The EU Just Gave AI Companies 16 More Months — Here’s What the AI Act Delay Actually Changes
By John
Companies building recruitment algorithms, credit-scoring models, and other high-risk AI systems for the European market had a hard deadline circled on the calendar: August 2, 2026. It’s no longer hard, and it’s no longer August 2026. The European Commission, Council and Parliament have agreed to push it to December 2, 2027 — sixteen months of breathing room that almost nobody in the industry saw coming this late in the process.
That’s the headline. The part worth actually reading past the headline is what didn’t move, because the answer is: the law everyone already has to comply with regardless of what happens to the AI Act.
What Got Pushed, and What Didn’t
The European Commission published its Digital Omnibus on AI on November 19, 2025, proposing to defer the compliance deadline for standalone high-risk systems under Annex III — the category covering recruitment tools, credit scoring, law enforcement applications, education software, and border control systems — from August 2, 2026 to December 2, 2027. AI embedded inside already-regulated products (medical devices, vehicles, industrial machinery, covered under Annex I) gets pushed even further, to August 2, 2028.
The Council and Parliament formally agreed to simplify and streamline the rules on May 7, 2026, following MEPs voting in March to support the postponement. What stayed exactly where it was: the underlying GDPR exposure. If a high-risk AI system processes biometric data or does emotion recognition, GDPR penalties of up to €20 million or 4 percent of global turnover still apply the moment that processing happens — not on some future compliance date, but now, because GDPR was never on the AI Act’s clock to begin with.
Why Brussels Blinked
The delay isn’t a political retreat from AI regulation so much as an admission that the machinery required to enforce it wasn’t ready. The stated reasoning centers on delays in designating national competent authorities in member states, and on the fact that the harmonized technical standards and conformity assessment tools that high-risk providers are supposed to test against don’t fully exist yet. You can’t credibly require a company to pass a conformity assessment against a standard that hasn’t been finalized.
That’s a real, defensible problem. It’s also one the Commission created for itself by setting an ambitious original timeline in 2024 and then discovering, as implementation deadlines approached, that the supporting infrastructure — accredited assessment bodies, published technical standards, functioning national authorities — was running well behind the legal deadline. The Digital Omnibus is, in effect, the EU acknowledging its own regulatory apparatus wasn’t going to be ready in time, and adjusting the law to match reality rather than forcing companies to comply against a system that couldn’t actually process their compliance.
The GDPR Safety Net Underneath

This is the detail that matters most for anyone tempted to treat the delay as a green light. The AI Act, GDPR, and the Digital Markets Act now converge on the same systems, particularly anything handling customer interactions or sensitive personal data at scale — and only one of those three frameworks just got a schedule extension. A recruitment AI tool that processes candidate biometric data for identity verification, for instance, doesn’t get to wait until December 2027 to worry about data protection law. It was already subject to GDPR the day it started processing that data, delay or no delay.
That distinction gets lost fast in coverage that treats “AI Act delayed” as equivalent to “AI regulation postponed.” It isn’t. Companies that read the Digital Omnibus as permission to deprioritize AI governance work entirely are conflating two different regulatory clocks — one that just moved, and one that never was on the same schedule in the first place.
Who’s Cheering, Who’s Not

Industry reaction has split along predictable lines. Companies mid-build on high-risk systems get real relief: more runway to finalize technical documentation, complete conformity assessments once standards actually exist, and avoid a compressed scramble against a deadline the supporting bureaucracy couldn’t have met anyway. For a mid-size company building, say, an AI-driven credit scoring tool for the European market, sixteen extra months is the difference between shipping compliant and shipping late.
Critics see it differently. Advocacy and policy groups have argued the delay lets high-risk systems dodge oversight during exactly the window when adoption of those systems — in hiring, lending, and law enforcement — keeps accelerating. Every month between now and December 2027 is a month a recruitment-scoring algorithm or a predictive policing tool operates under whatever governance a company voluntarily chooses to apply, rather than a legally mandated standard.
Both readings are correct at the same time, which is usually how regulatory delays work. The companies get real, defensible extra time to comply with a law whose enforcement infrastructure genuinely wasn’t ready. The systems being regulated keep operating in the meantime under lighter obligation than the original law intended. Neither fact cancels the other out — and neither one touches the GDPR exposure that was never part of this deadline to begin with.
- On May 1, 2026
- 0 Comment
