AI Act Delay Adopted, CBAM Deadline 31 March, and CSRD Scope Officially Narrowed

ByAlessio

Parliament adopts AI Act high-risk delay mandate

The European Parliament adopted its negotiating mandate on the Digital Omnibus on AI on 26 March with 569 votes in favour. The Council had agreed its own mandate on 13 March. Both institutions want to push high-risk AI system deadlines to 2 December 2027 for standalone systems and 2 August 2028 for AI embedded in regulated products. Trilogue negotiations begin immediately. First technical meetings started the same day, with the Cypriot Presidency aiming for a deal by May. The original 2 August 2026 deadline for high-risk obligations is effectively dead. Companies should still classify their AI systems against Annex III now. That work doesn’t change regardless of which deadline survives trilogue.

CBAM authorisation deadline: 31 March 2026

If your company imports more than 50 tonnes of CBAM-covered goods (cement, iron, steel, aluminium, fertilisers, hydrogen) into the EU per year, the application for authorised CBAM declarant status must be submitted by 31 March 2026. Importers who apply before the deadline can continue importing while their application is processed. Those who miss it face import restrictions and penalties of €100 per undeclared tonne of CO2. Certificate purchases don’t start until 1 February 2027, but authorisation cannot wait. A €100-per-tonne penalty for missing a form is peak EU regulation: the paperwork deadline arrives a full year before the actual payment.

CSRD Omnibus I now in force

The Omnibus I Directive entered into force on 18 March 2026. CSRD scope is narrowed to companies with over 1,000 employees and more than €450 million in net turnover. Listed SMEs are out of mandatory scope entirely. Wave 2 companies don’t report until 2028 (covering FY2027). Member states have until 19 March 2027 to transpose. The Commission must adopt simplified ESRS within six months. Thousands of compliance teams spent 2024 and 2025 building CSRD reporting processes for requirements that no longer apply to them. Nobody is getting that budget back.

CRA guidance open for feedback until 31 March

The Commission published draft implementation guidance for the Cyber Resilience Act on 3 March 2026, with the feedback period closing 31 March. CRA vulnerability reporting obligations start on 11 September 2026. From that date, manufacturers of products with digital elements sold in the EU must report actively exploited vulnerabilities within 24 hours. If you make connected hardware or software and don’t have a vulnerability management process ready by September, you’re already late.

EUDR simplification review due by end of April

The Commission’s mandatory simplification review of the EU Deforestation Regulation is due by 30 April 2026. Commissioner Roswall has signalled no reopening of the core text. Expect revised FAQs, guidance updates, and amendments to the information system. The enforcement deadline remains 30 December 2026 for large operators. The Commission managed to delay EUDR twice and is now reviewing how to simplify the thing it delayed.

Next week: AI Act AI literacy obligations. In force since February 2025. Most companies still haven’t touched them.

Sources:

Similar Posts