The EU AI Act just got its final shape. Negotiators from the European Parliament and the Council of the EU wrapped up trilogue discussions on April 28, 2026, reaching a political agreement on the Digital Omnibus on AI, the package that significantly revises the compliance timeline for high-risk AI systems.
This is a different milestone from the separate votes each institution took in March. A political agreement at the trilogue stage means Parliament and Council have negotiated a single agreed text together. Formal adoption by both institutions is now expected in July 2026, after which the revised rules have legal certainty.
What the Deal Changes
The most significant change is to the compliance deadlines for high-risk AI systems. Under the original AI Act, providers and deployers of high-risk AI had until 2 August 2026 to meet technical documentation, transparency, and risk management requirements for most categories.
The Omnibus revises that to two distinct dates depending on the type of system:
Annex III systems (standalone high-risk AI) — AI used in hiring and recruitment, education, essential services, law enforcement, border management, access to benefits, and critical infrastructure. New deadline: 2 December 2027, giving organisations an additional 16 months beyond the original date.
Annex I systems (AI embedded in regulated products) — AI built into machinery, medical devices, vehicles, toys, and other products already subject to product safety regulation. New deadline: 2 August 2028, a two-year extension.
What Has Not Changed
Not everything got pushed back. The provisions that remain on the original schedule include:
General Purpose AI (GPAI) obligations — Providers of foundation models and large language models must comply with transparency, documentation, and copyright requirements from August 2, 2026. This timeline was NOT extended by the Omnibus.
Prohibitions on unacceptable-risk AI — Systems categorised as presenting unacceptable risk (social scoring, real-time biometric surveillance in public spaces, emotion recognition in workplaces and education) remain banned from August 2026 as originally planned.
AI literacy requirements — Organisations deploying AI must take reasonable steps to ensure staff have sufficient AI literacy. No extension was applied here.
The Omnibus also formalises a ban on applications that generate non-consensual explicit imagery, closing a gap that some member states had already addressed through national legislation.
Why the Extensions Were Granted
The practical case for delay was straightforward. The conformity assessment infrastructure needed to certify high-risk AI systems was not ready. Harmonised technical standards were behind schedule. Most businesses had not yet completed the risk classification exercise required to determine whether their systems fell into regulated categories. Rushing compliance without that foundation would have produced checkbox compliance, not meaningful risk governance.
The European Parliament voted 569 to 45 in March to adopt its negotiating position, a margin that reflected broad cross-party agreement that the extensions were appropriate while preserving the core framework.
What This Means for Business
For most businesses outside the EU, the Omnibus changes the urgency calculation but not the direction of travel. If you operate in Europe, deploy AI to European users, or use AI that touches employment, education, or financial services in the EU, the high-risk category framework still applies to you.
The extensions buy time for proper preparation, not for ignoring the regulation. The businesses that will be in the strongest position by December 2027 are the ones who begin risk classification and governance work now, while standards are still being finalised, rather than scrambling against a hard deadline.
Practically, that means three things:
-
Audit your AI use by category. Map each AI system you use or deploy against the Annex I and Annex III categories. If you have systems that qualify as high-risk, document that fact and assign ownership for compliance.
-
Check your GPAI obligations. If your business uses or exposes foundation models, transparency and documentation requirements still apply from August 2026. The GPAI provisions were not extended.
-
Build AI governance infrastructure now. The compliance burden for high-risk AI is not just a documentation exercise. It requires ongoing monitoring, human oversight protocols, and incident reporting processes. Building that takes longer than most organisations expect.
If you’re building with Claude or Codex right now, grab the free Working With Claude field guide. Thirty-two pages on the full ecosystem, Claude Code in depth, and how to roll agents out properly. Get the free guide.
The Omnibus did not make the EU AI Act optional. It made the timeline more realistic. The question for every business now is whether you are using the extra time well.
Source
European Parliament