MICKAI
Article · 4 July 2026

The Omnibus Bought You Time On High-Risk AI. It Did Not Buy You Control

Brussels moved the high-risk deadline to December 2027. The audit that lands when it arrives will be harder, not softer. Here is why we build governed infrastructure now.

By Micky Irons

A deadline moved this summer, and a lot of compliance officers exhaled. I want to talk you out of that exhale.

On 16 June 2026 the European Parliament adopted the Digital Omnibus on AI by 423 votes to 57, with 174 abstentions. On 29 June the Council gave its final green light. The headline change is simple. The full compliance obligations for high-risk AI systems listed in Annex III of the EU AI Act, deployed on a standalone basis, no longer bite on 2 August 2026. They now apply from 2 December 2027. AI embedded in regulated products under Annex I gets even longer, to 2 August 2028.

That covers the systems that actually decide things about people. AI in hiring and exam scoring. AI in creditworthiness. AI in utilities and other critical infrastructure. AI in health services, biometric identification and law enforcement. If your organisation runs any of these, you just got roughly sixteen extra months on the parts of the AI Act that are hardest to satisfy.

Here is the honest reading. The deadline moved. The accountability did not.

What actually changed, and what did not

The Digital Omnibus is a timing instrument and a targeted simplification, not an amnesty. It is worth being precise, because precision is the difference between using this window and sleepwalking through it.

What did not change. The prohibited practices banned under the AI Act have been enforceable since 2 February 2025. The rules on general-purpose AI models have applied since 2 August 2025. Those are live, today, with penalties up to 35 million euros or 7% of worldwide annual turnover for the banned practices, and up to 15 million euros or 3% of turnover for high-risk breaches once those obligations apply. The Omnibus also added new prohibitions, including an explicit ban on AI tools that generate non-consensual intimate imagery. The floor rose while the ceiling deadline slid.

What changed. The clock on the heaviest documentation, risk-management, data-governance, human-oversight and logging duties for standalone high-risk systems. That is the workload most organisations were nowhere near ready for. Brussels looked at the readiness gap, looked at the state of the harmonised standards, and decided a market-wide failure on 2 August 2026 helped no one.

Civil-society groups read it differently, and I take them seriously. A coalition of around 60 organisations, independent authorities and trade unions asked EU lawmakers to reject the changes. European Digital Rights called the wider package a major rollback of EU digital protection. When the people who fight for fundamental rights and the people who lobby for Big Tech both have strong opinions about the same delay, you should assume the delay is politically fragile and the underlying obligations are not going anywhere.

Why waiting makes your audit worse, not easier

Here is the trap. A postponed obligation feels like a lighter obligation. It is the opposite.

When high-risk compliance finally applies in December 2027, you will not be audited on the eighteen months of pressure relief you enjoyed. You will be audited on whether the system, as it runs, can prove what it did. The AI Act asks for record-keeping, traceability and human oversight that you can evidence after the fact. That evidence is only as good as the infrastructure that captured it while the system was making decisions. You cannot reconstruct a signed, tamper-evident log of a hiring decision your model made in 2026 if you did not capture it in 2026.

So the organisation that waits does not inherit an easier audit. It inherits a harder one, with a shorter runway, a colder trail, and standards that will be more mature and more demanding by the time they land. The window Brussels just opened is a build window. It is not a rest.

There is a second reason to move now, and it is commercial. Right now the pressure is off, budget committees are calm, and you can architect deliberately instead of scrambling. In late 2027, when everyone is scrambling at once, governed infrastructure will be scarce, consultants will be expensive, and your negotiating position will be worst exactly when your need is highest.

Build the record now, on your own ground

This is the case I make to every AI risk committee I sit in front of. Use the delay to build the thing the deadline was always going to demand. Infrastructure that produces the audit record as a by-product of running, not as a project you bolt on later.

Mickai is a Sovereign Intelligence Operating System. Regulated organisations own it and run it inside their own walls, air-gapped where the workload demands it, with a cryptographically-signed audit record written on every action the system takes. It is built and it is live. The point is not that it is clever. The point is that when the auditor asks how a credit or hiring decision was reached in December 2027, the answer already exists, signed and time-stamped, because the system recorded it when it happened.

I want to be careful and honest about the market, because over-claiming helps no one. The AI Act does not bar you from the cloud. Neither do DORA, the FCA and PRA regimes, the EBA guidelines or GDPR. Almost every one of these frameworks permits cloud with the right controls. The genuine no-cloud line sits at the workload level. Classified or secret material, ITAR-controlled data, isolated operational technology and SCADA networks, or a data-protection impact assessment that comes back negative. For most organisations this is a matter of sovereignty preference, not legal prohibition. What I am arguing for is control and provenance, held on ground you own, so that whatever the regulator, the standard, or the next omnibus decides, your evidence trail does not depend on a third party's roadmap.

That is the difference between time and control. The Omnibus gave you time. Only the infrastructure you build gives you control.

The takeaway for boards weighing a pause

If your board is asking whether to pause high-risk AI work because the deadline moved, my answer is direct. Pause the panic, not the build. The right move in a pressure-off window is to lay the governed foundation you will otherwise have to retrofit under duress. Capture the signed record now. Decide your sovereignty posture now, workload by workload, honestly. Treat December 2027 as the date your evidence gets read, not the date you start writing it.

The deadline was a gift of time. Waste it and you will pay it back with interest at audit.

Frequently asked questions

What exactly did the Digital Omnibus change about the AI Act high-risk deadline?

It postponed the full compliance obligations for standalone high-risk AI systems under Annex III from 2 August 2026 to 2 December 2027, and pushed AI embedded in regulated products under Annex I to 2 August 2028. Parliament adopted the package on 16 June 2026 and the Council signed it off on 29 June 2026. Prohibited practices and general-purpose AI rules were unaffected and remain enforceable now.

Does the delay mean we are not accountable until December 2027?

No. Prohibited practices have been enforceable since February 2025 and general-purpose AI model rules since August 2025, with penalties reaching 35 million euros or 7% of worldwide turnover for banned practices. When high-risk obligations apply in 2027, you will be assessed on records your systems captured while running. Accountability was deferred in timing, not in substance.

Should we pause our AI governance programme to save budget?

We would advise against it. The audit that lands in December 2027 will be harder if the evidence trail is cold. Building governed infrastructure now, while pressure and cost are low, is cheaper and lower-risk than retrofitting it in a market-wide scramble later. See our writing on AI governance for the fuller framework.

Does the AI Act force high-risk AI off the cloud and on-premise?

No, and we will not tell you it does. The AI Act, DORA, the FCA and PRA regimes and GDPR all permit cloud with appropriate controls. A genuine no-cloud requirement exists only at the workload level, for classified, ITAR, isolated operational technology or DPIA-negative cases. Most on-premise decisions rest on sovereignty preference and control over the audit record, not a blanket legal bar.

Originally published at https://mickai.co.uk/articles/digital-omnibus-high-risk-delay-2027. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.