Sixty-six days.
That’s how long compliance teams have before the date that legal analysts say may determine whether their organization enters the EU market with grandfathering protection, or without it. The European Commission’s Digital Omnibus on AI extended the standalone high-risk enforcement deadline from August 2, 2026, to December 2, 2027. Most compliance coverage treated that as an 18-month gift. The catch, identified in legal analysis published this week by Gibson Dunn and commentary in The Lens, is that the gift may have a fine-print condition that most organizations haven’t read.
What the original framework was built to do
The August 2, 2026 date wasn’t just an enforcement deadline. It was a market-entry reference point built into the EU AI Act’s transitional framework. Systems that were already placed on the EU market before that date would be evaluated under a grandfathering mechanism, the practical recognition that companies can’t retroactively redesign systems that were already in commercial deployment when the rules went live.
The logic was clean. If your system was on the market before the compliance clock started, you’d get a defined runway to conform. If you entered after, you’d be entering into a regime where the obligations were already live and you’d be expected to meet them.
The Omnibus, passed to simplify compliance and extend timelines for SMEs and the broader industry, moved the enforcement deadline for standalone high-risk AI systems (Article 6(2), Annex III) 16 months forward. It also moved the embedded high-risk deadline, AI integrated as safety components into products subject to Union harmonisation legislation under Article 6(1), Annex I, covering medical devices, machinery, aviation components, from August 2, 2027, to August 2, 2028.
Where the gap lives
According to legal analysis published in The Lens on May 27, 2026, the Omnibus extended the enforcement deadlines without explicitly extending the grandfathering cutoff to match. If that reading holds, the August 2, 2026 market-entry date remains the dividing line for grandfathering eligibility, even though the enforcement deadline has moved to December 2, 2027.
The consequence is a 16-month window, August 2, 2026, through December 2, 2027, during which an organization could place a high-risk AI system on the EU market and face full Annex III compliance obligations without the benefit of the grandfathering runway. They’d be entering the market under active enforcement requirements with no transitional protection.
This interpretation hasn’t been confirmed by the European Commission. It is legal analysis, not regulatory fact, and should be treated accordingly. The Gibson Dunn client alert published May 27 frames this as a planning risk, not a confirmed outcome. The distinction matters: organizations that adjust strategy based on an unconfirmed legal interpretation are making a judgment call. Organizations that ignore the analysis entirely are also making a judgment call.
Which organizations are exposed
Who This Affects
Unanswered Questions
- Has the European Commission confirmed, or denied, that the Omnibus delay extended the grandfathering cutoff date beyond August 2, 2026?
- Will Article 6 compliance obligation guidance (separate from classification guidance) be published before December 2, 2027?
- Which EU member state enforcement authorities are likely to issue early interpretive positions on market-entry grandfathering eligibility?
The exposure is defined by product roadmap, not by sector. The organizations facing the highest planning risk share a specific profile: they have a high-risk AI system (Annex III category, biometrics, employment screening, educational assessment, creditworthiness evaluation, essential services, or law enforcement) that is currently in development or late-stage testing, with an EU market entry timeline projected between Q3 2026 and Q4 2027.
Six months from EU launch. Twelve months. Eighteen months. These are the organizations the grandfathering gap analysis directly addresses. They aren’t noncompliant today. They’re building timelines that assumed the Omnibus delay applied equally to all transitional protections, and that assumption is now contested.
Embedded high-risk AI follows a different trajectory. The relevant deadline for Article 6(1), Annex I systems, AI integrated into medical devices, industrial machinery, toys, lifts, and aviation equipment subject to third-party conformity assessment, moved to August 2, 2028. The original date was August 2, 2027. The same grandfathering logic applies: organizations launching embedded high-risk AI after the original August 2027 date (in a market-entry window before August 2028) face the same analytical question on a one-year-later timeline.
