TL;DR: The EU AI Act Omnibus was formally adopted by the European Parliament on June 16, 2026 (423-57) and by the Council on June 29, 2026. Standalone high-risk AI (Annex III): December 2, 2027. High-risk AI embedded in regulated products (Annex I): August 2, 2028. These dates are now law, not provisional. Three obligation sets are unchanged: the prohibited-practices ban (since February 2, 2025), GPAI provider obligations (since August 2, 2025), and Article 50 transparency rules for chatbots, deepfakes, and AI-generated content (August 2, 2026, now 19 days away).
EU AI Act August 2026: What's delayed and what still applies
On May 7, 2026, EU institutions reached a provisional political agreement to delay high-risk AI system compliance requirements. Many compliance teams drew the wrong conclusion: that nothing under the AI Act applies until 2027 or 2028. That reading is wrong. Three significant sets of obligations still apply from August 2, 2026, unchanged by the Omnibus. This article separates what changed from what did not.
Update (July 14, 2026): The EU AI Act Digital Omnibus is now formally adopted law. The European Parliament voted 423-57 on June 16, 2026. The Council of the EU gave final approval on June 29, 2026. The delay is no longer provisional. Standalone high-risk AI systems (Annex III) have a confirmed deadline of December 2, 2027. High-risk AI embedded in regulated products subject to EU harmonization legislation (Annex I) has until August 2, 2028. The Omnibus also introduced a watermarking grace period: until December 2, 2026, content creators using generative AI for artistic or news-satire purposes may not need to apply machine-readable content attribution in all contexts. Article 50 chatbot disclosure and deepfake labeling still apply from August 2, 2026.
What the May 7 agreement actually changed
The May 7 political agreement extended compliance deadlines specifically for "Annex III" high-risk AI system deployer obligations. Under the original AI Act text, deployers of systems classified as high-risk under Annex III had to meet a series of requirements by August 2, 2026: conformity assessments, technical documentation, post-market monitoring, human oversight measures, and logging. The provisional agreement pushes all of those obligations to approximately December 2, 2027, a 16-month extension.
What the Omnibus did not touch: Article 50 transparency requirements (applying August 2, 2026), GPAI model provider obligations (already in force since August 2, 2025), and the prohibited AI practices ban (in force since February 2, 2025). These were always on separate tracks and were not part of the Omnibus negotiation.
The confusion is understandable. Media coverage used headlines like "EU delays AI Act" without specifying that the delay applies to one category of obligations. The Omnibus (the Digital Omnibus on AI, formally adopted June 29, 2026) is the instrument that confirms the delay. It amended the EU AI Act directly. The final text introduced two distinct new deadlines: December 2, 2027 for standalone Annex III systems, and August 2, 2028 for high-risk AI embedded in products covered by existing EU harmonization law.
For practical compliance planning: ignore the headlines and read the specific provisions. The August 2, 2026 date still matters for most businesses that deploy AI.
What still applies on August 2, 2026
Article 50: Transparency obligations (not delayed)
Article 50 is the provision most businesses need to act on before August 2. It applies to any company deploying an AI system that directly interacts with people, and it covers four specific situations.
First, chatbots and conversational AI must inform users they are interacting with an AI system. The requirement applies unless it is obvious from the context. "Obvious from context" is not a broad exception; a customer service chat interface that looks like a human agent does not qualify. A system clearly labeled "AI Assistant" in the interface likely does. The disclosure must happen at the beginning of the interaction, not buried in a terms of service.
Second, AI systems that generate deepfakes (synthetic video, audio, or images of real people) must label the output as AI-generated. The labeling must be machine-readable. There is no exception for satire or artistic use under Article 50, though other EU rules (including copyright law) address those contexts separately.
Third, AI emotion recognition and biometric categorization systems must inform the persons being analyzed. If your HR platform uses behavioral analysis or emotion inference, your employees must be told the system is running and what it assesses.
