EU AI Act Weekly Radar: Parliament Advances the Digital Omnibus and Reorders the High-Risk Timeline
EU AI Act implementation is being re-sequenced. This week: Parliament advances the Digital Omnibus, high-risk deadlines may move, and a targeted ban on abusive synthetic-content tools sharpens prohibited-use screening.
The clearest EU AI Act development this week is a political and operational one: lawmakers are focusing on whether the compliance calendar matches implementation reality.
According to the European Parliament’s agenda note titled “AI Act: simplification measures, ban on ‘nudifier’ apps”, the Digital Omnibus on AI would postpone important high-risk AI obligations, while also adding a new prohibited-use measure aimed at particularly harmful synthetic content. A related European Parliament Research Service briefing, “Digital Omnibus on AI,” says Parliament approved the agreement and frames the amendments as a response to practical delays around national authority designations, harmonised standards, and high-risk compliance tools.
For lextrace readers, the takeaway is straightforward: the AI Act’s compliance architecture is not being abandoned, but Parliament is signalling that parts of the rollout may need to be re-sequenced to reflect market readiness and supervisory capacity.
The headline change: high-risk timelines may move again
The most consequential update in this window is the reported postponement of two sets of obligations.
Per the European Parliament agenda note, the Digital Omnibus on AI would:
- postpone high-risk AI use-case obligations to 2 December 2027; and
- postpone AI safety-component obligations to 2 August 2028.
That matters because high-risk classification sits at the center of many AI Act compliance programs. Whether an AI system falls into a high-risk category drives documentation, quality management, testing, oversight, and deployment planning. When the implementation date for those obligations moves, so does the timing for budget allocation, control design, vendor remediation, and board-level assurance.
The significance is amplified by the explanation provided in the EPRS “Digital Omnibus on AI” briefing. That note says the amendments respond to delays involving:
- designation of national authorities;
- availability of harmonised standards; and
- development of high-risk compliance tools.
Taken together, those points suggest Parliament is reacting not only to business pressure for simplification, but also to public-sector and ecosystem readiness problems. In other words, the issue is not merely that obligations are demanding; it is that key implementation infrastructure may not yet be sufficiently in place.
Why this matters for Article 6 and Annex III workstreams
Even though the supplied updates do not provide fresh interpretive guidance on Article 6 or Annex III, they are highly relevant to teams already building around those provisions.
For many organizations, Article 6 and Annex III analysis is the gateway question: is the system high-risk, and if so, under which route or use case? If the Parliament-backed timetable for high-risk use-case obligations shifts to December 2027, that does not eliminate the need for classification work. But it does change the pace and order in which legal, product, and operational teams may execute that work.
A practical reading of this week’s developments is:
- Classification remains strategically important. Organizations still need a view on which systems are likely to land in a high-risk bucket.
- Formal compliance buildouts may be re-timed. If obligations move, some control implementation deadlines may move with them.
- Dependency tracking becomes critical. The EPRS note highlights missing or delayed ecosystem enablers, which means compliance planning cannot rely only on statutory text. It also depends on standards, authorities, and usable tooling.
For in-house teams, that creates a familiar governance challenge: continue readiness work without overcommitting to a timetable that policymakers may still be adjusting.
A simplification signal, not a deregulatory reset
The political framing matters here. The Parliament agenda item describes the package as involving “simplification measures.” That wording is important because it indicates an implementation adjustment rather than a wholesale rollback of the AI Act’s risk-based model.
The EPRS briefing reinforces that interpretation. Its description of the Omnibus as a response to delays around authorities, standards, and compliance tools suggests Parliament sees friction in the execution layer of the regime. The problem, on this telling, is not only what the law asks firms to do, but whether the surrounding system is ready to support consistent compliance and enforcement.
For AI governance teams, this distinction matters:
- a simplification agenda can still leave core accountability expectations intact;
- a postponement can create breathing room, but also prolong uncertainty; and
- a sequencing change can shift which controls need immediate investment.
This is especially relevant for companies with mixed AI portfolios that include both potentially high-risk systems and lower-risk or general-purpose capabilities. If key high-risk milestones are pushed back, organizations may choose to prioritize governance measures that remain valuable across categories, such as inventory discipline, role allocation, escalation pathways, and model-to-use-case mapping.
