On July 8, 2026, the European Parliament and the Council of the European Union signed the final act amending Regulation (EU) 2024/1689 (the AI Act) and Regulation (EU) 2018/1139 (the EASA Basic Regulation) under procedure 2025/0359(COD), known as the Digital Omnibus on AI or Omnibus VII. The Council had given its final green light on June 29, 2026, and the act is now procedure completed, awaiting publication in the Official Journal of the European Union. Once published, it will enter into force on the twentieth day after publication.
The substantive effect is a calendar reset of the central high-risk obligations of the AI Act. The general applicability date for most high-risk obligations, originally August 2, 2026, moves to December 2, 2027 for standalone high-risk AI systems listed in Annex III, and to August 2, 2028 for high-risk AI embedded in regulated products covered by Annex I (machinery, medical devices, in vitro diagnostics, vehicles, aviation, marine equipment). For every EU AI compliance lead, this is the first material amendment of the AI Act since its adoption in June 2024, and it changes the build and conformance plan for any system that was racing the August 2026 deadline.
The official source for the procedure timeline, the co-legislator references and the final act status is the European Parliament Legislative Observatory file for 2025/0359(COD). The Commission proposal is COM(2025) 0836 of November 19, 2025; the Parliament first-reading position is text T10-0198/2026 of June 16, 2026; and the Council adoption is recorded on June 29, 2026. This article unpacks what changed, who is in scope, and what to do next.
What does the Digital Omnibus VII actually change?
The omnibus is a targeted simplification, not a rewrite. It amends two existing binding EU regulations: the AI Act (Regulation (EU) 2024/1689) and the EASA Basic Regulation (Regulation (EU) 2018/1139). The political framing from both co-legislators is "simplification of the implementation of harmonised rules on artificial intelligence", and the headline legal effect is a deferral of the high-risk applicability dates, paired with limited substantive clarifications on the boundaries of the high-risk regime and on the interaction with sectoral product safety law.
The procedural anchor matters for compliance teams: the act was adopted under the ordinary legislative procedure (co-decision, Article 114 TFEU internal market legal basis), with the IMCO committee (rapporteur KOKALARI, EPP) and LIBE committee (rapporteur MCNAMARA, Renew) jointly responsible in the European Parliament. Trilogue concluded in May 2026, the Parliament voted its first-reading position on June 16, 2026, the Council adopted on June 29, 2026, and the final act was signed on July 8, 2026. Stage reached in the procedure file: "Procedure completed, awaiting publication in Official Journal."
Who has to comply, and by when?
Every provider, deployer, importer, distributor and authorised representative of an AI system placed on the EU market or whose output is used in the EU is in scope of the AI Act, regardless of where the provider is established. The omnibus does not narrow that scope. What it does is shift the dates at which the heavy high-risk obligations become enforceable, while leaving the prohibited-practices regime, the general-purpose AI (GPAI) transparency regime, and the institutional architecture (the AI Office, the AI Board, national competent authorities) on their original calendars.
Concretely, the revised applicability ladder for the high-risk regime is:
| Obligation bucket | Original applicability | Post Omnibus VII applicability | Condition |
|---|---|---|---|
| Article 5 prohibited practices (excluding intimate imagery) | February 2, 2025 (already applicable) | Unchanged, in force | None |
| Article 5 intimate imagery prohibition | February 2, 2025 | December 2, 2026 | Conditional on OJ publication before August 2, 2026 |
| Article 50(2) transparency / watermarking for AI-generated content | August 2, 2026 | December 2, 2026 | Conditional on OJ publication before August 2, 2026 |
| GPAI transparency and AI Office designation | August 2, 2025 (already applicable) | Unchanged, in force | None |
| Annex III standalone high-risk AI systems | August 2, 2026 | December 2, 2027 | Conditional on OJ publication before August 2, 2026 |
| Annex I product-embedded high-risk AI (machinery, medical devices, IVDR, vehicles, aviation, marine) | August 2, 2027 | August 2, 2028 | Conditional on OJ publication before August 2, 2026 |
The "conditional on OJ publication before August 2, 2026" tag is the legal hinge: the deferrals only bite if the omnibus is published in the Official Journal before the original August 2, 2026 applicability date. With the final act signed July 8, 2026, that condition is effectively met, but the formal trigger is the OJ publication, not the signature. Teams should track the OJ publication date in the EUR-Lex CELEX record for the final act, which will follow the signature within days.
Which AI Act obligations move, and which stay on the original calendar?
The deferral is selective. Three categories move: the Annex III standalone high-risk obligations (to December 2, 2027), the Annex I product-embedded high-risk obligations (to August 2, 2028), and two specific transparency provisions (Article 5 intimate imagery prohibition and Article 50(2) watermarking, both to December 2, 2026). Everything else, including the prohibited practices core of Article 5, the GPAI transparency and documentation duties, the GPAI Code of Practice track for models with systemic risk, and the institutional setup of the AI Office and national competent authorities, stays on its original calendar.
This selective pattern matters operationally. Providers of GPAI models still owe the Article 53 documentation and downstream-information duties that have been applicable since August 2, 2025, and providers of GPAI models with systemic risk still owe the Article 55 obligations. Deployers of emotion recognition or biometric categorisation systems still owe the Article 50 transparency duties that have been in force since August 2, 2026, except the narrower watermarking sub-provision which moves to December 2, 2026. The compliance work that was always scheduled for 2025 and early 2026 is unchanged; the omnibus buys time only for the high-risk conformity assessment, risk management system, data governance, technical documentation and post-market monitoring duties that sit on top of the high-risk classification.