Fourth, AI-generated video, audio, images, and text intended for public dissemination must carry machine-readable attribution. This goes beyond deepfakes. Marketing content, PR materials, and public-facing media that were generated by AI fall within scope if they are meant for broad distribution. The C2PA (Coalition for Content Provenance and Authenticity) standard is the leading technical implementation for machine-readable content provenance.
Who this affects in practice: any business with an AI customer service chatbot, any tool generating marketing video or audio, any HR system using emotion or behavioral analysis, and any publisher distributing AI-generated images or video at scale.
GPAI model providers (already in force)
The General Purpose AI Model (GPAI) provider requirements technically applied from August 2, 2025 and are already in effect. These apply to companies that develop and make available general-purpose AI models to downstream users, not to companies that simply deploy an API.
GPAI providers must have three things in place. First, technical documentation and transparency information that gives downstream deployers what they need to understand the model's capabilities and limitations. Second, a copyright compliance policy summarizing how training data was handled and what opt-out mechanisms are in place for rights holders. Third, a systemic risk assessment for GPAI models trained with more than 10^25 FLOPs, the threshold that identifies frontier-class models.
If your company uses a third-party AI API (OpenAI, Anthropic, Google, Mistral, and so on), your vendor bears the GPAI provider obligations, not you. What you should do is ask your vendor to confirm they are meeting GPAI requirements and keep that confirmation on file. Your vendor's GPAI compliance is part of your supply chain risk posture.
Prohibited practices (mostly already in effect)
Several prohibited AI practices have been in force since February 2, 2025. The remaining prohibitions take effect August 2, 2026. Combined, the full prohibited practices list covers:
Social scoring systems operated by public or private entities are prohibited. AI systems that manipulate people through subliminal or deceptive techniques, or that exploit vulnerabilities related to age, disability, or economic situation, are prohibited. Real-time remote biometric identification in publicly accessible spaces is prohibited, with narrow exceptions for law enforcement under judicial authorization. Emotion inference in workplaces and educational institutions is prohibited. Predictive policing based solely on profiling individuals without objective and verifiable facts linked to a specific crime is prohibited.
These prohibitions apply regardless of the May 7 provisional agreement and apply to any organization whose AI systems affect EU residents, including non-EU companies.
What is delayed: confirmed deadlines
The table below covers major obligations from the original AI Act text now governed by the Omnibus confirmed deadlines (as of June 29, 2026).
| Obligation | Original deadline | New confirmed deadline | Applies to |
|---|---|---|---|
| High-risk AI system conformity assessment (Annex III) | August 2, 2026 | December 2, 2027 | Standalone high-risk systems |
| High-risk AI embedded in products (Annex I) | August 2, 2026 | August 2, 2028 | AI in medical devices, machinery, vehicles, etc. |
| Technical documentation for high-risk systems | August 2, 2026 | December 2, 2027 | Standalone systems |
| Post-market monitoring for high-risk deployers | August 2, 2026 | December 2, 2027 | Standalone systems |
| Human oversight requirements (Article 26) | August 2, 2026 | December 2, 2027 | Standalone systems |
| Deployer logging requirements (Article 26) | August 2, 2026 | December 2, 2027 | Standalone systems |
| Fundamental rights impact assessments (Article 27) | August 2, 2026 | December 2, 2027 | Standalone systems |
These dates are confirmed law. The EU Parliament voted June 16, 2026. The Council adopted June 29, 2026. No further votes are required. Teams managing high-risk AI compliance should plan against December 2, 2027 (standalone) or August 2, 2028 (embedded in regulated products) as fixed deadlines.
Who needs to act before August 2, 2026
If you run AI chatbots, virtual assistants, or any AI that talks to users:
Add a disclosure at the start of interactions. "This response is generated by an AI assistant" meets the requirement. Review any chatbot marketing copy that implies human interaction. Update your privacy notices if they do not already describe the AI systems you deploy. This is not a high-cost change; most chat platforms support custom system prompts or disclosure banners that can be deployed in days.
