Future Proof Intelligence · Published 4 June 2026 · 10 minute read

The EU AI Act delay: what SME operators actually need to know.

The Digital Omnibus proposal pushed one major deadline. Several others stayed exactly where they were. If you are running an AI agent in your business and you think the delay means you can stand down, this article is a correction.

What the Digital Omnibus actually is

In early 2025, the European Commission published its Digital Omnibus package, a legislative proposal designed to streamline overlapping digital obligations across several EU instruments. Among the changes proposed, and the one that generated the most attention in AI circles, was a postponement of certain high-risk AI obligations under Regulation (EU) 2024/1689, the EU AI Act.

The proposal followed significant pressure from European industry associations and several member state governments, who argued that compliance timelines were unrealistic given the pace at which the Commission's harmonised technical standards were being finalised. The European Parliament and the Council reached broad agreement during trilogue in spring 2026 on pushing the main high-risk AI deployer obligations to 2 December 2027, extending the original 2 August 2026 deadline by approximately sixteen months.

What has not changed is the legal status of the original deadline. Until the Omnibus is formally adopted and published in the Official Journal of the European Union, Regulation (EU) 2024/1689 applies in its original form. The Commission's proposal, even with broad political support, is not law until it completes the full legislative process. Any business that has suspended its compliance programme on the assumption that the delay is already in effect is taking a legal risk.

The deadlines that moved

The Omnibus proposal targets a specific set of obligations: those relating to high-risk AI systems as defined in Article 6 and classified under Annex III of the EU AI Act. These are the deployer obligations that have generated the most operational concern for businesses, because they require documented risk management systems, human oversight records, log retention, incident reporting, and fundamental rights impact assessments.

Under Article 26 of Regulation (EU) 2024/1689, deployers of high-risk AI systems are required to implement technical and organisational measures to support human oversight, ensure input data relevance, monitor system performance, retain logs where technically feasible, and inform workers and their representatives of AI use in employment contexts. These are substantive obligations with real documentation and process requirements.

The proposed delay pushes this Article 26 compliance requirement from 2 August 2026 to 2 December 2027. For most SMEs that deploy AI systems in sectors covered by Annex III, including employment screening, credit assessment, or certain healthcare administrative functions, this is the primary regulatory relief the Omnibus provides.

A key qualifier applies for SMEs specifically. The EU AI Act's proportionality provisions in Article 26(8) already provide reduced obligations for SMEs and microenterprises in relation to certain documentation requirements. The Omnibus delay sits on top of these existing proportionality rules. Neither replaces the other. The combined picture is that SMEs have reduced documentation obligations and an extended timeline to meet even those reduced obligations, provided the Omnibus passes into law.

The deadlines that did not move

The Omnibus delay is narrower than the coverage it has received in the press suggests. Four major categories of obligation are not affected and remain on their original schedule.

Article 5: prohibited practices

The prohibitions in Article 5 of Regulation (EU) 2024/1689 have been in force since 2 February 2025. They cover real-time remote biometric identification systems used in publicly accessible spaces by law enforcement except in strictly limited circumstances, AI systems that exploit psychological vulnerabilities or apply subliminal techniques to influence behaviour in ways that damage interests, AI-based social scoring systems used by public authorities, and certain predictive policing applications. Most SMEs are not operating in any of these categories. But the important point is that the prohibition date has passed and there is no delay to this provision.

General-purpose AI model obligations

Providers of general-purpose AI models, the foundation models that underpin most commercial AI products including large language models, have been subject to obligations under Articles 53 and 55 of the AI Act since 2 August 2025. If you run a customer-facing AI agent powered by a third-party model, your vendor is already subject to these obligations. Their compliance or non-compliance affects your deployment because Article 26 requires deployers to rely on providers who meet their own obligations. The Omnibus does not modify the GPAI timeline.

Article 50: transparency obligations

Article 50 of Regulation (EU) 2024/1689 requires that deployers of AI systems intended to interact directly with natural persons disclose to those persons that they are interacting with an AI system. The obligation applies from 2 August 2026 and is not affected by the Omnibus proposal. If you run a customer-facing chatbot, booking assistant, or any conversational AI agent, you will need to have a disclosure mechanism in place by 2 August 2026 regardless of what happens to the high-risk obligations.

The same provision requires that AI-generated content, including synthetic audio and video, be labelled as such in a machine-readable format. For businesses that use AI to generate marketing content or customer communications, Article 50 creates a specific, near-term compliance obligation that the Omnibus delay does not touch.

The revised Product Liability Directive

Directive 2024/2853 is an entirely separate instrument from the EU AI Act. It revised the European product liability framework to bring software, including AI software, within the definition of a product for strict liability purposes. The Directive applies from 9 December 2026. This means that from that date, a customer who suffers damage because an AI system you deployed was defective can bring a claim without needing to prove fault. The burden of proof shifts. The Omnibus does not modify this Directive and has no effect on the December 2026 date.

For SMEs running AI-powered services, the Product Liability Directive is in many respects a more immediate liability exposure than the AI Act's high-risk deployer regime. The strict liability standard it introduces applies to any software defect, not just systems meeting the EU AI Act's high-risk classification. And it applies from December 2026, not December 2027.

What the delay actually means for your business

The most honest framing of the Omnibus delay is this: it moves the formal compliance deadline for one set of obligations by sixteen months. It does not move the underlying risk. The commercial, consumer protection, and product liability exposure that makes AI governance preparation sensible was not created by the EU AI Act. It existed before the Act and will continue to exist whether or not any particular deadline is extended.

