The original EU AI Act compliance calendar was hard enough. A single August 2026 date anchored most planning efforts for Annex III stand-alone high-risk systems, employment AI, biometric identification, education tools, law enforcement applications. That date is gone. Under the provisionally agreed Digital Omnibus on AI, which is based on Council Document 9247/26 and whose formal consolidated text is still pending official publication, the Annex III deadline moved to December 2, 2027. That’s a 16-month extension. It sounds like relief. The compliance architecture it creates is more demanding, not less.
Here’s the problem: the extension didn’t reduce the number of deadlines. It added sequencing complexity. Four distinct compliance obligations now fall at four different dates across a 26-month window, covering different entity types, different technical requirements, and different regulatory tracks. Running them in parallel, while planning against provisional agreement terms that haven’t yet been formally enacted, is the compliance challenge that most coverage of the Digital Omnibus has underplayed.
Section 1: What the Digital Omnibus Changed
The provisional Digital Omnibus on AI revised four deadlines from their original EU AI Act positions. The table below shows the shift:
Original → Revised Deadline Comparison
Article 50(2) watermarking and synthetic content disclosure obligations: original deadline August 2, 2026; revised to December 2, 2026. That’s a four-month compression from what was already a short runway. Providers of AI systems that generate or manipulate synthetic content, images, video, audio, text, who placed those systems on the EU market before August 2, 2026, now have until December 2, 2026, to comply. The grace period shrank from six months to three.
National AI regulatory sandboxes: original deadline August 2, 2026; revised to August 2, 2027. This is a member state obligation. EU member states that had planned sandbox establishment programs for 2026 now have a full-year extension, which has planning implications for companies seeking regulatory engagement or conformity assessment support through national sandbox mechanisms.
Annex III stand-alone high-risk AI system compliance: original deadline August 2, 2026; revised to December 2, 2027. The 16-month extension is the headline number, but it covers the broadest category of affected organizations, deployers and providers of employment AI, biometric identification systems, credit scoring tools, education and vocational training applications, and law enforcement AI. Per the European Commission’s Article 6(5) guidelines package, the classification methodology for these stand-alone systems is exactly what’s under public consultation right now.
Annex I product-regulated high-risk AI system compliance: original deadline August 2, 2027; revised to August 2, 2028. Providers of AI systems that function as safety components within products already subject to EU harmonisation legislation, medical devices, machinery, civil aviation equipment, vehicles, now have until August 2028. The longer runway reflects the additional conformity assessment complexity for product-integrated systems.
An important limitation to state directly: the full, consolidated text of the Digital Omnibus on AI has not yet been formally published. All four deadline dates above are drawn from provisional agreement reporting and Council Document 9247/26 cross-references. Compliance planning should proceed against these terms, but the formal text should be verified upon publication before finalizing program documentation.
Section 2: Two Classification Tracks, Annex I vs. Annex III
The deadline structure reflects two fundamentally different compliance tracks, and organizations need to know which one applies before they can plan to any of the four dates above.
Annex I covers AI systems used as safety components in products already regulated under EU harmonisation legislation, the Machinery Regulation, the Medical Device Regulation, the Radio Equipment Directive, and comparable frameworks. If your AI system is embedded in a product that already goes through EU conformity assessment, you’re on the Annex I track. Your compliance deadline is August 2, 2028.
Annex III covers stand-alone AI system use cases that the EU AI Act identifies as inherently higher risk due to their domain of application. Eight categories are enumerated under Annex III. The ones that generate the most compliance traffic for enterprise organizations are Article 6(2)(a) through (d): biometric identification and categorization systems; systems used in critical infrastructure management; educational and vocational training tools that determine access or assess performance; and employment, recruitment, and HR management systems.
The employment and HR category deserves specific attention. The Article 6(5) guidelines provide practical examples specifically treating recruitment and human resource management systems, tools that screen candidates, rank applicants, evaluate performance, or influence employment decisions. The examples are non-exhaustive by design. The Commission is providing a methodology, not a closed list. That distinction matters enormously: an AI system not named in the practical examples isn’t necessarily outside Annex III. It has to be assessed against the methodology. Legal analysis from Debevoise & Plimpton confirms that the Article 6(5) guidelines’ methodology overview is the operative reference for this classification determination.
Timeline
Verification
Partial European Commission T1 source + provisional Council Document 9247/26 Formal consolidated Digital Omnibus text pending official publication, deadline dates are provisional agreement terms, not yet enacted lawThe Article 6(5) guidelines’ three-document structure reflects this division: a methodology overview applicable to both tracks, an Article 6(1) section for Annex I product-safety-regulated systems, and an Article 6(2) section for Annex III stand-alone use cases. Start with the methodology overview. Then go to the section that matches your track.
Section 3: The Consultation Window, Why It Matters for Planning
The classification methodology isn’t final. That’s the point.
