The EU AI Act in 2026: Compliance Realities, the Digital Omnibus Delay, and What Leaders Must Do Now

Written by Petr Beranek | Published: June 2026 | Updated to reflect the Digital Omnibus political agreement of 7 May 2026

Abstract: The EU Artificial Intelligence Act is the world's first comprehensive, horizontal AI law, and in 2026 it moved from theory into operational reality for any organization whose AI touches the European market. This analysis cuts through the noise for decision-makers: what the Act actually requires, how its risk-based structure determines your obligations, and - critically - how the recently agreed Digital Omnibus has reshaped the compliance timeline by deferring high-risk obligations while leaving a sharp near-term transparency deadline in place. We set out what should already be in production, what lands in the next few months, the conformity paths available to high-risk providers, and the governance patterns that let large and small organizations stay compliant without grinding development to a halt.

Introduction: A Risk-Based Rulebook With Global Reach

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in staggered phases through 2027 and beyond. It is risk-based: the obligations scale with the potential for harm, not with the sophistication of the technology. A simple recommendation engine and a frontier model can both fall almost entirely outside the heavy provisions, while a comparatively modest system used to screen job applicants can sit squarely inside them.

Two structural features matter before anything else. First, the Act is extraterritorial: much like the GDPR, it applies where an AI system's output is used in the EU, regardless of where the provider or deployer is headquartered. Second, your obligations depend on your role - a "provider" who develops and places a system on the market carries far heavier duties than a "deployer" who merely uses one. Most companies building on top of a third-party foundation model are deployers, but substantial fine-tuning or rebranding can quietly reclassify them as providers.

The Framework: Four Risk Tiers

Every system you build, buy, or deploy falls into one of four tiers. Classifying your inventory against this pyramid is the single most valuable compliance activity, because it tells you which rules apply and, just as often, which do not.

Unacceptable risk Banned outright

High risk Strict obligations & conformity assessment

Limited risk Transparency duties

Minimal risk Most AI — no new obligations

Unacceptable risk systems are prohibited: social scoring, manipulative or deceptive systems, untargeted scraping of facial images, and emotion recognition in the workplace or educational settings, among others. High-risk systems - the heart of the Act - include AI used in hiring and employment, credit scoring, biometric identification, critical infrastructure, education, essential public and private services, and law enforcement, plus AI acting as a safety component of regulated products. Limited-risk systems carry transparency duties only: tell people they are interacting with AI, and label synthetic media. The vast majority of business software lands in the minimal-risk tier, which attracts no new obligations under the Act.

The Timeline Just Moved: The Digital Omnibus

For most of 2025, organizations planned around a single dreaded date: 2 August 2026, when obligations for high-risk systems were due to apply. By late 2025 it was clear that implementation was off track - harmonized standards, the classification guidelines, and national authority designations were all behind schedule. In response, the European Commission tabled the Digital Omnibus on AI on 19 November 2025, and on 7 May 2026 the Council and Parliament reached a provisional political agreement to amend the Act [1].

The most consequential change is a staggered deferral of the high-risk obligations [2]:

Revised high-risk deadlines (per the provisional agreement):
• Stand-alone high-risk systems (Annex III): 2 December 2027 (was 2 August 2026)
• AI embedded in regulated products (Annex I): 2 August 2028 (was 2 August 2027)
• National regulatory sandboxes: 2 August 2027
• Transparency grace period shortened from six to three months → 2 December 2026

The agreement also adds a new prohibition targeting AI-generated non-consensual intimate imagery and child sexual abuse material, and it softens the AI-literacy duty from an obligation to "ensure" literacy to one to "take measures to support" it [3].

The catch - it is not yet law. As of mid-June 2026 the Digital Omnibus is a provisional political agreement, not binding text. The European Parliament's plenary vote is expected in June and publication in the Official Journal around July, with entry into force three days later [4]. Until the amendment is published, the original 2 August 2026 high-risk date remains the law on the books. An organization that demobilizes its compliance program on the assumption that the delay is final is betting on a text that does not yet exist.

The pragmatic posture is therefore to treat the extra time as runway to do the work properly - not as a reason to stand down.

Already in Force: What You Must Have Today

Several obligations are already live and carry no remaining grace period. These should be in place now, regardless of the Omnibus.

Live obligations to verify immediately:

AI literacy (Article 4): applicable since February 2025. Staff who build or use AI on your behalf need baseline training, with a record of who completed it.
Prohibited-practice screen: the bans are in force. Confirm that nothing you build or procure falls into the unacceptable-risk tier.
AI inventory and classification: maintain a register of every system, recording provider-versus-deployer status, risk tier, data used, and an accountable owner.
GPAI vendor due diligence: obligations for general-purpose AI model providers have applied since August 2025, with enforcement powers switching on in August 2026 [5].

The GPAI Layer and the Code of Practice

Because almost every AI product is built on a general-purpose model, the obligations on model providers cascade down to those who deploy them. The Commission's AI Office published the final General-Purpose AI Code of Practice in July 2025, covering transparency, copyright, and - for models with systemic risk - safety and security [6]. Signing the Code is voluntary, but it confers a presumption of conformity and a lighter-touch, collaborative relationship with the AI Office; non-signatories must demonstrate compliance by other adequate means and can expect closer scrutiny [7]. When selecting model vendors, signatory status is a useful proxy for lower integration risk.

