Anyone reading the headlines of recent weeks could have gained the impression that the EU AI Act – the Regulation on Artificial Intelligence – had been suspended in a central part. On 7 May 2026, the Council presidency and the European Parliament reached a provisional political agreement on the so-called Digital Omnibus on AI. The core of the understanding: the obligations for certain high-risk AI systems are postponed from 2 August 2026 to 2 December 2027. For banks and insurers, this is relevant news. But it is more narrowly framed and more provisional than the headlines suggest.
For those responsible for risk and compliance, the decisive question is not "Is the deadline gone?" but "Which deadline exactly, for which systems, and from when does it even apply?" This is precisely where precision pays off. For the postponement does not affect all obligations, it differentiates between two categories of high-risk systems, and as things currently stand it is not yet legally binding. Anyone who derives a "do nothing for now" from the provisional agreement is optimising the wrong variable.
What: Provisional political agreement of 7 May 2026 on the Digital Omnibus on AI (part of the Omnibus VII simplification package) – postponement of the high-risk obligations of the EU AI Act
Annex III (stand-alone high-risk systems): deadline postponed from 2 August 2026 to 2 December 2027, that is by 16 months
Annex I (embedded in regulated products): separately postponed to 2 August 2028, that is by 12 months
Not postponed: the prohibitions (Article 5), the transparency obligations (Article 50) and the AI literacy obligation (Article 4) apply unchanged from 2 August 2026; the watermarking obligation for generative AI from 2 December 2026
Caveat: the agreement is not yet legally in force – formal votes in Parliament and Council and publication in the EU Official Journal are still outstanding (expected for June or July 2026)
What 7 May 2026 Really Means – and What Does Not Yet Apply
Let us start with what was actually agreed. The understanding of 7 May is part of the Digital Omnibus on AI, which in turn is located within the European Commission's Omnibus VII simplification package. It postpones the start of application of the obligations for stand-alone high-risk systems under Annex III of the EU AI Act from 2 August 2026 to 2 December 2027. That is 16 additional months for those systems that are most directly relevant for financial institutions, more on which shortly.
Decisive is the status of this agreement. It is a provisional political understanding, in Brussels parlance a "provisional agreement". It is not yet legally in force. Before the new deadline applies, the European Parliament and the Council of the European Union must formally vote, and the text must be published in the Official Journal of the EU. This is expected for June or July 2026. Until publication, the old deadline of 2 August 2026 continues to apply as a matter of strict law. This is not a quibble for lawyers but an operational risk: anyone basing project plans and budgets solely on the press release builds on a position that may still shift in the trilogue.
The Council's wording is deliberately restrained: "provisional agreement" and "proposal to streamline" – that is, a provisional understanding on a proposal to simplify. It is the language of an intermediate step, not of a concluded legislative procedure. It is precisely this nuance that regularly gets lost in the reporting.
Which Financial Systems Are Affected – and Which Are Not
For a financial institution, the first compulsory question is whether its own AI systems fall under Annex III at all. The EU AI Act explicitly names two finance-related use cases here, and both are more narrowly framed than is often assumed.
First: AI for assessing the creditworthiness of natural persons, that is, classic credit scoring. This is the practically most important high-risk case for banks. The exception matters: pure fraud detection is, according to the text of the regulation, not classified as high-risk. A system that exclusively detects payment fraud therefore does not automatically fall into the same category as a system that helps decide on lending to a consumer. Drawing this dividing line cleanly is the precondition for any robust classification.
Second: AI for risk assessment and pricing of natural persons, but explicitly only in life and health insurance. Property, motor, commercial and reinsurance are not covered here. An insurer using AI in pricing must therefore examine precisely which line of business is affected – the high-risk classification does not apply across the board to every actuarial model, but only to the clearly delimited personal sphere of life and health insurance.
The postponement also differentiates between two annexes. Annex III systems are stand-alone high-risk applications, for instance a dedicated scoring model. For them the new deadline of 2 December 2027 applies. Annex I systems are those embedded in products that are already regulated by other means; they are separately postponed to 2 August 2028, that is by twelve rather than sixteen months. Anyone speaking sweepingly of "16 months' postponement" overlooks this differentiation. For the financial sector, Annex III dominates in practice, yet the distinction belongs in any clean risk assessment.
What the Postponement Buys – and What It Does Not
Here lies the actual core for those responsible for risk and compliance. The postponement buys time for the conformity assessment of the high-risk systems – the technical documentation, the risk management system, the human oversight, the declaration of conformity. These onerous obligations apply to Annex III systems only from December 2027. That is a genuine relief, especially for institutions that are not yet through with classifying and documenting their models.
