The European Union has adjusted the timeline for its landmark Artificial Intelligence regulation with a significant amendment package, the so-called AI Act Omnibus. The key takeaway from the political agreement of May 7 is that operators of high-risk AI systems (HRAIS) have been granted an extension: the compliance deadline for stand-alone systems has been pushed to December 2, 2027, while the deadline for safety components in regulated products (e.g., medical devices, vehicles, toys) is now August 2, 2028. While this move may seem like a reprieve, it demands careful strategic consideration from businesses.
The Reason and Interpretation of the Extension
The primary driver behind the deadline extension was the Commission’s failure to publish the necessary harmonised standards in time, which would have clarified the technical details of compliance. This delay now provides a full extra year for developers and operators of stand-alone HRAIS to finalise their risk classifications, build internal governance frameworks, and prepare the required technical documentation.
Do you have a question about AI security? You can reach us here:
A crucial detail is the introduction of a “grandfathering” rule: AI systems placed on the EU market before these new deadlines are not subject to HRAIS requirements unless they undergo substantial modification. The Omnibus package also clarifies the Act’s scope, removes certain industrial applications from regulation, and streamlines the bias-detection process.
From an AIQ standpoint, this extension is not a signal to pause compliance efforts. On the contrary, it is a strategic opportunity for deeper, more thorough preparation. Companies should use this time not just to tick a compliance box, but to build genuinely robust, secure, and ethical AI governance systems. Our experience from audits shows that creating proper technical documentation and risk management processes is a time-consuming task, for which valuable extra time is now available.
What Can’t Wait: The 2026 Transparency Obligations
While HRAIS compliance may seem distant, the deadline for the transparency obligations under Article 50 of the AI Act remains unchanged: August 2, 2026. This date is critically important and is fast approaching. Businesses must prepare for the following:
- Chatbots and Interactions: Users must be clearly informed when they are interacting with an AI system.
- Emotion Recognition: The use of emotion-recognition or biometric categorisation systems must be disclosed to the individuals concerned.
- Deepfake Labelling: All artificially generated or manipulated audio and visual content (deepfakes) must be clearly labelled as such.
For generative AI systems already in service, a new grandfathering rule defers watermarking requirements until December 2, 2026. Fines for breaching these transparency rules can be up to €15 million or 3% of worldwide annual turnover.
In a corporate context, this means these requirements are directly linked to vulnerabilities in the OWASP LLM Top 10. Deepfake labelling (related to LLM04: Model Poisoning and LLM09: Overreliance) helps prevent the spread of disinformation and mitigates over-reliance on system outputs. The clear identification of chatbots reduces the risk of social engineering attacks. During AIQ audits, we pay special attention to whether a company’s AI applications meet these transparency expectations, which will become mandatory in the short term.
The Broader Picture: SMEs, GDPR, and the UK’s Divergence
The Omnibus package also brought good news for medium-sized companies. The compliance simplifications intended for SMEs have been extended to companies with up to 750 employees and €150 million in revenue. This makes the regulatory burden more manageable for a wider range of businesses.
However, a warning from the law firm Latham & Watkins is extremely important: companies should not let the deadline extensions distract them from GDPR enforcement. GDPR enforcement is already active in AI contexts, and the two regulations are closely intertwined, especially regarding data processing, fairness, and non-discrimination.
The AIQ position is that AI Act compliance must be built on a solid GDPR foundation. The lawfulness of data used for training AI systems, privacy by design, and the execution of impact assessments are already mandatory, and the AI Act only reinforces these expectations.
Meanwhile, the United Kingdom is choosing a structurally different path. The King’s Speech set out a “Regulating for Growth Bill” that outlines a sectoral, rather than a prescriptive horizontal, framework. This means that UK firms with exposure to the EU market will soon face two distinct AI compliance regimes. A recent survey by Logicalis found that 62% of UK CIOs are not fully prepared for the AI Act, which should serve as a cautionary tale for European companies as well.
Conclusion: What to Do Now?
Although the strictest deadlines have been pushed back, the to-do list has not shrunk. The 2026 transparency obligations mean that preparations must begin or continue immediately. We advise companies to map their AI systems, identify applications falling under Article 50, and begin implementing the necessary technical and procedural changes. For HRAIS, the extra time should be used for a deeper, more comprehensive risk assessment and the establishment of a truly effective governance framework. AI Act readiness is increasingly becoming a competitive credential in the European market.