As of August 2, 2026, the EU AI Act enters full application across all 27 member states, marking a definitive shift in how European and globally operating enterprises must govern artificial intelligence. Yet even as the regulation reaches maturity, the European Commission’s proposed Digital Omnibus package introduces a significant recalibration — extending key compliance deadlines for high-risk AI systems and signalling a broader effort to rationalise the EU’s increasingly complex digital regulatory landscape.
For CFOs, General Counsel, and enterprise risk functions, this dual dynamic — a regulation now in force alongside a proposal to defer its most demanding obligations — demands careful strategic positioning rather than a wait-and-see approach.
A Regulation in Force, With Moving Goalposts for High-Risk Systems
The EU AI Act has been phased in progressively. Prohibited AI practices and AI literacy obligations applied from February 2, 2025. Rules governing General-Purpose AI (GPAI) models became applicable on August 2, 2025, with legacy GPAI models placed on the market before that date granted an extended compliance window until August 2, 2027.
The August 2026 milestone completes the framework’s entry into force — but the Digital Omnibus proposal, if adopted, would push the most operationally intensive obligations further out:
- Annex III high-risk systems (covering recruitment tools, emotion recognition, biometric categorisation, and critical infrastructure AI) — extended deadline to December 2, 2027
- Annex I high-risk systems (AI embedded in regulated products under existing EU harmonisation legislation) — extended deadline to August 2, 2028
The rationale is twofold: reducing parallel penalty exposure — the AI Act imposes fines of up to €30 million or 7% of global annual turnover for prohibited practice violations, and up to €20 million or 4% of turnover for high-risk non-compliance — and providing mid-market companies adequate runway to build governance infrastructure without simultaneous GDPR exposure.
GDPR and AI Act Convergence: A Compounding Compliance Burden
One of the most consequential dimensions of the Digital Omnibus proposal is its attempt to address the regulatory convergence between GDPR and the EU AI Act — two frameworks that increasingly intersect in AI training, automated decision-making, and data quality obligations.
Under current rules, an enterprise deploying a high-risk AI system for HR screening faces simultaneous obligations under GDPR’s data minimisation and purpose limitation principles, the AI Act’s requirements for human oversight, data governance, and fundamental rights impact assessments, and — where financial services are involved — additional AML and sectoral compliance layers. The cumulative penalty arithmetic is stark: a single non-compliant deployment could theoretically attract penalties under multiple frameworks, each calculated as a percentage of global turnover.
The Digital Omnibus draft proposes narrowing GDPR’s scope as it applies to AI training data, a move that would reduce friction for enterprise AI development while maintaining core data privacy protections. For corporate governance and enterprise risk management functions, this signals a regulatory environment in active flux — one where compliance architectures built today may require structural revision within 18 to 24 months.
Implications for Business: Governance Now, Compliance Architecture for 2027–2028
The deadline extensions should not be misread as regulatory retreat. National competent authorities are already operational, and the Commission has made clear that prohibited AI practices and AI literacy obligations are non-negotiable. Boards and executive teams should treat the extended timelines as an opportunity to build durable governance frameworks rather than defer action entirely.
Immediate priorities for decision-makers include:
- AI system inventory and risk classification: Map all deployed and in-development AI systems against Annex I and Annex III categories. This is foundational to any compliance programme and directly informs M&A due diligence and ESG reporting disclosures.
- Cross-functional governance structures: Establish AI governance committees with representation from legal, technology, HR, and risk functions. Human oversight obligations under the AI Act require documented accountability chains.
- GPAI model compliance: Organisations deploying third-party foundation models must assess transparency and systemic risk obligations — particularly relevant for enterprises using large language models in customer-facing or decision-support contexts.
- Vendor and supply chain review: High-risk AI obligations extend to deployers, not only developers. Contractual frameworks with AI vendors must reflect allocation of compliance responsibility.
Key Takeaway
The EU AI Act’s full application marks a structural inflection point in corporate governance and enterprise risk management across Europe. The Digital Omnibus proposal offers tactical relief on high-risk deadlines — but the direction of travel is unambiguous. Enterprises that use the 2026–2028 window to build robust AI governance frameworks, align GDPR and AI Act compliance programmes, and embed AI risk into board-level oversight will be materially better positioned than those treating extended deadlines as permission to delay. For organisations operating across jurisdictions, the EU framework is increasingly the de facto global reference standard — making early alignment a strategic, not merely legal, imperative.