Consider what the Air Canada chatbot case tells us. That decision, handed down in February 2024 by the British Columbia Civil Resolution Tribunal, did not require the EU AI Act to establish that a business is responsible for statements made by its AI agent. It applied existing consumer protection principles that have been part of European law for decades. The delay does nothing to that liability.

The practical consequence for SMEs is that the Omnibus creates additional time to prepare properly, not permission to skip preparation. Businesses that use the sixteen-month window to document their AI systems, build incident response procedures, establish log retention practices, and review their existing insurance coverage will be in a substantially better position than those that treat the delay as a reason to wait.

Insurance is a particular area where the delay has an effect that runs opposite to what most operators expect. Insurers developing AI-specific products are already using EU AI Act documentation requirements as the baseline for their underwriting criteria. A business that presents an insurer with a documented risk management system, a human oversight register, and a log of AI decisions will receive a better quote than one that cannot produce those records. The extra time is an opportunity to build those records before the insurance market crystallises its underwriting standards. It is not an opportunity to avoid the documentation work entirely.

The three things SME operators get wrong about the delay

Three misconceptions are circulating in SME communities that are worth addressing directly.

The first is that the delay applies universally to all AI Act obligations. It does not. As described above, Article 5 prohibitions, GPAI model obligations, Article 50 transparency requirements, and the Product Liability Directive are all on their original schedules. A business that stops reviewing its compliance position because it heard there was a delay may discover that it is already non-compliant with obligations that predate or fall outside the Omnibus proposal.

The second misconception is that the delay is already law. It is not. The Omnibus must complete the full EU legislative process before it takes effect. If it is not adopted before 2 August 2026, the original deadline remains binding. Treating the proposed delay as a done fact is a legal risk that compliance advisors are flagging across Europe.

The third misconception is that the delay removes the need for any AI governance work in the near term. This misunderstands why governance preparation matters. A company that documents its AI decision-making processes, trains its staff on AI oversight, and builds an incident response plan is not doing this primarily to satisfy a regulatory checklist. It is doing this because customers can sue when AI agents give them wrong information, because employment law applies to AI-assisted hiring decisions, and because product liability covers defective software regardless of the regulatory classification. These pressures existed before the Act and will continue regardless of its enforcement timeline.

The practical action list for June 2026

Given the current state of the law, the following priorities are appropriate for SME operators running AI agents in mid-2026.

Check whether Article 5 applies to anything you run. The prohibited practices are not subject to any delay. Most SMEs are not running real-time biometric identification or social scoring systems, but the category of subliminal influence and vulnerability exploitation is broad enough that some marketing AI applications may warrant scrutiny.

Prepare for Article 50 by 2 August 2026. If your business operates a conversational AI agent, a customer service chatbot, or any AI system that interacts with customers, you need a disclosure mechanism in place by that date. This is a specific, near-term requirement that the Omnibus delay does not affect.

Assess your exposure under the Product Liability Directive before December 2026. If you deploy AI software to customers, review whether a defect in that software could cause recoverable damage under the strict liability standard the Directive introduces. This is not primarily an AI Act compliance question. It is a product liability question.

Use the extended timeline for Article 26 preparation properly. Do not treat the sixteen-month extension as free time. Use it to document your AI systems, establish your human oversight procedures, build a log retention policy, and write an incident response plan. These records will be required by both regulators and insurers when the compliance window closes in December 2027.

Review your existing insurance for AI exclusions. Most business insurance policies were written before AI agents became operational tools. Many contain exclusions, either explicit or through legacy wording, that leave AI-related losses uncovered. Understanding the gap now is considerably more useful than discovering it after a claim. Our guide on whether business insurance covers AI mistakes walks through the most common exclusion patterns.

If you want the full regulatory picture on what the Omnibus delay means at the EU level, the detailed analysis is available at agentliability.eu. If you want to understand the coverage pathway once your governance documentation is in place, the coverage pathway on this site explains the steps.

Frequently asked questions

Did the EU AI Act get delayed?

The European Commission's Digital Omnibus package proposes to push the main high-risk AI deployer obligations from 2 August 2026 to 2 December 2027. The Council and European Parliament reached broad agreement on those dates during trilogue in spring 2026. However, the delay has not yet been formally adopted and published in the Official Journal. Until that happens, the original 2 August 2026 deadline remains the legally binding deadline.

Which EU AI Act rules are not affected by the delay?

Four major obligations are not affected. Article 5 prohibited practices have been in force since 2 February 2025. General-purpose AI model obligations under Articles 53 and 55 applied from 2 August 2025. Article 50 transparency obligations for AI-generated content and conversational agents apply from 2 August 2026. The revised Product Liability Directive (Directive 2024/2853) applies from 9 December 2026 regardless of the Omnibus.

As an SME, do I need to do anything before the delay comes into force?

Yes. Article 50 transparency disclosures apply from 2 August 2026. Article 5 prohibited practices are already in force. If you use a general-purpose AI model, your vendor's obligations under Articles 53 and 55 already apply. And the Product Liability Directive from December 2026 makes AI software subject to strict product liability. The delay does not remove these obligations.

What does the Digital Omnibus delay mean for AI insurance?

The delay extends the window for preparing documentation that insurers will use when underwriting AI agent risk. Businesses that use the extra time to build governance records, log AI decisions, and document incident response procedures will be in a far stronger position when dedicated AI insurance products become available in Europe. The delay does not remove the risk; it shifts the formal enforcement timeline while leaving the commercial and consumer protection exposure unchanged.