The timeline moved. The governance burden did not.
On 7 May 2026, the European Parliament and the Council reached a provisional political agreement on the AI portion of the EU’s Digital Omnibus package. The headline was immediate and widely welcomed: the most demanding obligations for high-risk AI systems under the EU AI Act would be pushed back.
For many pharma and biotech leaders, that sounded like relief. In one sense, it is. The industry has been preparing against a difficult implementation path, with legal uncertainty, unfinished standards, unresolved questions about overlap with sectoral rules and uneven readiness across both companies and regulators. More time matters.
But the postponement is already being misread in boardrooms and leadership meetings.
The postponement changes the deadline. It does not materially change the governance problem. It does not reduce the substance of what companies must prove. It does not resolve the most difficult operational questions for AI-enabled medical devices and IVDs. And it does not turn the EU AI Act into a problem only for companies headquartered in Europe.
For pharma leaders, especially in large multinational organizations, the practical message is simple – use the extra runway to build operating capability, not to delay it.
First, an Important Caveat: The Deal Is Still Provisional
Before getting into the business implications, it is worth stating the legal status clearly.
The May 2026 deal is a provisional political agreement, not yet the final published amended law. Multiple summaries of the agreement note that the text still requires formal adoption by the European Parliament and the Council. The institutions have indicated that they intend to complete this before 2 August 2026, which matters because that is the date on which the original Annex III high-risk obligations would otherwise begin to apply.
That distinction is not just technical. It matters for how companies communicate internally.
If the agreement is adopted in time, then the revised dates described below will become the planning baseline. Until then, the original legal deadlines remain the formal statutory position. In practice, most businesses will treat the provisional agreement as the likely direction of travel. But leadership teams should avoid communicating this as if all uncertainty has already disappeared.
That said, the provisional deal is significant enough that it should influence planning immediately.
What Changed in the Timeline
Three changes matter most to pharma and life sciences companies.
1. Annex III high-risk systems move to 2 December 2027
Under the original AI Act timetable, obligations for stand-alone high-risk AI systems under Annex III were due to apply from 2 August 2026. Under the provisional agreement, those obligations are expected to apply instead from 2 December 2027.
That is a delay of 16 months.
Annex III covers high-risk use cases in a range of areas, including employment, education, certain biometric use cases, law enforcement, border management, critical infrastructure and other sensitive contexts.
For pharma companies, the most immediately relevant Annex III category is often not product AI but internal enterprise AI, especially in HR and workforce contexts. AI used in recruitment, screening, selection, promotion, performance monitoring, or termination decisions may fall into this track long before some product-related AI questions arise. That matters because many companies still think of the EU AI Act primarily as a product or medtech issue, when in reality, some of the earliest practical exposure may sit in corporate functions.
2. Annex I product-related high-risk systems move to 2 August 2028
The second major shift is for Annex I systems: AI used as a safety component of a product, or otherwise governed by EU harmonized product legislation, including medical devices and in vitro diagnostics.
These obligations were originally expected to apply from 2 August 2027. The provisional agreement pushes that to 2 August 2028.
That is a 12-month delay and for life sciences companies, it is arguably the most commercially important change in the package.
Why? This is where the AI Act intersects most directly with regulated healthcare products. For companies developing AI-enabled medical devices, software as a medical device, in vitro diagnostics, or embedded AI functionality within regulated products, the Annex I track is the one that could trigger the heaviest compliance burden.
It also gives companies more time to prepare for conformity assessment, technical documentation, post-market monitoring and interaction with existing product safety and healthcare regulatory frameworks.
3. Certain watermarking/transparency obligations are delayed to 2 December 2026
The third timing change relevant to AI providers concerns the transparency requirement around machine-readable marking of certain AI-generated or manipulated outputs under Article 50(2).
The detail here matters. This is not best described as a blanket postponement of all transparency obligations. Rather, for certain systems already placed on the market or put into service before 2 August 2026, the compliance date for the relevant marking requirement is pushed to 2 December 2026. Systems placed on the market after 2 August 2026 may still need to comply from the point they are placed on the market or put into service.
