EU AI Act Deadlines After the Digital Omnibus: The Definitive 2026 Timeline

After the Digital Omnibus (agreed 7 May 2026), the key EU AI Act deadlines are: prohibited practices and AI literacy already apply (2 Feb 2025); GPAI model obligations apply (2 Aug 2025); governance bodies and most transparency duties (2 Aug 2026); AI-content marking/watermarking (2 Dec 2026); standalone high-risk (Annex III) obligations postponed to 2 December 2027 (was 2 Aug 2026); and high-risk AI embedded in regulated products (Annex I) on 2 August 2028.

If you read a blog post, a vendor checklist, or even a law-firm alert telling you that high-risk AI obligations apply from 2 August 2026 — it is now wrong. The Digital Omnibus deal reached by EU co-legislators on 7 May 2026 rewrote the EU AI Act timeline. The headline high-risk deadline moved by roughly 16 months, and a chunk of the internet hasn't caught up.

This page is the corrected, dated reference. Bookmark it, cite it, and check it against your own compliance plan — because planning around the old August 2026 date is now a planning error.

What the Digital Omnibus changed

The EU AI Act — Regulation (EU) 2024/1689 — entered into force on 1 August 2024 with a staged rollout. The original plan front-loaded the heaviest obligations on high-risk systems to 2 August 2026. Through 2025, regulators, industry, and member states all signalled the same problem: the harmonised standards, the technical guidance, and the conformity-assessment infrastructure simply would not be ready in time.

The Digital Omnibus on AI is the EU's response. On 7 May 2026, negotiators from the Council, the European Parliament, and the Commission reached a provisional political agreement to simplify and stagger the rollout. Crucially, the co-legislators rejected the Commission's original "conditional trigger" idea (where deadlines would move only once standards were ready) in favour of fixed calendar dates — chosen specifically to give businesses clarity and predictability.

Here's the before → after that matters most:

Two things did not move backwards: the prohibited practices that have applied since February 2025, and the GPAI model obligations live since August 2025. The Omnibus is relief on the high-risk track — it is not a reset of the whole Act. And it adds new prohibitions in Article 5 (AI-generated non-consensual intimate imagery — "nudifiers" — and AI-generated child sexual abuse material), so the obligation surface is in some respects wider, not just later.

One caveat worth stating plainly: these changes take legal effect only upon formal adoption and publication in the Official Journal, expected before 2 August 2026. The political deal is firm and the dates below are what to plan against, but the OJ publication is the moment they become black-letter law.

EU AI Act deadlines after the Omnibus — full table

This is the centerpiece. Every date reflects the post-Omnibus position. For the always-current version, see the live EU AI Act Omnibus tracker and the AI Act deadline tracker.

Note: Legalithm's staged AI Act timeline guide narrates the original phasing for context and education. Where it shows 2 Aug 2026 / 2 Aug 2027 for high-risk, the Omnibus dates in the table above govern — 2 Dec 2027 and 2 Aug 2028 respectively.

What this means for providers

If you build an AI system, the Omnibus buys you time on the high-risk track — but only if you're actually in scope and only on the standalone path. Concretely:

• Annex III high-risk providers (e.g. AI in recruitment, credit scoring, education, critical infrastructure): your hard deadline is now 2 December 2027, not August 2026. That's runway for risk management systems (Art 9), data governance (Art 10), technical documentation (Art 11), and conformity assessment — but it is runway, not a holiday.
• GPAI providers: nothing changed for you. Your obligations have been live since 2 August 2025. Documentation, copyright policy, and training-data summaries are due now.
• Generative / synthetic-media providers: the 2 December 2026 marking and watermarking obligation is the nearest new cliff. Machine-readable marking of AI-generated output is not optional, and the new Art 5 bans land the same day.

Not sure whether your system is even high-risk? Run the EU AI Act applicability checker before you spend a euro on compliance you may not owe.

What this means for deployers

If you use AI rather than build it, the picture is more nuanced. Deployer obligations for Annex III high-risk systems — including human oversight under Art 26 and the Fundamental Rights Impact Assessment (FRIA) under Art 27 — now track to 2 December 2027.

