The EU Just Delayed the AI Act. Don't Celebrate Yet.
Brussels pushed back the high-risk AI deadlines by more than a year. But the deadline that catches almost every business was left exactly where it was. Here is what actually changed, and why you can't relax.
If you run any part of a business that touches AI, you probably saw the headline: the EU delayed the AI Act. The high-risk rules that were supposed to bite in August 2026 have been pushed back to late 2027 and 2028. Relief all round.
Read the fine print and the relief gets thinner. The one deadline that catches almost everyone was not moved at all. The prohibitions are already law. The rules for general-purpose AI models have applied since last summer. And the package that "simplifies" everything quietly rewrites parts of the GDPR to feed AI training, which is why data-protection regulators are furious.
So no, you can't down tools. Here is what the Digital Omnibus actually does, and what it means for the next six months.
It is law now, not a proposal
First, the status. This is done. The Digital Omnibus on AI reached a provisional political agreement on 7 May 2026. Parliament adopted it on 16 June by 423 votes to 57. The Council gave final sign-off on 29 June. It enters into force three days after publication in the Official Journal, which means it is live as you read this.
That matters because a lot of the commentary from late 2025 talked about a "proposed" delay and a "conditional trigger." Both are gone. The final deal replaced the vague "rules apply once standards are ready" idea with fixed calendar dates. You get certainty instead of an open-ended wait. Use it.
What actually got delayed
The genuine relief is real, and it is worth understanding precisely.
Stand-alone high-risk systems, the Annex III category, cover the sensitive stuff: biometrics, critical infrastructure, hiring and employment, education, essential services, law enforcement, migration, and justice. The compliance deadline moved from 2 August 2026 to 2 December 2027.
High-risk AI baked into regulated products, the Annex I category, covers things like medical devices and machinery already governed by EU safety law. That deadline moved from 2 August 2027 to 2 August 2028.
If you are building an AI hiring tool or a diagnostic system, you now have twelve to sixteen extra months. That is not nothing. But notice what those categories have in common: they are the heavy, expensive builds. The delay targets exactly the work that was never going to be finished on the old timeline anyway.
The trap: transparency was not delayed
Here is the part the headlines skipped.
Article 50 transparency duties still apply from 2 August 2026. Unchanged. If your system talks to people, you have to tell them they are talking to an AI. If you generate or manipulate content, whether that is text, images, audio, or deepfake video, you have to mark it as AI-generated.
Watermarking under Article 50(2) gets a short grace period to 2 December 2026 for systems already on the market. That is four months, not four years.
This is the deadline that catches almost every business, because almost every business now runs a chatbot or generates content with AI. And it is roughly a month away from being live. The expensive high-risk work got its extension. The cheap, easy-to-forget transparency work did not.
What was already law and stays that way
Two more things never moved, because they were already in force.
Prohibited practices under Article 5 have applied since 2 February 2025. These are the outright bans: social scoring, manipulative systems, certain biometric surveillance. If you are doing any of it, you were already breaking the law, and the Omnibus changes nothing.
General-purpose AI model obligations have applied since 2 August 2025. If anything the AI Office got its enforcement powers reinforced, not loosened.
And the package added a new prohibition. Article 5 now bans AI that generates non-consensual intimate imagery, the so-called nudifiers, and child sexual abuse material, where that output is a reasonably foreseeable result of the system. So while Brussels relaxed the timelines, it tightened the rules where it counts.
The controversial bit: GDPR and your training data
The AI Act delay grabbed the headlines. The data changes deserve more attention than they got.
The wider Omnibus rewrites parts of the GDPR to make AI training easier. Two changes stand out. Pseudonymised data may no longer count as personal data when the holder is not reasonably likely to re-identify anyone, which narrows what the GDPR covers. And AI development gets treated as a presumptively legitimate interest for processing personal data, which opens the door to broader re-use of data you already hold.
The European Data Protection Board and its Supervisor called this "far beyond a technical amendment." Amnesty International and academic critics warned it weakens digital-rights protections and effectively grandfathers many existing public-sector high-risk systems for extra years.
Whatever you think of the politics, the practical point is this: if your business trains or fine-tunes models on customer data, the legal ground under you just shifted. Get your data protection people in the room before you assume the new rules help you.
Can we relax? A straight answer
No. But you can plan calmly instead of panicking.
Here is the deadline calendar that matters:
- Feb 2025: prohibitions in force (already live)
- Aug 2025: GPAI model rules in force (already live)
- 2 Aug 2026: Article 50 transparency (about a month away)
- 2 Dec 2026: watermarking grace period ends, nudifier and CSAM ban applies
- 2 Dec 2027: Annex III high-risk systems
- 2 Aug 2028: Annex I high-risk systems
And here is what to do with the next six months, which every major law firm agrees on:
- Treat August 2026 as a live deadline. Inventory every place your business shows an AI-generated response or AI content to a customer, and make sure it is disclosed.
- Build one inventory of every AI system you use, including vendor and third-party tools. Risk-classify each use case.
- Stand up basic governance: clear roles across business, technical, and compliance, plus documentation and monitoring for when models or data change.
- Track the standards and sector codes as they land, so you can map to them early instead of scrambling.
- Fix your supplier contracts so AI Act responsibilities are actually allocated to someone.
- Train your staff anyway. The Act softened the hard AI-literacy requirement into a "encourage it" duty, but literacy is still the cheapest risk reduction you can buy.
The extra time is a gift for the hard, expensive work. It is not a signal to lean back. The near-term deadline that most businesses will actually trip over is transparency, and that one is still staring at you from August.
Read the delay as breathing room to get it right. Not as permission to stop.
Sources
- Gibson Dunn: EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines - Precise breakdown of revised high-risk deadlines, watermarking grace period, and new prohibitions
- Consilium: Council and Parliament agree to simplify AI rules - Official Council announcement of the 7 May 2026 provisional agreement
- Morrison Foerster: EU Digital Omnibus on AI — What Is in It and What Is Not - Scope of the package, goals, and administrative burden-reduction targets
- Inside Privacy (Covington): AI Act Update — Timeline Relief and New Prohibitions - Balanced summary of timeline relief plus the new nudifier/CSAM prohibitions
- iubenda: Parliament adopts the AI Omnibus, Council sign-off next - Vote counts and the June/July 2026 procedural timeline through to entry into force
- IAPP: EU Digital Omnibus amendments to GDPR miss the mark - Detailed critique of the GDPR/data changes that facilitate AI training
- Amnesty International: EU simplification laws - Civil-society objections and digital-rights concerns about the package
- Orrick: EU's Digital Omnibus on AI — 7 Key Changes You Need to Know - Concise practitioner checklist of the seven key changes for business