
EU's AI Act High-Risk Postponement Confirms the Standards Infrastructure Was Never Ready for 2026

Omnibus VII's 16-month deferral for standalone high-risk AI is a pragmatic correction — but the regulatory scaffolding still has to be built.

[Figure: EU AI Act: Omnibus VII Timeline Shifts (People of Internet Research)]

Key Takeaways

The EU Council's June 29, 2026 adoption of the AI Act simplification regulation — the seventh instalment of the Commission's broader Omnibus simplification package — officially postpones the high-risk AI compliance deadline that was, for many companies, already a practical fiction.

Under Omnibus VII, operators of high-risk standalone AI systems (those listed in Annex III of the original AI Act) now have until December 2, 2027 to comply — a 16-month deferral from the original August 2, 2026 deadline. AI systems embedded in regulated products governed by sectoral legislation (Annex I — medical devices, machinery, toys) get an additional year, with obligations now applying from August 2, 2028 rather than August 2, 2027. The European Parliament and Council reached a provisional political agreement on May 7, 2026; Parliament formally endorsed the package on June 16, and the Council's vote two weeks later sealed it into law.

The Case for Delay

The strongest argument for postponement is also the most honest: the harmonized technical standards that operators need to demonstrate compliance hadn't been published. The standardisation bodies CEN and CENELEC — tasked with producing harmonized standards under the AI Act — have been running significantly behind schedule. Without those standards, conformity assessments for high-risk AI systems couldn't follow a defined path.

Member states were simultaneously required to designate national competent authorities by August 2025, but the readiness of those bodies to handle Annex III filings by August 2026 was inconsistent across the bloc. The postponement buys time not just for industry, but for regulators themselves.

For SMEs — which the Commission's own impact assessment flagged as disproportionately burdened — the reprieve is material. A small medical AI firm validating a diagnostic tool cannot absorb the compliance cost of an undefined conformity pathway. Omnibus VII adds formal SME-specific provisions including simplified technical documentation requirements and proportionate quality-management-system obligations, reflecting an acknowledgment that the original text was calibrated for large deployers. Marilena Raouna, Cyprus's Deputy Minister for European Affairs, who presided over the Council vote, described the package as "creating conditions for innovation and growth to thrive in the single market" — a formulation that accurately describes the immediate effect, even if it underplays the structural problems that made the deferral necessary.

Why This Still Deserves Scrutiny

Granting that the delay is defensible doesn't make it consequence-free. The AI Act entered into force on August 1, 2024, after its publication in the Official Journal on July 12, 2024 and the European Parliament's adoption on March 13, 2024 by 523 votes to 46. Companies have had the statutory text for nearly two years. The argument that nobody was ready carries less weight when the preparation window was that long.

More fundamentally, the categories most affected by the Annex III high-risk deadline include biometric identification systems, law enforcement AI, employment screening tools, and credit-scoring models — areas where the risk of harm is real and concentrated among people with limited recourse. Civil society groups including AlgorithmWatch and the European Digital Rights network (EDRi) have argued that the delay effectively means another 16 months of unregulated use in high-stakes domains.

The shortening of the transparency grace period — from six months to three — is presented in Omnibus VII as a tightening, and technically it is. But transparency requirements are comparatively lower-cost to implement than full high-risk conformity assessments. Tightening the smaller obligation while loosening the larger one is not a symmetrical trade.

The Deepfake and CSAM Prohibitions

The most unambiguous element of Omnibus VII is its addition of two new prohibitions, both taking effect December 2, 2026: AI-generated non-consensual intimate imagery (so-called "nudifiers") and AI-generated child sexual abuse material (CSAM). These were absent from the original AI Act text, and their inclusion addresses a gap that became harder to ignore as the tools to generate this content proliferated across consumer platforms.

These prohibitions follow the pattern of Article 5 of the original AI Act — hard bans with no research or beneficial-use carve-outs. That design choice is correct. Non-consensual intimate imagery and CSAM have no legitimate use cases that require regulatory accommodation; they belong in the same categorical prohibition framework as social scoring and real-time biometric surveillance in public spaces. Enforcement will fall to national competent authorities and, for cross-border cases, the European AI Office. The legal foundation being in place before the end of 2026 is meaningful progress, even if enforcement machinery takes time to stand up.

Structural Clarity on the AI Office and Sector Overlaps

Omnibus VII also resolves a practical ambiguity that had complicated compliance planning: it clarifies the AI Office's competencies with respect to general-purpose AI (GPAI) models and addresses overlaps with sectoral legislation — notably medical devices under MDR/IVDR, machinery, and toys. The exemption of products already subject to the Machinery Regulation from direct AI Act application eliminates a genuine source of double compliance burden.

This technical tidying is unglamorous but necessary. The original AI Act was negotiated at speed through the trilogue process, and intersections with existing product safety frameworks were not fully resolved. Omnibus VII corrects that.

What the Package Actually Signals

Read as a whole, Omnibus VII is a pragmatic correction to a regulation drafted with political ambition but insufficient attention to implementation logistics. The postponements are honest rather than principled — they acknowledge that the standards machinery and supervisory infrastructure weren't going to be ready by the original dates. That is better than pretending otherwise and then tolerating widespread non-compliance.

The deeper lesson is about regulatory design. Deadlines in technology regulation need to be contingent on supporting infrastructure — harmonized standards, regulatory guidance, supervisory capacity — being in place, not merely on the law being published. When that infrastructure is absent, legislative deadlines become notional, and revision becomes inevitable.

The EU has a genuine opportunity to use the time Omnibus VII has bought to harden that infrastructure. If December 2027 arrives and the CEN/CENELEC harmonized standards are still pending, the question won't be whether another deferral is justifiable. It will be whether EU AI regulation is capable of being meaningfully enforced at all.