But two deployer-facing duties are not deferred:

1. AI literacy (Art 4) has applied since 2 February 2025. If your staff use AI in their work, you owe them a baseline of training and competence today.
2. Prohibited practices (Art 5) bind you regardless of role. You cannot deploy a banned system and point at the vendor.

What this means for GPAI model providers

The GPAI track is the part of the Act most people underestimate because it's already live. Since 2 August 2025, providers of general-purpose AI models have owed technical documentation, a copyright policy, and a public summary of training content (Art 53). Providers of models with systemic risk (Art 55) owe additional model evaluation, adversarial testing, and serious-incident reporting. The Omnibus did not touch any of this. If you've been waiting for "the AI Act to kick in" — for GPAI, it already did, ten months ago.

What this means for SMEs and small mid-caps

This is where the Omnibus quietly does the most for European startups. Beyond the timeline shift, it introduces proportionality relief: reduced documentation, conformity-assessment, and post-market-monitoring burdens for smaller players, with the small-mid-cap threshold set around under 750 employees and €150M turnover. It also explicitly permits processing personal data for bias detection in high-risk systems — a practical fix that previously sat in a legal grey zone.

For a startup-stage company, the message is: the heaviest high-risk obligations are 18 months out, the burden is lighter than the headline text implies, and the prohibited-practices and literacy duties you already owe are cheap to meet. The risk is not over-compliance — it's discovering in 2027 that you were in scope all along and did nothing.

What to do now

The deferral is a planning gift, not an excuse to close the file. A sane post-Omnibus sequence:

1. Confirm scope. Are you a provider, deployer, or GPAI provider — and is any system high-risk? Use the applicability checker.
2. Close the obligations that are already live. AI literacy (Art 4) and prohibited-practice screening (Art 5) are due today. If you ship generative output, plan watermarking for Dec 2026.
3. Size the exposure. Run the penalty calculator — fines reach up to €35M or 7% of global turnover, and that ceiling did not move.
4. Build the high-risk file on the new clock. Use the 2 Dec 2027 runway to do conformity assessment properly rather than in a panic.
5. Get a baseline. The free AI Act assessment maps your obligations against the current, post-Omnibus dates in minutes.

When do high-risk AI obligations apply now?

For standalone Annex III high-risk systems, the obligations apply from 2 December 2027 — postponed from the original 2 August 2026 by the Digital Omnibus. For high-risk AI embedded in regulated products under Annex I (medical devices, machinery, vehicles), the date is 2 August 2028. Any source still citing August 2026 for high-risk is out of date.

Is the "comply by August 2026" advice still correct?

No — not for high-risk systems. The 2 August 2026 high-risk deadline was moved to 2 December 2027 by the Omnibus deal of 7 May 2026. However, 2 August 2026 is still a real date for governance bodies becoming operational and most transparency duties — so the date isn't gone, it just no longer means "high-risk obligations begin."

Did the Digital Omnibus delay the whole AI Act?

No. Prohibited practices (Art 5) have applied since 2 February 2025 and GPAI model obligations (Art 53/55) since 2 August 2025 — none of that moved. The Omnibus is targeted relief on the high-risk track plus proportionality measures for smaller companies. It also added new Art 5 prohibitions (nudifiers, AI CSAM).

When are the AI watermarking / content-marking rules in force?

The transparency and marking of AI-generated content obligations under Article 50 apply from 2 December 2026. The same date brings the new bans on AI-generated non-consensual intimate imagery and AI-generated child sexual abuse material.

Are these new dates legally binding yet?

The political agreement (7 May 2026) is firm, and these are the dates to plan against. They become legally binding on formal adoption and publication in the EU Official Journal, expected before 2 August 2026. Track the status on the live Omnibus tracker.

The deadlines moved, the obligations didn't disappear, and the €35M / 7% penalty ceiling is exactly where it was. The companies that win the next 18 months are the ones who use the deferral to comply properly — not the ones who use it to forget.

Get your current, post-Omnibus obligation map in minutes with the free Legalithm AI Act assessment.