EXPLAINER

The AI Act Deadline Just Moved 16 Months.
Three Obligations Didn’t.

The Digital Omnibus pushes high-risk AI rules to December 2027. That is exactly why teams are about to miss what is still due in 2026.

EU AI Act · CELEX 32024R1689·Digital Omnibus on AI·Published 30 Jun 2026
// ai_act_high_risk.deadlineDELAYED
2 Aug 20262 Dec 2027
+16 months
on stand-alone high-risk (Annex III) — but transparency, watermarking, and two new prohibitions still hit in 2026.

The headlines were clear enough. “EU delays AI Act.” “High-risk compliance pushed to 2027.” “Relief for AI builders.”

All true. The Digital Omnibus on AI, the amending regulation the Parliament approved and the Council adopted in June 2026, moves the big deadline. Obligations for stand-alone high-risk AI systems (Annex III) slip from 2 August 2026 to 2 December 2027. That is sixteen months of room on the heaviest part of the regulation.

Here is the problem with reading the headline and downing tools. Three obligations did not move, and two of them are brand new. And underneath the switch-on dates sits a second set of operational deadlines that no “AI Act timeline” graphic shows, which the Omnibus does not touch at all. If your plan was “the AI Act is a 2027 problem now,” you have a 2026 problem you have not noticed.

On the dates below — not yet legally binding
The Digital Omnibus was approved by the European Parliament (16 June 2026) and adopted by the Council (29 June 2026), amending the AI Act, Regulation (EU) 2024/1689. The dates here take effect only when the amending regulation is published in the Official Journal (L series), at which point its final CELEX is assigned. Primary sources: COM(2025) 836 (CELEX 52025PC0836), procedure 2025/0359(COD) on the EP Legislative Observatory, and the AI Act itself (CELEX 32024R1689, EUR-Lex).

What still bites in 2026

01

Transparency disclosure — 2 August 2026, unchanged

Provider and Deployer · Art 50

Article 50 is the obligation most teams forget is separate from the high-risk regime. If your system interacts with people (chatbots), generates or manipulates content (deepfakes, synthetic media), or does emotion recognition or biometric categorisation, you owe disclosure: users must know they are dealing with AI or AI-generated output. It falls on both the provider that builds the system and the deployer that puts it in front of people.

The Omnibus left this date exactly where it was: 2 August 2026. It is not a high-risk obligation, so the high-risk delay does nothing for it.

Article 50, AI Act — transparency obligations for providers and deployers of certain AI systems.

02

Synthetic-content marking (watermarking) — grace ends 2 December 2026

Provider · Art 50(2)

If your system generates synthetic audio, image, video, or text, its output has to be marked as artificially generated in a machine-readable way. This applied from 2 August 2026 with the rest of Article 50; the Omnibus adds a short grace period for systems already on the market before that date, closing 2 December 2026. A four-month reprieve, not a year.

Article 50(2), AI Act — marking of AI-generated or manipulated content.

03

Two new prohibitions — 2 December 2026

Any operator · Art 5

This part is not a delay. It is an expansion. The Omnibus adds new prohibited practices to Article 5: AI systems that generate or manipulate non-consensual intimate imagery of identifiable people (“nudifier” apps), and systems that produce child sexual abuse material (within the meaning of Directive 2011/93/EU). Prohibited from 2 December 2026. A prohibition binds everyone in the chain: you may not build, place on the market, or use such a system.

Article 5, AI Act (as amended) — prohibited AI practices.

What genuinely got more time

So you can plan deliberately rather than react to a headline, here is the other side of the ledger:

ObligationOld deadlineNew deadline
High-risk, stand-alone (Annex III)2 Aug 20262 Dec 2027
High-risk, embedded in regulated products (Annex I)2 Aug 20272 Aug 2028
AI regulatory sandboxes operational2 Aug 20262 Aug 2027
Transparency disclosure (Art 50)2 Aug 20262 Aug 2026, unchanged
Synthetic-content marking (Art 50(2))2 Aug 2026grace to 2 Dec 2026
New Art 5 prohibitions (nudifiers, CSAM)2 Dec 2026

The delayed high-risk obligations are not spread evenly. The bulk fall on the provider (Arts 8–22: risk management, data governance, documentation, logging, human oversight, accuracy). Deployers carry their own set (Arts 26–27, including a fundamental-rights impact assessment), and importers (Art 23) and distributors (Art 24) inherit checks of their own. Knowing which of those is yours is the difference between sixteen months of preparation and sixteen months of assuming someone else owns it.

