Key takeaways:
- The Digital Omnibus AI pushes back the "high risk" obligations of the AI Act to December 2027, but this postponement is not a general pause: several obligations remain fully applicable as of 2026.
- AI Literacy (article 4), prohibited practices and transparency obligations (article 50) are active. Ignoring them exposes companies to sanctions that can reach 35 million euros or 7% of global turnover.
- As of June 2026, the Digital Omnibus AI has not yet been definitively adopted: as long as publication in the Official Journal has not taken place, the original deadlines of the AI Act remain legally in force.
- 18 months is short for a complete audit: mapping of systems, documentation, team training and governance take months, not weeks, to complete.
- 71% of employees use AI tools not approved by their employer: Shadow AI is the first project to address before any compliance approach.
- AI Act compliance is becoming a contractual criterion in B2B. A company unable to demonstrate its mastery of the subject risks being excluded from calls for tender.
The Digital Omnibus AI, provisionally adopted in May 2026, pushes back the “high risk” obligations of the AI Act to December 2027. But this postponement does not suspend everything. Several obligations remain applicable as of 2026, with sanctions at stake. Understanding what is really changing allows companies to anticipate rather than endure. Here is our expert reading of the timeline and the concrete actions to undertake.
Digital Omnibus AI: what has really changed?
The AI Act, or European regulation on artificial intelligence, came into force on August 1st, 2024. This regulation (EU) 2024/1689 classifies AI systems according to four risk levels and imposes graduated obligations. The major change of the Digital Omnibus AI concerns the timeline for applying the “high risk” obligations.
Why the European Commission voted for a postponement
The postponement is a pragmatic observation. The implementation of the AI Act was falling behind. Two blockages stood out. First, the designation of competent national authorities was lagging in several member states. Second, the harmonized standards essential to the compliance of high risk systems were not finalized.
Without these tools, companies faced obligations without technical instructions. The Digital Omnibus AI therefore responds to a problem of operability, not a desire to deregulate.
- Sapin II Law: anti-corruption prevention and third-party vetting.
- GDPR: data protection and data processing governance.
- Duty of Care (Devoir de vigilance): identification of violations of fundamental rights.
- CSRD: sustainability reporting and reliability of ESG information.
- AI Act: risk classification and compliance of AI systems.
The new AI Act timeline after the Digital Omnibus
- According to the provisional agreement, the obligations applicable to standalone high risk systems (annex III) move from August 2nd, 2026 to December 2nd, 2027.
- For AI integrated into regulated products (annex I) (medical devices, machinery, vehicles), the deadline is set at August 2nd, 2028.
- Note however: as of June 2026, the text has not yet been definitively adopted. Several steps remain to be completed: a plenary vote by the European Parliament, adoption by the Council, then publication in the Official Journal of the European Union. All of this is expected before August 2nd, 2026. As long as this publication has not taken place, the original dates remain legally in force.
Which obligations are affected by the postponement to December 2027
The postponement precisely targets high risk systems. Annex III covers sensitive uses. These include:
- Recruitment
- Credit scoring
- Education
- Law enforcement
- Border management.
These are the systems that benefit from the extension until December 2nd, 2027. The deadline granted to member states to create regulatory sandboxes is also pushed back to August 2nd, 2027. Everything else continues to move forward according to the original timeline.
The trap of the postponement: what remains applicable as of 2026
This is the point that many companies overlook. The Digital Omnibus AI pushes back high risk, but a significant part of the AI Act remains fully applicable. Reading the postponement as a general pause is a costly misinterpretation.
AI Literacy (article 4): subject to sanctions from August 2nd, 2026
Article 4 has imposed a clear obligation since February 2nd, 2025. Providers and deployers must ensure a sufficient level of AI literacy among their teams. The Digital Omnibus AI softens the wording: it is now about supporting the development of this culture, rather than guaranteeing a precise level. The obligation nonetheless remains real and enforceable.
Prohibited AI practices: in force since February 2025
Unacceptable risk practices have been prohibited since February 2nd, 2025:
- Social scoring
- Behavioral manipulation
- Real time biometric identification in public spaces
The Digital Omnibus AI adds to this the prohibition of systems generating non consensual intimate images and child sexual abuse content. These prohibitions carry the heaviest sanctions under the regulation.
GPAI obligations: active since August 2025
The obligations applicable to general purpose AI models (GPAI) have applied since August 2nd, 2025. This date coincides with the entry into operation of the European AI Office. The Digital Omnibus AI clarifies the scope of authority of this office and strengthens its powers of investigation and on site inspection.
Transparency obligations (article 50)
Article 50 requires informing users when they interact with an AI and marking artificially generated content. These transparency obligations apply as of August 2nd, 2026, independently of the postponement. Only a four month grace period, until December 2nd, 2026, is provided for marking systems already on the market.
4 concrete risks in waiting until December 2027 to become AI Act compliant
Treating the Digital Omnibus AI as permission to wait exposes companies to several tangible dangers. Here are the four main ones.
Increased legal risk in the event of an inspection
The AI Act’s sanctions are among the most dissuasive in European law:
- Article 99 provides for up to 35 million euros or 7% of global annual turnover for prohibited practices.
- Failure to meet high risk obligations exposes companies to 15 million or 3%.
