If your engineering team has been treating the EU AI Act deadline as already pushed to 2027, you are taking a serious legal risk. The delay is not final. The original August 2, 2026 deadline is still the law, especially for high-risk systems.

Here is what actually happened, what it means for your system, and what you should be doing right now.

What the Digital Omnibus Actually Says

On November 19, 2025, the European Commission proposed the Digital Omnibus on AI, a package of amendments to the EU AI Act that included, among other changes, a proposed delay to high-risk AI enforcement deadlines. The headline proposal was to push the compliance deadline for standalone high-risk AI systems from August 2, 2026 to December 2, 2027.

On May 7, 2026, the Council of the EU and the European Parliament reached a provisional political agreement on those amendments, locking in fixed dates rather than the standards-linked timeline the Commission originally proposed.

That sounds like the delay is settled. It is not.

A provisional political agreement is not adopted law. The formal adoption process, including legal-linguistic review and official publication in the EU Official Journal, has not been completed. As compliance experts have noted, any executive treating the 2027 date as settled law is operating on legislative optimism rather than legal fact.

The Two EU AI Act Deadlines You Need to Know

Here is the current state of play:

August 2, 2026, the legally binding deadline today. This is when high-risk AI obligations under Annex III of the EU AI Act apply, unless and until the Digital Omnibus is formally adopted. If the Omnibus does not clear the formal adoption process before this date, the original provisions apply as written.

December 2, 2027, the proposed new deadline for standalone high-risk systems. This is the backstop date agreed in the provisional political deal. It is not yet law. A second deadline of August 2, 2028 applies to high-risk AI embedded in products under the proposed amendments.

The smart position is to prepare for August 2026 and treat December 2027 as a potential bonus, not the other way around.

Which AI Systems Are Actually High-Risk

Annex III of the act lists eight categories of high-risk AI systems. If your product falls into any of these, the EU AI Act deadline directly applies to you:

  • Biometric identification and categorization systems
  • AI used in critical infrastructure management
  • AI used in education, access, admission, or assessment decisions
  • AI used in employment, hiring, promotion, task allocation, performance evaluation, termination
  • AI used in access to essential services, creditworthiness, insurance, social benefits
  • AI used in law enforcement
  • AI used in migration, asylum, and border control
  • AI used in the administration of justice

For US SaaS companies, the most common exposure points are employment AI (hiring tools, performance management, workforce analytics) and financial services AI (credit scoring, fraud detection, insurance underwriting). If your product touches either of these areas and serves EU users, you are in scope regardless of where your company is incorporated.

What High-Risk Compliance Actually Requires

The obligations for high-risk AI systems are substantive. They are not checkbox compliance. Here is what the EU AI Act requires engineering teams to actually build:

Risk management system (Article 9). A continuous, iterative process for identifying, evaluating, and mitigating risks throughout the system’s lifecycle. Not a one-time assessment, an ongoing operational process.

Data governance (Article 10). Training, validation, and testing datasets must meet specific quality criteria. You need documentation of data provenance, relevance, and any known biases.

Technical documentation (Article 11). Detailed documentation covering system design, development methodology, training data, performance metrics, and known limitations. This must exist before you deploy, not after.

Automatic logging (Article 12). Every inference event must be automatically logged with timestamps, input references, model version, confidence scores, and human oversight events. Logs must be durable and tamper-evident.

Transparency (Article 13). Deployers must be able to explain how the system works and what its limitations are. Black-box systems with no explainability mechanism do not comply.

Human oversight (Article 14). The system must be designed to enable meaningful human review and override of its outputs. This is not a UI requirement, it is a system design requirement.

Accuracy and robustness (Article 15). Documented, measurable performance standards with ongoing monitoring to detect degradation.

Why Engineering Teams Are the Critical Path

Most of these obligations are not legal problems. They are engineering problems. Your legal counsel can advise on interpretation, but the actual work of building a risk management system, instrumenting automatic logging, implementing human oversight workflows, and producing technical documentation falls entirely on your engineering team.

This matters for timeline. Building compliant infrastructure takes time, not because the individual components are technically complex, but because integrating them into a production system, testing them, documenting them, and operating them reliably takes months of engineering work. Teams that start now, even with the possibility of a deadline extension, will be in a fundamentally stronger position than teams that wait.

The Hidden Trap: Assuming You Are Not in Scope

The most dangerous position is assuming your system is not high-risk without verifying it. The Annex III categories are broader than most teams initially assume. An AI system that “assists” a human in making an employment decision can fall under the employment category even if a human makes the final call. A system that influences credit limits or loan terms can fall under the essential services category even if it is not making the final lending decision.

If you have not done a formal risk classification of your AI systems against the EU AI Act’s risk tiers, that is the first thing you should do. It takes less than 15 minutes and it tells you exactly where you stand.

Aiella’s free risk assessment classifies your AI system against the EU AI Act’s risk tiers and identifies your specific compliance obligations in under 2 minutes. No account required.

What To Do Right Now

Regardless of whether the Digital Omnibus is formally adopted before August 2, 2026, here is the right posture for engineering teams:

First: classify your systems. Know which of your AI systems are high-risk, limited-risk, or minimal-risk. This determines your compliance obligations.

Second: prioritize Article 12. Automatic logging is the most technically measurable requirement and the one auditors will check first. Instrument your inference pipeline now. It is the easiest win and it gives you months of clean logs before enforcement begins.

Third: start your technical documentation. Article 11 documentation takes time to write properly. Start now while the system is fresh in your team’s minds.

Fourth: design for human oversight. If you have a fully automated decision pipeline with no human review capability, you need to architect one. This is not a quick change.

Fifth: do not wait for the Omnibus. If the delay is formally adopted, you have gained time. If it is not, you are compliant. There is no scenario in which preparing early makes you worse off.

The Bottom Line

The EU AI Act deadline for high-risk systems may move to December 2027. It may not. The provisional political agreement of May 7, 2026 is a strong signal that a delay is coming, but it is not law yet. Engineering teams that treat the delay as certain are making a bet that regulators and legal experts are explicitly warning against.

The companies that will be best positioned, whether enforcement begins in August 2026 or December 2027, are the ones building compliant infrastructure now. The delay, if it arrives, becomes bonus runway. Not the starting gun.

Aiella provides technical AI compliance monitoring software. Our free risk assessment identifies your EU AI Act obligations in under 2 minutes at assessment.aiella.com. This post is for informational purposes only and does not constitute legal advice.