This distinction is important because some commentary on the Omnibus risks making the overall timeline sound more relaxed than it really is. It is not the case that every relevant obligation has moved in parallel.
What Did Not Change
This is where the business interpretation often goes wrong. The Omnibus deal changes timing in some important respects, but it does not redesign the AI Act’s core architecture.
The following remain intact in substance:
● The risk-based structure of the AI Act
● The categorization logic for prohibited, high-risk and other systems
● The core high-risk obligations
● The conformity assessment model
● The governance and enforcement role of the AI Office
● the broader compliance expectations around documentation, oversight, accuracy, robustness, logging and post-market controls
For pharma leadership teams, that means the hardest part of the problem remains the same. The work was never just about surviving a date. It was always about building a system that can identify, classify, validate, document, approve, monitor and govern AI across a regulated enterprise. That work is still required.
The Hard Part Was Never the Date
In many organizations, there is a tendency to interpret regulatory deadlines as the main source of difficulty. In reality, for AI governance, the date is often the least difficult part.
The hard part is operational:
● Finding all AI systems across the enterprise
● Distinguishing actual AI from marketing language or conventional automation
● identifying where vendor-embedded AI is already in use
● Classifying systems against the AI Act
● Deciding which function owns each system
● Building traceable documentation
● Aligning legal, quality, IT, regulatory, security, data, procurement and business teams
● creating processes that still work when systems change, models update, or vendors alter functionality
That challenge does not become smaller because the deadline has moved. It becomes more manageable only if the company uses the added time to build maturity.
GPAI Is Not Part of This Relief Narrative
Another point worth making clearly: not every major AI Act workstream is paused by the Omnibus.
The high-profile delay concerns the bulk of the high-risk AI system obligations, not every provision that companies care about. General-purpose AI issues remain on their own tracks of implementation and enforcement. Transparency obligations remain relevant. New prohibited practices have their own dates. In other words, leadership teams.
Why USA and Japanese Pharma Leaders Should Care Just as Much as European Ones
Before going further, an important clarification is needed for every US pharma and biotech reader of this piece. The phrase “EU AI Act” still reads to many US pharma executives as someone else’s regulatory problem. That instinct is understandable, but it is wrong – and it is costing US companies the runway they think they have.
Article 2 of the AI Act sets out the applicability rules, and those rules are deliberately extraterritorial. The Act applies to three categories of actors: providers placing AI systems on the EU market or putting them into service in the EU, wherever the provider is established; deployers of AI systems that have their place of establishment or are located in the EU; and providers and deployers established outside the EU where the output produced by the AI system is used in the EU.
That third category – Article 2(1)(c) – is the one US pharma consistently misses. A US company can fall within the scope of the EU AI Act not only where its AI systems are placed on or used in the EU market, but also where the outputs of those systems – including predictions, decisions, recommendations, or generated content – are used in the EU, regardless of where the company, model, or servers are located.
In other words, jurisdiction follows the output, not the corporate entity. A US pharma company’s HR AI system in Indianapolis that screens applicants for a Basel commercial role is in scope. A clinical operations AI hosted in North Carolina that supports trial enrolment in Germany is in scope. A regulatory submission AI in New Jersey that drafts content for an EU marketing authorisation is in scope. A pharmacovigilance signal-detection AI in Boston that processes adverse events involving EU patients is in scope. The physical location of the model or infrastructure is not the determining factor; what matters is whether the output is used in the EU.
This reach is broader than many US teams assume, and broader in important ways than GDPR. As the IAPP noted in August 2025, the AI Act’s extraterritorial scope exceeds the GDPR’s because it does not depend on a targeting requirement, a personal data processing nexus, or an intent test. If your AI output reaches an EU customer, employee, regulator, healthcare professional, or patient, you may be in scope.
Article 22 makes the practical implication more concrete. Providers of high-risk AI systems established in third countries – including the United States – must designate an authorised representative established in the EU before making those systems available on the EU market. That representative carries specific obligations under the Act, including maintaining documentation availability and cooperating with national competent authorities.