If you generate AI content for public distribution:
Implement C2PA or equivalent machine-readable marking on AI-generated images and video before they go out. Add visible labels on deepfakes and synthetic media. The content pipeline review matters here. If your marketing team is using AI image tools and publishing to social media or press materials, you need a process that captures those outputs and ensures they carry attribution before publication.
If you are a GPAI model provider:
Finalize technical documentation, publish your copyright compliance summary, and complete your systemic risk assessment if your model's training compute exceeds the 10^25 FLOP threshold. These are not small tasks for frontier model providers, but most smaller organizations fall below the frontier model threshold and only need the documentation and copyright policy.
If you are a US or UK company with EU customers:
The same requirements apply to you. The AI Act has explicit extraterritorial reach: if your AI system affects EU users or EU employees, you are in scope. The prohibition on real-time biometric identification, the Article 50 transparency rules, and the GPAI provider obligations do not have a geographic carve-out for non-EU companies.
If you were preparing for high-risk compliance and now it's delayed, should you stop?
No, and there are three concrete reasons.
The first is legal certainty. The delay is confirmed law since June 29, 2026, so December 2, 2027 is a fixed target. Building compliance documentation now, while the pressure is lower, is cheaper than rebuilding it under time pressure in Q3 2027.
The second is overlap with other laws. UK AI regulation, Texas TRAIGA (effective January 1, 2026), and Colorado SB 24-205 as amended by SB 26-189 (signed May 14, 2026, with the effective date moved to January 1, 2027) all have overlapping requirements around AI risk assessment, human oversight, and documentation. The compliance work is not wasted; it maps to multiple frameworks simultaneously.
The third is institutional readiness. Companies that have never documented their AI systems, mapped their risk levels, or implemented human review processes cannot do so quickly when a deadline arrives. The organizations that use the delay productively are the ones that will be able to demonstrate a compliance posture when the December 2027 date becomes enforceable.
What to do in the next 30 days
Start with an inventory. List every AI system your company uses or deploys that touches EU users, EU employees, or processes EU personal data. For each one, answer two questions: does it interact with people directly, and does it generate content for public distribution? Those two questions determine your August 2 exposure.
For any chatbot or conversational AI you operate, write and deploy a disclosure. This should be done in the next two weeks, not the next thirty days. The lead time is minimal and the risk of not having it in place is real.
For AI-generated content pipelines, audit what is going out and whether it carries machine-readable attribution. If not, implement a labeling step before August 2.
For your vendor relationships, send a short questionnaire to your AI API providers asking for their Article 50 and GPAI compliance confirmation. File the responses. If a vendor cannot confirm compliance, that is a supply chain risk you need to document.
For high-risk AI compliance work that was already underway, do not dismantle it. Adjust your internal deadline to Q4 2027, but keep the documentation current and the process running. A team that already has logging and human oversight in place faces minimal incremental work when December 2027 arrives.
Related reading: EU AI Act GPAI compliance checklist, August 2 deadline | EU AI Act Article 50 watermarking and deepfake disclosure | AI regulation deadline calendar 2026
Related Reading
- EU AI Act GPAI compliance checklist, August 2 deadline
- EU AI Act Article 50 watermarking and deepfake disclosure
- EU AI Act compliance guide for small teams
- Board AI governance reporting template 2026
- AI regulation deadline calendar 2026
- Colorado AI Act SB 189 employer guide 2027
- EU AI Act GPAI Code of Practice final June 2026
- EU AI Act SME sandbox support measures 2026
- EU AI Act conformity assessment process 2026
- One Big Beautiful Bill AI preemption 2026
- EU AI Act GPAI codes of conduct 2026
- EU AI Act August 2026 Compliance Checklist: 72 Days Left (Updated May 20
- EU AI Act August 2026 Deadline Extended to December 2027: What It Means
- EU AI Act enforcement starts August 2, 2026: what it means and what to d
- EU AI Act Deadline Extended to December 2027: What the Digital Omnibus Agre
