The EU AI Act just changed. Here is what it actually means for your compliance planning.

Decision Focus GRC Intelligence Team
Jul 3, 2026

On 29 June 2026, the Council of the EU gave its final sign-off on the Digital Omnibus on AI, following the European Parliament's formal endorsement on 16 June. The regulation is now formally adopted - but not yet in force. Publication in the Official Journal is expected mid-to-late July, and the amendments enter into force on the third day after publication. Until that point, the original AI Act timeline remains the legal baseline.


If you have been tracking the EU AI Act, you will know this has been a long time coming. The original high-risk deadline of 2 August 2026 spooked a lot of compliance teams into either panic-mode preparation or a quiet hope that someone would press the pause button. The Omnibus provides that pause, but it is not a reset. The architecture of the AI Act has not moved. The risk-based framework, the Annex classifications, the penalties, the governance requirements, all intact. What has changed is the timeline for the most demanding obligations.

Here is a clear-eyed summary of what has shifted and, more importantly, what has not.


What has changed


The single biggest change is the deferral of high-risk AI system obligations under Annex III. These are the use-based categories: AI used in employment, education, access to essential services, biometric identification - and, most relevant for financial institutions, parts of insurance and creditworthiness assessment. Compliance for these systems is now required from 2 December 2027, a 16-month extension from the original August 2026 deadline.


For AI systems embedded in regulated physical products under Annex I - think medical devices, machinery, radio equipment - the deadline moves from August 2027 to August 2028, a 12-month shift.


The marking obligation under Article 50(2), which requires providers to label AI-generated content, has been given a 4-month grace period - shorter than the 6 months the Commission originally proposed. That means 2 December 2026 is the compliance date, but only for systems already placed on the market before 2 August 2026. Generative AI systems placed on the EU market from 2 August 2026 onwards must comply with Article 50(2) from the moment they are placed on the market. If you are launching a new feature this autumn, there is no grace period.

The Omnibus also introduces a material addition to Article 5, the list of prohibited AI practices. AI systems used to generate non-consensual intimate imagery (so-called "nudifier" apps) and child sexual abuse material are now explicitly banned. The prohibition turns on purpose and safeguards: it covers systems placed on the market for that purpose, and systems where such generation is reasonably foreseeable and adequate technical safeguards - judged against the state of the art - are lacking. These prohibitions take effect from 2 December 2026.


Finally, the compliance pathway for SMEs has been widened to include small mid-cap enterprises (SMCs). This reduces the documentation and penalty burden for a broader category of organisations than the original text anticipated. Two further changes matter for planning: the deadline for member states to establish national AI regulatory sandboxes moves to 2 August 2027, and the registration obligation for providers that consider their systems exempt under Article 6(3) is retained, albeit through a simplified process - a point that feeds directly into the inventory work described below. The Omnibus also extends the legal basis for processing special-category personal data for bias detection and correction: both providers and deployers, of high-risk and non-high-risk systems alike, may process Article 9 GDPR data where strictly necessary to detect and correct bias, subject to enumerated safeguards. For teams managing the AI Act/GDPR intersection, that is a provision to build into data protection assessments now.

What has not changed


The Article 50 transparency obligations for deployers take effect on 2 August 2026 as originally planned. If your organisation interacts with people through AI-driven systems - chatbots, emotion recognition, synthetic media - those users must be informed. That obligation is live in weeks, not months.


GPAI model rules (Articles 51-55) have applied since August 2025 and are untouched. If your organisation uses or deploys general-purpose AI models, your obligations in this area are already active.


The prohibition on unacceptable-risk AI (Article 5 original prohibitions) has applied since February 2025. The Omnibus adds to that list but does not dilute what is already prohibited.


The core inventory requirement remains the most practical immediate task regardless of the deferral. You still need to know what AI systems your organisation deploys, how they are classified, and which Annex they fall under. Without that inventory, the December 2027 deadline becomes a last-minute compliance exercise.


Why the deferral does not mean delay


The headline that "AI Act high-risk rules delayed 16 months" is technically accurate and practically misleading.


