The Council of the European Union gave final approval on June 29, 2026 to the "Digital Omnibus on AI," the largest rewrite of the EU AI Act since the regulation entered into force in 2024. The package, which followed the European Parliament's approval on June 16, 2026 by a vote of 423 to 57 with 174 abstentions, pushes back the AI Act's core enforcement clock by up to two years while fast-tracking one narrow, genuinely urgent prohibition. The law takes effect three days after publication in the Official Journal.
The headline change: standalone high-risk AI systems — those used in hiring, credit scoring, education, law enforcement and critical infrastructure under Annex III — now have until December 2, 2027 to comply, instead of August 2, 2026. High-risk systems embedded in regulated products, like medical devices and machinery, get until August 2, 2028. National AI regulatory sandboxes, meant to let companies test systems under supervision, were also pushed back a year, to August 2, 2027. One obligation moved in the opposite direction: providers of AI-generated content tools must implement watermarking and labeling within three months of the law's entry into force rather than six, with a hard deadline of December 2, 2026. The same date brings a new prohibition on "nudifier" apps — tools that generate non-consensual intimate imagery or CSAM, including by digitally stripping clothing from real photos.
A Real Compliance Problem, Not a Manufactured One
The strongest case for the delay is not political spin. The AI Act's high-risk provisions were always designed to lean on harmonized technical standards drafted by CEN and CENELEC, the EU's standards bodies — and those standards are badly behind schedule. The original 2025 delivery target slipped repeatedly, and the standards needed to operationalize Annex III compliance are not expected to be finalized until late 2026 at the earliest, according to industry and standards-body tracking. Enforcing an August 2026 deadline against standards that don't yet exist would have forced companies to guess at compliance, then retrofit systems once the real technical bar was published — a worse outcome for safety than a delay tied to actual standard availability. DigitalEurope, representing the bloc's tech industry, cites the European Commission's own estimate that an SME building a single high-risk AI system could face up to €319,000 in initial compliance costs and €150,000 annually thereafter — a genuine burden the original timeline never priced in.
The Loophole the Omnibus Left Open
But the extension has a design flaw civil society flagged before the vote and that survived it. The AI Act's high-risk obligations are not retroactive: systems placed on the market before the new deadline generally don't need to comply unless they're later "substantially modified." Legal analysts have warned that a hiring-AI system deployed in 2027, just ahead of the new cutoff, could remain outside the Act's reach indefinitely. MEP Sergey Lagodinsky cautioned during debate that the extended timeline creates "an incentive to put things on the market before the Act enters into force," and researcher Bram Vranken argued it lets companies "quickly push risky AI systems onto the market without having to comply." That is a legitimate objection, not activist noise — and it was avoidable. A grandfather clause tied to deployment volume or a tighter definition of "substantial modification" could have preserved the delay's practical logic (standards aren't ready) without creating a permanent escape hatch for anything shipped before the clock runs out.
"[High-risk hiring AI] may remain outside the AI Act indefinitely," legal expert Laura Caroli warned, per Tech Policy Press reporting on the non-retroactivity gap.
The lobbying imbalance around the package is also worth naming plainly, even from a pro-innovation outlet: Tech Policy Press reporting found that 69% of the European Commission's 2025 meetings on the Omnibus involved business groups versus 16% with NGOs. A regulator hearing overwhelmingly from one side of a debate is more likely to miss loophole risks like the one above — not because industry input is illegitimate, but because it's not a substitute for adversarial scrutiny.
The Part the EU Got Right, Fast
The nudifier-app ban is the clean counter-example to the rest of the package: a narrowly targeted prohibition, tied to a concrete and well-evidenced harm — non-consensual intimate imagery and CSAM generation — moved on a genuinely fast track (December 2026) while the broader, more contested obligations were slowed down. That's proportionate regulation working as intended: match the urgency of the rule to the certainty and severity of the harm, rather than treating every AI Act provision as equally time-critical.
The Right Instinct, Executed Incompletely
Delaying enforcement until the technical standards it depends on actually exist is the correct call, not deregulatory theater — regulation without a compliance floor to measure against is regulation nobody can actually meet. But the Council and Parliament had the same window to close the pre-deadline dodge that civil society flagged in April and did not use it. The Commission should issue interpretive guidance on "substantial modification" before December 2027, not after the first hiring-AI vendor tests how far the loophole stretches.