Thinking · EU AI Act
The EU AI Act just bought you 16 months.
That doesn't mean you should wait.
On 7 May 2026, the Council and Parliament reached a provisional agreement to simplify and streamline the EU AI Act as part of the Digital Omnibus VII package. Deadlines moved. The obligations behind them didn't. Here is what the deal means for organisations deploying high-risk AI — and what the extended timeline is actually for.
What the deal actually changed
The provisional agreement extends the compliance deadline for the most significant category of AI obligations. High-risk AI systems listed in Annex III — tools used in recruitment, credit scoring, biometric identification, law enforcement, education, and access to essential services — now face an enforcement date of 2 December 2027, not 2 August 2026 as originally set. That is a 16-month extension.
For AI systems regulated under Annex I — product-safety frameworks covering radio equipment, lifts, medical devices, and similar — the deadline moves from August 2027 to August 2028, a one-year extension. The SME exemption threshold has also been raised: simplified documentation requirements now apply to companies of up to 500 employees, which the regulation calls "small mid-caps", up from the previous 250-employee threshold.
Two other adjustments round out the agreement. National regulatory sandboxes — which Member States are required to establish for AI developers — have their setup deadline extended by one year to August 2027. A new prohibition takes effect on 2 December 2026: AI systems used to generate or manipulate non-consensual intimate imagery or child sexual abuse material are banned outright. Formal adoption by both institutions is expected between June and July 2026.
What hasn't moved
The substance of the regulation is unchanged. If your organisation deploys AI in any of the high-risk contexts covered by Annex III, the obligations remain exactly as written. Before high-risk AI systems go into service, organisations must demonstrate:
- A functioning risk management system, documented and maintained throughout the system's lifecycle
- Data governance practices for training, validation, and test datasets
- Technical documentation and logs sufficient to enable supervisory authority review
- Transparency measures for users and, where applicable, affected individuals
- Human oversight mechanisms ensuring that the system can be monitored, corrected, and overridden
Penalties are unchanged. Non-compliance with obligations for high-risk AI systems can result in fines of up to €35 million or 7% of global annual revenue — whichever is higher. That number did not move.
The trap most organisations will fall into
Deadline extensions tend to be misread. The announcement that obligations have been postponed registers — in boardrooms and compliance teams alike — as the problem being postponed. Projects that were gaining momentum lose their urgency. Budgets get reallocated. Governance initiatives drop off the quarterly review agenda.
In 16 months, those organisations will face the same compliance gap they have now, plus an additional problem: national supervisory authorities will be fully operational and actively looking for clear cases to establish enforcement precedent. The organisations that treated the extension as a pause will arrive with a scramble and no margin.
The organisations that treat it as a race condition will arrive at December 2027 with governance infrastructure that is tested, embedded, and working — and with documented evidence of the kind that regulators are specifically required to assess.
What this window is actually for
The original August 2026 deadline forced a compliance-first posture. The question was: can we document our AI systems well enough to pass an audit? The extended timeline creates space for a better question: how do we build AI governance that is actually useful, not just defensible?
Good AI governance is not a set of documents filed in a folder. It is a set of practices — how your organisation decides which AI systems fall in scope, how it assesses and mitigates risk, how it records decisions, monitors outcomes, and responds to incidents. Done properly, it is infrastructure that makes every AI initiative faster to approve, safer to deploy, and more credible to the regulators, customers, and investors who will ask to see it.
Sixteen months is enough time to build that infrastructure properly, embedded in how your teams actually work — not assembled under pressure in the weeks before an audit deadline. The organisations that use this window well will not only be compliant; they will be demonstrably better at AI governance than their competitors, and they will be able to prove it.
What this means for Verdix customers
Verdix is built for exactly this period. It gives governance, risk, and compliance teams the infrastructure to register AI initiatives, track regulatory obligations by system type, document risk assessments, record human oversight processes, and maintain compliance status across the organisation — everything regulators will ask to see when enforcement begins.
The extended timeline does not reduce the need for this infrastructure. It gives organisations the opportunity to build it thoughtfully rather than reactively — and to have it working before the deadline, not on the day of it.
The provisional agreement between the Council and Parliament was reached on 7 May 2026 as part of the Digital Omnibus VII legislative package. Formal adoption by both institutions is expected in June or July 2026. Until formally adopted, the original compliance deadlines remain in force. This article is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel on the specific obligations applicable to their AI systems.