The AI Act Delay: What the Digital Omnibus Actually Changes for Banks
On 29 June 2026 the Council gave its final green light to the Digital Omnibus on AI. Most of the coverage since has said the same thing: the AI Act has been delayed. That is half true, and the half it gets wrong is the half that matters to a bank this summer.
The high-risk obligations did move, and they moved a long way. But the deadline that lands first was not touched at all, and the Omnibus quietly added two obligations while it was deferring others. If your reading of the news was "we have another year", the calendar below is going to be uncomfortable.
What actually moved
| Obligation | Was | Now | Status |
|---|---|---|---|
| Stand-alone high-risk systems (Annex III) — credit scoring, insurance pricing, HR screening | 2 Aug 2026 | 2 Dec 2027 | Deferred |
| AI embedded in products already regulated under Annex I legislation | 2 Aug 2027 | 2 Aug 2028 | Deferred |
| National AI regulatory sandboxes | 2 Aug 2026 | 2 Aug 2027 | Deferred |
| Transparency obligations (Art. 50) | 2 Aug 2026 | 2 Aug 2026 | Unchanged |
| New prohibition: AI generating non-consensual intimate imagery | — | 2 Dec 2026 | Added |
| Machine-readable marking of AI-generated content (grace period) | 6 months | 3 months, ending 2 Dec 2026 | Shortened |
What the Omnibus added rather than delayed
Two things, both landing on 2 December 2026.
First, a new prohibited practice under Article 5: AI systems designed to generate non-consensual intimate imagery. This is not a financial-sector concern in most institutions, but it is worth knowing that the prohibition list is not frozen. Article 5 is the one part of the Act with no conformity route out of it, and it just grew.
Second, the grace period for content marking was cut from six months to three. Providers of systems that generate synthetic content must implement machine-readable marking by 2 December 2026. If you have a generative assistant drafting customer communications, that is a technical workstream, not a policy one, and it has a real date on it.
What it softened
The Commission originally proposed removing the Article 4 AI literacy obligation from providers and deployers entirely, replacing it with a duty on the Commission and Member States to "foster" literacy. Parliament pushed back. The final text keeps the obligation on you, but lowers the bar: you must take measures to support the development of AI literacy among your staff, rather than ensure a sufficient level, and you are explicitly not required to guarantee any particular level for any individual.
In practice: your AI training programme still needs to exist. It no longer needs to be defensible as having produced a measurable competence level in every person who touches a model.
What it dropped
The Commission had proposed removing the EU-database registration requirement for systems that a provider self-assesses as not high-risk under the Article 6(3) exemption. That proposal did not survive. Registration stays. If you were counting on the self-assessment route to keep a system out of the database, recheck it.
The Omnibus did extend the legal basis for processing special-category personal data for bias detection and correction — previously available only to providers of high-risk systems — to all AI systems and general-purpose models, subject to a strict necessity test. That is a genuine easing for anyone trying to test a model for discriminatory outcomes without a lawful basis to look at the protected attributes.
So what should a bank do with the sixteen extra months?
The temptation is to reprioritise the AI Act down the list. That is a mistake for a simple reason: conformity assessment on a high-risk system is not a quarter of work. It is a quality management system, a technical documentation file to Annex IV, a data governance regime over your training and validation sets, designed-in human oversight, and an EU database entry. Institutions that have done this for other regimes will tell you it is a year, not a sprint.
A sensible sequencing for the next six months:
- Inventory first, classify second. Most institutions cannot yet list every AI system touching a regulated activity. You cannot classify what you have not found. Your DORA ICT asset register is the right starting point — the models are already in your estate.
- Deal with Article 50 now. It is six weeks away. Disclosure that a customer is talking to an AI is a UX and copy change; content marking is an engineering change. Both are small compared to high-risk conformity, and both have already run out of runway.
- Find your Article 25 exposure. The most expensive mistake available under this Act is not a missed deadline — it is discovering that fine-tuning a bought model made you its provider. We cover that in the provider-versus-deployer question.
- Then start the high-risk file. With the pressure off the 2026 date, do it properly rather than fast.
Run our free AI Act exposure check to see which tier each of your systems actually falls into — it walks the tiers in the order the Act imposes them, which is where most internal scoping exercises go wrong. The full mapping of what the AI Act adds to an existing DORA programme is on our AI Act hub for financial institutions.
For the text of the Act itself — all 113 articles, article by article, in 24 languages — see our sister site regulation-ai.eu, and its dedicated Omnibus deadline tracker.
This article is analytical guidance for compliance and legal teams, not legal advice. References: EU AI Act (Regulation (EU) 2024/1689), the Digital Omnibus on AI (Council green light, 29 June 2026), DORA (Regulation (EU) 2022/2554), and the Commission guidelines on GPAI of 18 July 2025.