EU AI Act high-risk obligationsapply 2 Dec 2027/Are you using the time?Check readiness →
← Back to blog
EU AI Act·7 May 2026·11 min

Why the Digital Omnibus Trilogue Collapsed — and What It Actually Changes for Nordic Financial Deployers

The 28 April collapse wasn't about postponement — it was about Annex I sectoral overlap. For Nordic banks, lenders, and insurers, the practical answer is simpler than the headlines suggest.

By Thomas Eriksen

Why the Digital Omnibus Trilogue Collapsed — and What It Actually Changes for Nordic Financial Deployers

A short, practical read for Nordic compliance, risk, and finance leaders trying to separate the signal from the LinkedIn noise.

The negotiations broke down on 28 April. Most of the headlines say the same thing: "deadline holds". The truth is more nuanced — and for a Nordic financial deployer, more concrete than the LinkedIn takes let on.

The short version: the trilogue did not collapse over the postponement. The three institutions had already agreed on that. It collapsed over how AI rules interlock with EU sectoral safety law — medical devices, machinery, toys, vehicles, pressure equipment, PPE. None of which is your problem if you're a bank, a lender, or an insurer.

This post walks through what actually happened, what it means for Annex III financial deployers, and what we recommend you do about it.

What happened on 28 April

On 28 April 2026 the second political trilogue on the Digital Omnibus on AI ended without agreement after roughly twelve hours of negotiation. A further trilogue is anticipated in early to mid-May, but at the time of writing the date has not been formally confirmed.

The Cypriot Council Presidency wants to close the file before its term ends on 30 June 2026. If it does not, the Irish Presidency takes over from 1 July 2026 and inherits the negotiation.

That is the procedural picture. The substantive picture is more interesting.

The collapse was not about postponement

Going into the trilogue, the three institutions had already converged on the centrepiece of the file. The Council adopted its general approach on 13 March 2026, broadly aligning with the Commission's proposal. The European Parliament followed on 26 March 2026, adopting its negotiating mandate by a 569-to-45 vote. Both institutions had moved away from the Commission's original conditional mechanism (which would have tied application to the availability of harmonised standards) toward fixed dates:

  • 2 December 2027 for stand-alone Annex III high-risk systems
  • 2 August 2028 for AI embedded in Annex I regulated products

That convergence is what makes the collapse striking. The dispute was not about whether to delay. It was about how the AI Act interlocks with existing EU sectoral safety law.

The unresolved file at the close of the 28 April session was the conformity assessment architecture for AI systems embedded in Annex I products — Section A products such as machinery, medical devices, in-vitro diagnostics, and similar regulated categories. The Parliament position would move those products toward primarily sectoral handling. The Council position keeps them on the combined regime, where the sectoral conformity assessment applies and the AI Act layers on top. Under trilogue logic — "nothing is agreed until everything is agreed" — that single open file blocked the entire package, including the postponement that everyone agrees on.

Why this is not your fight (if you are a Nordic financial deployer)

Nordic financial deployers are not in Annex I.

If you are a bank using AI in a creditworthiness workflow, an insurer pricing life or health products with AI, or a fintech making decisions that affect natural persons — you are in Annex III, point 5. Specifically point 5(b) for creditworthiness and credit scoring (with the explicit exception of fraud detection), or point 5(c) for risk assessment and pricing in life and health insurance. (If the provider/deployer distinction is the layer beneath this you want to understand first, that's the previous post.)

The conflict that blocked the trilogue is about products under sectoral safety law. Your AI use case is not a regulated product. The Section A discussion does not apply to you.

What that means in practice: if the Omnibus eventually passes, your applicability date moves to 2 December 2027. If it does not, the original 2 August 2026 date stands. The substantive dispute that broke the trilogue is irrelevant to your situation. Either way, the obligations themselves do not change.

Three realistic scenarios

It's worth setting expectations across three scenarios. None of these is a precise probability estimate — anyone who tells you they have one is overselling certainty in a moving political file. They are useful as a planning frame.

The most likely outcome: a deal before 2 August 2026. The next trilogue lands an agreement, Parliament endorses, Council formally adopts, the text is published in the Official Journal before the original deadline. Annex III high-risk obligations apply from 2 December 2027. You have an extra sixteen months to mature your compliance posture.

Plausible: a split deal. Negotiators carve the Annex I conformity question out of the Omnibus and leave it to a separate instrument (a Commission delegated act, a sectoral amendment, a future Omnibus iteration). The rest of the package — including the Annex III postponement — is adopted on the converged terms. Same outcome for financial deployers: 2 December 2027.