What the postponement explicitly does not buy is a pause in the obligations that were not postponed. Three of them apply unchanged from 2 August 2026. The prohibitions on certain AI practices under Article 5 remain in force. The transparency obligations under Article 50 – such as the labelling that a person is interacting with an AI system – continue to apply. And the AI literacy obligation under Article 4, which requires providers and deployers to ensure an adequate level of AI literacy among staff, likewise remains in place. Added to this is the watermarking obligation for generative AI from 2 December 2026. An institution that ignores these four areas by reference to the Annex III postponement fundamentally misunderstands the agreement.
A second misconception concerns the allocation of roles. The EU AI Act distinguishes between the provider and the deployer. An institution that uses an AI system is a deployer – and deployers cannot delegate their responsibility to the provider. Anyone who acts as provider and deployer at the same time, that is, who deploys internally developed models themselves, bears both sets of obligations. This responsibility does not disappear through the postponement; it merely shifts in the timing of its full effect for the actual high-risk requirements.
Particularly relevant is Article 27. It requires deployers in the credit and insurance sphere to carry out a fundamental rights impact assessment and to report it to the competent national supervisory authority. This obligation is not delegable – no external service provider can assume it for an institution. It is a deployer obligation in the proper sense and belongs among the work an institution should prepare early, independently of the high-risk cut-off date.
What Institutions Should Concretely Do Now
From the provisional agreement, four measures can be derived, staggered by time horizon. They follow a simple principle: the postponement is a buffer for implementation, not a postponement for the stocktake.
Immediately, by August 2026: The obligations that continue to apply unchanged – prohibitions, transparency, AI literacy – presuppose that an institution even knows which AI systems it operates and which of them fall under Annex III. This stocktake is not suspended by the postponement; rather, it becomes all the more a precondition. Anyone who does not cleanly classify credit-scoring and pricing models can neither judge whether the old or the new deadline applies, nor whether the non-postponed obligations are already engaged.
By end-2026: The fundamental rights impact assessment for deployers in the credit and insurance sphere is a non-delegable obligation. Preparing it early, independently of the high-risk postponement, distributes the workload and avoids a bottleneck shortly before December 2027. The methodology, the data basis and the reporting channel to the national supervisory authority can be set up now, not only when the deadline presses.
2026 to 2027: External AI service providers cannot assume the deployer responsibility. Contracts with providers of scoring or pricing models should therefore clearly regulate which documentation, information and cooperation duties the provider delivers, so that the institution can meet its own deployer obligations. Clarifying this at the contractual layer is cheaper and more robust if it happens before the conformity assessment, not in parallel with it.
Strategic: The harmonised standards of the European standardisation organisations CEN and CENELEC, as well as the conformity assessment procedures, will be finalised in the postponed window. Anyone who uses the buffer to align their own documentation with these emerging standards, rather than building early on an uncertain position, saves rework. The postponement is thus not a breather but a window in which the technical basis of the later obligations becomes robust in the first place.
Risks and Open Questions
Three reservations belong to an honest contextualisation. First, the deadline differentiation: the much-cited 16 months apply only to Annex III. Annex I systems embedded in regulated products gain only twelve months, until August 2028. Anyone who lumps both together plans incorrectly for part of their systems.
Second, the legal force. As long as Parliament and Council have not formally voted and the text is not in the Official Journal, the new deadline is a political declaration of intent, not applicable law. Until then, the old deadline of 2 August 2026 remains formally in force. Those responsible who base their planning solely on the agreement should actively track the publication step rather than presuppose it.
Third, the responsibility question. The deployer responsibility is more differentiated than the debate often suggests. The division of duties between provider and deployer, the dual role for internally developed models and the non-delegable fundamental rights impact assessment all remain. The postponement moves a cut-off date for part of the obligations. It relieves no institution of the task of knowing which role it takes for which system.
For German banks and insurers, the strategic consequence is thus clearly outlined. The postponement is a real but limited relief: 16 more months for the conformity assessment of Annex III high-risk systems, no more and no less. The non-postponed obligations, the non-delegable deployer responsibility and the legal force still outstanding remain work that begins now. Anyone who reads the buffer as a pause loses it. Anyone who uses it as an orderly preparation phase enters the high-risk obligations in December 2027 prepared rather than driven.
Christian Schablitzki
Strategy & Management Consultant · Agentic AI expert for financial institutions
Over 20 years in investment banking and derivatives trading, followed by more than 10 years advising financial institutions. Currently a Partner at Infosys Consulting in Germany. Certified in Google AI, Generative AI Leader (Google Cloud) and IBM RAG and Agentic AI.
LinkedIn profile →Keep reading – every 14 days in your inbox.
Capital-markets insights, regulatory updates and AI trends. Concise, well-founded, free.
GDPR-compliant. Unsubscribe at any time.