EU AI Act Deadlines: What's Due and When After the Omnibus Delay

The EU AI Act doesn’t land all at once. It entered into force on 1 August 2024, but its obligations phase in over several years. Some are already enforceable. The date most businesses fixated on was 2 August 2026 — and that date has now moved. The Digital Omnibus, agreed on 7 May 2026, pushed the largest block of obligations, those for high-risk AI systems, out to 2 December 2027.

That makes the timeline easy to misread in the other direction. The delay does not mean nothing is due before 2027. Several obligations have already been in force for over a year, and one near-term date — Article 50 transparency on 2 November 2026 — barely moved. Here’s what’s actually happening, and when.

What’s already in force

Prohibited practices — since 2 February 2025

The Act’s outright bans took effect first. Article 5 prohibits AI systems that:

• Manipulate behaviour through subliminal, deceptive, or exploitative techniques that cause significant harm
• Exploit vulnerabilities of specific groups (age, disability, social or economic situation)
• Score people socially — evaluating individuals based on social behaviour or personal characteristics, where that score leads to detrimental treatment in unrelated contexts
• Assess or predict criminal offence risk based solely on profiling or personality traits (with narrow exceptions for law enforcement augmenting human assessments based on objective facts)
• Scrape facial images from the internet or CCTV to build facial recognition databases
• Infer emotions in workplaces or educational institutions (except for medical or safety purposes)
• Use real-time remote biometric identification in public spaces for law enforcement (with tightly defined exceptions)

If any of your AI systems do these things, you’re already in breach. These prohibitions carry the highest penalties under the Act: up to €35 million or 7% of global annual turnover, whichever is greater.

Most mainstream business AI systems won’t fall foul of these bans. But they’re worth checking against, particularly the manipulation and vulnerability exploitation clauses, which are broad enough to catch aggressive personalisation engines or dark-pattern-adjacent AI features.

AI literacy — since 2 February 2025

Article 4 requires that organisations ensure their staff and other persons dealing with AI systems on their behalf have a sufficient level of AI literacy. This is already applicable.

The Act doesn’t prescribe a specific training programme. It requires that people working with AI understand enough about how it works, what it can and can’t do, and what the risks are. The appropriate level of literacy depends on the context. An AI engineer needs different knowledge than a customer service manager who oversees a chatbot.

In practice, this means you should already have some form of AI awareness training in place, documented and proportionate to how your organisation uses AI. If you don’t, this is low-hanging fruit to address immediately.

General-purpose AI models — since 2 August 2025

Providers of general-purpose AI (GPAI) models, the foundation models that many applications are built on, have been subject to their own obligations since 2 August 2025:

• Technical documentation
• Copyright policy and compliance with the EU Copyright Directive
• A detailed summary of training data content
• Additional obligations for models with “systemic risk” (those trained with more than 10²⁵ FLOPs of compute, or designated by the Commission): model evaluation, adversarial testing, incident tracking and reporting, and adequate cybersecurity protections

The EU AI Office’s codes of practice for GPAI providers give practical detail on how to meet Articles 53 and 55, particularly around training-data transparency and systemic-risk mitigation.

If you’re building applications on top of GPAI models (using the OpenAI API, Claude API, Gemini API, or similar), the model provider carries these obligations. But you still carry deployer obligations for the application you’ve built on top — and those follow the high-risk timeline below if your application qualifies as high-risk.

Governance and penalties — since 2 August 2025

The EU AI Office, which oversees GPAI model compliance, is operational. The penalty regime is in force, so authorities can already act on the obligations that apply. National competent authorities are standing up their market-surveillance functions ahead of the high-risk obligations landing.

The near-term date: Article 50 transparency — 2 November 2026

This is the deadline to watch first. The Omnibus moved Article 50 transparency obligations by only three months, from 2 August 2026 to 2 November 2026 — so while high-risk work has 16 extra months, transparency work barely shifted.

Article 50 applies to AI systems that interact with people, regardless of risk classification:

• AI interaction disclosure: If your AI system interacts directly with people (chatbots, virtual assistants, AI phone agents), you must inform them they are interacting with AI. The disclosure must happen at first contact, before or at the beginning of the interaction.
• Synthetic content labelling: AI-generated or manipulated images, audio, video, and text must be marked as artificially generated or manipulated, in a machine-readable format where technically feasible.
• Emotion recognition and biometric categorisation: If your system performs these functions, you must inform the people it’s applied to.

These obligations are straightforward to describe but easy to underestimate. Machine-readable provenance marking, in particular, is an engineering task that needs to be design-complete by mid-2026 to be live in November. A chatbot without an AI disclosure label is a compliance violation from that date.

The main deadline moved: high-risk obligations — 2 December 2027

This was the 2 August 2026 deadline. The Parliament voted to delay it in March, the April trilogue collapsed, and the resumed trilogue settled it on 7 May at 2 December 2027 — a 16-month extension. Until the agreed text is published in the Official Journal the original date technically governs, but national authorities are not expected to enforce a 2 August 2026 deadline against companies relying on a confirmed delay queued for adoption.