For US pharma companies with European operations, the test is therefore not whether the parent company is headquartered in Europe. The test is whether the company’s AI touches Europe. For most major US pharma organizations – with commercial offices in Basel, Dublin, London, or Paris; manufacturing sites in Italy or Spain; clinical trial activity across EU member states; partnerships with European biotechs; AI shared with European joint venture partners; or AI-enabled medical devices marketed in the EU – the answer is almost certainly yes, and in more than one way.
The practical implication is straightforward: US pharma needs to be in this conversation alongside European companies. The extended compliance runway applies to US companies as well. The substantive obligations apply as well. The conformity assessment work, authorised representative designation, documentation requirements, and post-market monitoring obligations are not limited to EU-headquartered businesses. If your AI output is used in the EU, these issues belong on your operating agenda.
Several US pharma teams I have spoken with over the past two weeks have read the Omnibus news and concluded that it pushes their EU AI Act work to 2027. They are right about the timing. They are wrong if they think that makes this merely a European subsidiary issue.
Why I Think the Postponement Is Being Misread
In the days since the postponement, I have seen many pharma teams begin to treat AI governance as less urgent. That reaction is understandable, but it is mistaken. The delay changes the compliance timetable; it does not reduce the underlying work or the level of scrutiny companies should expect.
● First, the new dates do not relax the obligations. December 2, 2027 remains December 2, 2027. The same requirements still apply: risk management systems, data governance documentation, technical documentation, conformity assessments, post-market monitoring, and related controls. The substantive standard has not moved. Only the date by which companies must be ready has changed.
● Second, the substantive bar remains high. For each high-risk AI system, providers will still need to demonstrate documented risk management across the AI lifecycle, data governance showing the quality of training and validation data, technical documentation sufficient for third-party review, record-keeping and event logging, transparency for users, human oversight mechanisms, appropriate levels of accuracy, robustness, and cybersecurity, conformity assessment before placement on the EU market, and post-market monitoring with serious incident reporting. This is not light work, and it cannot be assembled credibly in the final weeks before the deadline.
● Third, the work exposes operational realities that many companies have not fully planned for. Once pharma organizations begin serious inventory work, most discover that their AI footprint is larger than expected. They often find vendor-embedded AI in platforms such as Veeva, Microsoft, Salesforce, and ServiceNow, including capabilities that have already entered validated or regulated environments without being formally classified. They also tend to uncover shadow AI use across functions that no central team has been tracking. These findings take time to assess, govern, and remediate. Compressing that effort into the final months before a deadline is exactly the pattern that tends to produce control failures and audit findings.
● Fourth, pharma AI is operating within a broader regulatory environment that is not driven by a single deadline. The EU AI Act sits alongside the FDA’s January 2025 draft guidance on AI to support regulatory decision-making, the EMA’s September 2024 reflection paper on AI in the medicinal product lifecycle, the joint FDA / Health Canada / MHRA Good Machine Learning Practice guiding principles for medical devices, the ISPE GAMP Guide on Artificial Intelligence published in July 2025 and building on Appendix D11 in GAMP 5 Second Edition, 21 CFR Part 11, ICH Q9(R1), ISO/IEC 42001:2023, and the NIST AI Risk Management Framework. Each of these frameworks continues to evolve on its own timetable. None of them was paused by the Omnibus.
What Companies That Started in 2025 Are Now Positioned to Do
Companies that began this work in 2025 did not waste the effort. They are now materially better positioned than they were even a few months ago, because governance capability improves with operating time, not just with documentation.
By December 2027, those companies could have governance frameworks that have been functioning for 18 to 24 months. They could have classified their AI systems with documented reasoning that stands up to regulatory review. They could have policies and SOPs that have already been tested through real intake, approval, and escalation decisions. They could have validation playbooks for GxP-relevant AI that have already been applied to live production use cases. They could also have training programs that have been rolled out across the organization and refined through practice.
