ctipilot.ch

EU Digital Omnibus political agreement — AI Act high-risk Annex III compliance deadline extended to 2 December 2027

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

On 7 May 2026 the EU Parliament and Council reached provisional political agreement under the Digital Omnibus package to amend the AI Act. The headline change for operators running high-risk AI systems (Article 6(2) + Annex III: biometrics, critical infrastructure, education, employment, law enforcement, border management) is that the compliance deadline shifts from 2 August 2026 to 2 December 2027 — 16 months of additional runway. High-risk systems embedded in regulated products under Annex I (medical devices, machinery) receive even more time, to 2 August 2028. The co-legislators acknowledged that harmonised technical standards and Commission guidance required for conformity assessments do not yet exist in final form (TechPolicy.Press; Lexology / Stephenson Harwood).

For AI security teams, the cybersecurity obligations under Articles 8–15 (adversarial robustness covering prompt injection, data poisoning and model extraction; mandatory logging; CE marking; EU database registration) still apply from the revised 2 December 2027 deadline for Annex III systems. Separately, the deal adds a new prohibited practice covering AI systems generating non-consensual sexual content (including CSAM), effective 2 December 2026, and clarifies AI Office competence boundaries versus national authorities for GPAI models. Formal adoption is expected before the original 2 August 2026 deadline lapses. Swiss and EU public-sector entities deploying AI for recruitment, benefits decisions, risk scoring, or law-enforcement analytics should update compliance roadmaps but should not interpret the extension as relief from the underlying obligations.