EU Parliament delays AI Act high-risk deadline to December 2027

Last Updated on June 23, 2026 by Hafsa J.

On June 16, 2026, the European Parliament gave final approval to the Digital Omnibus, a package that pushes the EU AI Act’s high-risk compliance deadline from August 2, 2026 to December 2, 2027. The amendment passed by 423 votes to 57, with 174 abstentions. The reprieve does not lower the stakes: penalties under the regulation still reach up to 35 million euros or 7 percent of global annual turnover for the most serious breaches.

The facts

The vote closes a process that began earlier in the year. In March 2026, the Parliament’s Internal Market and Civil Liberties committees backed a postponement of several AI Act obligations. That position moved to the full chamber, and on June 16 the Parliament adopted the final text of the Digital Omnibus, the Commission’s simplification package for the AI Act.

The central change concerns high-risk AI systems. Under the original calendar, providers and deployers faced a single enforcement date of August 2, 2026. The amended timeline splits that obligation in two. High-risk systems listed in Annex III of the regulation, covering biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and the administration of justice, now have until December 2, 2027. High-risk systems that act as safety components of products already governed by EU sectoral legislation move to August 2, 2028.

The package also introduced an explicit prohibition on AI tools that generate non-consensual intimate imagery, with compliance required by December 2, 2026. Before the law enters into force, the Council of the EU still has to adopt the text formally, a step expected in the weeks that follow the vote. The regulation keeps its extraterritorial reach: any organization whose AI systems are placed on the EU market or whose outputs affect people in the EU falls within scope, regardless of where the company is based.

What the amended timeline actually changes

The delay buys time, but it does not narrow the obligations attached to high-risk systems under Articles 9 to 17 of the AI Act. Those requirements remain demanding: a documented risk management system, data governance controls, technical documentation, automatic record-keeping, human oversight, and a defined level of accuracy, robustness and cybersecurity. Article 26 keeps a separate set of duties on deployers, including monitoring and logging once a system is in use.

One part of the regulation does not move. The transparency duties in Article 50, which require disclosure when users interact with AI or with AI-generated content, still apply from August 2, 2026. A four-month grace period runs to December 2, 2026 for watermarking obligations on systems already on the market. In practice, an organization can face the transparency rules in 2026 while its high-risk conformity work runs to 2027, so a single internal deadline is no longer enough. The classification of each system, rather than the headline date, now determines when its controls must be ready.

What this means for quality managers

For compliance and quality functions in US companies that serve EU customers, the new calendar is an opening, not a pause. The first step is to confirm which systems are in scope and how each one classifies, because the Annex III and Annex I distinction sets two different deadlines for the same portfolio. The second is to keep the transparency and watermarking work on the 2026 track, since those duties were not delayed. The third is to use the extra eighteen months to build the management-system backbone the high-risk articles assume: documented risk assessment, data governance, human oversight and incident logging. Organizations that already run an information security or AI management system will recognize most of these controls, which makes ISO/IEC 27001 and ISO/IEC 42001 a practical foundation rather than a parallel project. Treating December 2027 as the moment to start, instead of the moment to finish, is the difference between a controlled rollout and a late scramble.