The EU AI Act Digital Omnibus: the high-risk delay is real, and the 2 August 2026 obligations it leaves standing are not what most enterprises think
On 7 May 2026 the European Parliament and Council reached a provisional political agreement on the Digital Omnibus, which postpones the EU AI Act's high-risk obligations to 2 December 2027 for standalone systems and 2 August 2028 for embedded systems. The trade-press framing is delay. The deployer framing is narrower. The agreement also postpones the provider watermarking duty to 2 December 2026, but it leaves the deployer transparency obligations applicable from 2 August 2026 and leaves the GPAI obligations, the governance regime, the prohibited practices, and the AI literacy duty exactly where they already are. The enterprise that reads delay as a reason to stand the programme down is reading the wrong half of the agreement.
Holding · reviewed 28 May 2026 · next +89d

On 7 May 2026 the European Parliament and the Council of the European Union reached a provisional political agreement on the Digital Omnibus, the simplification package the European Commission proposed on 19 November 2025 to amend and streamline the AI Act (Council of the EU, Artificial intelligence: Council and Parliament agree to simplify and streamline rules, 7 May 2026). The headline that travelled fastest was the delay: the high-risk obligations everyone had been pointing at for 2 August 2026 are moving out by more than a year.
The headline is correct. It is also the half of the agreement that matters least to most enterprises.
What moved
The agreement postpones the obligations for high-risk AI systems and gives them fixed revised dates: 2 December 2027 for standalone high-risk systems under Annex III, and 2 August 2028 for high-risk systems embedded in regulated products under Annex I. These are the heaviest obligations in the Act. For each high-risk system, a provider has to stand up a risk-management system, data governance, technical documentation, event logging, human oversight, accuracy and cybersecurity measures, a quality-management system, and a conformity assessment. The stated justification for the delay was legal certainty and the time needed for the supporting harmonised standards and tooling to mature, not a judgement that the obligations are excessive (White & Case, EU agrees Digital Omnibus deal to simplify AI rules).
One provider transparency duty moved with it. The Article 50(2) obligation on providers to mark AI-generated output in a machine-readable format is postponed to 2 December 2026, a shorter delay than the six months originally floated. The wider package reduces administrative burden, notably through a new small mid-cap enterprise category, and tries to avoid double-regulation by channelling AI Act compliance through frameworks that already exist (Taylor Wessing, The EU Digital Omnibus on AI).
The package also adds one obligation rather than removing it: a new prohibited practice covering AI systems used to generate non-consensual intimate or sexual content, including child sexual abuse material, applicable from 2 December 2026.
What did not move
Everything an enterprise running generative and agentic AI is most likely to be touched by first.
The deployer transparency obligations under Article 50 still apply from 2 August 2026. A deployer that uses AI to generate or manipulate image, audio, or video constituting a deepfake has to disclose that the content is artificially generated. A deployer of an emotion-recognition or biometric-categorisation system has to inform the people exposed to it. These are not high-risk obligations; they sit in a separate transparency chapter that reaches a far broader population of systems than the high-risk classification does.
The GPAI obligations and the governance regime have applied since 2 August 2025. The prohibited practices and the Article 4 AI literacy duty have applied since 2 February 2025. The AI Office’s role was strengthened rather than weakened in the compromise. And the penalty ceiling that backs the whole regime, up to 35 million euros or 7% of global turnover, is unchanged.
Why the delay is not a reprieve
The mechanism is simple and it is the part the delay headline obscures. The part of the Act that was postponed and the part that bites the typical enterprise first are different parts.
High-risk conformity is the heaviest obligation, but it applies to a defined and relatively narrow set of systems. The Article 50 deployer transparency duties, by contrast, reach the much larger surface of generative and agentic AI that an enterprise has already deployed across marketing, customer service, HR, and internal tooling, almost none of which is classified high-risk. That surface did not get a delay. Neither did the GPAI and governance regime the enterprise is already inside, nor the AI literacy duty it has been subject to since February 2025 and that many programmes have still not operationalised.
An enterprise that mapped its AI Act programme to a single 2 August 2026 cliff edge now has to reconcile two facts at once. The heaviest obligation moved out by 16 to 24 months. The obligation that touches the most systems did not move at all. Reading the first fact as permission to slow the whole programme is how a deployer arrives at 2 August 2026 out of compliance on the transparency duties while congratulating itself on the high-risk reprieve it was entitled to ignore.
The provisional caveat
The 7 May 2026 agreement is a provisional political compromise, not adopted law. It still requires formal approval by the Parliament and the Council, and the final text can differ from the compromise. The defensible posture is to plan to the agreed revised dates, because they are the best available signal, while treating formal adoption as a live trigger that could change them. The detailed reading of the provisional compromise published by the law firms tracking it (Dentons, The Digital Omnibus on AI: a short guide to the provisional compromise) is the right level of detail for a programme owner who needs to brief a board on what is and is not settled.
The IT leadership agenda before 2 August 2026
Three actions are tractable in the window that remains.
The first is the deployer-transparency pass. Inventory every place the enterprise uses AI to generate or manipulate content that a person will see, and every emotion-recognition or biometric-categorisation system in use, and confirm the Article 50 disclosure is in place before 2 August 2026. This is the obligation that did not move and the one most programmes deferred behind the high-risk work. The publication’s Article 50 transparency analysis is the detailed version of this pass.
The second is the re-timing of the high-risk budget rather than its cancellation. Keep the high-risk inventory and gap analysis live, because the systems in scope have not changed, only the deadline. Slow the capital spend on conformity tooling until the harmonised standards the assessment will reference stabilise, and document the re-timing decision so the audit committee sees a deliberate plan rather than a quiet slip. The high-risk readiness budget piece is the planning baseline the new dates re-time.
The third is the AI literacy duty, in force since February 2025 and the cheapest of the obligations to close. A documented programme of AI literacy for the staff who operate AI systems is an obligation many enterprises have not evidenced, and it is the kind of gap a competent authority can probe without a complex investigation.
The reading to leave with the CIO and the general counsel is short. The Digital Omnibus moved the heaviest obligation and left the broadest one standing. The programme that treats 7 May 2026 as a reason to slow down has read the press release; the programme that treats it as a re-timing of the heavy work and a sharpening of the near-term transparency work has read the agreement.
Related reading
For the obligation that did not move, see the Article 50 transparency-disclosure analysis. For the high-risk readiness budget the new dates re-time, see the EU AI Act high-risk readiness budget. For the broader caution that enforcement priorities set practical scope as much as the dates do, see what the corpus says about the 90-day enforcement window and vendor MSA renewal in the post-enforcement window.
The operators-section sibling, oriented to solo founders and small businesses that are deployers rather than providers, is at OPS-080.