For the past two years, the EU AI Act's August 2026 deadline has functioned as a fixed point around which many UK software agencies and their clients quietly oriented their compliance planning. Risk classifications were mapped, documentation frameworks drafted, and internal governance reviews scheduled. Then, in early 2025, Brussels introduced the Digital Omnibus package — a broad legislative proposal that, among other things, would delay or water down several of the Act's core obligations. Suddenly, a deadline that felt immovable is looking considerably more negotiable.
For UK organisations, the timing is particularly awkward. Post-Brexit Britain is still deciding whether to mirror the EU's approach, carve out its own path, or quietly wait and see. That ambiguity, layered on top of a potentially shifting EU timeline, leaves technical leads and senior decision-makers in an uncomfortable position: do you press ahead with compliance work based on a deadline that may slip, pause and risk being caught flat-footed, or step back and reconsider the whole strategic framing?
What the Digital Omnibus Package Actually Proposes
The Digital Omnibus is not a wholesale repeal of the AI Act — it is better understood as a recalibration driven by competitiveness concerns. European businesses, particularly SMEs, raised sustained objections that the Act's compliance burden was disproportionate and would disadvantage EU-based developers relative to their US and Chinese counterparts. The package responds to that pressure by proposing extended transition periods, simplified conformity assessment routes for certain risk categories, and potential adjustments to which systems fall under the high-risk classification in the first place.
The practical effect, if the package passes in something close to its proposed form, would be to push meaningful enforcement of high-risk AI obligations beyond the August 2026 window. Prohibited practices provisions came into force in February 2025 and are unlikely to be touched, but the obligations that most UK product teams were actively building towards — transparency requirements, technical documentation, human oversight mechanisms for high-risk systems — may land on a different, later timeline. That is not a reprieve; it is a moving target.
The UK's Deliberately Ambiguous Position
The UK government has consistently declined to introduce AI-specific primary legislation, favouring instead a principles-based, sector-led approach coordinated through existing regulators. The AI Safety Institute, now rebranded as the AI Security Institute, has focused its energy on frontier model evaluation rather than the broader compliance architecture the EU Act establishes. For organisations operating across both jurisdictions, this creates a genuine governance gap: EU-facing products or services may fall under the AI Act regardless of where the developer is based, while domestically-focused UK systems operate in a lighter-touch environment with little binding enforcement.
The temptation for UK-only operators is to treat the EU Act as someone else's problem. That temptation is understandable but short-sighted. The history of GDPR offers an instructive precedent: many UK organisations initially assumed that post-Brexit divergence would reduce their compliance obligations, only to discover that serving EU customers, using EU-based data infrastructure, or employing staff in EU member states kept them firmly within scope. The same jurisdictional logic applies to AI systems. If your product touches EU users, EU data, or EU-regulated sectors, the Act is relevant — regardless of where your development team sits.
Why Pausing Your Compliance Roadmap Is the Wrong Response
The instinctive reaction to regulatory uncertainty is often to pause and wait for clarity. In this case, that instinct is likely to prove costly. The compliance work that the August 2026 deadline was driving — risk classification, documentation of training data and model behaviour, human oversight protocols, incident logging — is not wasted effort if the deadline shifts. It is foundational governance work that responsible AI deployment requires irrespective of any particular regulatory timetable. Organisations that have done this work will be better positioned to respond quickly when final obligations are confirmed, while those who paused will face a compressed implementation window.
There is also a commercial dimension worth considering. Enterprise procurement teams, particularly in regulated sectors such as financial services, healthcare, and the public sector, are increasingly asking AI vendors and software partners to demonstrate governance maturity as a condition of engagement. That expectation is not going away because Brussels is debating transition timelines. If anything, the uncertainty reinforces the value of being able to show that your compliance posture is robust and proactive rather than deadline-driven.
Recalibrating Without Starting Over
For teams who built their roadmaps around the August 2026 date, the Digital Omnibus development does warrant a recalibration — but not a restart. The priority should be identifying which elements of your existing compliance work are structurally durable regardless of timeline changes, and which were specifically timed to hit a regulatory gate that may now move. Documentation, risk tiering, and human oversight mechanisms fall in the first category. Certain external audit and conformity assessment steps, which are more resource-intensive and time-specific, may warrant reprioritisation.
