It is now official: most of the EU AI Act's high-risk obligations will not apply on 2 August 2026 after all. The Digital Omnibus on AI, proposed by the European Commission on 19 November 2025, moved through a political agreement between the Parliament and the Council in May 2026, a final Parliament vote in late June 2026 (423 votes to 57, with 174 abstentions), and the Council's final green light on 29 June 2026. It enters into force three days after publication in the Official Journal. The package postpones the high-risk obligations that AI-enabled medical device manufacturers have been building toward and reshapes several other parts of the Act. Along the way, a separate proposal that would have removed medical devices from the high-risk framework altogether was rejected. Below is what changed, what did not, and what it means if you are bringing an AI-enabled device to the EU market.
A quick recap: what has already taken effect
The AI Act entered into force on 1 August 2024 with a staggered application schedule, and the early milestones arrived on time. On 2 February 2025, the Article 5 prohibitions on unacceptable-risk AI practices and the Article 4 AI literacy provision became applicable, with the Commission publishing guidelines on prohibited practices shortly after (we covered the Article 5 framework and its deadlines in our January 2025 post, linked below). On 2 August 2025, the obligations for general-purpose AI (GPAI) model providers took effect, supported by the GPAI Code of Practice published on 10 July 2025 and the Commission's mandatory template for public summaries of training content.
For medical device manufacturers, the most useful development of 2025 was MDCG 2025-6, published on 19 June 2025. That guidance answered the first set of practical questions about how the AI Act and the MDR/IVDR interact: an AI-enabled device is a high-risk AI system under Article 6(1) when it is a device (or safety component) that undergoes third-party conformity assessment by a notified body, which captures most AI-enabled devices other than Class I non-sterile devices and Class A non-sterile IVDs. MDCG 2025-6 also encouraged manufacturers to integrate AI Act requirements into their existing MDR/IVDR quality management systems and confirmed that pre-determined design changes documented at initial assessment do not count as substantial modifications. The full guidance PDF is available in our document library.
What the Digital Omnibus changes
The omnibus is the EU's response to a problem manufacturers have been flagging for two years: the harmonized standards needed to demonstrate conformity with the high-risk requirements are not ready, and compliance without them is costly and uncertain. The adopted package makes the following key changes.
New high-risk application dates
- Annex III standalone high-risk systems (AI used in areas like employment, credit, and education): obligations now apply from 2 December 2027, moved from 2 August 2026.
- Annex I embedded high-risk systems, which include AI systems in medical devices and IVDs: obligations now apply from 2 August 2028, moved from 2 August 2027.
What stays on schedule, and what else moves
Article 50 transparency obligations remain on track for 2 August 2026. These cover AI systems that interact directly with people and systems that generate synthetic content, with disclosure and machine-readable marking duties. The final text adds a grace period for the watermarking obligation, until 2 December 2026, for systems already on the market before 2 August 2026, and the Article 50 compliance toolkit is arriving now: the Commission has consulted on draft transparency guidelines, published a voluntary Code of Practice on Transparency of AI-Generated Content in June 2026 (first signing deadline 22 July 2026), and released labelling icons and FAQs for marking AI-generated content. Also on schedule: the AI Office's enforcement powers over general-purpose AI models begin on 2 August 2026, including documentation requests, independent evaluations, and fines of up to 3 percent of global turnover. The package also narrows the definition of a safety component so that functions that merely assist users or optimize performance are not automatically high-risk, reinstates a simplified registration duty for systems claiming the Article 6(3) exemption, adds a new Article 5 prohibition on AI-generated child sexual abuse material and non-consensual intimate imagery effective 2 December 2026, and extends the deadline for national regulatory sandboxes to 2 August 2027.
The medical device question: high-risk status stays
Running in parallel, the Commission's MDR/IVDR simplification proposal of 16 December 2025 (COM(2025) 1023) would have moved the MDR and IVDR from Section A to Section B of Annex I of the AI Act. Because the AI Act largely exempts Section B products from the high-risk requirements, that change would have removed most substantive AI Act obligations for medical devices in one stroke.
