AI Regulation Data Sovereignty EU AI Act

EU delays high-risk AI rules to Dec 2027 (Digital Omnibus): why sovereign AI still matters

European Union flag waving against a blue sky

On 29 June 2026 the Council of the EU cleared the "Digital Omnibus on AI" package — postponing compliance obligations for high-risk AI systems under Annex III from 2 Aug 2026 to 2 Dec 2027 (embedded-in-product systems to 2 Aug 2028). What is delayed is the Annex III obligations, not the whole Act: the ban on "prohibited AI practices" (Article 5, since 2 Feb 2025) and general-purpose AI (GPAI) model duties (since 2 Aug 2025) remain in force, and the penalty framework of up to EUR 35M or 7% of global turnover stays intact.

Quick summary

  • What is delayed: high-risk AI (Annex III) obligations — from 2 Aug 2026 to 2 Dec 2027 (embedded-in-product: 2 Aug 2028).
  • Who cleared it, when: the European Parliament approved it on 16 June 2026 (423/57/174); the Council of the EU cleared it on 29 June 2026. Binding once published in the EU Official Journal.
  • NOT delayed: the Article 5 bans (since 2 Feb 2025) and GPAI model duties (since 2 Aug 2025).
  • Penalties unchanged: up to EUR 35M or 7% of global turnover (SMEs take the lower figure).
  • Vietnamese firms: extraterritorial reach — if the AI output is used in the EU, you are in scope. On-premise AI remains the safest path.

What just happened in the EU?

Short answer: The EU has postponed the application date for obligations on "high-risk" AI systems under Annex III of the EU AI Act — from 2 Aug 2026 to 2 Dec 2027 for stand-alone systems, and to 2 Aug 2028 for AI embedded in regulated products. This is the result of an amending package called the "Digital Omnibus on AI."

The legislative path (per the European Parliament Legislative Train and Gibson Dunn's analysis): the European Commission proposed it on 19 Nov 2025; co-legislators reached a trilogue agreement in early May 2026, confirmed by Member State representatives on 13 May 2026; the European Parliament's plenary approved it on 16 June 2026 (423 in favour, 57 against, 174 abstentions); and the Council of the EU gave its final green light to the simplification package on 29 June 2026. The new dates only become legally binding once the Omnibus is published in the Official Journal — expected before 2 Aug 2026.

Lady Justice statue holding scales — a symbol of law
The Annex III delay does not change the AI Act's penalty framework. Photo: dpsinghbhullar / Pexels

What is delayed — and what is NOT

The most common misreading: the whole Act is not delayed. Only the Annex III high-risk obligations are pushed back. The parts already in force remain:

  • Prohibited AI practices (Article 5) — applicable since 2 Feb 2025, unchanged. Examples: social scoring by public authorities, exploiting vulnerabilities of at-risk groups, certain real-time biometric identification.
  • General-purpose AI (GPAI) model obligations — applicable since 2 Aug 2025, unchanged.
  • The Omnibus also adds a ban on AI-generated non-consensual intimate imagery and child sexual abuse material to Article 5, with a transition until 2 Dec 2026; the mandatory marking of AI-generated content is likewise re-timed (to 2 Dec 2026 for systems placed on the market before 2 Aug 2026).

In other words: companies get more time for the high-risk compliance paperwork — but the red lines and transparency duties are not loosened.

How large are the penalties?

The Article 99 penalty framework is unchanged by the Omnibus. Three caps:

Type of infringementMaximum fine
Prohibited AI practices (Article 5)EUR 35M or 7% of global turnover (whichever is higher)
Non-compliance with other obligations (provider/deployer/importer…)EUR 15M or 3% of global turnover (whichever is higher)
Supplying incorrect/misleading information to bodies/authoritiesEUR 7.5M or 1% of global turnover (whichever is higher)

For SMEs and startups, the law takes the lower of the two figures (not the higher) — a deliberate relief for smaller firms. Even so, the Annex III delay does not dissolve the risk: a misused AI system can still fall under the "prohibited practices" that are already being enforced.

Why this matters for Vietnamese firms

The EU AI Act has extraterritorial reach: it applies to organisations outside the EU when the output of the AI system is used in the EU. Vietnamese companies shipping AI-enabled software, doing AI outsourcing for EU clients, or embedding AI into products sold into Europe can all fall in scope. The Annex III delay gives them roughly 16 extra months to prepare conformity documentation — but the Article 5 bans and transparency duties are in force today.

Domestically, Vietnam already has its own framework — see our piece on Decree 142/2026 on AI for how risk classification and high-risk obligations look in Vietnam. Firms operating on both sides (EU + VN) should read the two frameworks in parallel.

The sovereign-AI angle: why data control stays the safe path

Every AI legal framework — EU or Vietnamese — converges on the same demands: data control, operational logging, human oversight and traceability. This is exactly where on-premise AI has a structural advantage: when the model runs entirely inside your own infrastructure, input data never leaves the organisation, logs stay local, and access control and oversight are yours — not dependent on a cloud vendor that can change its terms, shift its storage region, or switch the service off remotely.

A technician working on a motherboard — on-premise AI infrastructure
On-premise AI: data and logs stay within your organisation's control. Photo: Mikhail Nilov / Pexels

The EU's Annex III delay should not be read as "you can relax." The window to Dec 2027 is a chance to prepare properly: build AI whose architecture already satisfies the control requirements, rather than bolting on compliance at the last minute. For sensitive data (HR files, customer data, trade secrets), keeping AI in-house is the most direct way to shrink your legal risk surface across every jurisdiction at once.

What should companies do in the next three months?

  • Inventory the AI you use (including "shadow AI" — staff using external chatbots): know what data is leaving your walls.
  • Do a first-pass risk classification: which systems might fall under Annex III (hiring, credit scoring, essential infrastructure…) — to prepare documentation before the Dec 2027 deadline.
  • Screen for Article 5 red lines: make sure nothing touches the prohibited practices (enforced since 2025).
  • Consider moving sensitive workloads on-premise: where data and logs stay within your control.

Frequently asked questions

Until when has the EU delayed high-risk AI rules?

Annex III high-risk obligations move from 2 Aug 2026 to 2 Dec 2027 (embedded-in-product systems: to 2 Aug 2028), under the Digital Omnibus. New dates bind once published in the EU Official Journal (expected before 2 Aug 2026).

Is the entire EU AI Act delayed?

No. Only the Annex III obligations. The ban on prohibited practices (Article 5, since 2 Feb 2025) and GPAI model duties (since 2 Aug 2025) remain in force.

What is the maximum fine under the EU AI Act?

Prohibited practices (Article 5) can incur up to EUR 35M or 7% of global turnover, whichever is higher; for SMEs/startups, the lower figure applies.

Are Vietnamese companies covered by the EU AI Act?

Possibly, if the AI system's output is used in the EU (extraterritorial reach). The delay adds preparation time, but Article 5 and transparency duties already apply.

How does on-premise AI help with compliance?

When AI runs on-premise, data never leaves the organisation, logs stay local, and oversight/access control are yours — aligning with the control and traceability demands of both EU and Vietnamese frameworks.

Prepare properly for the window to Dec 2027

Namtech deploys a private in-house AI platform that helps you control data, keep logs and supervise — making it easier to comply with both the EU AI Act and Decree 142/2026.

Book a free consultation

Note: This article is compiled from publicly available sources as of 08/07/2026; the information is for reference, does not replace reading the original texts, and may change.

Get started

Start with a free assessment

To define the right package and detailed scope, Namtech offers a short, no-cost assessment.

We reply within 1 business day. No spam, we never share your info.