The parallel policy move: a new ban on abusive synthetic-content tools
The other major development in the Parliament agenda note is not about timing at all. It is about scope.
According to “AI Act: simplification measures, ban on ‘nudifier’ apps,” the package would add a ban on AI systems that create:
- non-consensual intimate material; or
- child sexual abuse material.
This is a notable signal for at least two reasons.
First, it shows that even as Parliament explores simplification and delay for some compliance tracks, it is also willing to sharpen the prohibition side of the AI Act where harms are viewed as acute and socially intolerable.
Second, it underlines a broader trend in AI regulation: lawmakers may be open to easing timing pressure in difficult implementation areas while simultaneously drawing harder lines around clearly abusive use cases.
For product, trust and safety, and platform teams, this means compliance cannot be understood only as a scheduling question. The same legislative package can both defer some obligations and harden others.
What the EPRS framing says about enforcement readiness
One of the most useful details in the EPRS “Digital Omnibus on AI” briefing is its explanation of why Parliament moved. The note points to delayed national authority designations, harmonised standards, and high-risk compliance tools.
That combination has direct enforcement significance.
An AI regime is not operational merely because the legal text exists. It also requires:
- competent authorities with defined responsibilities;
- standards or technical references that firms can work against; and
- practical compliance mechanisms that allow providers and deployers to translate legal duties into operational processes.
If those pieces are delayed, enforcement becomes harder to apply consistently. Companies face uncertainty about what “good” implementation looks like, and regulators face a matching problem when trying to supervise markets that lack mature benchmarks and support infrastructure.
So while this week’s news may look like a narrow timetable amendment, it also reveals something more structural: Parliament appears to be acknowledging that implementation capacity is itself part of AI regulation.
Practical implications for providers, deployers, and compliance leads
For professional readers following the AI Act closely, the most useful response to this week’s updates is probably not to pause all work. It is to re-prioritize.
1. Revisit roadmap assumptions
If your program plan assumes fixed deadlines for high-risk use-case obligations or safety-component obligations, those assumptions may need updating. Parliament materials point to later dates, and that should trigger a formal review of milestone dependencies, internal resourcing, and vendor expectations.
2. Separate classification from implementation timing
Even where obligations move, high-risk identification work remains necessary. Teams should distinguish between:
- the question of whether a system is likely high-risk; and
- the question of when full statutory controls must be in place.
That separation helps avoid two opposite mistakes: treating postponement as irrelevance, or treating preliminary classification as if every downstream compliance duty were already fixed and imminent.
3. Track ecosystem dependencies, not just legal text
The EPRS explanation is a reminder that AI Act readiness depends on more than law. Standards, supervisory structures, and usable tools affect delivery. Governance teams should therefore maintain a dependency register that includes external implementation factors, not only internal policy tasks.
4. Review prohibited-use screening
The reported ban on systems creating non-consensual intimate material or child sexual abuse material should prompt immediate product and policy review in any environment where image generation, editing, or synthetic media tooling is available. Even without adding assumptions beyond the Parliament note, the policy direction is clear enough to justify heightened scrutiny.
5. Communicate carefully with leadership
This week’s developments are easy to misread as either deregulation or delay without consequences. Neither framing is especially helpful. The better executive message is that Parliament is adjusting sequencing in response to implementation bottlenecks while also tightening controls for specific harmful uses.
The bigger picture for the AI Act implementation timeline
This week’s AI Act radar points to a familiar reality of major digital regulation: implementation calendars are political instruments as well as legal ones. When lawmakers confront delays in standards, authorities, and compliance tooling, the timetable itself becomes a policy lever.
The Parliament and EPRS materials together suggest that the current phase of the AI Act is less about redefining the whole framework and more about making the framework executable. That may disappoint observers who wanted immediate certainty, but it is also a pragmatic acknowledgment that ambitious governance systems need functioning infrastructure.
For now, the most credible read is that the EU remains committed to the AI Act’s risk-based structure, while accepting that some of the most operationally demanding elements of high-risk compliance may need more time.
That is not the end of the compliance story. It is the latest reminder that AI governance in Europe will be shaped not only by what the Act says, but by when institutions, standards, and tools are ready to make it work.
Citations
- [1] AI Act: simplification measures, ban on “nudifier” apps, European Parliament
- [2] Digital Omnibus on AI, European Parliament Research Service