The wait is over. On June 29, 2026, the Council of the EU formally adopted the Digital Omnibus on AI Regulation at first reading, closing the legislative loop that Parliament opened with its June 17 confirmation vote. The Omnibus isn’t a proposal anymore. It’s law.
For compliance teams, the Council’s action matters because it’s the step that makes everything binding. Parliament’s vote was necessary but not sufficient, under the EU’s ordinary legislative procedure, both institutions must act. Now they have. Every deadline change, every new prohibition, and every machinery clarification in the Digital Omnibus is now operative.
What changed, and for whom
The Omnibus restructures compliance obligations across four categories, and which one applies to a given AI system determines everything about the timeline.
Standalone high-risk AI systems listed under Annex III, biometric identification tools, employment screening software, education and vocational training systems, critical infrastructure AI, get the largest reprieve. Their compliance deadline moves from August 2, 2026, to December 2, 2027, a 16-month deferral confirmed via institutional sources. Organizations that were racing toward an August deadline can now work with a December 2027 target, but the classification work still has to happen.
High-risk AI systems embedded in regulated products under Annex I, medical devices, machinery, toys, face a different timeline. According to legal analysis of the adopted Digital Omnibus text, their deadline shifts from August 2, 2027, to August 2, 2028, a 12-month extension. Manufacturers in the medical device and industrial equipment sectors get additional runway, but the underlying conformity assessment requirements don’t get simpler.
Who This Affects
A third category covers AI systems already on the EU market as of August 2, 2026, that generate synthetic content subject to Article 50 watermarking and content-labeling requirements. Those systems have until December 2, 2026 to comply, a four-month grace period per analysis of the enacted text. That window is shorter than many organizations may have assumed.
EU Member States now have until August 2, 2027, to establish at least one national AI regulatory sandbox under Article 57. That deadline is confirmed via the EU AI Act Service Desk’s implementation timeline.
Why it matters
The Council adoption isn’t just a formality, it’s the moment the regulation becomes enforceable. Every compliance program that was treating deadline changes as provisional can now treat them as fixed. The harder question, raised by the four-tier structure, is whether organizations have correctly identified which tier covers each AI system they operate or deploy. Many haven’t. The Omnibus creates a genuine classification trap: a system incorrectly categorized as Annex I embedded when it actually qualifies as Annex III standalone faces a December 2027 deadline, not August 2028, and vice versa. Getting the classification wrong in either direction creates compliance risk.
Don’t expect the grace periods to reduce the audit burden. The European Commission’s AI Act implementation guidance makes clear that documentation, risk assessments, and technical conformity work must be completed before the applicable deadline, not begun at it.
What to watch
The new prohibition on AI systems that generate non-consensual sexually explicit content, intimate imagery, or child sexual abuse material, including AI “nudification” applications, takes effect December 2, 2026, per analysis of the adopted text. Any provider operating such a system in the EU needs to have shut it down or brought it into compliance before that date. This isn’t a reporting requirement or a registration step. It’s a hard prohibition with no grace period for non-compliance after the effective date.
The machinery clarification is also now operative. AI embedded in machinery products no longer faces overlapping EU AI Act obligations on top of existing sectoral safety rules, the Omnibus clarifies that those products comply through their product-specific regulatory frameworks. Manufacturers who had been double-tracking compliance obligations across both regimes can now consolidate.
TJS synthesis
The real question isn’t whether the deadlines moved, they did, and they’re confirmed. The catch is that the four-tier structure creates a classification decision that compliance teams can’t defer. Every organization deploying or providing AI in the EU now needs to audit its portfolio against the Annex I / Annex III / Article 50 / exempt framework before it can know which deadline actually applies. The Omnibus gave the market more time; it also made the preliminary work more complex. Organizations that treat the deadline extensions as an invitation to pause are likely to find the classification audit takes longer than the extension they thought they gained.