
Regulation
The EU AI Act deadline moved. Your obligation did not.
The Digital Omnibus on AI deferred high risk obligations to December 2027. Here is what to do with the extra runway.
The Digital Omnibus on AI pushed high risk AI Act obligations from August 2026 to December 2, 2027. Within a week of the announcement, three of our clients had deprioritised their compliance programs and reassigned the budget elsewhere. That is the wrong instinct, and the organisations that act on it will find themselves in a worse position in late 2027 than they would have been in mid 2026.
An additional sixteen months is not a reprieve. It is the difference between a compliance posture you assembled in panic and one that genuinely operates. Treat it as runway, not relief. The organisations that use the window well will look back on it as the period in which they actually understood what AI they were running. The ones that defer will spend the second half of 2027 doing what they would have done in 2026, only with a smaller market for the consultants and engineers who can help them.
What actually moved, and what did not
The deferral applies specifically to the high risk system obligations under Article 6 and Annex III. Prohibited practices remain in force. Transparency obligations for general purpose AI models remain on their original schedule. The governance structures around the AI Office and the national competent authorities continue to stand up. If you are deploying a system that touches employment decisions, credit scoring, education access, or any of the other Annex III categories, the substantive obligation is unchanged. Only the enforcement date has moved.
This distinction matters because it changes what defer means. You cannot defer the design of a high risk system. By the time you know whether the obligation applies, the architectural decisions that determine compliance have already been made. What you can defer is the formal documentation, the conformity assessment, and the registration. Everything upstream of those steps still needs to happen on roughly the original timeline if you want the documentation to reflect reality rather than fiction.
Use the runway for the inventory you have been avoiding
Almost every organisation we work with has a gap between the AI systems procurement told them about and the AI systems that are actually running in production. The gap is usually large. Shadow AI, embedded AI features in tools that were procured for other purposes, models built by individual teams without central registration, and pilots that quietly became production all contribute to it.
The first thing to do with the extra time is to close this gap honestly. Walk every team, list every model and every AI-enabled feature, and record the use case, the data sources, the decision the system influences, and the human in the loop, if any. Most organisations discover three to five times as many in-scope systems as they had registered. The inventory is not glamorous work. It is the foundation of every subsequent decision about scope, classification, and control.
Classify against Annex III with someone who has read the working group notes
Annex III classification looks deterministic until you actually try it. The categories are written in legal language that interacts with deployment context, and the working group guidance that clarifies the edge cases is dispersed across multiple documents, several of which are still in draft. A system that influences a hiring decision is high risk. A system that suggests interview questions to a hiring manager is, depending on how the suggestions are framed and how the manager uses them, sometimes high risk and sometimes not.
The right way through this is to classify with someone who has spent time inside the working group materials, and to document the reasoning behind each classification decision. The classification itself matters less than the reasoning. When the regulator asks why a system was classified the way it was, the reasoning is what you present. A classification without recorded reasoning is indistinguishable, in audit, from no classification at all.
Build governance before the audit framework
There is a strong temptation, with sixteen months in hand, to begin with the audit framework. Pick a standard, map the controls, fill in the evidence. This is backwards. The audit framework is a way of demonstrating that governance exists. If governance does not yet exist, the audit framework will be a description of a fictional organisation.
Build the governance layer first. Decide who owns AI risk. Establish the review cadence. Set the escalation path. Run it for a quarter against your real inventory. Only then begin to map the governance you have built onto the standard you intend to certify against. Done in this order, the controls will reflect what you actually do, and the certification process will be relatively painless. Done in the reverse order, the certification process is a six month project of pretending.
Watch the GPAI obligations
The general purpose AI obligations were not deferred. If your organisation deploys foundation models, either directly or embedded in third party products, the transparency and documentation requirements are already binding. Many organisations have been so focused on the high risk system timeline that they have missed this entirely. A quick scan of which foundation models you depend on, and what each provider has published about training data, evaluations, and known limitations, is a useful exercise to run in the next quarter.
What the next sixteen months should look like
A practical sequence is: inventory in the first quarter, classification in the second, governance design in the third, governance operation through the fourth and fifth, and formal documentation and conformity assessment in the sixth. That leaves the final two quarters before the deadline for the work that is genuinely difficult to predict in advance: responding to regulatory clarifications, integrating with national supervisory authorities, and remediating the gaps that only become visible once governance has been running long enough to surface them.
Organisations that follow roughly this sequence will arrive at December 2027 with a system that works, documented in a way that the regulator can read, owned by people who understand it. Organisations that wait will arrive in the second half of 2027 to discover that the consultants who can help them are booked, the auditors are saturated, and the gap between their current state and a defensible compliance posture is larger than the time remaining to close it.
The deadline moved. The obligation did not. The runway is a gift, but only if you spend it.



