On May 7, the Council of the EU and the European Parliament reached provisional agreement on the “Digital Omnibus on AI.” Translation: the high-risk obligations under Annex III now bite on December 2, 2027, not August 2, 2026.
That’s roughly 16 months of breathing room for credit scoring, insurance underwriting, fraud detection, biometrics, and employment algorithms. AI embedded in regulated products under Annex I slips further, to August 2, 2028. Systems already on the market before August 2, 2026 get a three-month grace period on watermarking, due December 2, 2026.
The stated rationale: businesses need more time, and the technical standards underpinning compliance aren’t ready. The unstated one: industry lobbied hard, and Brussels blinked on a “world-first” framework before Day 1.
For the budgets, the math just shifted. Banks and insurers that staffed up for an August 2026 cliff edge now have a 14-week enforcement window they don’t need. Firms that already wrote the procedures and bought the monitoring stacks aren’t getting that spend back.
The teeth aren’t fully pulled. The penalty ceiling for high-risk breaches holds at €15 million or 3% of global annual turnover, whichever is higher. The AI Office gets clarified supervisory competence over GPAI-based systems when the same provider builds the model and the system. National regulators keep authority over financial institutions, so the Luxembourg CSSF stays in charge of AI inside banks and insurers. A new prohibition was added covering AI that generates non-consensual intimate imagery and CSAM.
The next cliff is December 2, 2027.