On March 26, 2026, the European Parliament adopted its position on the AI Act Omnibus proposal with 569 votes in favor, 45 against, and 23 abstentions. The headline was straightforward: implementation deadlines for high-risk AI systems would be pushed back to December 2, 2027. But beneath this delay lies a more complex realityâone that creates significant regulatory uncertainty for businesses deploying AI systems in the European market.
The Omnibus proposal, part of the European Commission's broader "Digital Omnibus" simplification package unveiled November 19, 2025, was designed to address implementation challenges. However, critics argue the combination of delayed timelines and non-retroactive application creates what MEP Sergey Lagodinsky candidly described as "a loophole" and "a weak spot" in the law.
For compliance officers, product managers, and executives making AI investment decisions, understanding this regulatory evolution isn't optionalâit's essential. Here's what the new timeline means, where the risks lie, and how organizations should prepare.
The New Timeline: What Changed and When
The Omnibus proposal introduces fixed dates intended to provide "predictability and legal certainty." Here's the breakdown:
| System Category | Original Deadline | New Deadline |
|-----------------|-------------------|--------------|
| High-risk AI systems (biometrics, critical infrastructure, education, employment, essential services, law enforcement, justice, border management) | August 2, 2026 | December 2, 2027 |
| AI systems covered by EU sectoral safety/ market surveillance legislation | August 2, 2026 | August 2, 2028 |
| AI-generated content watermarking | August 2, 2026 | November 2, 2026 |
The extension of SME support measures to "small mid-cap enterprises" (SMCs) is also significant, potentially affecting companies that have outgrown traditional SME status but still operate below large-enterprise scale.
The Non-Retroactivity Problem: The Loophole Nobody's Talking About
Here's where the analysis gets critical. Article 111 of the AI Act states that the regulation applies only to systems placed on the market after the relevant deadlines. This non-retroactivity provision, combined with the extended timeline, creates a scenario that legal experts are increasingly concerned about.
As Laura Caroli, former co-negotiator of the AI Act, explained to Tech Policy Press: "If such a system is placed on the market before December 2, 2027, it may remain outside the AI Act indefinitely, unless it is substantially altered after that date."
Bram Vranken of Corporate Europe Observatory puts it more starkly: "A large part of high-risk AI systems that have been placed on the market before December 2027 will never have to comply with the rules."
What "Placed on the Market" Actually Means
Under EU product safety law, a product is "placed on the market" when it's first made available for distribution or use in the EU. This includes:
- SaaS platforms accessible to EU users
The implications are substantial. An AI-powered hiring system deployed in November 2027 operates under different rules than an identical system deployed in January 2028. The former may never face AI Act compliance obligations unless "substantially modified."
Market Dynamics: The Race-to-Deploy Incentive
The combination of delay and non-retroactivity creates behavioral incentives that regulators may not have fully anticipated. MEP Lagodinsky warned that the framework creates "an incentive to put things on the market before the Act enters into force, and especially put on the market AI systems which are high risk or the more risky ones, because those are the ones that have most obligations."
This isn't theoretical. The cost differential between compliant and non-compliant high-risk AI systems is substantial. Conformity assessments, risk management systems, data governance requirements, transparency obligations, and human oversight measures all represent real costs. Companies facing a 2027 deadline for systems that might otherwise wait for 2028 have a clear incentive to accelerate deployment.
Corporate Europe Observatory and LobbyControl's analysis of Commission meetings in 2025 found that 69% involved business groups versus only 16% with NGOs. The organizations concluded that "the Omnibuses are born out of corporate lobby groups' wish-lists." While causation is difficult to establish, the correlation between industry pressure and regulatory delay is noteworthy.
The Nudifier Ban: A Symbolic Win with Enforcement Challenges
Not all Omnibus provisions involve loosening restrictions. Both Parliament and Council have backed a new ban on "nudifier" systemsâAI tools that create explicit or intimate images of identifiable persons without consent.
The ban represents a meaningful expansion of prohibited AI practices under Article 5 of the AI Act. However, enforcement presents significant challenges:
- Platform liability: Questions remain about responsibility for platforms hosting such content
The ban applies specifically to systems without "effective safety measures preventing users from creating such images." This creates a compliance pathway for platforms that implement content filteringâbut also creates enforcement ambiguity around what constitutes "effective" measures.
Sectoral Overlap: The Medical Device Question
A persistent tension in AI Act implementation involves systems already regulated under sector-specific legislation. The Omnibus proposal addresses this by allowing AI Act obligations to be "less stringent" where sectoral laws applyâcovering medical devices, radio equipment, toy safety, and other categories.
MEP Michael McNamara, Parliament's lead negotiator on the AI Omnibus, acknowledged that overlapping rules create compliance complexity. However, he cautioned that shifting AI governance into sectoral frameworks could "delay the implementation of harmonized standards in those sectors" and might ultimately be "deregulatory rather than simplifying."
