On 28 April 2026, after twelve hours of negotiations in Brussels, the trilogue on the EU AI Act Digital Omnibus collapsed without agreement. The press conference scheduled for the following morning was cancelled — which was its own signal.
The package was meant to postpone the August 2026 high-risk deadline to December 2027 for standalone systems, and August 2028 for AI embedded in regulated products. None of that passed. A follow-up trilogue is scheduled for approximately 13 May 2026.
If you have been planning your compliance program against an assumed postponement, stop.
The deadline you should be planning against is the one already in law: 2 August 2026.
What happened — and what didn't
The Digital Omnibus was proposed by the European Commission in November 2025 as a simplification package — reducing regulatory burden, postponing deadlines, integrating AI obligations with existing sectoral safety law. The political direction was broadly agreed. Both Council and Parliament had converged on the key numbers.
The trilogue collapsed on a single unresolved file: the conformity assessment architecture for AI embedded in regulated products under Annex I. Specifically, whether AI systems in machinery, medical devices, in-vitro diagnostics, and similar products should remain subject to combined AI Act and sectoral assessment, or move primarily to the sectoral track.
The Council and Parliament did not converge on this file, and that single disagreement was sufficient to block the entire package.
Everything else — the deadline extensions, the SME provisions, the GPAI simplifications — remains in limbo until the file closes.
What is still in force
The AI Act itself — Regulation 2024/1689 — is not affected by the Omnibus failure. As of 30 April 2026, no delay has been adopted. Until a revised Omnibus is agreed and published in the Official Journal, the original deadlines in Regulation 2024/1689 apply.
That means the following obligations remain on the 2 August 2026 clock:
The four scenarios between now and August
A follow-up political trilogue is scheduled for approximately 13 May 2026, two weeks after the failed 28 April session. The Cypriot Council Presidency will attempt to close the file before its term ends on 30 June 2026; otherwise the Lithuanian Presidency takes over from 1 July 2026 and may continue negotiations.
Four outcomes are possible:
Scenario 1 — Deal in May, published before August. The 13 May trilogue closes the file. Formal Parliament vote and Council endorsement follow. Publication in the Official Journal happens before 2 August. Omnibus deadlines replace original deadlines. Standalone Annex III systems get until December 2027.
Scenario 2 — Deal in May, publication misses August. Agreement is reached but the legislative machinery — formal votes, publication — cannot complete before 2 August. Original deadline applies temporarily. Politically awkward, legally clear.
Scenario 3 — No deal before June, Lithuanian Presidency takes over. Negotiations continue into Q3. Original August deadline applies with no relief in sight. Companies that planned against postponement face immediate compliance pressure.
Scenario 4 — Omnibus fails entirely. Political agreement proves impossible. Original AI Act timetable stands permanently. August 2026 for Annex III. August 2027 for Annex I.
Treating any softening as upside, and preparing for the existing AI Act timetable, remains the safer planning posture.
What Annex III actually requires — for enterprises deploying AI agents
Annex III high-risk AI systems include, among others:
- AI used in employment — recruitment, screening, performance evaluation, task allocation, monitoring, promotion, termination
- AI used in credit scoring and insurance — creditworthiness assessment, risk classification, pricing
- AI used in critical infrastructure — safety components in energy, water, transport
- AI used in essential private services — including elements of financial services and healthcare administration
- AI used in education — admission, assessment, evaluation of students
For enterprises deploying AI agents in any of these categories, the obligations from 2 August 2026 include:
Article 12 — Logging. Automatic logging of events throughout the system lifecycle. Logs must enable post-hoc verification and must be retained for a minimum of six months, or longer where required by sectoral law.
Article 14 — Human oversight. Technical and organizational measures ensuring humans can effectively monitor the system, intervene, and override. This requires a complete causal record — not just inputs and outputs, but the context in which decisions were made.
Article 26 — Deployer obligations. Deployers of high-risk AI systems must implement appropriate technical and organizational measures, designate a point of contact for competent authorities, and maintain logs for the period of operation.
Article 49 — Registration. High-risk AI systems must be registered in the EU database before deployment. Registration requires technical documentation demonstrating compliance.
The recurring theme across all these obligations is the same: you must be able to prove what your system did, why, and demonstrate that the record cannot be altered after the fact.
What enterprises deploying AI agents need to do now
Three things, regardless of what happens in May:
First, classify your systems against Annex III. Do not assume your AI tools are low-risk because they feel like internal tools. An AI agent used in recruitment decisions, credit processing, or critical operational functions is almost certainly Annex III. The classification question should be answered by legal counsel, not assumed.
Second, audit your current logging infrastructure. Provider-native logs do not constitute an independent audit trail. A log that lives on Anthropic's or OpenAI's infrastructure, signed by their keys, and accessible only through their console, is a vendor report — not the tamper-evident record Article 12 requires. If your current logging cannot demonstrate cryptographic integrity at the point of capture, it will not satisfy a competent authority.
Third, do not plan around the postponement. Companies relying on the Omnibus's extended timelines would suddenly face immediate compliance obligations for which many have not adequately prepared. The enterprises that survive August 2026 — whether the Omnibus passes or not — are the ones that treated compliance infrastructure as operational infrastructure, not a regulatory checkbox to address when the deadline becomes unavoidable.
The deeper point
The Omnibus debate is about timing, not about whether the obligations exist. Even if the deadline moves to December 2027, the requirements remain: tamper-evident logging, human oversight, causal reconstructability, independent audit trails.
Every week of preparation time is valuable. The enterprises that begin building compliant audit infrastructure now — before the political uncertainty resolves — will have it operational before enforcement begins, regardless of which date that turns out to be.
The ones waiting for regulatory clarity will still be waiting when competent authorities begin their first market surveillance reviews.
The AI Act is not conditional on Brussels reaching agreement. It is already law.
↳ KYDE
KYDE is a model-agnostic governance proxy that produces tamper-evident, cryptographically signed audit trails for every AI agent action — across every provider, from day one. August 2026 is closer than it looks.