The EU delayed its AI Act deadline: what the Digital Omnibus means for AI governance everywhere

Key takeaways  Introduction: the AI compliance deadline GRC teams have been racing toward just moved  For eighteen months, “2 August 2026” has been a fixed point on the calendar for compliance, risk and AI governance teams across Europe, and well beyond. This was the date the EU AI Act’s toughest obligations, covering high-risk AI systems, were due to bite: conformity assessments, technical…

Corey Avatar
EU flags against city building

Key takeaways 

  • The Council of the EU gave final approval on 29 June 2026 to push AI Act high-risk compliance back to 2 December 2027, and to 2 August 2028 for embedded systems. 
  • Official Journal publication, which triggers entry into force, is expected within days, just weeks before the original 2 August 2026 deadline. 
  • ISACA’s 2026 AI Pulse Poll of 3,400+ digital trust professionals found only 38% of organizations have a formal AI policy, up from 28% in 2025. 
  • EDRi, Access Now, ECNL and Amnesty International warn the delay pushes back accountability for AI systems already used in health, education and employment. 
  • The Act’s extraterritorial reach means UK and US organizations placing AI systems on the EU market remain in scope regardless of the delay. 

Introduction: the AI compliance deadline GRC teams have been racing toward just moved 

For eighteen months, “2 August 2026” has been a fixed point on the calendar for compliance, risk and AI governance teams across Europe, and well beyond. This was the date the EU AI Act’s toughest obligations, covering high-risk AI systems, were due to bite: conformity assessments, technical documentation, human oversight requirements and registration in an EU-wide database, all backed by fines of up to €15 million or 3% of global annual turnover for high-risk non-compliance, whichever is higher. 

That date has now moved. On 29 June 2026, the Council of the European Union gave its final approval to the Digital Omnibus on AI, following the European Parliament’s endorsement two weeks earlier. Formal publication in the EU’s Official Journal, the step that brings the change into force, is expected imminently. For any organization that has spent the last year building toward an August deadline, the practical question changes from “are we ready?” to “what do we do with the extra time?” 

What changed for GRC teams under the Digital Omnibus on AI, and when 

The headline change is straightforward. Obligations for high-risk AI systems under the AI Act (covering Annex III use cases such as AI in recruitment, credit scoring, law enforcement and critical infrastructure) are deferred from 2 August 2026 to 2 December 2027 for stand-alone systems. For AI embedded in products already regulated under EU harmonization law, such as machinery and medical devices, the deadline moves further still, to 2 August 2028. 

Not everything has shifted. Prohibited AI practices and the AI Act’s transparency duties, including labeling requirements for AI-generated content, remain on their original timetable. So do the rules governing general-purpose AI models. Henna Virkkunen, the European Commission’s Executive Vice-President for Tech Sovereignty, Security and Democracy, framed the change as a balancing act

“Our businesses and citizens want two things from AI rules. They want to be able to innovate and feel safe. Today’s agreement does both. With simpler and innovation-friendly rules, we make it easier to innovate without lowering the bar on safety.” 

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, European Commission 

For GRC teams, the changes mean that a project plan built around a single deadline now needs rebuilding around several, not shelving. 

Why a longer runway doesn’t mean less urgency for governance professionals 

The risk here is not the delay itself. It’s what organizations do with it. ISACA’s 2026 AI Pulse Poll, a global survey of more than 3,400 digital trust professionals across IT audit, governance, cybersecurity, privacy and emerging technology roles, found that: 

  • Only 38% of organizations have a formal, comprehensive AI policy in place (up from 28% in 2025).  
  • Just 38% of professionals said they were confident in their board’s understanding of AI risk.  
  • 45% named AI risk an immediate priority.  
  • Over half (56%) did not know how long it would take to halt an AI system in the event of a security incident. 

Those figures make a compelling case that the market is not yet at governance maturity. An extra 16 to 24 months of runway is genuinely useful … but only if it is actively used to close that gap. The AI Act cannot simply be filed away as next year’s problem, particularly when, according to Baringa Partners:  

“For every £1,000 invested in AI, only 20p (0.02%) is invested in governance. This compares to data privacy technology that has 5-10% governance investment spend.”  

