datascale
DE EN
Contact
AI Analytics

The EU AI Act Just Slipped: What the Digital Omnibus Means for Marketing Teams

The Digital Omnibus defers the EU AI Act's high-risk obligations to December 2027. What stays, what moves, and why it's no reason to park your AI inventory.

Juri Saloid By Juri Saloid 3 min read

Related service: AI readiness & data strategy

By November 2025 it was clear the EU AI Act rollout wasn't keeping pace: too many technical standards and delegated acts that the high-risk rules depend on were still missing. The Commission tabled the Digital Omnibus, a package that adjusts several digital laws at once. For the AI Act it comes down to one thing. The sharpest obligations arrive later.

If you already know the risk classes, the entry point into AI readiness and data strategy is here. If you're starting fresh, the short version is below.

What changed

The original plan set the high-risk obligations from 2 August 2026 (Annex III) and from 2 August 2027 for AI embedded in regulated products (Annex I). The Omnibus replaces the previously discussed conditional trigger with fixed dates and pushes both back:

  • Annex III (stand-alone high-risk systems): from 2 December 2027.
  • Annex I (high-risk AI in regulated products): from 2 August 2028.

There's also a substantive addition: a new Article 5 prohibition on AI-generated non-consensual intimate imagery and abuse material. It doesn't touch marketing analytics directly, but it belongs in the full picture.

What stays the same

The high-risk part moved. The rest holds.

  • Prohibited practices have been banned since February 2025. Social scoring, manipulative subliminal techniques, real-time biometrics in public spaces. Penalties up to €35 million or 7 percent of global annual turnover.
  • General-Purpose AI has carried its own obligations since August 2025. If you run GPT, Claude or Gemini inside tools or products, you fall under them.
  • Transparency obligations for most marketing applications remain the practically relevant topic. Chatbots, AI copy and synthetic media have to be recognisable to users.

The new timeline at a glance

EU AI Act timeline after the Digital Omnibus

The Digital Omnibus moves only the high-risk part. Prohibitions and GPAI obligations stay in force.

  1. Feb 2025In force

    Prohibited practices

    In force. Social scoring, manipulative techniques, real-time biometrics. Penalties up to €35M or 7%.

  2. Aug 2025In force

    General-Purpose AI

    In force. GPT, Claude, Gemini in tools or products fall under the GPAI obligations.

  3. Dec 2027was Aug 2026Deferred

    High-risk, Annex III

    Deferred. Stand-alone high-risk systems: mandatory documentation, conformity assessment, EU registration.

  4. Aug 2028was Aug 2027Deferred

    High-risk, Annex I

    Deferred. High-risk AI embedded in regulated products.

As of June 2026. Politically settled, not yet published in the EU Official Journal.

What it means for marketing teams

Deferred, not dropped. The extra time is lead time, not a reason to table the topic. If you run Smart Bidding, predictive audiences, lookalike audiences or attribution models, you operate AI systems in the sense of the Act. Risk classification decides which obligations apply, and the delay doesn't change that.

EU AI Act risk pyramid. 4 tiers

Click or tab through the tiers for marketing examples and obligations.

Limited risk

Obligation

Transparency obligation: users must know they're interacting with AI. AI-generated content must be labelled.

Marketing examples

  • AI chatbot on the website
  • GenAI blog or ad copy
  • AI-generated images / deepfakes
  • Emotion analysis (e.g. for UX optimisation)

2026 status

Transparency obligations from August 2026. Active enforcement by the EU AI Office across DE/AT/FR.

Three things are worth doing now, regardless of the moved deadlines:

  • AI inventory. Which AI components sit in the marketing stack, including the invisible ones like Smart Bidding or HubSpot AI?
  • Risk classification per use case. Most marketing setups land in Minimal or Limited Risk. Establishing that is cheap and ends the speculation.
  • Transparency and documentation obligations. These apply today and are the most common blind spot in an audit.

The benefit of the delay is in the pace, not the scope. Instead of a last-minute exercise before August 2026, there's room to build a clean first-party data architecture as the foundation. That's exactly what any AI use case beyond a compliance checkbox needs.

Need help with your setup?

Audit Sprint in two weeks, prioritised report, concrete action steps.

Request an audit →
  • Q01
    Does the EU AI Act no longer apply at all now?

    It does. Only the high-risk obligations moved. The prohibitions have applied since February 2025, the GPAI obligations since August 2025, both unchanged. The Act is in force, only the sharpest parts arrive later.

  • Q02
    Do we have to do nothing until December 2027?

    No. Transparency obligations and the AI inventory are relevant today, and risk classification is the basis for everything else. The delay buys lead time for a clean implementation, it doesn't replace it.

  • Q03
    Is the delay final yet?

    As of June 2026 it's politically settled but not yet published in the EU Official Journal. The dates are treated as fixed, the final legal text may differ in detail. Before any binding decision, have the current status checked by a lawyer.

  • Q04
    What is the Digital Omnibus anyway?

    A legislative package from the EU Commission, tabled in November 2025, that simplifies and disentangles several digital laws at once. For the AI Act it mainly carries the deferred high-risk deadlines and a few substantive clarifications.

About the author

Juri Saloid

Juri Saloid

Founder & Managing Director

Founder & Managing Director of Datascale One. Combines 10+ years of MarTech and analytics depth with the pragmatic pace of his agency years.

View profile → LinkedIn ↗

Read next