Optimum Web

EU AI Act 2026: The Deadline Moved, but You Are Not Off the Hook

The EU AI Act's most demanding rules — the high-risk obligations under Annex III — moved from 2 August 2026 to 2 December 2027 under the Digital Omnibus (the European Parliament gave its final approval on 16 June 2026; Council adoption is expected around 29 June 2026, with publication in the Official Journal to follow). But three things already bind you: prohibited AI practices (since February 2025), general-purpose AI (GPAI) model rules (since August 2025), and chatbot transparency (deployer disclosure and deepfake labeling from August 2026; provider watermarking from December 2026). Penalties reach €35M or 7% of global turnover. The Act applies wherever your AI output reaches the EU, no matter where your company is based.

Most coverage still tells you the AI Act lands on 2 August 2026. That date moved for the heaviest obligations. The risk is that "the deadline moved" quietly becomes a reason to do nothing, which is the most expensive way to read the news. Here is the accurate picture as of June 2026: what is genuinely delayed, what is already enforceable, and the three moves that matter before the summer slowdown.

What Changed in the EU AI Act Timeline?

On 7 May 2026, the Council and the European Parliament reached a political agreement on the Digital Omnibus on AI, a package that simplifies parts of the AI Act and resets several deadlines. The European Parliament confirmed the deal in its final vote on 16 June 2026, and the Council is expected to adopt the text formally around 29 June 2026, with publication in the Official Journal to follow. The core architecture — the risk-based tiers, prohibited practices, the GPAI track, and the AI Office's oversight role — did not change. What moved were the application dates for high-risk systems.

| Obligation | Original date | New date |
| --- | --- | --- |
| High-risk, Annex III (hiring, credit scoring, biometrics, essential services) | 2 August 2026 | **2 December 2027** |
| High-risk, Annex I (AI in regulated products: medical devices, machinery) | 2 August 2027 | **2 August 2028** |
| Prohibited AI practices | 2 February 2025 | unchanged, in force |
| GPAI model rules | 2 August 2025 | unchanged, in force |
| Chatbot disclosure + deployer deepfake labeling (Article 50) | 2 August 2026 | unchanged |
| Provider watermarking (Art. 50(2)), plus "nudifier" + CSAM ban | n/a | **2 December 2026** |

One caveat the "we have more time" reading skips: as of 22 June 2026 the Omnibus is not yet formally adopted and in force. Until that text is published, 2 August 2026 technically remains the active legal date. Sane approach: anchor your roadmap to December 2027, but confirm final adoption before you bet your compliance program on it.

What Is Already in Force Right Now?

This is where the delay narrative breaks down. Three sets of obligations are not waiting for 2027.

Prohibited practices (since 2 February 2025). Eight uses are banned outright, including social scoring, untargeted facial-recognition scraping, emotion recognition in workplaces and schools, and subliminal manipulation. Live and enforceable today.

GPAI model rules (since 2 August 2025). Obligations for general-purpose AI model providers — including documentation and transparency duties — have applied for nearly a year.

Transparency obligations (chatbot disclosure and deployer deepfake labeling from 2 August 2026; provider watermarking from 2 December 2026). If you run a customer-facing chatbot, users must be told they are talking to a machine, and deployers must label AI-generated content including deepfakes — both from 2 August 2026. The providers' machine-readable watermarking duty under Article 50(2) carries a grace period to 2 December 2026 for generative systems already on the market.

How to check if this already applies to you: if your business uses a customer-facing chatbot, a recommendation engine, a CV-screening tool, or a credit-scoring model touching EU users, at least one obligation above applies to you now or this year.

Does the EU AI Act Apply to Companies Outside the EU?

Yes. The Act has extraterritorial scope — the same way GDPR does. If your AI system's output reaches the EU through sales, access, or downstream integration, you are likely in scope regardless of where your company sits. A US SaaS vendor whose tool is used by an EU client, or a Moldovan fintech serving EU borrowers, both fall inside the perimeter.

The classification that decides your workload is provider vs deployer. A provider develops the system. A deployer uses it professionally. The trap: if you substantially modify a third-party model — for example through heavy fine-tuning — you can be reclassified from deployer to provider and inherit the much heavier obligations.