 Baringa Partners

Not everyone welcomes the extra time. EDRi, Access Now, the European Center for Not-for-Profit Law and Amnesty International argued jointly that the delay has real consequences for the people the AI Act was designed to protect: 

“Delaying safeguards is not a neutral administrative step. It delays accountability and extends the period in which people affected by AI systems lack the protections the AI Act was supposed to provide.” 

Joint statement from EDRiAccess NowECNL and Amnesty International.  

That critique is useful guidance for GRC leaders. It’s a reminder that the underlying risks in AI systems used in hiring, health, education and financial services have not gone anywhere. Only the regulatory backstop has moved. 

How does the delay change compliance for UK and US organizations? 

The AI Act was never a purely European story, and the delay doesn’t change that. The regulation applies to any organization that places an AI system on the EU market or whose AI outputs are used by people in the EU, regardless of where that organization is headquartered. 

A UK company selling AI-enabled software or services into the EU, or processing the data of EU users through an AI system, remains in scope on the new timetable of December 2027 and August 2028. That sits alongside a UK domestic approach that is deliberately different in shape: rather than a single AI law, the UK continues to lean on existing regulators, including the ICO, FCA and CMA, applying existing powers to AI within their own sectors. The government’s new advisory AI Growth Lab, launched on 8 June 2026 with legal services as its first sector, lets firms test AI applications under regulatory supervision without changing the underlying rules. UK organizations with any EU-facing AI activity will need to track two governance clocks rather than one, with different logic behind each. 

US organizations face the same extraterritorial reach. A US company with no EU office, staff or servers can still fall within the AI Act’s scope if its AI system is placed on the EU market or its outputs affect people there. As leading international law firm Morgan Lewis, advising clients on the EU AI Act changes, says: 

“We would suggest that businesses treat these developments primarily as an extension of time to complete their AI Act compliance efforts, rather than as a material relaxation of the underlying obligations as such.” 

Vishnu Shankar and Katherine Gibson, Partners, Morgan Lewis 

For US teams, that means the priority stays the same: map which AI systems reach the EU market, classify them against the Act’s risk tiers, and build the governance evidence to back that classification up. The delay buys time to do that work properly. It doesn’t remove the need to do it. 

In a previous news and insights piece, we outlined what the USA’s fragmented legal landscape regarding AI means for businesses: “AI obligations in the US are emerging through laws and regulators that long pre-date the technology. Federal agencies such as the Federal Trade Commission, the Department of Justice, financial supervisors and healthcare authorities are applying existing statutes to AI systems. When harm occurs, they do not wait for a bespoke AI law, as they might in the EU. They use the rulebook they already have” 

Building an AI governance program that survives the next regulatory change 

The practical lesson of the Digital Omnibus is that AI regulation is not going to sit still. Between the original AI Act, the Omnibus amendments, the UK’s sector-led approach and the parallel debate over US federal AI legislation, the compliance target has already moved more than once. A governance program built to hit one fixed date is fragile by design. One built around ongoing visibility, clear ownership and evidence that can be updated as rules change, is not. 

As Paul Cadwallader, GRC Strategy Director at CoreStream GRC, puts it:  

“A regulatory delay is not a reason to stand down. It’s a chance to build AI governance that means something, rather than a policy that only gets tested when a regulator finally asks to see it. Organizations that use this extra runway to connect their AI inventory, their risk assessments and their board reporting into one picture will be in a completely different position in December 2027 than the ones who simply filed the old deadline away. Taking the value-based approach to risk and compliance is always our recommendation.” 

Paul Cadwallader, GRC Strategy Director, CoreStream GRC 

How can risk and compliance leaders prepare for the AI Act? 

Create an AI inventory 

The starting point is a clear AI inventory. Identify where AI is being used across the organization, who owns each system, what data it draws on, what decisions it supports, and whether it could fall into a high-risk category under the Act’s Annex III. This exercise alone often surfaces AI tools adopted by individual teams outside formal procurement or IT oversight, the shadow AI that never made it onto anyone’s risk register. 

Classify each AI system against the AI Act’s risk tiers 

Once that inventory exists, classify each system against the AI Act’s risk tiers rather than treating “AI risk” as one undifferentiated category. Prohibited practices and the rules for general-purpose AI models are already enforceable and untouched by the delay, so this classification work cannot wait for the high-risk deadlines to get closer. Getting it right early avoids expensive rework later. 

