EU AI Act High-Risk Deadlines Pushed Back Up to Two Years Under Digital Omnibus
Summary: The EU's Digital Omnibus package received final Council approval on June 29, postponing key high-risk AI compliance deadlines by up to two years and adding new prohibitions on AI-generated CSAM and non-consensual intimate imagery.
Key Facts
- Annex III standalone high-risk AI (recruitment, credit scoring, education, law enforcement, border control): deadline moved from August 2026 → December 2, 2027
- Annex I AI embedded in regulated products (medical devices, machinery, vehicles): deadline moved to August 2, 2028
- New explicit prohibitions added to Article 5 for AI-generated non-consensual intimate images and child sexual abuse material
- Penalties remain unchanged: up to 7% of global annual turnover or €35M — exceeding GDPR's 4% maximum
- As of April 2026, 78% of organizations had not taken meaningful compliance steps
Why It Matters
The extension is runway, not immunity. Companies operating AI in EU-facing markets now have a clearer timeline, but the obligation and its fines remain unchanged. Non-EU companies deploying AI services in Europe — including Korean and US providers — should treat this as the moment to map their compliance roadmap, not defer further.
Read More
- Gibson Dunn legal analysis — Gibson Dunn
- EU Council press release — EU Council