The reason the Omnibus was necessary in the first place is that the compliance infrastructure - harmonised standards from CEN-CENELEC, guidance from national competent authorities, conformity assessment pathways - was not ready. It still is not fully ready. The Commission has, however, published a pipeline of planned guidelines - covering the practical application of high-risk classification, provider and deployer obligations, and a template for fundamental rights impact assessments - which gives the deferral period concrete regulatory milestones. The 16 months buys time for that infrastructure to catch up. But it does not change what a well-run compliance programme needs to do.


Every organisation deploying AI in an Annex III context faces the same question in December 2027 that it faced in August 2026: can you evidence that your systems have been assessed, classified, and governed appropriately? The documentation, human oversight mechanisms, and risk management processes that underpin compliance do not get easier to build under time pressure. They get harder.


The organisations that will be in front in December 2027 are the ones that used the intervening 16 months to build the governance infrastructure, not the ones that noted the extension and moved on.

The practical implications by obligation type


For most compliance teams, the Omnibus creates 3 distinct workstreams:


Now (by 2 August 2026)

Transparency obligations under Article 50 for deployers. If your AI-powered systems interact with individuals, disclosure requirements are live. Review your customer-facing AI touchpoints, assess whether they meet the "obvious to a reasonable user" threshold, and document your position.

By 2 December 2026

Marking and synthetic content labelling under Article 50(2). Any generative AI feature delivering content into the EU must carry machine-readable metadata and UI labelling - by 2 December 2026 for systems already on the market before 2 August 2026, and from the moment of placement for anything launched after that date. For technology teams, this is a relatively short implementation window from now. It is not a long runway for organisations that have not started.

By 2 December 2027

Full high-risk Annex III compliance. This is the extended deadline. Use the time to build your AI system inventory, assign ownership, establish risk classification logic, and develop the documentation architecture. Do not treat the deferral as permission to deprioritise.


What this means for governance and risk programmes


The EU AI Act, even in its deferred form, represents a material addition to the regulatory compliance landscape for any organisation operating in the EU. For risk and compliance teams, the practical question is whether AI governance sits inside your existing GRC framework or parallel to it.


For most organisations, integrating AI governance into the existing GRC framework is generally preferable. AI risk touches multiple domains simultaneously: operational risk (what happens when a model fails), third-party risk (if you are deploying a third-party model), data privacy (particularly where Annex III systems process sensitive data), and regulatory compliance (the Act itself). Managing these in isolation produces gaps. Managing them in a connected GRC programme surfaces them.


That is the design principle behind our DP (Data Privacy) and ISMS modules, and the direction of our Decision Focus Next AI layer: not separate AI governance tooling, but AI risk embedded in the same framework as every other risk type your organisation manages. Regulators are moving toward outcomes-based oversight. Your AI governance posture needs to be audit-ready in the same way your operational resilience posture is audit-ready - documented, evidenced, and continuously maintained.


3 things to do before August 2026


If you have not already done so:

- Audit every AI system your organisation deploys or uses in an EU context and note which Annex, if any, applies

- Review customer and user-facing AI interactions against Article 50 disclosure requirements

- Assign an owner for AI Act compliance within your existing risk or compliance structure, not as a standalone workstream

The Omnibus has bought time. Whether your organisation uses it well is a governance question, not a legislative one.

 

Sources

Council of the EU, press release, “Artificial Intelligence: Council gives final green light to simplify and streamline rules”, 29 June 2026: https://www.consilium.europa.eu/en/press/press-releases/2026/06/29/artificial-intelligence-council-gives-final-green-light-to-simplify-and-streamline-rules/

European Parliament, plenary adoption of the Digital Omnibus on AI, 16 June 2026 (423 votes to 57, 174 abstentions).

European Commission, Digital Omnibus proposal, 19 November 2025.

Council of the EU, provisionally agreed compromise text, document 9247/26 (endorsing document 9034/26), 13 May 2026 - for clause-level verification pending the consolidated text.

European Commission, overview of planned AI Act guidelines: https://digital-strategy.ec.europa.eu/en/news/supporting-implementation-ai-act-clear-guidelines

[EUR-Lex Official Journal reference: to be added upon publication, expected 18–25 July 2026.]
