On 7 May 2026, the EU Council and European Parliament reached a provisional agreement under the Omnibus VII legislative package to extend key compliance deadlines under the EU AI Act. For boards and executive teams navigating an already complex regulatory landscape — where GDPR, the AI Act, AML directives, and ESG reporting obligations increasingly intersect — this development demands a calibrated response. The extensions are real, but they are not a reprieve. Penalties remain unchanged, and the compliance infrastructure required is substantial.
What Has Changed: A Differentiated Compliance Timeline
The provisional agreement introduces a bifurcated deadline structure that organisations must map precisely against their AI system portfolios:
- Stand-alone high-risk AI systems (Annex III: biometrics, critical infrastructure, employment screening, credit assessment, public-sector functions) now face full obligations from 2 December 2027, a 16-month extension from the original August 2026 deadline.
- Product-embedded high-risk AI systems — those integrated into regulated products such as medical devices, industrial machinery, and toys — receive until 2 August 2028, a 12-month extension. Critically, the definition of ‘safety component’ has been narrowed: AI that merely assists users without creating direct health or safety risks may fall outside the high-risk classification entirely.
- AI-generated content transparency requirements — including watermarking and provenance labelling — carry an accelerated deadline of 2 December 2026, leaving organisations fewer than seven months to implement compliant content identification systems.
Registration obligations remain mandatory for all high-risk systems in the EU database, including those seeking exemption from the high-risk classification, though with reduced information requirements. National regulatory sandboxes must be operational by August 2027, providing a structured pathway for organisations wishing to test innovative AI applications under supervisory oversight.
Enterprise Risk Management Implications: Enforcement Has Not Been Delayed
The extended timelines should not be misread as a signal that regulatory scrutiny is softening. The penalty architecture remains among the most severe in global digital regulation: up to €35 million or 7% of global annual turnover for prohibited AI practices, and up to €15 million or 3% of global turnover for other violations. For mid-market and large-cap organisations operating across the EU, these figures represent a material financial risk that belongs squarely on the enterprise risk management agenda.
Equally significant is the regulatory overlap with data privacy obligations. The AI Act does not replace or supersede GDPR; both frameworks apply independently and simultaneously wherever AI systems process personal data. The agreement does clarify one area of tension: special-category personal data may now be processed for bias detection and correction where strictly necessary — a meaningful concession for organisations deploying AI in HR, credit, and public-sector contexts. However, this carve-out requires documented necessity assessments and does not diminish broader GDPR accountability obligations.
For General Counsel and Chief Compliance Officers, the dual-compliance burden — maintaining GDPR data governance frameworks while building AI Act conformity assessment documentation, human oversight protocols, and incident reporting mechanisms — represents a structural challenge that cannot be addressed through existing legal and compliance headcount alone.
Immediate Priorities for Decision-Makers
The extended deadlines create a window of opportunity, not a basis for deferral. Organisations that use this period strategically will be better positioned for both compliance and competitive differentiation. Three priorities stand out:
- Conduct a high-risk AI system inventory now. Mapping your AI portfolio against Annex III categories and the revised ‘safety component’ definition is the foundational step. This exercise also surfaces systems that may qualify for reclassification under the narrowed definition — a material compliance cost reduction for product manufacturers.
- Prioritise AI-generated content compliance by Q4 2026. The December 2026 transparency deadline is the most immediate obligation. Organisations producing or deploying AI-generated content — in marketing, legal, financial communications, or public-interest contexts — must implement watermarking and provenance-labelling infrastructure within months, not years.
- Integrate AI governance into corporate governance and ESG reporting frameworks. Boards are increasingly expected to provide oversight of AI-related risks. Embedding AI Act compliance into existing corporate governance structures, board-level risk reporting, and ESG disclosures signals institutional maturity to investors, regulators, and counterparties alike.
Key Takeaway
The EU AI Act’s revised timeline is a structural adjustment, not a relaxation of regulatory intent. For CFOs, General Counsel, and CTOs, the 2027–2028 compliance horizon provides necessary breathing room to build robust, audit-ready AI governance frameworks — but only if that work begins now. Organisations that treat the extensions as a delay risk arriving at the deadline with inadequate documentation, unregistered systems, and exposure to penalties that are, by design, existentially significant. The regulatory direction of travel is clear; the only variable is how prepared your organisation will be when it arrives.