MEP Lagodinsky's concern is more fundamental: "Existing product laws do not include AI-specific safeguards. It's really a way to exempt sectoral legislation from the scope of the AI Act."
The Connected Car Example
Consider AI systems in connected vehicles. Under the Omnibus approach, such systems might fall primarily under vehicle safety regulations rather than the AI Act's specific provisions on automated decision-making, bias monitoring, and human oversight. The practical implications for consumer protection are unclear.
Laura Caroli illustrated the risk with a striking example: "A chatbot in a doll could tell a child to do something harmful, and nobody would be able to hold the manufacturer accountable" until underlying product safety law is updated.
Strategic Implications for Businesses
Immediate Actions (2026)
Audit Current and Planned Deployments: Identify AI systems that might qualify as high-risk under Annex III of the AI Act. Systems currently in development with planned deployment dates between now and December 2027 warrant particular attention.
Evaluate Timeline Acceleration: For systems genuinely ready for deployment, there's a legitimate strategic question about whether to accelerate launch to secure non-retroactive status. This isn't about evading regulationâit's about operating within the framework the regulation creates.
Monitor Technical Standards: The delay is partly attributed to incomplete technical standards. Organizations should track CEN-CENELEC progress on harmonized standards, as compliance with these standards will create presumption of conformity.
Medium-Term Planning (2027-2028)
Build Compliance Infrastructure: Even if immediate deployment isn't planned, building the risk management systems, data governance frameworks, and human oversight mechanisms required by the AI Act is prudent preparation.
Sector-Specific Analysis: For organizations in regulated industries (healthcare, financial services, transportation), analyze how sectoral requirements interact with AI Act obligations. The Omnibus creates uncertainty that requires legal interpretation.
Supply Chain Due Diligence: The AI Act places obligations on deployers, not just providers. Organizations using third-party AI systems need to understand their vendors' compliance status and potential liability exposure.
Documentation and Evidence
Regardless of deployment timeline, maintain comprehensive documentation:
- Incident reporting procedures
This documentation serves both compliance and defensive purposes if regulatory scrutiny increases.
The Broader Regulatory Context
The AI Act Omnibus doesn't exist in isolation. It's part of a comprehensive simplification package that includes proposals on data protection and the establishment of European Business Wallets. The coordinated approach suggests the Commission is serious about reducing regulatory burdenâbut also risks creating inconsistencies across digital policy frameworks.
The Parliament-Council negotiation that will determine final Omnibus language remains ongoing. While the December 2027 date for high-risk systems appears relatively settled, details around sectoral overlap, SME/SMC thresholds, and enforcement mechanisms could shift.
What Compliance Officers Should Tell Their Boards
The delay is real, but temporary: The 16-month extension is meaningful, but the fundamental obligations aren't disappearing. AI Act compliance remains a when, not if, question.
The non-retroactivity creates strategic options: The current framework creates legitimate incentives for earlier deployment. This isn't regulatory arbitrageâit's rational response to regulatory design.
Sectoral overlap requires legal analysis: Organizations in regulated industries need specific guidance on whether AI Act obligations are modified or supplemented by existing frameworks.
Documentation is protection: Even for systems not yet in scope, building compliance infrastructure and maintaining records provides defensive value and operational readiness.
The Global Dimension
The AI Act's extraterritorial reachâapplying to AI systems affecting EU markets regardless of provider locationâmeans these delays affect global AI deployment strategies. US, UK, and Asian companies targeting EU markets face the same timeline calculations as European competitors.
The regulatory gap created by the delay also affects international harmonization efforts. As other jurisdictions (UK, Canada, Singapore, Japan) develop their own AI governance frameworks, the EU's implementation timeline influences global standards development.
Conclusion: Navigating Uncertainty
The AI Act Omnibus creates a paradox: it extends timelines to provide certainty, while simultaneously introducing new uncertainties through non-retroactivity provisions and sectoral overlap questions. For businesses, this isn't a reason to pause AI initiativesâit's a reason to approach them with strategic sophistication.
The organizations that thrive in this period will be those that:
- Monitor actively: The Parliament-Council negotiations and subsequent implementation guidance will clarify ambiguities
The December 2027 deadline is now fixed in the Parliament's position. The Council's position aligns broadly. While final text may shift, organizations should plan around these dates as the operative regulatory timeline.
The AI Act was always going to be a marathon, not a sprint. The Omnibus proposal has simply extended the course. For compliance teams, the task remains the same: build governance structures that can accommodate AI's transformative potential while managing its risks. The timeline has shifted, but the destination hasn't.
--
- Published on April 17, 2026 | Category: Policy