The AI Act high-risk delay is not a reprieve

On 7 May 2026, the European Parliament and Council reached a political agreement on the Digital Omnibus on AI, the package that amends the AI Act (Regulation (EU) 2024/1689). The headline is a delay. Rules for high-risk systems in areas such as biometrics, critical infrastructure, employment, and migration will now apply from 2 December 2027, and rules for AI integrated into regulated products such as lifts or toys from 2 August 2028 (European Commission, "EU agrees to simplify AI rules", 2026-05-07). Most of the regulation was otherwise due to apply from 2 August 2026, with high-risk systems embedded in regulated products already on a later 2 August 2027 track (European Commission, AI Act regulatory framework page). So the standalone high-risk clock moved roughly sixteen months, and the embedded-product track gained a further twelve.

The agreement is not yet law. It has been struck between the co-legislators but not formally adopted or published in the Official Journal. The direction is settled enough to plan around, and that is exactly where teams are about to make a mistake.

The mistake is reading sixteen months as a reprieve. It is not. A delay tells you three things, and only one of them is "you have more time." The other two are what moved alongside the deadline, and why the deadline moved at all. Read those two first, and the picture inverts.

Read what actually moved, not just the date

The high-risk timeline moved. The parts of the AI Act that already bite did not.

The prohibited practices in Article 5 have applied since 2 February 2025, alongside the AI literacy obligations. The governance rules and the obligations for general-purpose AI models have applied since 2 August 2025 (European Commission, AI Act regulatory framework page). Neither application date was moved by the omnibus. If your organization builds on a general-purpose model, or operates anything that brushes a prohibited practice, your obligations are live today and have been for the better part of a year. The 7 May agreement would also add a new prohibition rather than remove any: a ban on AI systems used to generate non-consensual intimate imagery, the so-called nudification apps (European Commission, 2026-05-07). The direction of travel on the immediately-applicable rules is additive, not subtractive.

So the delay is narrow. It applies to one tier of the regime, high-risk classification and its conformity obligations, and leaves the prohibitions and the GPAI duties exactly where they were. A team that hears "the AI Act is delayed" and stands down its whole AI governance program has misread a targeted timeline change as a general amnesty. That is the first trap.

Read why it moved, because the reason is the warning

The deadline did not move because the obligations turned out to be easy. It moved to sequence application so that the technical standards and support tools for high-risk systems are in place before the rules apply, which on the original schedule they were not (European Commission, 2026-05-07). The harmonized standards that high-risk providers are supposed to build against are still being finished.

Sit with what that means for scoping. You are not being handed a finished rulebook plus extra time to apply it. You are being handed extra time precisely because the rulebook is unfinished. The work of classifying your systems, mapping them to obligations, and building the risk-management and data-governance practices around them now has to happen against a moving target. That is harder than complying with a settled standard, not easier. The teams that treat 2 December 2027 as "revisit next year" will arrive in late 2027 holding the same unscoped problem they hold today, with less runway and a standard that only just stopped moving.

The honest read of the delay is the opposite of comfort. The regulator is telling you the operable detail is still being written, and the reason it gave you more time is the reason you should start the durable, standard-agnostic parts of the work now: an inventory of where AI sits in your products and processes, a defensible classification of each use against the Annex III categories, and the risk and data-governance practices that any version of the final standard will demand. None of that depends on the last clause being settled.

Do not confuse this delay with the other omnibus

There is a second package moving through Brussels under a similar name, and conflating the two is its own trap. The wider Digital Omnibus proposes to simplify the GDPR and adjacent digital-data rules, and one of its proposed changes would narrow the definition of personal data, reducing what the law covers.

That package is not agreed. It is a contested proposal, and the people who enforce the GDPR are pushing back hard on it. In Joint Opinion 2/2026 (adopted 10 February 2026), the European Data Protection Board and the European Data Protection Supervisor urged the co-legislators not to adopt the proposed change to the definition of personal data, warning that it would result in significantly narrowing the concept of personal data (EDPB and EDPS, Joint Opinion 2/2026, adopted 2026-02-10). Their message was that simplification should not narrow the protection the GDPR exists to provide.

The practitioner lesson is to keep the two tracks separate in your planning. The AI high-risk delay is close to law and you can rely on the new dates. The GDPR "simplification" is a draft your own supervisory authorities are contesting, and pre-emptively thinning your records of processing or your DPIA practice on the strength of it would be planning around a clause that may not survive. Do not de-comply against a proposal. Wait for the text.

The rule worth keeping

When a regulator delays a rule, the date is the least informative thing in the announcement. Before you touch your roadmap, read the other two facts: what did not move alongside the deadline, and why the deadline moved. Here, the prohibitions and GPAI duties did not move, and the high-risk clock moved because the standard was not finished. Put together, those two facts turn a sixteen-month delay from a reason to slow down into a reason to start the parts of the work that never depended on the deadline in the first place.

If your near-term task is the unglamorous middle of this, mapping where AI sits in your estate and classifying each use against the Annex III categories and the obligations that follow, that is exactly the standard-agnostic groundwork worth doing now, and the kind of cross-referencing work ISMS Copilot is built to speed up. The deadline moved. The work did not.