What the draft guidelines do and don’t address
The 167-page Article 6 consultation document published May 19 covers classification scope, how to determine whether a system is high-risk in the first place. It focuses heavily on biometrics, employment and recruitment, and creditworthiness domains. CMS Law’s analysis notes the guidelines address what Article 6 covers, not what the obligations are for providers and deployers once classified. Those obligations appear in separate guidance the Commission hasn’t published yet.
That’s a critical distinction for organizations trying to understand their full compliance position. Classification guidance and compliance obligation guidance are different instruments. An organization can now read 167 pages of draft text on whether their system is high-risk and still not have official guidance on what specific documentation, testing, and audit requirements they’d face if it is. The public consultation closes June 23, 2026. Submit comments if your organization has input on the classification framework, that window is 27 days out.
What legal analysts recommend for organizations in the gap
Per the Gibson Dunn and Lens analysis, both carrying “ attribution, not Commission confirmation, the practical recommendations for organizations with EU market entry timelines in the August 2026–December 2027 window break down by scenario.
Organizations that can launch before August 2, 2026: accelerate. A system on the EU market before August 2 falls under the original grandfathering framework regardless of how the Omnibus gap resolves. This is the lowest-risk path if the product is ready.
Warning
The grandfathering gap is legal analysis, not confirmed regulatory fact. But the asymmetry is clear: organizations that assume the more protective interpretation and are wrong face administrative recalibration costs. Organizations that assume the less protective interpretation and are wrong face enforcement exposure. Build the compliance timeline for the tighter scenario.
Pre-August 2, 2026 Compliance Planning Steps
- Determine whether system qualifies as Annex III standalone or Annex I embedded high-risk
- Get legal counsel on record with a formal grandfathering eligibility position
- Assess whether accelerated pre-August 2 market entry is technically feasible
- Begin Annex III conformity assessment if August 2026–December 2027 launch is planned
- Submit consultation comments by June 23 if organization has views on Article 6 classification scope
Organizations that cannot launch before August 2, 2026: treat the August 2 date as a compliance trigger, not a delay. Begin the conformity assessment process, risk management system, technical documentation, human oversight mechanisms, as if the December 2027 deadline requires full compliance from the moment of market entry. Build the timeline backward from December 2, 2027, and don’t assume grandfathering provides a runway.
Organizations with embedded high-risk AI: the same logic applies, deferred by one year. Watch the August 2, 2027 original deadline as a potential grandfathering cutoff under the same analytical framework.
What to watch
Three signals matter in the next 90 days. First, whether the European Commission issues any clarifying communication on the grandfathering cutoff date before August 2, either through formal guidance, a FAQ document, or a statement from the AI Office. The AI Office hasn’t issued such clarification as of the date of this brief. Second, whether the June 23 consultation produces industry comment letters that formally raise the grandfathering gap question, those letters become part of the public record and may accelerate Commission response. Third, whether any EU member state authority takes a formal enforcement position on market-entry timing before December 2027.
The real question is whether the Commission’s silence on the grandfathering cutoff before August 2 creates a de facto ambiguity that enforcement bodies could later interpret either direction. Ambiguity in transition provisions is not neutral, it tends to resolve in enforcement proceedings, not in pre-launch legal opinions. Organizations that build compliance programs assuming the more protective interpretation and turn out to be wrong face administrative costs. Organizations that assume the less protective interpretation and turn out to be wrong face enforcement exposure. The asymmetry favors caution on planning, not on launching.
TJS Synthesis
The Omnibus delay was a simplification measure. For organizations with EU market entry scheduled after August 2, 2026, it may have simplified the enforcement headline while complicating the transitional protection math. The grandfathering gap isn’t confirmed. It hasn’t been litigated. But it’s been identified by multiple independent legal practices reading the same primary text. Compliance teams with product roadmaps in the August 2026–December 2027 window shouldn’t wait for Commission clarification that may not arrive before August 2. Get legal counsel on record with a grandfathering position before the window opens.