The full set of obligations for high-risk AI systems under Articles 6–27 and Articles 40–49 applies from this date. This includes:

For providers:

• Risk management systems (Article 9)
• Data governance (Article 10)
• Technical documentation (Article 11, Annex IV)
• Record-keeping and automatic logging (Article 12)
• Transparency and information to deployers (Article 13)
• Human oversight capabilities (Article 14)
• Accuracy, robustness, and cybersecurity (Article 15)
• Quality management systems (Article 17)
• Conformity assessments (Articles 40–49)
• EU Declaration of Conformity (Article 47, Annex V)
• CE marking (Article 48)
• Registration in the EU database (Article 49)

For deployers:

• Use according to instructions (Article 26)
• Human oversight implementation (Article 26)
• Input data relevance (Article 26)
• Monitoring in operation (Article 26)
• Log retention (Article 26)
• Fundamental Rights Impact Assessment (Article 27)
• Serious incident reporting (Article 73)

If you’re a deployer of high-risk AI, December 2027 is when regulators can start asking to see your FRIA, your monitoring procedures, your human oversight arrangements, and your incident reporting processes. That sounds distant — but building this infrastructure takes longer than the calendar suggests, which is the point of the section below.

Penalties for non-compliance with the high-risk obligations:

• Up to €15 million or 3% of global turnover for violations of AI system obligations
• Up to €7.5 million or 1% of global turnover for supplying incorrect or misleading information to authorities

What comes later

Sectoral safety-component systems — 2 August 2028

High-risk AI systems that are regulated as safety components of products covered by existing EU harmonised legislation (listed in Annex I, Section A) get longer still. The Omnibus moved this from 2 August 2027 to 2 August 2028. It applies to AI embedded in:

• Machinery and equipment
• Toys
• Lifts
• Radio equipment
• Pressure equipment
• Medical devices and in vitro diagnostics
• Civil aviation systems
• Motor vehicles
• Agricultural and forestry vehicles
• Marine equipment

If your AI system is embedded in one of these product categories and is subject to third-party conformity assessment under the relevant sectoral legislation, the high-risk obligations apply from August 2028 rather than December 2027. This extension doesn’t apply to standalone AI systems in these sectors — only to those that function as safety components of the physical products.

Legacy and public-sector systems — 2030

High-risk systems already on the market before the high-risk obligations apply generally only need to comply if they undergo significant design changes afterwards. The exception is high-risk systems used by public authorities, which must comply by 2 August 2030 regardless.

Why the delay doesn’t mean stop

The phased rollout, and now the Omnibus delay, create a false sense of security. The logic runs: “The high-risk deadline is December 2027, we have years.” Several factors compress that:

You’re already behind on some things. AI literacy training (Article 4) and prohibited practices checks (Article 5) should already be in place. GPAI obligations have applied since August 2025. If any of these aren’t handled, address them now — the delay didn’t touch them.

Article 50 is near-term, not distant. The transparency deadline is November 2026, and the engineering window for machine-readable marking is shorter than the date implies. This is the deadline that should be on your roadmap right now.

Compliance infrastructure takes time to build. A Fundamental Rights Impact Assessment isn’t something you write in an afternoon. Human oversight processes need to be designed, staffed, and tested. Monitoring systems need to be instrumented. Incident reporting workflows need to be defined and rehearsed. Sixteen extra months sounds generous until you cost out building all of this from scratch alongside everything else.

Your providers need time too. If you’re a deployer of high-risk AI, you need documentation from your providers: instructions for use, conformity declarations, technical details about the system’s capabilities and limitations. The delay applies to them as well, which means provider documentation may arrive later, not sooner. That conversation still needs to start early.

The delay buys depth, not a holiday. Risk management under Article 9, logging under Article 12, human oversight under Article 14, and technical documentation under Annex IV are no simpler now than they were before. A longer runway is best spent on rigour and first-audit preparation, not on pausing.

A practical timeline

Two horizons matter: November 2026 for transparency, December 2027 for high-risk.

Now:

• Complete your AI system inventory
• Classify each system by risk level
• Determine your role (provider or deployer) for each system
• Verify AI literacy training is in place
• Confirm no prohibited practices are in use
• Confirm GPAI obligations are covered for any models you provide

Through mid-2026 (for the November 2026 Article 50 deadline):

• Implement AI interaction disclosures (chatbot and voice-agent labels)
• Build machine-readable synthetic-content marking where you generate or manipulate media
• Add emotion-recognition and biometric-categorisation notices where relevant
• Test these in production before November

2026 into 2027 (for the December 2027 high-risk deadline):

• Begin Fundamental Rights Impact Assessments for high-risk deployments
• Request documentation from providers of high-risk AI systems
• Design and staff human oversight processes
• Set up monitoring and logging infrastructure
• Document everything: processes, assessments, decisions
• Review and stress-test all measures, and conduct dry runs of incident reporting, well ahead of the deadline

The businesses that will have the smoothest transition are the ones that use the extra time to discover the hard problems (the AI system nobody inventoried, the provider who can’t supply adequate documentation, the high-risk classification that triggers obligations nobody budgeted for) while there’s still room to solve them. The deadline moved. The work didn’t.