A real risk that should not be discounted: no deal before 2 August 2026. Trilogue logic, the political fracture visible after the cancelled 28 April press conference, and the calendar wall (Cypriot Presidency ends 30 June; Irish Presidency inherits a difficult file in the middle of summer recess) all increase this scenario's weight relative to where it stood three months ago. If this happens, the AI Act applies from 2 August 2026 as written. There is no transitional grace built into the Regulation. You would be operating against the original deadline with no harmonised standards in place — but operating against it nonetheless.

The asymmetry is what matters. If you plan against 2 August 2026 and the delay lands, you have time to spare. If you plan against 2 December 2027 and the deal does not land, you are non-compliant from day one.

The same logic, as a timeline:

Digital Omnibus timeline — two scenarios for Nordic financial deployersHorizontal timeline showing the 28 April 2026 trilogue collapse, anticipated mid-May trilogue, 1 July Irish presidency handover, and the 2 August 2026 original deadline as a branch point. Two scenarios fan out: Scenario A if the Omnibus is adopted (Annex III applies 2 December 2027) and Scenario B if no deal is reached (Annex III applies 2 August 2026 with no grace period).Scenario A — Omnibus adopted before 2 Aug2 Dec 2027Annex III applies16 extra months28 AprCollapseMid-MayNext trilogue1 JulIrish presidency2 AugOriginal deadline2 Aug 2026Annex III appliesNo grace periodScenario B — No deal before 2 AugConfirmedAnticipated

What enters force on 2 August 2026 if the Omnibus does not pass

It is worth being concrete about what the original deadline actually triggers, because the conversation usually flattens this into "high-risk obligations" and skips the breadth.

If 2 August 2026 stands as written:

  • Article 26 deployer obligations for Annex III high-risk systems — instructions for use, human oversight assignment, input data quality where the deployer controls it, monitoring, log retention for at least six months, worker notice, individual notice, cooperation with authorities
  • Article 27 Fundamental Rights Impact Assessment — for every deployer using AI for creditworthiness/credit scoring (Annex III 5(b)) or for risk assessment and pricing in life and health insurance (Annex III 5(c)), regardless of whether the deployer is public or private
  • Article 49 EU database registration — Annex III systems must be registered before being put into service
  • Article 50 transparency obligations — including AI-system disclosure to natural persons interacting with AI and the marking of AI-generated content (in the form ultimately adopted)
  • Article 99 penalty regime — the framework that backs all of the above with administrative fines

This is broader than many teams have planned for. "High-risk obligations" gets the headline, but Article 50 transparency and Article 49 registration apply on the same date and catch a wider universe of systems.

What we recommend

Build compliance as if 2 August 2026 holds.

If the delay lands, you have time to spare — that is the gift, not the plan. If it does not, you are ready. The asymmetry of the two outcomes points clearly to one strategy: plan against the deadline that is in the law, not the deadline you hope is coming.

Concretely, in the next four to eight weeks:

  1. Confirm your role. Are you a deployer of an Annex III high-risk system? For most Nordic financial deployers using third-party LLMs in credit or insurance workflows, the answer is yes. Document the rationale.
  2. Inventory your high-risk AI systems. One register, owner per system, intended purpose, Annex III classification, FRIA status. Without this, none of the downstream obligations have a defensible artefact.
  3. Stand up an evidence layer. Article 26(6) requires automatically generated logs retained for at least six months under the deployer's control. Vendor logs that you cannot independently access, query, or export do not satisfy this.
  4. Schedule the FRIA. Article 27 catches every credit and insurance deployer. The AI Office has not yet published its template — but the substantive elements (processes, affected persons, specific risks, oversight measures, complaint mechanisms) are already in the text and can be built today.

These four are the same workstreams under either deadline. Eight months earlier or sixteen months later, the artefacts are the same.

The deeper point

Regulatory uncertainty is compliance risk. The trilogue may land in May. It may land under the Irish Presidency in October. It may land split. It may not land at all before the original deadline.

The audit and evidence work needed for Article 26 and Article 27 is the same in every one of those scenarios. So is the evidence work needed for Article 50 transparency, which is on a fixed milestone independent of the Omnibus negotiation. The only strategy that does not need to be rewritten when the next trilogue concludes — whenever and however it does — is the one that builds the artefacts the law actually requires, on the timeline the law actually states.

That is the boring answer. It is also the one that ages best.

If you would like to talk through how to build compliance that holds up regardless of how the Omnibus negotiation lands, we offer a 30-minute walkthrough that maps your situation against the EU AI Act's evidence obligations. Book a time →

The full text of the AI Act (Regulation (EU) 2024/1689) is on EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj. The Commission's Digital Omnibus on AI proposal (COM(2025) 836) is also available there.

This article is informational and is not legal advice. Application of the EU AI Act and the proposed Digital Omnibus to a specific organisation depends on facts that should be reviewed with qualified counsel.