EU AI Act · 27 April 2026 · 6 min read
Digital Omnibus 2026 — what 16 months of high-risk delay actually changes
The European Commission published the Digital Omnibus implementing acts in March 2026. The headline number — high-risk Annex III obligations pushed from 2 August 2026 to 2 December 2027, Annex I to 2 August 2028 — is real, but most teams are mis-reading what it covers.
What got delayed
- Article 6 + Annex III — the high-risk classification trigger. Now 2 Dec 2027.
- Articles 9-15 — the high-risk requirements bundle (RMS, data governance, technical documentation, record-keeping, transparency, oversight, accuracy/robustness/cybersecurity).
- Article 26 — deployer obligations including 26(9) FRIA. Same deadline.
- Article 43 + Annex VI/VII — conformity assessment + CE marking.
- Articles 71/72/73 — EU database registration, post-market monitoring, incident reporting (15-day / 2-day deadlines).
- Annex I high-risk — those tied to existing EU product safety legislation (medical devices, machinery, vehicles). Pushed further to 2 Aug 2028.
What did NOT get delayed
This is the part most teams miss:
- Article 4 — AI literacy. In force since 2 February 2025. No grace period. Every provider AND every deployer needs a documented AI literacy programme covering staff who use, oversee, or are affected by AI.
- Article 5 — prohibited practices. Fully in force. Manipulative subliminal techniques, exploitation of vulnerabilities, social scoring, real-time biometric ID in public spaces (with narrow exceptions): banned now.
- Article 50 — transparency / watermarking. Now 2 November 2026. Generative AI providers + deployers need C2PA-class provenance markers.
- Articles 51-55 — GPAI obligations. Already in force since 2 August 2025. Foundation-model providers need technical docs, training-data summaries, copyright policies, systemic-risk assessments where applicable.
- Articles 99-101 — penalties. Effective per the original timeline for whichever obligations the penalties attach to.
What the delay does NOT solve
Three traps:
- Article 50 is 4 months out, not 16. Watermarking infrastructure is not a sprint — C2PA manifest generation, key custody, robust per-output marker integration, and end-user disclosure UI all need real engineering. Teams banking on the delay haven't read the right line.
- National implementation is moving. Member states are using the delay to refine national supervisory authority structures and notified body lists. France, Germany, Italy, Spain and the Netherlands have all started consultations. The substantive obligations don't change with national transposition; the enforcement regime does.
- NIS2 + DORA + CRA aren't deferred. NIS2-UmsuCG (Germany) lands 17 October 2026 with €10M / 2% turnover penalty ceilings. DORA Reg 2022/2554 has been fully applicable since 17 January 2025. EU CRA (Reg 2024/2847) phases in from 11 December 2027. None of those moved.
What to do this quarter
- Article 4 literacy programme — document training, identify affected roles, log completion. Already overdue.
- Article 50 watermarking — pick a C2PA-compatible provider, integrate, test, ship before 2 Nov 2026.
- Annex III scoping — even though obligations are deferred, classification work is not. Knowing now whether you're in scope is what lets you budget for 2027.
- NIS2-DE entity classification — German operations or German revenue: you're likely in scope.
- Take the readiness scorecard if you don't know where to start. Free, 90 sec, signed attestation: meok.ai/scorecard.
Need a signed evidence pack mapping each binding article to your stack?
14-day Audit-Prep Bundle covers Article 4 + 5 + 50 + GPAI + DORA + NIS2 + CRA in a single HMAC-signed file.
Source: Regulation 2024/1689 · Digital Omnibus implementing acts March 2026 · MEOK AI Labs · CSOAI LTD · UK Companies House 16939677