Skip to main content
v2026.1714 entries · CC-BY 4.0
CASRAI

Editorial · CASRAI

Digital Omnibus AI Act: New 2027 Deadlines

The Digital Omnibus delays AI Act high-risk rules to 2027-28; sandboxes shift to Aug 2027. Here’s what still applies in 2026.

ByMCP Service
Published 3 Jul 2026· 6 minute read

The Digital Omnibus AI Act agreement, reached by EU co-legislators on 7 May 2026, postpones the AI Act’s high-risk obligations to 2 December 2027 for standalone systems and 2 August 2028 for product-embedded systems, pushes the national AI regulatory sandbox deadline from 2 August 2026 to 2 August 2027, and shortens the AI-generated-content labelling grace period to a new deadline of 2 December 2026. Prohibited-practice and general-purpose-AI (GPAI) obligations already in force are unaffected.

The Digital Omnibus on AI is the EU’s amending regulation to Regulation (EU) 2024/1689 (the AI Act) that recalibrates several implementation deadlines and simplifies selected compliance requirements without altering the Act’s underlying risk-based framework.

What Has Changed Under the Digital Omnibus?

The European Commission published its Digital Omnibus on AI proposal on 19 November 2025, and the Council presidency and European Parliament negotiators reached a provisional political agreement on 7 May 2026. The European Parliament granted final approval on 16 June 2026. As of early July 2026, formal Council adoption and publication in the Official Journal are still pending, with completion expected by 2 August 2026 — the very date the original high-risk deadline would otherwise have taken effect.

Until the amending regulation is published, the AI Act’s original text remains binding law. This is a narrow but real compliance-planning window: institutions cannot yet treat the new dates as legally settled, only as highly likely.

The package also adds a new prohibition on AI systems that generate child sexual abuse material (CSAM) or non-consensual sexually explicit content (“nudifier” apps), reinstates the EU database registration requirement for AI systems exempted from high-risk classification, and reverts a proposed relaxation on processing special category data for bias detection back to a strict-necessity test.

What Are the New AI Act Compliance Deadlines?

The revised timeline replaces the Commission’s original “standards-linked” mechanism with fixed calendar dates, giving institutions a firm planning horizon rather than a moving target tied to standardisation progress.

Obligation Original deadline New deadline Change
Standalone high-risk systems (Annex III: education access, employment/HR, credit scoring, critical infrastructure, law enforcement) 2 August 2026 2 December 2027 16-month delay
High-risk systems embedded in regulated products (Annex I: medical devices, machinery, toys) 2 August 2027 2 August 2028 12-month delay
AI-generated content labelling/watermarking (Article 50(2)) 2 August 2026 2 December 2026 Grace period cut to 4 months
National AI regulatory sandbox establishment (Article 57) 2 August 2026 2 August 2027 12-month delay
Ban on CSAM/non-consensual intimate AI content Not previously prohibited 2 December 2026 New obligation
Prohibited AI practices (Article 5) 2 February 2025 Unchanged Already in force
GPAI model obligations (Articles 53–55) 2 August 2025 Unchanged Already in force

Per the Council’s 7 May 2026 press release, “the provisional agreement also introduces a fixed timeline for the delayed application of high-risk rules: the new application dates would be 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.” The same text confirms the sandbox deadline is postponed “until 2 August 2027.”

Which AI Act Obligations Still Apply in 2026?

Despite the headline delays, several obligations remain live this year. Institutions should not read “Digital Omnibus” as “AI Act paused.” The Act’s prohibited-practice regime and its general-purpose-AI rules were untouched by the negotiations.

