omnibus did not change
This is the section that matters more than the one above. The deferral is limited in scope, and several critical obligations remain exactly on their original schedule.
Prohibited practices remain in force. The ban on social scoring, real-time biometric identification in public spaces, emotion recognition in workplaces and schools, and exploitation of vulnerable groups has been enforceable since 2 February 2025. The Omnibus does not touch this. If you have not audited your AI inventory against the prohibited categories, you are already exposed.
GPAI obligations remain in force. Providers of general-purpose AI models have been subject to transparency, documentation, and copyright compliance requirements since 2 August 2025. Providers of models with systemic risk face additional obligations including adversarial testing and incident reporting. The Omnibus does not defer any of this. If your organisation deploys a GPAI model — including through API access to large language models — the provider obligations are already active, and your deployer obligations regarding transparency and human oversight are likewise unaffected.
AI literacy remains in force. The requirement that organisations ensure sufficient AI literacy among their staff — proportionate to the role, context, and risk level of the AI systems they interact with — is already binding. This is one of the most underestimated obligations in the entire Act. It requires documented training, not a single all-hands webinar. And it has no deferral.
The obligation itself remains identical. The Omnibus did not amend Articles 6 through 27 — the substantive requirements for high-risk AI systems. Conformity assessments, technical documentation, risk management systems, data governance, human oversight, accuracy testing, automatic logging, registration in the EU database — all remains as originally drafted. What moved is solely the enforcement date. On 2 December 2027, every requirement that was due on 2 August 2026 will be expected in full. No phase-in. No grace period.
For the complete map of which deadlines now apply when, refer to the updated timeline, which we are revising to reflect the Omnibus changes.
Why 16 months is less time than it sounds
Sixteen months feels comfortable until you map what needs to happen within them.
Conformity assessment infrastructure does not yet exist at scale. The ecosystem of notified bodies, harmonised standards, and conformity assessment procedures for standalone high-risk AI systems is still maturing. The original August 2026 deadline was widely regarded as unrealistic precisely because this infrastructure was not ready. The deferral acknowledges that reality. But 16 months is the time for both the infrastructure and the enterprises to become ready simultaneously. Organisations that wait for standards to be finalised before beginning compliance work will find themselves competing for limited notified body capacity in the final months before the deadline.
Technical documentation is not a weekend project. Article 11 requires comprehensive documentation covering the system's intended purpose, design specifications, development process, data governance, performance metrics, risk analysis, and post-market monitoring plan. For a complex AI workflow — an automated claims triage system processing thousands of cases monthly — producing this documentation takes months, not weeks. It requires coordinated input from engineering, data science, legal, compliance, and the business unit that operates the system. That cross-functional coordination is the real bottleneck, not the writing itself.
Risk management is a process, not a document. Article 9 requires a risk management system that is maintained throughout the entire lifecycle of the high-risk AI system. This means not merely identifying risks before deployment but continuously monitoring, updating, and mitigating them in production. Building this capability — the monitoring infrastructure, the escalation procedures, the governance rhythms — is precisely the work described in the compliance-by-design approach. It cannot be compressed into the final quarter before a deadline.
The strategic calculation for DACH enterprises
The Omnibus creates a divergence point. Enterprises will split into two groups, and the gap between them will be visible well before December 2027.
The first group treats the deferral as a planning horizon. They use the 16 months to build compliance infrastructure at a deliberate pace — classifying their AI systems, drafting technical documentation iteratively, implementing monitoring and governance structures, training staff, and running internal conformity assessments before external ones are required. When the deadline arrives, compliance is a confirmation of work already done, not a scramble to produce artefacts under pressure.
The second group treats the deferral as a reprieve. They deprioritise compliance work, redirect resources to other initiatives, and plan to revisit the topic in mid-2027 when the deadline feels imminent. When they return to it, they will find that the task has not become easier — it has become harder, because their AI portfolio has grown, new systems have been deployed without compliance considerations, and the notified body capacity that was available in early 2027 is now oversubscribed.
The competitive dimension is real. In regulated industries — financial services, insurance, healthcare, critical infrastructure — the ability to demonstrate AI Act compliance will become a procurement criterion. Enterprise customers will ask suppliers whether their AI-powered services meet high-risk requirements. Organisations that can produce documented compliance in January 2028 will have a tangible advantage over those still assembling their evidence packs.
The same pattern played out with DSGVO. Organisations that used the two-year transition period for genuine preparation were ready on 25 May 2018. Those that waited spent more money, achieved lower-quality compliance, and faced years of remediation. The AI Act's complexity exceeds DSGVO's in several dimensions — not least because it regulates the technology itself, not merely the data it processes. The comprehensive compliance guide covers the full scope of what high-risk compliance entails.
