The deadline moved. Use the extra time well.
On 7 May 2026, the EU Council and Parliament reached a provisional political agreement on the Digital Omnibus on AI. This pushes the application date for high-risk AI systems under Annex III - including AI used in assessment - from 2 August 2026 to 2 December 2027. High-risk AI embedded in regulated products receives a further extension, to 2 August 2028.
For European universities, that is sixteen extra months of runway on what had already been an uncomfortably tight deadline. But the key point is this: the deferral is conditional, and the underlying obligations have not changed. Only the date on which non-compliance starts to bite has moved - not the requirements themselves.
At UNIwise, we follow this legislation closely and are happy to share our perspective on what this agreement means in practice - both for institutions and for our shared work to ensure responsible use of AI in assessment.
WHAT THE DIGITAL OMNIBUS ON AI ACTUALLY CHANGED
The agreement, proposed by the Commission on 19 November 2025 and provisionally adopted on 7 May 2026, does three things that matter directly to higher education:
-
The deadline for high-risk AI under Annex III moves from 2 August 2026 to 2 December 2027. This covers AI used to evaluate learning outcomes, screen applicants, and monitor candidates during examinations.
-
High-risk AI embedded in regulated products receives a longer transition period - to 2 August 2028.
-
There is a conditional trigger that is easy to overlook: the Commission can pull the deadline forward to six months after it formally concludes that the necessary standards, common specifications, or guidance are in place. December 2027 is an outer limit - not a guarantee.
WHAT DID NOT CHANGE
The substance of the obligations is intact. Article 26 still places duties on the deployer - your institution - for human oversight, monitoring, logging, and informing affected individuals. Article 27 still requires a Fundamental Rights Impact Assessment (FRIA) before a high-risk AI system goes into use. Annex III still classifies AI used in assessment as high-risk.
The European Commission’s updated ethical AI guidelines for education from May 2026, and the EU Council’s conclusions from 11 May on a human-centred approach to AI in education, both point in the same direction: more rigour, not less.
Students, data protection authorities, auditors, and the press are not waiting for December 2027.
WHAT SIXTEEN EXTRA MONTHS ARE GOOD FOR
Used well, the extra runway gives institutions the opportunity to do three things that were simply not realistic to accomplish in ten weeks.
Build a genuine register of AI in assessment. Most institutions are guessing today - a shadow IT problem with marks attached. Use the time to inventory every tool, locally or centrally procured, that scores, screens, monitors, or generates feedback, and establish whether the institution is the deployer or merely a downstream user.
Run proper Fundamental Rights Impact Assessments. A FRIA produced under deadline pressure is a tick-box exercise. A FRIA produced with time is an actual decision-making document - one that can change which tools you renew and which you walk away from.
Build the governance structure that survives staff turnover. The institutions making real progress have a single accountable owner for AI in assessment (typically a Pro-Vice-Chancellor for Education), a standing group including the DPO, the head of assessment, and a senior academic, and a recorded meeting cadence with written minutes.
HOW UNIwise THINKS ABOUT THIS - AND WHAT WE DO
WISEflow is built around the assumption that assessment needs a defensible audit trail - every action by a candidate, marker, moderator, or AI-assisted function captured, time-stamped, and exportable. That brief does not change regardless of when the legislation comes into force.
At UNIwise, we have made a number of concrete choices in our platform and in how we work with institutions:
that comply with GDPR, with clear allocation of responsibilities and transparency about what happens to data.
documented in the UNIwise Trust Centre including ISO 27001 certification, penetration testing, and access management.
as an architectural principle - not a retrospective checklist. This includes data minimisation, geographic data centre placement, and clear retention policies.
The deferral does not change that brief. If anything, it gives everyone a little more room to do it properly.
WORKING TOGETHER - BECAUSE SILOS DON'T WORK
One of the things we have learned through dialogue with our institutions across Europe is that compliance challenges cannot be solved one-to-one between a vendor and a university. It requires something broader.
At UNIwise, we actively work to create spaces for dialogue that span institutions and markets - not just in formal vendor relationships, but in genuine partnerships. That means institutions can learn from one another: which FRIA templates actually work? Which governance models hold up over time? Which AI features are acceptable in one country but problematic in another?
We see ourselves as a facilitator of that conversation - not merely as a technology provider. Our network of universities across the Nordic countries, UK, EU and other markets gives us a unique view of what works in practice across different legislative and cultural contexts.
That is a resource we share openly - through joint user group, cross-institutional knowledge sharing via our partner programme, or simply by making our own impact assessments available.
“WAIT AND SEE” IS THE WRONG INSTINCT
Two reasons:
First, the deadline can move forward. The conditional trigger in the Omnibus means a Commission decision on standards readiness can compress the transition to six months. If standards land in mid-2027, the effective deadline is late 2027 . but the work has to be done already.
Recent Times Higher Education reporting on AI-related academic misconduct cases in the UK - thousands recorded in the 2023–24 academic year - is a reminder that the conversation does not pause because Brussels does.
NEXT STEPS
If your institution is using the next sixteen months to map and govern its assessment AI, we are ready to assist you as your supplier. And if you would like to join a broader conversation with other institutions about navigating these challenges together - get in touch. That is exactly the kind of dialogue we are here to facilitate. You can also review our security and data protection posture in the UNIwise Trust Centre.
STAY UPDATED ON THE LATEST DEVELOPMENTS
FREQUENTLY ASKED QUESTIONS
The deadline for high‑risk AI systems in assessment has been postponed from August 2026 to December 2027, giving institutions more time to prepare while keeping all compliance obligations unchanged.
No. The postponement only delays enforcement, not the requirements. Institutions are still expected to ensure transparency, oversight, and responsible use of AI in assessment well before the deadline.
AI used to evaluate learning outcomes, screen applicants, or monitor students during exams is classified as high risk and must meet strict regulatory and ethical standards.
Institutions should map their use of AI, conduct Fundamental Rights Impact Assessments (FRIA), and establish governance structures that ensure long‑term compliance and accountability.
To scale oral exams, institutions need dedicated tools and workflows that manage the full assessment process—from planning and scheduling to execution and review—reducing administrative burden and ensuring consistency.
By building clear governance, maintaining audit trails, ensuring transparency in AI‑assisted processes, and aligning with GDPR and security standards, institutions can create trustworthy and future‑ready assessment practices.