UK organisations should also be monitoring the Digital Omnibus legislative process closely. The European Parliament and Council negotiations will likely extend into late 2025, and the final shape of any delay or modification will not be known quickly. Establishing a watching brief — ideally with input from EU regulatory counsel if you have EU-facing products — is prudent. In parallel, engaging with the UK government's ongoing AI governance consultations ensures that when domestic obligations do crystallise, your organisation is not starting that conversation from scratch.
Regulatory uncertainty is uncomfortable, but it is not a reason to disengage. The organisations that will navigate the coming period most effectively are those that treat AI governance as an ongoing capability rather than a compliance sprint. The specific deadlines will shift; the underlying need to demonstrate trustworthy, well-governed AI will not.
If your team is currently reviewing its AI compliance roadmap in light of the Digital Omnibus developments, or wrestling with how the UK's divergent approach affects your obligations, iCentric's technical and governance advisory work is designed precisely for this kind of strategic uncertainty. The right move is not to wait for Brussels to make up its mind — it is to build the internal clarity that lets you respond decisively when it does.
Does the EU AI Act apply to UK companies that don't have an EU office?
Yes, in many cases. The AI Act applies on the basis of where AI systems are deployed or where their outputs are used, not solely where the developer is incorporated. If your system is made available to users in EU member states or used within EU-regulated contexts, the Act's obligations are likely to apply regardless of your company's location.
What is the Digital Omnibus package and when will it be finalised?
The Digital Omnibus is a European Commission legislative proposal that would amend several digital regulations, including elements of the EU AI Act, primarily to reduce the compliance burden on businesses and SMEs. As of mid-2025, it is subject to negotiation between the European Parliament and Council, with a final outcome not expected until late 2025 at the earliest.
Which EU AI Act obligations are most likely to be delayed by the Digital Omnibus?
The obligations most likely to be affected are those applying to high-risk AI systems, including technical documentation requirements, conformity assessments, and human oversight mandates. The prohibited practices provisions, which came into force in February 2025, are generally considered off the table for delay.
If the UK isn't introducing its own AI Act equivalent, do UK companies face any binding AI obligations domestically?
Currently, there is no single binding AI law in the UK. However, sector-specific regulators — including the FCA, ICO, and CQC — are developing AI-related guidance and expectations within their existing remits. UK organisations in regulated sectors may therefore face meaningful AI governance obligations through their sectoral regulator even without primary AI legislation.
How does the UK's AI governance approach compare practically to the EU's risk-based model?
The EU AI Act uses a prescriptive, risk-tiered classification system with defined obligations for each category. The UK's approach is principles-based and sector-led, meaning obligations are interpreted and enforced through existing regulators rather than a single unified framework. The UK approach offers more flexibility but also less certainty about what 'compliance' looks like in practice.
What is the minimum viable compliance posture for a UK software agency building AI-enabled products?
At a minimum, agencies should maintain clear documentation of how their AI systems work, what data they were trained on, and where human oversight is exercised. Risk classification against the EU Act's categories is advisable even for UK-based teams, as is a record of testing and validation procedures. This baseline supports both regulatory readiness and client due diligence requirements.
Will the Digital Omnibus affect the AI Act's rules on general-purpose AI models?
The general-purpose AI model provisions, which apply to foundation model providers, are a separate chapter of the AI Act and are not widely expected to be significantly altered by the Digital Omnibus. The package's focus has primarily been on relieving the compliance burden on downstream deployers and SMEs rather than on large model developers.
How should procurement teams assess AI vendors' compliance readiness given the current uncertainty?
Rather than asking whether a vendor is 'AI Act compliant' — a binary framing that the current uncertainty makes unhelpful — procurement teams should ask vendors to demonstrate their governance processes: how risks are classified, how models are documented, and how human oversight is maintained. Process maturity is a more reliable signal than a compliance certificate in a shifting regulatory landscape.
Is there a risk that the UK ends up with stricter AI rules than the EU if Brussels delays its own deadlines?
It is possible, though currently unlikely. The UK government has signalled a preference for a lighter regulatory touch to encourage AI investment and innovation. However, if sector-specific regulators move ahead with binding AI expectations in high-stakes sectors before EU obligations are clarified, UK organisations in those sectors could face tighter practical constraints than their EU counterparts in the near term.
What should a senior technology leader do in the next 90 days given this regulatory uncertainty?
Three concrete steps are advisable: first, audit which AI systems in your portfolio would fall into high-risk categories under the current EU Act text; second, identify which compliance workstreams are durable regardless of deadline changes and continue those; third, establish a watching brief on the Digital Omnibus negotiations and engage with any relevant UK government consultations so that your organisation can respond quickly when clarity arrives.