That approach did not survive the negotiations. Under the final omnibus text, the MDR and IVDR remain in Section A, and AI-enabled medical devices remain high-risk AI systems. The compromise is a deduplication mechanism: the Commission is empowered to limit the application of specific AI Act requirements through implementing acts where sectoral legislation already imposes equivalent obligations. In practice, this means the overlap between MDR/IVDR technical documentation, risk management, and post-market surveillance and their AI Act counterparts should be resolved by regulators rather than argued device by device, and the single combined conformity assessment described in MDCG 2025-6 remains the model: notified bodies will assess AI Act requirements alongside MDR/IVDR requirements in one process.
What this means for developers
Do not treat the delay as a pause. The two extra years exist because harmonized standards are late, not because the requirements shrank. Data governance, technical documentation, logging, transparency to users, human oversight, and accuracy/robustness/cybersecurity requirements are still coming, and they are hard to retrofit into a device that was not designed for them.
Run the classification analysis now. The Article 6(1) logic from MDCG 2025-6 is unchanged: if your AI-enabled device goes through a notified body, plan on high-risk obligations. The Commission's draft guidelines on high-risk classification, consulted on through 23 June 2026, will add practical examples when finalized. If you are claiming a device or function is out of scope, note that the narrowed safety-component definition may help, but document the rationale and expect the simplified registration duty if you rely on Article 6(3).
Integrate, do not duplicate. MDCG 2025-6 explicitly encourages folding AI Act elements into your existing MDR/IVDR QMS. Manufacturers who map AI Act requirements onto their existing design controls, risk management, and PMS processes now will be positioned to absorb the implementing acts as they arrive rather than rebuilding.
Check your Article 50 exposure before August 2026. The transparency obligations were not delayed. If your product includes a patient- or clinician-facing conversational interface or generates synthetic content, disclosure and marking duties may apply on the original schedule.
Watch the standards and the implementing acts. The value of the extra time depends on when CEN-CENELEC delivers the harmonized standards and how far the Commission's deduplication acts go. The first standard is already through: EN 18286, the quality management system standard written for AI Act Article 17 purposes, passed its Formal Vote in July 2026 and is headed to publication, the first AI Act harmonized standard to complete the process. We break down what it means for AI/ML device makers in a companion post, EN 18286 Passes the Formal Vote: What the First EU AI Act QMS Standard Means for AI/ML Device Makers. Together, the standards pipeline and the deduplication acts will determine what your notified body actually asks for in a combined assessment.
Caveats
The omnibus itself is done: both institutions have approved the final text, and it takes effect three days after publication in the Official Journal. Two related tracks are still moving, though. The Commission's separate MDR/IVDR simplification proposal (COM(2025) 1023) remains under negotiation in the Parliament and Council, and the implementing acts that will deduplicate overlapping MDR/IVDR and AI Act requirements have not yet been issued. Anchor detailed planning to the published texts as they land. Nothing here changes obligations that are already applicable, including the Article 5 prohibitions and the GPAI rules.
The bigger picture
The EU has chosen pragmatism over schedule: keep the high-risk framework for medical AI, but give the standards ecosystem time to catch up and commit to removing duplicated requirements. For manufacturers, the strategic picture is stable for the first time in two years. The destination is a single, notified-body-led conformity assessment covering both frameworks; only the timing moved. For background on the Act's structure and the deadlines as originally enacted, see our earlier post, EU AI Act: Key Deadlines and Article 5 Compliance Explained.
How Cosm Can Help
Cosm helps medical device and SaMD companies build regulatory and quality strategies for AI/ML-enabled products on both sides of the Atlantic, from classifying your system under the AI Act and MDR/IVDR, to integrating AI Act requirements into your QMS, to planning notified body engagement and FDA submissions. If you are re-planning your EU roadmap in light of the omnibus, reach out or visit cosmhq.com.
Disclaimer - https://www.cosmhq.com/disclaimer

.png)