The Article 6(5) guidelines published May 19, 2026, are draft guidelines open for public comment through June 23, 2026. The Commission will review submissions and adopt a final version after the consultation closes. The final guidelines are the document that conformity assessment bodies and national supervisory authorities will reference when evaluating whether an organization has correctly classified its AI systems.
Getting the classification wrong has consequences. An organization that concludes its system doesn’t fall under Annex III, and therefore doesn’t build the required compliance program, based on a misreading of the draft guidelines could find itself out of compliance when the final guidelines apply a stricter interpretation to the same use case.
The consultation window is the mechanism for reducing that risk. If the practical examples in the current draft create ambiguity about how your system category will be treated, submitting feedback to the Commission before June 23 puts your interpretation on the record and can directly influence how the final guidelines handle that ambiguity. Organizations operating HR AI, biometric systems, and law enforcement tools should prioritize this review now.
Section 4: Compliance Sequencing by Deadline
Four deadlines in sequence. Here’s what each one requires, who it covers, and what must begin now to meet it.
December 2, 2026, Article 50(2) Watermarking and Synthetic Content Disclosure
Who it covers: providers of AI systems that generate or manipulate images, audio, video, or text in ways that could deceive users about the synthetic nature of the content. Systems placed on the EU market before August 2, 2026 have until December 2, 2026, under the provisional Digital Omnibus terms. What must be built: technical mechanisms for content labeling and disclosure at the point of generation. This is the most immediate deadline in the revised calendar. If your organization generates synthetic media at scale, this compliance program needs to be in execution now.
August 2, 2027, National AI Regulatory Sandboxes
Who it covers: EU member states, not private organizations directly. But companies planning to use regulatory sandboxes for pre-market validation or conformity assessment support should understand which member states are on track for August 2027 and factor sandbox availability into their Annex III compliance planning.
December 2, 2027, Annex III Stand-alone HRAIS Compliance
Who This Affects
What to Watch
Unanswered Questions
- How will the Article 6(5) methodology treat AI systems that span both Annex I product categories and Annex III stand-alone use cases?
- What evidence of consultation engagement, if any, will conformity assessment bodies treat as favorable during audits?
- How will the Commission handle practical examples for use cases not addressed in the current draft guidelines?
Who it covers: deployers and providers of stand-alone high-risk AI systems in employment, biometrics, credit scoring, education, and law enforcement. What compliance by December 2027 requires: completed high-risk classification determination (using the final Article 6(5) guidelines once published), risk management system documentation, technical documentation package, data governance records, logging and traceability mechanisms, transparency and human oversight provisions, and registration in the EU AI Act database. None of these are rapid deliverables. A compliance program targeting December 2, 2027 needs to begin classification work in 2026, starting with the Article 6(5) guidelines now in consultation.
August 2, 2028, Annex I Product-Regulated HRAIS Compliance
Who it covers: providers of AI systems embedded in products subject to EU harmonisation legislation. The longer runway reflects the more complex conformity pathway, these systems typically require third-party conformity assessment because they’re safety components. Don’t treat August 2028 as distant. Product conformity assessment processes routinely take 12–18 months. The runway is appropriate, not generous.
Section 5: What to Do Now, Action Items by Stakeholder Type
For Annex III deployers (employment AI, biometric systems, education tools): Complete your preliminary classification determination using the draft Article 6(5) guidelines. Flag any systems for which the practical examples create ambiguity and submit consultation feedback before June 23. Begin scoping the documentation requirements for a December 2027 compliance program, the requirements are established; the 16-month extension gives you more runway, not a reason to defer scoping.
For Annex I integrators (product-safety-regulated AI): Determine which of your product categories trigger overlap with EU harmonisation legislation and whether AI components in those products function as safety components under the relevant directive or regulation. Identify your notified body and begin the conformity assessment engagement timeline now, given the 12–18 month process window typical for third-party assessments.
For synthetic content providers (Article 50(2)): December 2, 2026, is six months away. Your content labeling and disclosure technical implementation needs to be in progress, not in planning.
For all EU AI Act entities: Monitor formal publication of the Digital Omnibus consolidated text. Planning against provisional terms is appropriate and necessary now. But your formal compliance documentation should reference the enacted text once it publishes. Build in a review checkpoint for that publication event.
TJS synthesis
The real compliance risk in the Digital Omnibus revision isn’t the extended deadlines – it’s the sequencing trap. Organizations that take the Annex III extension as a signal to reduce urgency in 2026 will discover in early 2027 that classification determination, documentation scoping, and conformity assessment preparation each require lead time that the revised calendar doesn’t accommodate if work starts late. The Article 6(5) final guidelines, being shaped by this consultation right now, are the foundation document for all of that work. Every month of delay in engaging with those guidelines is a month of lead time consumed before the compliance program formally starts. The organizations that submit consultation feedback in the next 32 days, anchor their classification work to the final guidelines as soon as they publish, and sequence documentation work against the December 2027 date are the ones that won’t be scrambling in mid-2027. Expect the Commission to publish the final guidelines in Q3 2026, and expect the window between final publication and the December 2027 deadline to feel shorter than it looks today.