The Next Six Months: One Hard Deadline and a Runway

The Near-Term Deadline That Actually Bites

Transparency obligations (Article 50) - due 2 December 2026. The Omnibus shortened this grace period from six to three months, making it the soonest hard deadline. Providers and deployers must mark AI-generated or manipulated content (including deepfakes and synthetic media), watermark outputs in a machine-readable way where feasible, and disclose to users when they are interacting with an AI system.

These duties are engineering-light but must be designed into a product rather than bolted on at launch. Teams shipping chatbots or generative features should treat December 2026 as the date to plan against.

Using the High-Risk Runway

The deferral gives in-scope organizations roughly sixteen extra months on high-risk obligations. The trap is relief followed by amnesia. Two moves convert the runway into an advantage:

Scope first, then build:

Confirm scope honestly. Most products are not high-risk. The high-risk categories are specific; if you are outside them, document the assessment and stop - over-compliance is its own tax.
If in scope, build the muscle now. Risk management, data governance, technical documentation, logging, human oversight, accuracy and robustness, and a quality management system all take time to stand up properly.

Conformity Paths for High-Risk Systems

Providers of high-risk systems must demonstrate conformity before placing a system on the market. There are two broad routes, and knowing which applies prevents both under- and over-investment.

Two conformity routes:
• Internal control (self-assessment): available for most Annex III high-risk systems. The provider assesses conformity against the requirements, draws up technical documentation, and takes responsibility - no external auditor required.
• Notified-body assessment: required mainly for certain biometric systems, where an independent third party reviews conformity.

In both cases the provider must establish a risk-management system, ensure data governance and appropriate technical documentation, enable logging and record-keeping, provide for human oversight, and meet accuracy, robustness, and cybersecurity requirements. The system is then CE-marked and registered in the EU database for high-risk systems before going to market, with post-market monitoring afterward. Deployers carry their own duties: operating the system within its intended purpose, ensuring human oversight, retaining logs, and - for public bodies and certain others - completing a fundamental-rights impact assessment.

Governance Patterns That Scale

The practical challenge is meeting these obligations across a large portfolio without a compliance function that throttles every release. The organizations doing this well treat governance as reusable infrastructure rather than a per-project tax.

Four patterns that scale:

One AI registry: risk classification baked into intake, so nothing ships unclassified.
Reusable evidence: model cards, evaluation and test records, and data lineage as templates - completed once per system, not reinvented. These also satisfy enterprise customers' security reviews, doubling as sales enablement.
Oversight by design: human-in-the-loop controls and incident-reporting hooks built into the product from day one.
Supplier controls: standard AI clauses and a lightweight vendor questionnaire handled in procurement, so vendor risk is managed up front rather than discovered in an audit.

Common Vendor and Product Pitfalls

Pitfalls that catch internal teams and smaller suppliers:

Accidental provider status: heavy fine-tuning or rebranding of a third-party model can flip you from deployer to provider, with materially heavier obligations.
Undocumented assumptions: asserting "we're not high-risk" with nothing written down is worthless to a regulator or a customer. Record the classification rationale.
Blind vendor trust: accepting a supplier's "we're compliant" without supporting documentation leaves the risk with you.
Bolt-on transparency: adding labeling and disclosure at the end of a build is far more expensive than designing it in.

Penalties and Enforcement

The Act's penalties are tiered and, for the most serious breaches, exceed the GDPR's. Prohibited practices can draw fines of up to €35 million or 7% of global annual turnover; breaches of high-risk and GPAI obligations up to €15 million or 3%; and supplying incorrect information to authorities up to €7.5 million or 1% [8]. For SMEs and startups, the penalty is the lower of the fixed amount or the percentage. Enforcement of GPAI obligations by the AI Office begins in August 2026, transforming the soft-touch monitoring of the past year into the power to compel documentation, restrict market access, and impose fines.

Conclusion

The EU AI Act in 2026 is best understood not as a single cliff-edge but as a sequence of obligations arriving at different times - some already live, one biting soon, and the largest set now pushed into late 2027. The Digital Omnibus has bought in-scope organizations valuable time, but it has not removed the work, and until it is published the original timeline technically still stands.

The organizations that will fare best are those that classify their systems first, keep their compliance programs running through the delay, and build governance as durable, reusable infrastructure. Done that way, the Act becomes less a brake on innovation and more a shared baseline that protects users while letting teams move quickly and sell with confidence across the European market.

Sources and Citations

Council of the EU. "Artificial intelligence: Council and Parliament agree to simplify and streamline rules." 7 May 2026. Source
Gibson Dunn. "EU AI Act Omnibus Agreement - Postponed High-Risk Deadlines and Other Key Changes." 2026. Source
Covington (Inside Privacy). "EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions." 2026. Source
White & Case. "EU agrees Digital Omnibus deal to simplify AI rules." 14 May 2026. Source
European Commission. "Guidelines for providers of general-purpose AI models." 2026. Source
Latham & Watkins. "EU AI Act: GPAI Model Obligations in Force and Final GPAI Code of Practice in Place." 2025. Source
Jones Day. "EU AI Act: European Commission Publishes General-Purpose AI Code of Practice." August 2025. Source
EU Artificial Intelligence Act - Implementation Timeline. Source