Most boards are quietly debating whether to slow EU AI Act readiness. The deferral debate in Brussels has given them an easy reason. The problem is that pause is a bet, and it is the wrong one.

The deferral debate, in plain English

On November 19, 2025, the European Commission published the Digital Omnibus on AI. The Omnibus would push the high-risk obligations of the EU AI Act from their current effective date of August 2, 2026 to December 2, 2027 for standalone systems, and to August 2, 2028 for systems embedded in products governed by existing sectoral safety regimes.

The trilogue negotiations between the Commission, the European Parliament, and the Council have been difficult. The April 28 trilogue ended without agreement, primarily over how to treat AI systems already covered by sectoral rules in industries like medical devices, industrial machinery, toys, and connected cars. The next trilogue is scheduled for May 13. The Cypriot Council Presidency has stated its intent to close the file before its term ends on June 30, 2026.

Two things are now widely understood. First, the Parliament and the Council appear aligned on December 2, 2027 as the new deadline for standalone high-risk systems if the Omnibus passes. Second, if the Omnibus does not pass before August 2, 2026, the original timeline applies. The high-risk obligations enter enforcement on the original date, with penalties up to €15 million or 3 percent of global turnover.

Companies looking at this from the outside see a regulatory deadline that may slip 16 months. Their natural conclusion is that the urgency has come off. They are wrong, and the next 12 months are when that becomes painfully apparent.

Why companies are quietly slowing

The case for slowing is not unsophisticated.

The first reason is opportunity cost. AI governance work competes for the same internal resources as AI deployment work. If the deadline slips, leaders can shift those resources to growth-side initiatives without sacrificing legal posture.

The second is program fatigue. Many enterprises spent the second half of 2025 standing up the first version of an AI governance program. The teams running that work are tired. A reprieve is welcome.

The third is the read on Brussels. The political will for August 2 enforcement looks weak. National competent authorities are not yet designated in many member states. Harmonised standards remain incomplete. Compliance tools are immature. If the regulators are not ready, the argument goes, why should we be?

Each of these arguments has texture. Each is also, on inspection, a reason to slow tactically rather than abandon the program.

Why pause is the wrong call

The deferral is not certain. The April 28 trilogue failed. The May 13 trilogue could fail too. The Cypriot Presidency runs out on June 30. If no Omnibus is adopted by August 2, the original timeline applies, and the original penalty regime applies. The companies that spent the spring slowing readiness will spend the summer in crisis mode. Pause is a bet. Many leaders have not been told that.

The deferral does not eliminate the work, it sequences it. The high-risk obligations under the AI Act are not going away. They are being negotiated for a later trigger date. Every hour of risk taxonomy work, control library work, assurance work, and inventory work that you do today still matters in December 2027. The only thing the deferral changes is how much rework you pay if you stop and restart. Rework on governance work is expensive in budget. It is more expensive in credibility, because every restart resets the trust the function has built with the business.

Other regulators are not waiting. The Commission, the AI Office, sectoral regulators in finance and health, and member state competent authorities have been actively preparing all year. The next 96 days are when their teams begin scoping which deployers they want to ask questions of. The questions they will ask, the documentation they will request, the system specifications they will expect, all of this is being designed now. The Omnibus debate is happening at the legislative level. The supervisory machinery is moving on the original schedule.

The work that matters most is not deadline-specific. It includes risk taxonomy, use case classification, control inventory, model and system documentation, vendor governance, incident response, and board reporting. None of this is unique to August 2, 2026. All of it is mandatory in any future regime, regardless of when the AI Act high-risk obligations technically apply. Companies that confuse the deadline with the work end up doing neither.

What stays true regardless

Step back from the deadline question. The companies that will be in defensible posture in any future regime, including the original AI Act timeline, the deferred timeline, and any of the state-level frameworks taking effect this year, share four traits.

  • A complete inventory of AI systems in use, with each system classified by risk tier and intended use. They have not been surprised by an AI use case in months.
  • A control library mapped to multiple regulatory regimes, not just one. The same control set satisfies the EU AI Act, NIST AI RMF, ISO 42001, GDPR Article 22, and the relevant sectoral rules. Build once, satisfy many.
  • A risk-tiering protocol that determines, for any given AI use case, what level of rigor is required. Not every chatbot needs board-level oversight. Not every credit decisioning model can be approved by a single product owner. Rigor must be proportionate to risk.
  • A working monitoring and assurance posture that produces evidence on a continuous basis, not in a sprint before an audit. Audit readiness is a property of how you operate, not a project you run.

None of this depends on August 2. None of it gets easier in December 2027. All of it compounds.

The tactical debate is about timing. The strategic one is about whether your governance holds in any future regime. Boards that argue the first give up the second.

The board frame

The right question for the board this month is not "should we slow our EU AI Act readiness?" That framing makes the deadline the strategic variable. It is not.

The right question is "are we building governance infrastructure that works in any plausible regulatory scenario?"

If the answer is yes, the deferral debate is interesting but irrelevant. The work continues as planned. If the answer is no, the deferral debate is a temporary reprieve from a problem that returns with interest.

The companies that emerge from this period in the strongest competitive position will be the ones whose leaders refused to let the deadline question hijack the strategic question. They will not have been the fastest. They will have been the most deliberate. That distinction will define the next ten years of this market.

This is the layer EMG Advisory was built to deliver, regardless of how the regulatory clock runs.

Andrea Elliott is the Founder & Managing Partner of EMG Advisory.
To explore how this applies to your organization, request a meeting.