Build the required governance evidence 

For systems that do fall into a high-risk category, use the extra time to build the governance evidence behind them: documented risk management processes, human oversight arrangements, technical documentation and training records. Regulators, customers and partners will expect this evidence ready and auditable, not assembled in a rush against a fixed date. 

Connect to board-level reporting and track 

Finally, connect that evidence to board-level reporting and keep watching how the rules themselves continue to move. With UK regulators taking their own sector-led approach and US obligations emerging through existing statutes rather than a single law, AI governance now needs to track several regulatory timetables at once, not just the EU’s. 

Policy Management solution download

Keep on top of your GRC timetable, even when it moves 

CoreStream GRC helps organizations bring AI governance, risk and compliance activity into a single connected view, rather than tracking AI inventories, risk assessments, policies and regulatory deadlines across separate spreadsheets and systems. That means, when a regulatory timetable or deadline moves, teams can quickly see what has changed, who owns it and what evidence already exists. 

Similarly, where organizations are seeking leading AI that’s governed as a strategic capability, Baringa Partners recommends having risk, compliance and technology operating in a single ecosystem to enable innovation and better accountability.  

Keep the learning going, discover our news insights on what happens when your preferred AI model is suddenly shut off.  

Frequently asked questions about the EU AI Act delay 

What did the Digital Omnibus on AI actually change? 

It delayed the AI Act’s high-risk system obligations from 2 August 2026 to 2 December 2027 for stand-alone systems, and to 2 August 2028 for AI embedded in regulated products. Prohibited AI practices, transparency duties and general-purpose AI model rules are unaffected and remain on their original timetable. 

What counts as a high-risk AI system under the EU AI Act? 

High-risk AI systems include AI used in areas such as recruitment, education, credit scoring, law enforcement, critical infrastructure, and access to essential public or private services. 

What should organizations do first to prepare for AI Act compliance? 

The first step is to build a clear AI inventory: identify where AI is being used, who owns each system, what data it uses, what decisions it supports, and whether it could fall into a high-risk category. 

Does the delay mean UK and US organizations no longer need to worry about the AI Act? 

No. The AI Act applies to any organization placing an AI system on the EU market, or whose AI outputs affect people in the EU, regardless of where that organization is based. UK and US businesses with EU-facing AI activity remain in scope on the new timetable, and should use the extra time to confirm which of their AI systems are caught and how each is classified, rather than treating the delay as a reason to deprioritize that work. 

Why are civil society groups critical of the delay if it gives businesses more time? 

Groups including EDRi and Access Now argue that delaying safeguards delays accountability for AI systems already used in sensitive areas such as health, education and employment, extending the period before affected people have the AI Act’s protections. 

What should GRC and compliance teams do differently now? 

Rebuild AI governance project plans around the new dates without treating the extra time as reduced urgency. ISACA’s 2026 research found only 38% of organizations have a formal AI policy, so the priority is closing that gap: building a complete AI inventory, classifying systems against the Act’s risk categories, and connecting AI risk to board-level reporting well before the new December 2027 and August 2028 deadlines arrive.

  • UK Corporate Governance Code

    UK Corporate Governance Code

    What is the UK Corporate Governance Code? The UK Corporate Governance Code is the Financial Reporting Council’s corporate governance framework for listed companies in the UK. It sets out principles and provisions covering board leadership, company purpose, division of responsibilities, board composition, succession, evaluation, audit, risk, internal control, and remuneration. The Financial Reporting Council explains…

  • AI governance

    AI governance

    What is AI governance? AI governance is the system an organization uses to direct, oversee, control, and evidence the way artificial intelligence is developed, bought, deployed, monitored, and used. It covers who can approve AI use, what risks need to be assessed, what data can be used, how outputs are reviewed, how decisions are documented,…

  • The EU delayed its AI Act deadline: what the Digital Omnibus means for AI governance everywhere

    The EU delayed its AI Act deadline: what the Digital Omnibus means for AI governance everywhere

    Key takeaways  Introduction: the AI compliance deadline GRC teams have been racing toward just moved  For eighteen months, “2 August 2026” has been a fixed point on the calendar for compliance, risk and AI governance teams across Europe, and well beyond. This was the date the EU AI Act’s toughest obligations, covering high-risk AI systems, were due to bite: conformity assessments, technical…