By contrast, companies that delay governance work until 2027, assuming the Omnibus relief means they can wait, will be trying to build all of this under compressed timeframes. They will be working with less maturity, less internal learning, and less opportunity to correct design weaknesses. They are also likely to be doing so while the AI Office, sector-specific guidance, and harmonized technical standards are still being finalized, which means they will be chasing moving targets while trying to stand up a defensible program.
That is the pattern I expect across 2026 and 2027 – companies that started early will build operating capability that compounds; companies that defer will build deadline-driven compliance projects that do not.
What the Omnibus Genuinely Improves
The Omnibus does provide tangible benefits, but they need to be understood correctly. It improves the conditions for implementation; it does not reduce the implementation burden.
Three benefits are worth highlighting:
● It provides legal certainty. The compliance dates are now clearer, allowing companies to plan against a more stable timetable.
● It gives harmonized standards time to catch up. The CEN-CENELEC work was materially behind schedule. The additional time gives standards bodies more room to finalize technical standards and gives companies a better opportunity to align their governance models to finalized texts rather than draft expectations.
● It gives national competent authorities more time to become operational. Several member states had not designated their national competent authorities by the original timeline. The postponement creates space for that regulatory architecture to be put in place before the substantive obligations apply.
These are meaningful improvements. But they are improvements to the regulatory ecosystem, not substitutes for internal governance work. Companies still need to build compliant operating models, on a clear timeline, against a substantive bar that has not changed.
What Pharma Leadership Teams Should Do Now
For senior leaders, the right response is not abstract. Leadership teams should focus on three priorities in order.
1)Complete AI inventory and risk classification within the next 6 months
This work is foundational and should not be deferred. In most organizations, the inventory reveals more AI use cases than leadership expects, particularly once vendor-embedded capabilities and decentralized experimentation are included. Doing this work now gives the business time to absorb the findings and respond deliberately.
For US companies in particular, the inventory should explicitly identify every AI system whose output is used in the EU, including systems built and operated in the United States but supporting European functions.
2)Build the governance framework that will be needed to operate after the deadline
This should be designed as an operating model, not as a one-time compliance project. It should be resilient enough to absorb future regulatory developments, including finalization of the FDA’s January 2025 draft guidance, additional Commission guidance under the AI Act, possible MDR or IVDR developments, and broader international harmonization efforts.
A focused framework design effort undertaken in 2026 can create a structure that remains useful through 2028 and beyond.
3)Validate the GxP-relevant AI already in production
This backlog exists independently of the EU AI Act timetable. Retrospective validation is already supported by existing expectations under GAMP 5, ALCOA+, 21 CFR Part 11, and ICH Q9(R1). Many pharma companies already have AI or AI-like functionality influencing GxP-relevant work without validation that meets current expectations.
Addressing that over the next 12 – 18 months is materially easier than attempting to remediate everything at once in response to an inspection, audit, or regulatory trigger.
The Strategic Point
The Omnibus did not change what good pharma AI governance looks like. It changed when it became mandatory.
That distinction matters. When the Annex III obligations apply on December 2, 2027, and the Annex I obligations on August 2, 2028, companies that used the extra time to build governance capability will be ready. Companies that wait until the final months to assemble documentation and controls will be playing catch-up.
Eighteen months is enough time to build a strong governance model. It is also enough time to waste. The choice will reflect how a company approaches regulation more broadly – whether AI governance is treated as a long-term operating capability or simply as a deadline-driven compliance exercise.
Conclusion
The right approach is clear: treat it as an operating capability. The deadline is the forcing function, not the destination. And for US pharma in particular, the point is straightforward – if your AI output is used in Europe, this matters to you. The headquarters location is secondary; the output is what counts.
The timeline moved. Your governance exposure did not.
Found this article interesting?
If you need a clear view of which AI systems create regulatory risk, where your current governance model will fail under scrutiny, and what has to be fixed first, Eularis helps pharma and biotech leaders build AI governance that is board-defensible, operationally credible, and designed for regulated reality.
If you want a clearer view of your AI governance gaps and what needs attention first, email me at abates@eularis.com. to book a governance discussion or fill in our contact us form here https://eularis.com/contact-us/