How Big Are the Penalties?

The AI Act's fines are deliberately built to exceed GDPR. The structure under Article 99:

| Violation | Maximum fine |
| --- | --- |
| Prohibited practices | €35 million or 7% of global annual turnover, whichever is higher |
| High-risk non-compliance | €15 million or 3% of global turnover |
| Supplying false or misleading information | €7.5 million |

For SMEs and, newly, mid-caps up to 750 employees and €150M revenue, the fine is capped at the lower of the fixed sum or the percentage, and these companies also get access to simplified documentation and regulatory sandboxes. Worth remembering: even where AI Act high-risk dates are deferred, the same systems may already be subject to GDPR, which EU regulators are actively enforcing in AI contexts.

What Should Your Business Do Before the End of 2026?

The window did not close, but the smart money treats the extra time as runway, not relief. Standards and guidance may not be final until close to the new deadlines, which leaves limited room to adapt if you wait. Three moves matter most.

  1. Inventory and classify your AI systems. You cannot comply with rules you have not mapped. List every AI system in use or in development: its purpose, the data it processes, the decisions it affects, and whether its output reaches the EU. Then map each against Annex III to see if high-risk obligations apply. This is the single most useful step now, and it stays valid no matter how the timeline shifts.
  2. Fix the obligations that already bite. Add the "you are talking to an AI" disclosure to your chatbot. Plan content labeling ahead of December 2026. Confirm none of your systems touch the prohibited list.
  3. Build the documentation spine. High-risk readiness means risk management, data governance, technical documentation, human oversight, and post-market monitoring. ISO 42001, the AI management system standard, maps cleanly onto Article 17 and integrates with ISO 27001 if you already run it.

Adjacent: Are You Also in Scope for NIS2?

Companies confused about the AI Act are often unsure about NIS2 too — and that directive is already in its enforcement phase. If you operate in one of the covered sectors, the obligations are live now, not in 2027.

Frequently Asked Questions

Is the EU AI Act deadline August 2026 or December 2027?
Both dates are real for different things. High-risk Annex III obligations were moved to 2 December 2027 under the Digital Omnibus (political agreement of 7 May 2026, final European Parliament vote on 16 June 2026, with Council adoption expected around 29 June 2026 and publication to follow). But chatbot transparency obligations apply from 2 August 2026, and prohibited-practice and GPAI rules are already in force.
Does the EU AI Act apply to my company if we are not in the EU?
Most likely yes. The Act applies based on whether your AI system's output reaches the EU market, not where your company is headquartered, similar to GDPR's extraterritorial reach.
What are the penalties for EU AI Act non-compliance?
Up to €35 million or 7% of global annual turnover for prohibited practices, up to €15 million or 3% for high-risk non-compliance, and up to €7.5 million for false information. SMEs and mid-caps are capped at the lower figure.
What is the single most important step to take now?
Inventory and classify every AI system you build or use, then map each against the Act's high-risk categories. This step stays valid regardless of how the timeline changes.
What is the difference between a provider and a deployer under the AI Act?
A provider develops an AI system, a deployer uses one professionally. If you substantially modify a third-party model, you can be reclassified as a provider and take on heavier obligations.
Does the delay mean I can pause my compliance work?
No. The hard part is not the documentation template, it is finding every AI system, classifying it, and keeping that inventory current as new features ship. None of that gets easier with time, and the same systems may already fall under GDPR and sector-specific rules that are enforced today.

About This Article

Optimum Web Engineering Team·Senior Engineers·26+ years experience

The Optimum Web engineering team — 30+ senior specialists in DevOps, cybersecurity, AI integration, and software development. Collectively they bring 26+ years of hands-on project experience across 172+ client engagements.

Olga Pascal

Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.

Reply to me directly at [email protected] — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.

— Olga Pascal, Business Development at Optimum Web

Cite This Article

APA Format

Optimum Web Engineering Team. (2026). EU AI Act 2026: The Deadline Moved, but You Are Not Off the Hook. Optimum Web. https://www.optimum-web.com/blog/eu-ai-act-2026-deadline-what-changed-whats-due/