For two years the EU AI Act was held up as the world's toughest AI law — the regulation that would finally put hard rules around high-risk artificial intelligence. In May 2026, Brussels blinked.
Through a package called the Digital Omnibus on AI, EU institutions reached a provisional political agreement to postpone the law's most consequential obligations by more than a year. The high-risk rules that were supposed to bite in August 2026 now won't apply until 2027 and 2028. It's the clearest sign yet that the gap between writing ambitious AI law and actually enforcing it is wider than regulators admitted.
What the EU AI Act was supposed to do
A quick refresher. The AI Act entered into force on 1 August 2024 as the world's first comprehensive, horizontal framework for AI. It sorts systems by risk: a thin layer of outright prohibited uses, a heavily regulated high-risk tier (recruitment, credit scoring, law enforcement, education, border control, medical devices), and lighter transparency duties for everything else.
The obligations were designed to roll out in phases:
| Date | What kicked in |
|---|---|
| 2 Feb 2025 | Prohibitions on "unacceptable-risk" AI; AI literacy duties begin |
| 2 Aug 2025 | Rules for general-purpose AI (GPAI) models; EU AI Office becomes operational |
| 2 Aug 2026 | (Original) High-risk obligations for stand-alone systems; transparency rules |
| 2 Aug 2027 | (Original) High-risk rules for AI embedded in regulated products |
The high-risk tier was always the heart of the law. That's where impact assessments, risk management, human oversight, and documentation requirements live. And that's exactly the part Brussels just pushed back.
What the Omnibus actually changed
By late 2025, implementation was visibly off track — the standards, guidance, and supervisory infrastructure needed to make the high-risk rules workable simply hadn't materialized. The Commission tabled the Digital Omnibus on 19 November 2025. A first round of trilogue talks collapsed on 28 April 2026; institutions returned and struck a provisional deal on 6 May, confirmed by member states in the Council on 13 May.
The headline changes:
High-risk obligations delayed by over a year. Stand-alone high-risk systems (Annex III — recruitment, credit, law enforcement, education) now apply from 2 December 2027. AI embedded in regulated products (Annex I — medical devices, machinery, vehicles) applies from 2 August 2028. Crucially, the agreement replaced an earlier conditional trigger with these fixed dates.
A new prohibition on "nudifiers" and CSAM. A fresh Article 5 ban targets AI that generates non-consensual intimate imagery or child sexual abuse material — and it reaches beyond tools intended for that purpose to any general-purpose image or video generator where such output is a "reasonably foreseeable and reproducible outcome" without adequate safeguards. Providers get a transitional period until 2 December 2026.
A watermarking grace period. Systems already on the market before 2 August 2026 get four extra months — until 2 December 2026 — before the Article 50(2) machine-readable watermarking duty applies.
Softened AI literacy duty. The Article 4 obligation shifts from guaranteeing a level of staff AI literacy to merely supporting its development.
A stronger EU AI Office. The office gains exclusive competence over systems built on GPAI models by the same provider, plus new powers to investigate, conduct on-site inspections, accept binding commitments, and impose fines.
The part that didn't move
Here's what businesses keep getting wrong: 2 August 2026 is still a live compliance date.
The Article 50 transparency obligations largely proceed on schedule. From that date, providers must disclose when users are interacting with an AI system and must mark AI-generated content as such. Only the watermarking sub-requirement gets the four-month grace period for legacy systems. Anyone reading "high-risk delayed" as "the AI Act is paused" is setting themselves up for a compliance miss.
Is delay a retreat — or realism?
This is where reasonable people split, and it's worth airing both cases honestly.
The case that this is a quiet retreat. Critics see a familiar pattern: write a landmark law to set the global standard, then defer the teeth once industry pushes back and the deadlines loom. Each delay erodes the law's credibility and signals that ambitious dates are negotiable. If the toughest provisions keep sliding, the "world's strictest AI law" risks becoming a framework that mostly regulates paperwork while the high-risk uses it was built to govern operate unchecked for years longer.
The case that this is responsible governance. Defenders argue a rule you can't actually implement isn't protection — it's theater. The technical standards and conformity-assessment bodies that high-risk compliance depends on weren't ready. Forcing companies to certify against standards that don't exist yet would have produced confusion and box-ticking, not safety. On this view, a deferral with fixed dates (not an open-ended pause) plus a new prohibition on some of the most harmful uses — nudifiers and CSAM — is the system working: triage the genuine harms now, give the complex machinery time to be built right.
Both readings contain truth. The Omnibus is, in the words of one legal analysis, "a deferral rather than a dismantling" — the risk-based architecture, governance structure, and core obligations all survive intact. But it is also undeniably a concession that the original timeline was aspirational.
What it means if you build or deploy AI
The smart move is to treat the extra time as runway, not reprieve.
Three practical takeaways. First, don't relax for August 2026 — the transparency duties are coming regardless, and "this is AI" disclosures plus content marking need to be in place. Second, use the 2027/2028 headroom to actually build a high-risk compliance framework; these things take longer than they look, and the dates are now fixed rather than conditional. Third, watch for formal adoption — none of the new dates legally bind until the Omnibus is published in the EU's Official Journal, expected before 2 August 2026.
The Bottom Line
The EU AI Act hasn't been gutted, but it has been humbled. Brussels has conceded that landmark legislation is the easy part and that enforcement infrastructure — standards, assessors, supervisory capacity — is what actually constrains AI, and that infrastructure wasn't ready. Whether you read the Omnibus as a sensible course correction or the first crack in the world's flagship AI law depends largely on whether the new 2027 and 2028 dates hold or become the next set of deadlines to slip. For now, the lesson for every other government drafting AI rules is sobering: writing the law is the part you can do on schedule. Making it real is not.
