
EU AI Act Omnibus: High-Risk Deadline Moved — What It Means for Irish Organisations

Ger Perdisatt

Founder, Acuity AI Advisory

The Digital Omnibus deal reached this week extends the high-risk AI compliance deadline to December 2027. Here is what changed, what did not, and what Irish organisations should do now.

A deal on the EU's Digital Omnibus regulation was reached in the early hours of this morning, closing a file that collapsed in trilogue just one week ago. The headline outcome is a significant extension to the high-risk AI compliance deadline under the EU AI Act. The details matter more than the headline.

What changed

The original AI Act required full compliance with high-risk AI obligations on 2 August 2026. The Omnibus deal replaces that single date with two later ones:

  • Stand-alone AI systems: compliance deadline extended to 2 December 2027
  • AI embedded in regulated products (machinery, medical devices, toys, vehicles covered by Annex I Section A): deadline extended to 2 August 2028

The reason for the extension is technical, not political. The harmonised standards — the detailed technical specifications that providers need to demonstrate conformity — are not finished. Compliance without standards would have required organisations to interpret obligations against a moving target. The institutions had informally converged on this timeline in March; the Omnibus formalises it.

One structural question broke the final round of talks on 28 April: whether products already governed by EU sectoral safety law should exit the AI Act's horizontal framework entirely and comply only under their own sectoral rules. Germany pushed hard for that position. The final deal grants it only for machinery. Medical devices, in-vitro diagnostics, and toys remain within the AI Act's scope, subject to dual conformity requirements. The Commission has until August 2027 to clarify, by delegated act, how AI Act requirements integrate with sectoral procedures.

On generative AI, the deal makes a narrow intervention. Article 50 watermarking obligations — the requirement for machine-readable content marking on AI-generated material — get a four-month grace period. The AI Office's guidance on implementation will not be final until June, which means providers had weeks to comply against still-moving technical guidance. The four-month window addresses that. It does not remove the obligation.

The one substantive prohibition the deal adds is a ban on AI systems generating non-consensual intimate imagery and child sexual abuse material, with a December 2026 compliance window. That provision responds to a documented harm rather than a calendar problem.

What did not change

The extension applies specifically to the high-risk AI obligations in Chapter III of the Act — conformity assessments, technical documentation, human oversight mechanisms, registration requirements. It does not touch the rest of the framework.

The following remain in force on their original timelines:

Article 5 — Prohibited practices: in force since February 2025. Social scoring, real-time biometric surveillance in public spaces, and manipulation of vulnerable groups remain prohibited now. The Omnibus does not alter this.

Article 4 — AI literacy obligation: providers and deployers of AI systems must ensure their staff have sufficient AI literacy. This obligation applies regardless of the high-risk classification of the system in use. It has not been extended.

Articles 51–55 — General-purpose AI models: GPAI obligations, including transparency and copyright compliance requirements for model providers, remain on the original timeline, modified only by the watermarking grace period above.

Ireland's AI Office: the Regulation of Artificial Intelligence Bill 2026 establishes Ireland's AI Office with an operational date of 1 August 2026. That date is driven by Ireland's domestic implementing legislation, not by the EU's high-risk compliance calendar. The AI Office opens in August regardless of the Omnibus deal. Enforcement powers activate on the same date.

What this means in practice for Irish organisations

For organisations that have been focused on the August 2026 high-risk compliance deadline, the extension creates planning room. Conformity assessments, technical documentation packages, and formal registration can now be planned for 2027 rather than completed by August.

That does not mean the compliance work goes away. It means the sequence changes. The foundations that were worth building before August — AI inventory, risk classification, governance frameworks, oversight policies — remain the right starting point. Understanding which of your AI systems are high-risk, and what that classification requires, is a prerequisite for the 2027 work regardless of when that work formally begins.

Three practical implications:

First, the literacy and governance obligations are unaffected. Boards still need to govern AI. Staff still need adequate AI literacy. The AI Office still opens in August. The governance and literacy work is not a precursor to high-risk compliance — it is a separate obligation on a separate timeline.

Second, the extension applies to operators and providers of high-risk systems. Organisations that are not deploying high-risk AI are not directly affected by the change either way. For many Irish SMEs and professional services firms, the more immediate obligations remain prohibited practices and literacy requirements rather than high-risk conformity assessments.

Third, the deal is not settled. The Commission will not finalise the Annex I A delegated acts by August 2027. A second, narrower Omnibus is expected before the end of the Lithuanian Presidency. Organisations tracking this closely should not treat December 2027 as a fixed date.

The governance work still makes sense

The argument for building AI governance now was never purely about beating an August 2026 enforcement deadline. It was about the operational reality that ungoverned AI adoption creates risk before any regulator issues a fine — reputational exposure, data handling failures, hallucination risk in client-facing outputs, and liability for decisions made on the basis of opaque automated processes.

Those risks exist now. The Omnibus extends a compliance window; it does not reduce those risks.

For Irish organisations with high-risk AI in scope, the extension creates time to build compliance properly rather than hurriedly. That is worth using. For organisations across the broader population, the literacy and governance obligations that were already in force remain the near-term priority.


If you want an independent assessment of how the Omnibus deal affects your specific AI use, Acuity AI Advisory offers an EU AI Act readiness review — fixed-fee, vendor-neutral, updated to reflect the current regulatory position. We also provide ongoing independent EU AI Act consulting for organisations working through the compliance implications over time.