The small mid-cap opportunity
The new "small mid-cap" category deserves specific attention from DACH midmarket companies. The threshold — fewer than 750 employees and annual turnover below €150 million — captures a significant portion of the Mittelstand. While the exact simplifications are still being codified, the direction is clear: reduced documentation burden, simplified conformity assessment pathways, and potentially lighter risk management requirements.
This does not mean exemption. Small mid-cap enterprises deploying high-risk AI systems will still need to demonstrate compliance with the core requirements: risk management, data governance, human oversight, accuracy, and transparency. What changes is the expected depth and formality of the evidence. A 200-person insurance brokerage using AI for claims triage will not be held to the same documentation standard as Allianz — but it will need to show that it has identified the risks and established oversight mechanisms.
The practical implication is that midmarket companies should begin building their governance frameworks now, using the simplified expectations as a design constraint. A lightweight model covering accountability, oversight, compliance, and decision rights is not merely a best practice. Under the amended Act, it is likely to be the minimum viable compliance posture.
What to do in the next 90 days
The deferral does not change the work. It changes the sequencing. Here is where to focus the first quarter after the Omnibus.
Complete your AI inventory. If you have not catalogued every AI system in your organisation — including third-party tools with embedded AI — this is the foundational step. You cannot classify what you have not identified. Each entry should cover the system's purpose, the data it processes, who operates it, and which decisions it informs or automates.
Classify every system against the amended timeline. Map each system to its risk category and the applicable compliance date. Standalone high-risk systems now have until December 2027. Product-embedded high-risk systems have until August 2028. Everything else — prohibited, GPAI, limited risk — is already in effect. The classification framework provides the decision tree for this exercise.
Start technical documentation for your highest-risk system. Do not attempt to document everything at once. Pick the system most clearly high-risk — the one processing employment decisions, credit assessments, or insurance claims — and build the Article 11 documentation package for it first. The process will teach you what information you are missing, which teams need to be involved, and how long the work actually takes. That learning is more valuable than any checklist.
Establish your governance baseline. Appoint an AI workflow owner for each production system. Define the delegation rules: what the AI decides, what it recommends, what stays fully human. Document the oversight rhythm — weekly metrics review, monthly edge-case analysis, quarterly governance assessment. This structure is the operational backbone of compliance, and it needs to be running long before the deadline.
Treat trust as the leading indicator. The enterprises that scale AI most effectively are not the ones with the best models. They are the ones whose organisations trust the AI outputs enough to act on them. That trust is built through observability, governance, and validation — the same infrastructure that satisfies the AI Act's requirements. The trust infrastructure analysis details how the 6% of companies achieving material AI impact differ structurally from the rest. The overlap with AI Act compliance is nearly complete.
The deadline moved — the obligation did not
The Digital Omnibus is a pragmatic adjustment. The European legislature recognised that the compliance ecosystem was not ready for August 2026, and it provided additional time. That is a rational response to a real implementation challenge.
But the worst possible reading of this amendment is the one most likely to spread: that the AI Act is softening, that compliance can wait, that the deferrals signal a lack of regulatory seriousness. The opposite is true. The Omnibus added a new prohibition. It maintained every existing obligation. It preserved the full scope of high-risk requirements. And it created a new category designed to make compliance achievable for smaller companies — which only makes sense if the legislature intends to enforce those requirements broadly.
DACH enterprises that use these 16 months to build compliance infrastructure will arrive at December 2027 with documented systems, trained teams, and operational governance. They will also, not coincidentally, have built the trust architecture that allows AI to move from pilot to production in the applications that actually move the income statement. Compliance and capability are not competing priorities. Under the AI Act, they are the same work.
Talk to us about your AI Act compliance roadmap. We help DACH enterprises build AI governance and compliance into the operating model — not as a regulatory checkbox, but as the foundation for scaling AI into production. If you are recalibrating after the Digital Omnibus, a 30-minute Fit Call will clarify where you stand and what to prioritise next. Book your Fit Call →
References: Council of the European Union, "Artificial Intelligence: Council and Parliament Reach Provisional Agreement on Digital Omnibus," Press Release, 7 May 2026; Gibson Dunn, "EU Digital Omnibus: AI Act Amendments and Revised Timelines," Client Alert, May 2026; Orrick, "EU AI Act Digital Omnibus: 7 Key Changes," AI Law Centre, May 2026; PwC EU Services, "Digital Omnibus AI Regulation: Impact Assessment for High-Risk Systems," May 2026; Inside Privacy (Covington), "EU AI Act Omnibus: Deferred Deadlines and New Obligations," May 2026; Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act), Articles 6–27 (High-Risk AI Systems), Article 11 (Technical Documentation), Article 9 (Risk Management).