  • Prohibited AI practices under Article 5 (e.g. social scoring, certain biometric categorisation, manipulative systems) have applied since 2 February 2025 and remain fully enforceable.
  • GPAI model provider obligations (transparency documentation, copyright-policy summaries, systemic-risk assessment for the most capable models) have applied since 2 August 2025.
  • Most Article 50 transparency duties — informing individuals they are interacting with an AI system, or that content is AI-generated — still take effect from 2 August 2026; only the specific machine-readable watermarking sub-obligation is delayed to 2 December 2026.
  • The narrowed research exemption in Article 2(6)/(8) is unchanged: it still covers only AI systems developed for the “sole purpose” of scientific research and development, and does not extend to real-world testing outside that narrow scope — a gap industry and legal commentators flagged but the Omnibus did not close.

What Should Research Institutions Do Now?

The Annex III high-risk categories map directly onto functions many universities, funders, and research offices already run or procure: “access to education and vocational training,” and “employment-related uses” covering recruitment, performance monitoring, and promotion decisions. Any admissions-scoring tool, proctoring system, or HR-screening AI a research institution uses now has until 2 December 2027 rather than August 2026 to meet high-risk documentation, human-oversight, and conformity-assessment requirements.

That extra runway does not extend to everything an institution touches:

  • GPAI-based research tools (foundation models used in text/data mining, literature synthesis, or research-assistant products) are already subject to provider transparency obligations since August 2025 — this was not delayed and should already be reflected in procurement due diligence.
  • AI regulatory sandboxes, a route some national research funders and public research bodies planned to use for supervised testing of experimental AI tools, will not be mandatory at national level until 2 August 2027 — a year later than institutions may have budgeted for.
  • The research exemption remains narrow. Institutions running real-world pilots of AI tools (learning-analytics trials, clinical-AI validation studies) outside a controlled research-only environment should not assume blanket exemption; the classification tests apply as originally drafted.
  • AI-content labelling (Article 50(2), now due 2 December 2026) is directly relevant to scholarly publishing workflows: journals, repositories, and preprint servers using generative tools in editorial or production processes should track this date alongside their existing disclosure policies for AI-assisted content.

Research administration offices coordinating compliance calendars should treat 2 December 2027 and 2 August 2028 as the two hard deadlines for high-risk systems, while keeping the unaffected 2025-dated GPAI and prohibited-practice obligations on their existing tracker — the Digital Omnibus changes the pace of the high-risk regime, not its scope.

Answer-First Q&A

What is the timeframe for the AI Act?

The AI Act entered into force on 1 August 2024. Prohibited practices applied from 2 February 2025 and GPAI obligations from 2 August 2025. Following the Digital Omnibus, standalone high-risk systems now apply from 2 December 2027 and product-embedded high-risk systems from 2 August 2028.

When do the AI Act’s high-risk obligations now apply?

Under the provisional agreement, standalone Annex III high-risk systems (education, employment, credit, critical infrastructure) must comply by 2 December 2027. Annex I product-embedded systems (medical devices, machinery) have until 2 August 2028 — 16 and 12 months later than the AI Act’s original dates, respectively.

Does the Digital Omnibus delay the AI Act sandbox deadline?

Yes. The national AI regulatory sandbox deadline under Article 57 moves from 2 August 2026 to 2 August 2027, giving competent authorities an extra year to build supervised testing environments for innovators and public bodies.

What AI Act obligations still apply in 2026?

Prohibited practices and GPAI model obligations remain fully in force, having applied since 2025. Most Article 50 transparency duties still take effect on 2 August 2026, and the new CSAM/nudifier ban and AI-content watermarking sub-obligation both land on 2 December 2026.

What Happens Next?

The amending regulation still requires formal Council adoption and publication in the Official Journal before the new dates become legally binding, a process both the Council and independent legal analysis expect to conclude by 2 August 2026. Research institutions should build compliance calendars around the dates above now, while monitoring the Official Journal publication to confirm the fixed timeline takes definitive legal effect, and continue tracking CEN-CENELEC’s harmonised AI standards, whose slower-than-expected delivery was the stated driver for the entire postponement.

LAC

Partner Deal

LAC Health Supplies Mobile App

Referenced across the research world

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo
  • ORCID logo
  • Crossref logo

View CASRAI adoption →