What the Digital Omnibus is
The Digital Omnibus is a European Commission proposal, brought forward in 2026, to simplify and adjust the rollout of several EU digital rules, including parts of the AI Act. It matters because it appears to defer some of the AI Act timelines that organizations had been planning against. Two cautions before reading any date as settled. First, a proposal is not law: until it completes the legislative process, the underlying AI Act timeline remains the legal baseline, and the proposed changes can shift. Second, the proposal is selective. It reportedly moves some obligations later while leaving others exactly where they were. Treating the Omnibus as a blanket delay of the AI Act is the mistake most likely to leave an organization exposed.
What appears to move later
The headline change is to the high-risk regime. Under the proposal, obligations for high-risk systems listed in Annex III, the use-case-based high-risk category, would be deferred from their previously expected 2026 application toward the end of 2027, with the Annex I product-safety-linked high-risk obligations moving further out again. The stated rationale is that the supporting standards and guidance are not ready, so applying the obligations on the original schedule would ask organizations to comply with requirements that are not yet fully specified. If enacted, this gives compliance teams more calendar time for the most demanding part of the Act. It does not change what the high-risk obligations ultimately require, and it should be read as a deferral of the deadline, not a reduction of the duty.
What appears to stay where it is
Several obligations look unaffected by the proposal, and these are the ones to keep on the near-term plan. The prohibitions on unacceptable-risk practices, which already applied from early 2025, remain in force. The obligations on general-purpose AI models, which applied from mid-2025, are not pushed back. The Article 50 transparency obligations, which cover disclosing AI interactions and labelling AI-generated or manipulated content, still point at their 2026 application, with the technical marking of synthetic content expected to follow later that year. The practical message is that the parts of the Act dealing with transparency and with the most harmful practices are not the parts being delayed, so an organization that paused all AI Act work on news of the Omnibus would be misreading it.
Why a deferral is not a reprieve
Extra time on the high-risk clock is easy to misread as permission to wait. It is the opposite. The reason the obligations are demanding is that they require organizations to know what AI they run, control how it behaves, and evidence both. None of that is built quickly, and none of it is built by writing a policy. An organization that uses the deferred window to stand up real controls arrives at the deadline ready; one that treats the window as quiet time arrives in the same position it is in now, with less runway. The obligations that did not move, transparency in particular, also need the same underlying capability: you cannot disclose and label AI use you cannot see.
The capability the timeline keeps pointing at
Across both the deferred and the unchanged obligations, the requirement underneath is consistent: an organization has to see its AI use, control it at the moment it happens, and produce evidence of both. A control point that sits between the organization and every model provider delivers this directly. It observes and attributes every request, redacts sensitive data before it reaches a model, enforces policy at runtime and fails closed on ambiguity, and produces the durable audit trail an examiner expects. This is runtime governance rather than retroactive documentation, and it is deadline-agnostic: whether a given obligation applies in 2026 or 2027, the capability that satisfies it is the same. That is why the right response to the Omnibus is to keep building, not to pause.
How to act on the proposal now
Treat the current legal timeline as the baseline and the Omnibus as a likely but unconfirmed adjustment. Keep the unchanged obligations (the prohibitions, the general-purpose AI duties, and Article 50 transparency) on their existing schedule. Use any deferral on the high-risk obligations to build the controls properly rather than to defer the work. And track the proposal through the legislative process, because the dates can change again before they are final. The organizations that come out ahead will be the ones that used the uncertainty as a reason to build durable runtime governance, since that capability holds regardless of where the final deadlines land.
Frequently asked questions
What is the EU AI Act Digital Omnibus?
It is a 2026 European Commission proposal to simplify and adjust the rollout of several EU digital rules, including parts of the AI Act. It appears to defer some AI Act deadlines, notably for high-risk systems, while leaving others unchanged. Because it is a proposal, the existing AI Act timeline remains the legal baseline until the changes are enacted.
Does the Omnibus delay the whole EU AI Act?
No. The proposal is selective. It would defer obligations for high-risk systems toward the end of 2027 and later, but the prohibitions on unacceptable-risk practices, the general-purpose AI obligations, and the Article 50 transparency obligations are not the parts being pushed back. Treating it as a blanket delay is the most likely way to leave an organization exposed.
Which deadlines appear to stay in place?
The prohibitions that applied from early 2025, the general-purpose AI model obligations that applied from mid-2025, and the Article 50 transparency obligations still pointing at their 2026 application, with technical marking of synthetic content expected to follow later that year. These are the obligations to keep on the near-term plan.
What should organizations do about the proposed delays?
Treat the current legal timeline as the baseline and the Omnibus as a likely but unconfirmed adjustment, keep the unchanged obligations on schedule, and use any high-risk deferral to build real runtime controls rather than to pause. The capability that satisfies the obligations, seeing and governing AI use at runtime with an audit trail, is the same regardless of where the final dates land.