Regulation and policy

The EU AI Act Digital Omnibus: Why the High-Risk Deadlines Moved

The Digital Omnibus deferred the EU AI Act's high-risk obligations to fixed dates: stand-alone Annex III systems now comply by 2 December 2027, and AI embedded in regulated products, including medical devices, by 2 August 2028. Co-legislators cited missing technical standards and swapped the earlier conditional trigger for firm calendar dates.

The EU AI Act's high-risk obligations no longer take effect in August 2026. Under the Digital Omnibus, on which the Council and Parliament reached political agreement on 7 May 2026, stand-alone high-risk systems listed in Annex III now have until 2 December 2027 to comply, and high-risk AI embedded in regulated products under Annex I, which includes medical devices and in-vitro diagnostics, has until 2 August 2028. These are fixed calendar dates. They replace an earlier plan that would have switched the rules on only once supporting standards were ready.

This is an update to the risk-class framework I described previously. The tiers themselves did not change. What changed is when the heaviest tier of duties starts to bite, and the reasoning behind the shift is worth understanding for anyone building or evaluating clinical AI.

What actually moved

Two dates carry most of the weight. Obligations for Annex III systems, the use-case list covering areas such as biometrics, critical infrastructure, education, employment, and access to essential services, were originally set to apply from 2 August 2026. They now apply from 2 December 2027, roughly a sixteen-month deferral. Obligations for Annex I systems, meaning AI that sits inside a product already governed by EU product-safety law such as the Medical Device Regulation or the IVDR, were set for 2 August 2027 and now apply from 2 August 2028, a one-year deferral. The Gibson Dunn analysis of the agreement lays out both shifts against their original timelines.

For a health context, the second date is the one to watch. Software that qualifies as a medical device and also meets the AI Act's high-risk criteria falls under Annex I. It must satisfy both regimes. The Omnibus gives those manufacturers until 2 August 2028 before the Act's full high-risk requirements, covering risk management, data governance, technical documentation, human oversight, and conformity assessment, sit on top of their existing device obligations.

What did not move

A deferral of high-risk duties is not a pause on the whole law. The prohibitions on certain AI practices in Article 5 have been in force since February 2025. Obligations for general-purpose AI models took effect in August 2025. Transparency duties under Article 50, such as disclosing that a person is interacting with an AI system or that content is AI-generated, remain anchored to 2 August 2026, with only a short grace window for certain marking obligations on systems already on the market. According to Covington's analysis, the registration of high-risk systems in the EU database also stays in place. The structure of the Act is intact. The high-risk compliance clock is what was reset.

Why the dates changed

The stated reason is sequencing, not a retreat from the underlying goals. High-risk conformity depends on harmonized technical standards and guidance that tell developers, in operational detail, how to demonstrate that a system meets the legal requirements. Those standards were not finished. The co-legislators concluded that firms should not face penalties for missing benchmarks that do not yet exist, and that standards bodies needed more time to produce the documents that make compliance auditable. The European Commission's own regulatory-framework materials describe the Act as leaning on harmonized standards to translate high-level obligations into testable engineering practice, which is precisely the machinery that was not ready.

There is a second, quieter change in method. The Commission's original proposal contained a conditional trigger: high-risk rules would start once the supporting standards and tools were available. The final agreement discarded that mechanism in favor of fixed dates. As a physician-scientist who has worked inside global drug development and served as an FDA clinical investigator, I read that swap as a familiar regulatory instinct. Conditional triggers create uncertainty that is hard to plan around, because no one can schedule engineering, validation, and audit work against a date that floats. A firm calendar date, even a later one, is something a quality system can actually be built toward. Regulators face the same trade-off when they set device transition timelines: predictability often does more for real-world safety than an aggressive date that most of the field cannot meet.

What this means in practice

The delay buys time; it does not remove the work. A system that is high-risk on 2 August 2026 is still high-risk on 2 December 2027 or 2 August 2028. The classification logic, the documentation burden, and the conformity-assessment path are unchanged. For a health-AI team, the sensible reading is that the runway got longer, not that the destination moved.

A few practical implications follow. First, classify early. Whether a tool lands in Annex III, Annex I, or neither drives which deadline and which obligations apply, and that determination should not wait for the deadline. Second, treat the interim standards work as your specification. When harmonized standards publish, they will define what "adequate" data governance and human oversight look like in evidence, and building to a draft you can later revise is cheaper than building to nothing. Third, keep the unchanged obligations on your calendar. Transparency and prohibited-practice rules are already live, and a medical-device manufacturer still answers to the MDR or IVDR regardless of what the AI Act clock says.

The Omnibus is a schedule change reached through political agreement, and its precise text becomes binding only on formal adoption and publication. The direction, though, is clear: the same high-risk regime, on later fixed dates, with more time for the standards that make it enforceable.

This article is educational and does not constitute legal or medical advice.

References and sources

  1. Council of the EU press release (7 May 2026)
  2. Gibson Dunn: Omnibus postponed high-risk deadlines
  3. Covington Inside Privacy: EU AI Act timeline relief
  4. European Commission: Regulatory framework for AI

How this was researched. This explainer is built from the primary sources listed above and reflects Dr. Tojjar's own critical appraisal of that evidence. It explains and evaluates research and does not provide medical care.

This article is for general education and is not medical or professional advice. For guidance about your own health, talk with a qualified clinician.

Cite this article

Tojjar, D. (2026). The EU AI Act Digital Omnibus: Why the High-Risk Deadlines Moved. Dr. Damon Tojjar. https://readingtheevidence.org/articles/eu-ai-act-digital-omnibus-timeline-2026/

Back to all insights