What changed

  • The big high-risk deadline moved. On 7 May 2026, EU lawmakers reached a provisional agreement on the "Digital Omnibus" that defers high-risk obligations for stand-alone Annex III systems from 2 August 2026 to 2 December 2027.
  • Product-embedded AI gets even longer. For AI embedded in regulated products covered by Annex I, the deadline moves out to 2 August 2028.
  • It is not law yet. The deal is provisional. It still needs formal adoption by the European Parliament and the Council, and is expected to be published in the Official Journal before 2 August 2026. Until then, the original dates stand.
  • 2 August 2026 is not cancelled. Transparency duties and the governance and penalty architecture remain active on that date. General-purpose AI (GPAI) model rules have been enforceable since 2 August 2025. This is a targeted delay of the high-risk regime, not a pause on the whole Act.
  • A new ban arrives. The package adds a new Article 5 prohibition on AI-generated non-consensual intimate imagery — "nudifiers" — and AI-generated child sexual abuse material.

If you have been working towards an August 2026 high-risk deadline, this is the breathing room you asked for. It is also the moment teams most often make a mistake — reading "delay" as "stand down" and quietly shelving the classification and documentation work that the extra time was meant to let them do properly. This is an update to our earlier read of the August 2026 countdown, and the headline correction is simple: the high-risk clock slipped, the transparency clock did not.

Watch out

The agreement is provisional. It has been negotiated but not formally adopted, and it only becomes binding once Parliament and Council sign it off and it lands in the Official Journal. Do not move a single internal deadline on the strength of a press release. Plan to the current law, track the adoption, and shift your dates only when the deferral is published — not when it is reported.

The deadlines, mapped: old versus new

The Digital Omnibus does not rewrite the obligations themselves — a high-risk system still needs the same risk file, documentation, logging and human oversight. What it changes is when those duties become enforceable, and only for some categories. The table below maps obligation and system type to the old deadline and the new one, so you can see at a glance what slipped and what did not.

| Obligation / system type | Old deadline | New deadline (provisional) |
|---|---|---|
| High-risk — stand-alone Annex III systems (biometrics, employment, credit scoring, etc.) | 2 Aug 2026 | 2 Dec 2027 |
| High-risk — AI embedded in regulated products (Annex I) | 2 Aug 2026 | 2 Aug 2028 |
| Transparency duties (Article 50 — chatbot, synthetic-content, deepfake labelling) | 2 Aug 2026 | Unchanged (2 Aug 2026) |
| GPAI (general-purpose AI model) rules | Enforceable since 2 Aug 2025 | Unchanged (legacy models: 2 Aug 2027) |
| Prohibited practices (Article 5 bans) | In force since 2 Feb 2025 | Unchanged — plus a new nudifier / CSAM ban |

Provisional dates reflect the 7 May 2026 political agreement on the Digital Omnibus, which is pending formal adoption by the European Parliament and the Council and expected publication in the Official Journal before 2 August 2026. Until adoption, the original 2 August 2026 dates remain operative law.

What Annex III actually covers

Annex III is the list of sensitive-use cases that the Act treats as high-risk because of where the system is deployed, not how clever it is. It is worth knowing precisely, because this is the category that just got an extra sixteen months. It covers AI used in biometrics; critical infrastructure; education and vocational training; employment, worker management and access to self-employment — which includes recruitment and CV-screening tools; access to essential private and public services, including credit scoring and creditworthiness assessment; law enforcement; and migration, asylum and border control.

If your product lands in one of those buckets, you are the team this delay was written for. A recruitment-screening model, a credit-decisioning API, a biometric verification flow — each of those would have faced the full Chapter III stack on 2 August 2026, and now has until 2 December 2027 to be ready, assuming the text is adopted. The duties themselves do not change: a documented risk-management system, technical documentation, automatic logging, meaningful human oversight, conformity assessment before market entry and registration in the EU database. You simply get more runway to build them properly rather than scrambling.

Pro tip

Use the extra runway for the work that genuinely takes time, not for delay. Classification and the documentation spine — the risk file, the technical documentation, the logging design — are the parts you cannot fake at the deadline and cannot buy off the shelf in the final fortnight. Spend the next quarter writing a one-page classification memo per product (which Annex III category you considered, why you do or do not fall in it, who signed off) and standing up the logging architecture. That is exactly the work the deferral was meant to enable, and it is the first thing an EU customer's procurement team will ask to see.

Why you should not down tools

There are three concrete reasons the responsible move is to keep working, even with December 2027 on the horizon.

First, the provisional status itself. An agreement reached by negotiators is not a regulation in force. The Digital Omnibus still has to clear formal adoption by Parliament and Council and appear in the Official Journal, and the realistic expectation is that this happens before 2 August 2026. Plans built on "it is going to be delayed" are plans built on a forecast. If anything slips in the legislative process, the original August 2026 dates are what a market-surveillance authority will hold you to.