The deadlines that aren’t on any timeline

Switch-on dates are only half the clock. The AI Act also carries operational deadlines inside the obligations, and the Omnibus changed none of them. These are the duties teams miss, because they never appear on a timeline graphic:

  • Serious-incident reporting
    Art 73, provider and deployer — report within 15 days of becoming aware; 2 days for a widespread incident; 10 days where a death is involved. The market-surveillance authority then acts within 7.
  • Documentation retention
    Keep technical documentation, the EU declaration of conformity, and GPAI documentation for 10 years (Arts 18, 22, 23, 47, 54); keep high-risk system logs for at least 6 months (Arts 19, 26).
  • Certificate validity
    Notified-body certificates last ≤ 5 years (Annex I) or ≤ 4 years (Annex III); if a notified body’s designation is withdrawn, its certificates stay valid only 9 months (Arts 44, 36).

Timing matters: these durations do not move, but they go live with their parent obligation. GPAI documentation retention is already in force (since August 2025). The high-risk ones (incident windows, log and document retention) switch on with the high-risk regime, now December 2027. Either way they are runbook duties, not calendar entries you can defer.

Why it moved, and why that is not a reprieve on substance

The delay is not a softening of intent. It is a readiness problem. Implementation was visibly off track, and the harmonised technical standards that tell you how to satisfy the high-risk requirements (risk management, data governance, technical documentation, logging) were not ready in time. You cannot hold companies to a conformity deadline when the conformity yardstick does not exist yet.

That distinction matters for how you use the sixteen months. The requirements did not shrink. The high-risk obligations that land in December 2027 are the same obligations. Retrofitting them into a system already in production takes far longer than sixteen months. Teams that treat this as a deadline that vanished will spend late 2027 doing in a panic what they could have done deliberately.

A date change is a work change

Most coverage of the Omnibus stops at the date table. A date table tells you when. It does not tell you what to build differently, or who in your organisation owns it.

RuleMesh holds the AI Act as engineered rules: each obligation traced from the statutory article, to the actor it binds, to the engineering control that satisfies it, to the evidence an auditor would ask for. Read through that lens, a sixteen-month shift is not a calendar update. It is a re-prioritisation:

  • The 2026 obligations are stable.
    Transparency, content marking, and the two new prohibitions do not wait on standards. You can start the engineering for them now, with little risk of rework.
  • The high-risk obligations that moved to 2027 are where the standards uncertainty sits.
    The durable parts (data lineage, logging, documentation discipline) hold regardless of how the standards land. Start the evidence trail there, and let the standards-dependent detail follow.

Much of this is not new work. The 2026 obligations lean on the same controls GDPR already asks of you: security of processing, data governance, logging, records. If you are implementing GDPR with RuleMesh today, you are already building the substrate the AI Act will need. Not sure where you stand? The scope interview walks you through what applies, by role, against the live rules engine.

Sixteen months is not time off. It is a head start, if you spend it building the evidence record instead of waiting for the new deadline to feel urgent.

Frequently asked

Did the EU delay the AI Act?
Yes. The Digital Omnibus on AI moves stand-alone high-risk obligations (Annex III) from 2 August 2026 to 2 December 2027, and high-risk embedded in regulated products (Annex I) to 2 August 2028. The dates bind on Official Journal publication.
What AI Act obligations still apply in 2026?
Article 50 transparency disclosure (2 August 2026), synthetic-content marking (grace to 2 December 2026), and two new Article 5 prohibitions (2 December 2026).
Did the AI Act transparency deadline move?
No. Article 50 transparency stays at 2 August 2026; the high-risk delay does not apply to it.
What are the new AI Act prohibitions in 2026?
AI systems generating non-consensual intimate imagery of identifiable people, and systems producing child sexual abuse material — prohibited from 2 December 2026.

Informational, not legal advice. The Digital Omnibus dates above are not yet legally binding — they take effect only on publication of the amending regulation in the Official Journal of the European Union (L series); confirm against the published text before relying on any specific date. Primary sources: AI Act — Regulation (EU) 2024/1689 (EUR-Lex, CELEX 32024R1689); Digital Omnibus on AI — COM(2025) 836 (CELEX 52025PC0836), procedure 2025/0359(COD) and report A10-0073/2026 (European Parliament Legislative Observatory). Obligation, actor, and deadline mappings are drawn from RuleMesh’s structured model of the AI Act.

The AI Act rides on the GDPR work you can start now.

The 2026 obligations lean on the same controls GDPR already asks of you. Point your coding agent at GDPR today and you build the substrate the AI Act will need.