- An inaccurate declaration can cost up to 7.5 million or 1%.
SMEs benefit from proportionate application, never an exemption. A calibrated fine remains potentially fatal for a small structure.
An operational risk: 18 months is short for a complete audit
Building a solid compliance framework takes time. Mapping systems, documenting, assessing compliance, training teams: a complete audit takes months, not weeks. The 18 months separating today from December 2027 seem comfortable, but they shrink quickly once the project is underway. Waiting for the final stretch amounts to improvising under pressure.
A commercial risk: contractual pressure from your B2B clients
AI Act compliance is becoming a contractual argument. More and more principals are demanding written guarantees from their providers on the use and governance of AI. A company unable to demonstrate its mastery of the subject risks being excluded from calls for tender or seeing its contracts renegotiated.
A competitive risk: your competitors are already moving forward
The market is moving. Organizations that structure their approach as soon as the Digital Omnibus AI is published turn a regulatory constraint into an advantage. Those who wait until December 2027 will start with a delay that is difficult to make up against already seasoned competitors.
What to do right now? The 5 step action plan
Here is a structured approach, applicable regardless of your sector, to turn the delay offered by the Digital Omnibus AI into a strategic advantage.
Mapping your AI systems and identifying your Shadow AI
- Step 1
The first step consists of knowing where AI is actually used within your organization. Beyond official tools, “Shadow AI” must be tracked : the unsupervised use of AI tools by employees. The phenomenon is massive.
According to a 2025 Microsoft study, 71% of employees use AI tools not approved by their employer. Each unmonitored interaction exposes sensitive data to external servers, escaping all traceability.
Determining your status: deployer, provider or both
- Step 2
The AI Act distinguishes several roles:
- The provider designs and places the system on the market: it bears technical compliance, documentation and CE marking.
- The deployer uses a system under its own authority: it must follow instructions, ensure human oversight and keep logs.
The same company can hold both statuses. Precisely identifying your role determines all your obligations.
Training your teams in AI literacy
- Step 3
Article 4 requires an AI culture within teams. Training is also the best antidote to Shadow AI: a trained employee understands the risks and spontaneously adopts the right reflexes. Short, regular sessions, adapted to job roles, are worth more than a single theoretical module. The goal is not to ban AI, but to channel its use within a secure framework.
Structuring your AI governance (charter, committee, registry)
- Step 4
Solid AI governance rests on three pillars:
- A usage charter, accessible to all, that sets out the rules
- A multidisciplinary committee bringing together the legal, technical, security and business departments
- A registry of AI systems, which ensures the traceability essential in the event of an inspection.
This structuring is the foundation on which your entire compliance approach will rest.
Anticipating high risk requirements before December 2027
- Step 5
Even though the high risk deadline is pushed back, the requirements are known. Risk management, data quality, technical documentation, human oversight, robustness: these are all projects to initiate now for systems likely to be classified as high risk. Undertaking this work in advance with the help of an AI Act compliance firm smooths out the effort and avoids last minute rushing.
Anticipating rather than waiting: the right strategic calculation
The Digital Omnibus AI offers a window, not an exemption. Companies that use this delay to structure their compliance gain a head start. Those who read it as permission to wait will accumulate legal, operational and commercial delay. The Digital Omnibus AI must serve as a starting point, not a pretext for postponement. This is precisely where Eterra’s expertise takes on its full meaning.
Indeed, to be AI Act compliant without mobilizing disproportionate internal resources, structured support remains the best lever. Dedicated tools such as Themio also facilitate the operational tracking of your approach.
Summary
The Digital Omnibus AI offers a window, not an exemption. The postponement of “high risk” obligations to December 2027 is real, but conditional on the definitive publication of the text in the EU Official Journal, expected before August 2nd, 2026. In the meantime, prohibitions on unacceptable risk practices, GPAI obligations and transparency requirements remain fully enforceable with active sanctions.
Waiting until December 2027 to begin compliance means choosing to start under pressure, with legal, operational and commercial delay that is difficult to make up. The right reading of the Digital Omnibus AI is a structured starting point: mapping systems, identifying provider or deployer status, training teams in AI literacy, documented governance, and anticipating high risk requirements, ideally with the support of a specialized firm such as Eterra.
YOUR QUESTIONS
FAQ - Digital Omnibus and AI Act compliance
Before contacting us, you may have these questions. Here are direct answers from our senior consultants.
—
Is the Digital Omnibus AI final?
No. As of June 2026, the agreement remains provisional. The text must still be voted on in plenary by the European Parliament, then adopted by the Council. It will then be published in the Official Journal of the European Union, normally before August 2nd, 2026. As long as this publication does not occur, the original deadlines of the AI Act remain legally applicable.
Who is affected by AI Literacy as of August 2nd, 2026?
All providers and deployers of AI systems.
Which sanctions are already applicable in 2026?
Prohibited practices (article 5), GPAI obligations and transparency obligations (article 50) carry active sanctions. Fines can reach 35 million euros or 7% of global turnover for the most serious infringements, under article 99 of the regulation.
How can you get support to anticipate AI Act compliance?
Relying on an AI Act compliance firm such as Eterra makes it possible to secure every step: mapping, qualification of your status, governance, training.