Second, transparency and GPAI still bite this year. The Article 50 transparency duties — telling people they are talking to an AI, marking synthetic audio, image, video and text in a machine-readable format, labelling deepfakes — are not in the deferral. They remain on track for 2 August 2026. So do the governance and penalty structures. And GPAI model rules have applied since 2 August 2025, with models already on the market before that date given until 2 August 2027 to comply. If you ship a chatbot, a generative feature or build on a general-purpose model, your 2026 obligations did not move at all.

Third, classification cannot wait for the deadline. The hardest part of high-risk compliance has never been the deadline-week paperwork; it is establishing with evidence whether you are high-risk at all, and then building the documentation that proves your design choices. That work takes quarters, not weeks. A longer runway is only an advantage if you actually use it.

What this means for India and UK builders

The extraterritorial reach of the Act is the part that catches teams outside the EU off guard, and the Digital Omnibus changes none of it. If you place an AI system on the EU market, or your system's output is used in the EU, you are in scope — wherever your company is registered. So this delay is genuinely useful for builders in India and the UK, but only if they remember they were in scope to begin with.

Take a UK builder shipping a recruitment-screening tool into the EU. That product is squarely in Annex III — employment and recruitment — so on the old timeline it faced the full high-risk stack on 2 August 2026. With the deferral, it has until 2 December 2027, assuming adoption. The UK itself has not passed a single cross-economy AI law; it relies on existing regulators applying sector principles, which is a lighter regime at home but does nothing to lift the EU duties the moment that tool screens a candidate for a German employer.

Now take an Indian SaaS team selling credit-scoring AI into Europe. Credit scoring is Annex III too, so the same sixteen-month reprieve applies. India's DPDP framework governs that team's handling of personal data domestically, but DPDP is a data-protection regime, not an AI Act — it does not substitute for the EU's high-risk obligations and it does not cover them. The instant that credit-scoring model is used on an EU applicant, the AI Act is the binding standard, and the Digital Omnibus has simply moved the date by which the model must meet it.

The practical takeaway is the same for both: the breathing room is real, but the scope is unchanged. Neither the UK's lighter regulatory model nor India's DPDP regime takes a dual-market builder out of the EU AI Act. Design to the strict standard once and it travels; build to the local minimum and you will be retrofitting under time pressure in 2027.

From a verified Builder

"The teams I see get burned are the ones that treat a delay as permission to stop. We used the equivalent slack on a credit-decisioning build to do classification properly and write the logging in from the start. When the German customer's legal team came asking, we had the memo and the audit trail ready. That is what the extra time is for — not for shelving the work until 2027."

— Rishi, Verified Builder · London, United Kingdom

The new Article 5 prohibition you cannot defer

Buried under the deadline headlines is a substantive expansion of the banned-practices list. The Digital Omnibus adds a new Article 5 prohibition on AI-generated non-consensual intimate imagery — the so-called "nudifier" applications — and on AI-generated child sexual abuse material. Unlike the high-risk obligations, prohibitions are not the kind of thing you phase in over years; they sit at the top of the penalty ladder and they are designed to bite hard.

For most builders this is not a new constraint so much as a sharper one. If your generative pipeline could plausibly produce that category of output — a general-purpose image model, a face-editing feature, an avatar generator — this is a prohibition to design against now. The safest posture is the same one good teams already take: robust content filters, refusal behaviour on the obvious abuse vectors, and a documented record of the safeguards you put in place. A deferred deadline elsewhere does not buy you any slack here.

Your next-quarter checklist

The deferral resets the high-risk timeline, but it sharpens rather than removes your near-term to-do list. Work through these in order.

  1. Classify every system now. Decide, per product, whether it is prohibited, high-risk under Annex III, limited-risk under Article 50, or minimal. Write down the reasoning and have someone sign it. This does not become easier by waiting.
  2. Ship your transparency labelling for 2026. Chatbot disclosures, synthetic-content marking and deepfake labels are not deferred. If you have anything in Article 50 scope sold into the EU, that work is still on the 2 August 2026 clock.
  3. Audit your GPAI exposure. If you build on or distribute general-purpose models, the GPAI rules already apply. Confirm your provider's compliance and your own downstream obligations.
  4. Design against the new prohibition. If any pipeline could generate intimate imagery, put filters and refusals in place and document them. Prohibitions carry the steepest fines.
  5. Build the high-risk documentation spine over the runway, not at the deadline. Stand up the risk file, technical documentation and logging architecture now so the December 2027 date is comfortable rather than frantic.
  6. Track the adoption. Assign one person to watch whether the Digital Omnibus is formally adopted and published in the Official Journal, and move your high-risk dates only when it is law.

If you are weighing how all this regulatory overhead interacts with the cost of building on frontier models, our note on how Anthropic's metered agent billing changes the economics is a useful companion read, and for getting your compliance evidence trustworthy we cover running LLM-as-judge evals in production. For the primary sources here, bookmark the official EU AI Act implementation timeline at artificialintelligenceact.eu/implementation-timeline and the law-firm analysis of the Digital Omnibus at gibsondunn.com. Cross-check the binding dates against EUR-Lex once the text is published.