Compliance teams have been living in a suspended state for months. The Omnibus amendment process held out a credible possibility that the August 2, 2026 deadline for high-risk AI systems under Annex III of the EU AI Act might shift, that some obligations might be deferred, that the high-risk classification criteria might be narrowed, that the compliance runway might quietly lengthen. That possibility ended on April 28.
After approximately 12 hours of trilogue negotiations, the European Parliament, the Council, and the Commission ended talks without agreement on the proposed Omnibus changes. Per Reuters reporting, the three institutions could not bridge differences on proposed simplifications to the high-risk classification framework. The EU Commission’s digital strategy page states the Act became fully applicable two years after its August 1, 2024 entry into force, August 2, 2026. No amendment in the Official Journal, no change to that date.
One more trilogue window may open in May. That possibility is real. But it doesn’t change the compliance calculus the way it might have six months ago.
The Situation as of April 30, 2026
The legal status is straightforward. The EU AI Act is in force. Annex III lists the use cases that qualify AI systems as high-risk. Providers of those systems must meet full obligations by August 2, including Article 11 technical documentation, conformity assessment, EU database registration, and post-market monitoring. These are not new requirements. They have been in the text since the Act passed. What’s new is that the last plausible mechanism for deferring them has collapsed.
According to TNW reporting, more than 40 civil society organizations had lobbied against the Omnibus proposals, characterizing them as a rollback of fundamental rights protections. Civil society opposition was one structural factor in the collapse; political disagreement between Parliament and Council on classification scope was another. The specific dynamics of the April 28 failure aren’t the compliance team’s problem. The outcome is.
The May Window: What It Can and Cannot Do
A May trilogue is possible. Whether a deal reached in May could realistically be published in the Official Journal and take legal effect before August 2 is a question legal analysts have not yet resolved with certainty. The EU legislative process requires Official Journal publication before any amendment becomes binding. The time between a political agreement and OJ publication is not instantaneous, it involves legal-linguistic review across all official EU languages, institutional sign-off, and scheduling.
This isn’t an argument that a May deal is impossible or irrelevant. It’s a constraint on how much a May deal can actually do for organizations with August 2 obligations. Even in the most optimistic scenario, any Omnibus changes would arrive with minimal implementation runway. For compliance teams, this means a May deal functions more as a signal about future obligations than as relief from current ones.
Two-Scenario Compliance Framework
The table below structures the decision space. Build your compliance program for Scenario B. If Scenario A materializes, the work you’ve done still applies, it was never wasted effort.
| Scenario A: May Deal Reached | Scenario B: No Deal Before August 2 | |
|---|---|---|
| Who is affected | Providers and deployers of Annex III systems; changes depend on what the deal modifies | All providers and deployers of Annex III systems as currently listed |
| What changes | Potentially: narrowed high-risk classifications, modified conformity assessment pathways, or extended timelines for specific categories, specific changes unknown until a deal is announced | Nothing. August 2 is the compliance date. Full Annex III obligations apply as written. |
| Recommended action | Complete your gap analysis and documentation now. If a deal modifies your classification, the work is mostly transferable. If it doesn’t, you’re compliant. | Complete your gap analysis and documentation now. There is no alternative action. |
| Key uncertainty | Whether a May deal could take legal effect before August 2, and which Annex III categories it would affect | None, the uncertainty is resolved. The date is the date. |
| Risk of waiting | High. A May announcement, if it comes, gives minimal implementation runway even if it modifies obligations. | Certain non-compliance if preparation hasn’t begun. |
The decision in both scenarios is the same: act now.
What Annex III Actually Requires
This is where abstract compliance language needs to become operational. Per the EU AI Act reference, providers of high-risk AI systems listed in Annex III must:
Article 11, Technical Documentation. Before placing a high-risk system on the market or putting it into service, providers must establish and maintain technical documentation demonstrating conformity with Act requirements. This documentation must be established before market placement, not after.
Conformity Assessment. Most Annex III systems require either internal conformity assessments or, for certain categories (notably AI systems used in biometric identification and certain critical infrastructure contexts), third-party conformity assessments. Identifying which pathway applies to your systems requires reading your specific Annex III classification against the Act’s conformity assessment provisions.
EU Database Registration. Providers and deployers must register their high-risk AI systems in the EU database before market placement. The database is operated by the EU AI Office.
Post-Market Monitoring. Providers must establish post-market monitoring systems proportionate to the nature of the AI technology and the risks of the high-risk system.
Article 27, Fundamental Rights Impact Assessments. This obligation is scoped, not universal. Deployers of certain Annex III systems, specifically those used by public authorities or in contexts affecting access to essential services, face FRIAs. If your organization is a deployer in those contexts, this is an additional obligation on top of the provider-side requirements. If you’re a provider but not a public-sector deployer, this does not automatically apply to you.
94-Day Compliance Checklist
These five actions are appropriate regardless of which political scenario materializes:
– [ ] Risk classification audit. Confirm which of your AI systems fall within Annex III use cases. This is the threshold question. If a system isn’t Annex III, the obligations below don’t apply. If it is, everything else flows from this. – [ ] Article 11 documentation gap analysis. Map your current technical documentation against Article 11 requirements. Identify gaps. Assign owners and deadlines. This workstream takes weeks, not days. – [ ] Conformity assessment pathway determination. For each Annex III system, determine whether internal conformity assessment suffices or whether a third-party notified body is required. If third-party assessment is required, the lead time to engage a notified body must be factored into your 94-day plan. – [ ] EU database registration preparation. Confirm your organization has the access and data needed to complete EU database registration. Understand what information the registration requires before you’re in the final weeks. – [ ] Article 27 FRIA scoping (for applicable deployers). If your organization deploys Annex III systems in public-authority contexts or essential-services contexts, determine whether Article 27 FRIAs are required and begin that workstream separately from provider-side compliance.
What to Watch
The May trilogue session is the only remaining political variable. Watch for: an official announcement of a May session date, any indication of the specific Annex III categories under negotiation, and, if a deal is announced, the timeline to Official Journal publication. Those three data points determine whether a May deal has any practical effect on August 2 obligations.
The demand signal worth noting: the combination of a confirmed August 2 deadline and a two-scenario environment is creating measurable interest in compliance automation tooling. Whether that market signal translates into viable solutions at the speed compliance teams need is an open question.
TJS Synthesis
The Omnibus process produced months of genuine ambiguity. The April 28 collapse resolves it, and the resolution is that the Act applies as written. The compliance teams best positioned for August 2 aren’t the ones that predicted the Omnibus would fail. They’re the ones that ran dual-track programs: Omnibus-contingent planning alongside base-case compliance preparation. If your organization ran only one track, the remaining 94 days are recoverable, but only if the workstreams that were deferred in anticipation of the Omnibus actually start this week.