What does the omnibus mean for high-risk AI system providers?
For a provider of an Annex III high-risk AI system (for example, a recruitment screening tool, a credit scoring system, a critical-infrastructure component, or an education or essential-services eligibility system), the practical effect is a 16-month extension of the build window: from August 2, 2026 to December 2, 2027. That is time to complete the conformity assessment, build the risk management system, assemble the technical documentation, stand up automatic logging and human oversight, and contract with a notified body where required. It is not time to defer the work: conformity assessment under the AI Act is a documentation-heavy, evidence-heavy process that takes 6 to 12 months for a non-trivial system, and the new deadline is still 17 months away.
For providers of Annex I product-embedded high-risk AI, the extension is from August 2, 2027 to August 2, 2028. This is the bucket that overlaps with sectoral product safety law: the Machinery Regulation, the Medical Devices Regulation (MDR), the In Vitro Diagnostics Regulation (IVDR), the Automotive Type Approval framework, and the EASA Basic Regulation. The omnibus amends the EASA Basic Regulation precisely to align its AI provisions with the new August 2028 date, which is why the Basic Regulation appears in the formal title of the act. Providers in this bucket should re-plan their conformity assessment to run in parallel with the sectoral CE marking process, not sequentially, and should expect the relevant sectoral authorities (notified bodies for MDR/IVDR, type approval authorities for automotive, EASA for aviation) to coordinate with the AI Office on the AI Act layer.
For deployers of high-risk AI (employers, banks, hospitals, public authorities), the extension equally delays the deployer-side duties: the fundamental rights impact assessment under Article 27, the human oversight duties, the registration in the public EU database for certain high-risk deployers, and the post-market monitoring duty to report serious incidents. Deployers who were building processes to meet August 2026 should keep the build running and use the extra time for institutional rollout, training and integration with existing compliance management systems.
How should AI compliance leads re-plan the next 18 months?
Four actions are now time-critical, and the extra 16 months do not remove any of them. First, re-baseline the compliance roadmap against the new December 2, 2027 and August 2, 2028 dates, and confirm that the OJ publication condition is met before treating the deferral as final. Second, inventory every in-scope AI system and classify it against the post-omnibus Annex III and Annex I lists, because the classification determines which deadline applies. Third, start or continue the conformity assessment preparation, including the technical documentation, the risk management system, the data governance evidence, and the notified body engagement for systems that require third-party conformity assessment. Fourth, monitor the secondary act pipeline: the AI Office and the Commission are still publishing implementing and delegated acts (the GPAI Code of Practice, the high-risk tiering guidance, the detailed Annex III technical standards) that fill in the operational detail of the high-risk regime, and those will land during the deferral window.
The lobbying record on procedure 2025/0359(COD) is a useful signal of where the next pressure points sit. The European Parliament transparency register for 2025/0359(COD) records meetings between the rapporteurs and shadow rapporteurs and Mistral AI, Google, the AI Chamber, noyb, European Digital Rights (EDRi), CCIA Europe, Allegro, Wolt, Inter Ikea, TIC Council, the International Federation of the Phonographic Industry, the ARD and ZDF Brussels bureaux, the European Tech Alliance, ALLAI, the European FinTech Association, and the European Federation of Engineering Consultancy Associations. That breadth of engagement, spanning AI builders, platforms, rights holders, civil society and sectoral associations, signals high stakeholder interest in how the high-risk regime and its implementing acts will be operationalised during the deferral window. The register records that the meetings took place; it does not record the positions taken, so this article does not attribute any.
What stayed unchanged that teams may have expected to move?
Three things the omnibus did not change are worth flagging, because the trade press has occasionally conflated them with the deferral. The prohibited practices core of Article 5 (subliminal manipulation, social scoring by public authorities, untargeted facial image scraping, emotion inference in workplaces and schools, biometric categorisation for sensitive attributes, and real-time remote biometric identification by public authorities) stays in force and is already enforceable. The GPAI transparency regime stays in force. And the institutional architecture, the AI Office inside the Commission, the European AI Board, the advisory forum and the scientific panel, stays in force. The omnibus is narrowly a high-risk deferral and a targeted alignment of the EASA Basic Regulation, not a wholesale pause of the AI Act.
This is exactly where continuous, per-jurisdiction monitoring earns its keep. A signal that moved from "trilogue agreement" to "Council adoption" to "final act signed" to "OJ publication" in the space of two months reshaped every EU AI compliance roadmap. Obsidian tracks that signal chain end to end, with the rulebook-aware lineage that ties each procedural step back to the specific article of the underlying regulation. The AI is a verified regulatory companion, never a substitute for the human expert who signs off the conformity assessment, but it is the fastest way to surface the change the moment a co-legislator moves. See monitoring and the AI companion page for how that works in practice, and pricing for the plan structure.
Follow this topic in real time with a free monitoring job
For the next 18 months, the checklist is straightforward. Confirm the OJ publication date in EUR-Lex the moment it lands, re-baseline every high-risk AI project plan against December 2, 2027 (Annex III) or August 2, 2028 (Annex I), keep the GPAI transparency and prohibited-practices work on its original 2025-2026 calendar, brief the product, legal, ML engineering and procurement teams on the new dates in writing, and track the AI Office implementing acts pipeline that will fill in the operational detail during the deferral window. Obsidian will keep flagging every substantive move on the AI Act and the Digital Omnibus track as it happens.