The EU AI Act After the Digital Omnibus: What Actually Applies in 2026

The headline most executives got wrong

When news broke that the EU AI Act was "delayed", a lot of teams quietly moved AI governance back down the roadmap. That was the wrong read. The Digital Omnibus, agreed provisionally on 7 May 2026, did not pause the AI Act. It deferred one specific layer, the heaviest one, and left the parts that affect most companies exactly where they were.

This is an executive explainer, not legal advice. If you build, buy, or ship AI that touches the EU market, here is what is real, what moved, and what to do before the next deadline.

What is enforceable from 2 August 2026

These did not move. Plan as if they are live, because they are.

• General purpose AI (GPAI) enforcement. From 2 August 2026, the enforcement powers for general purpose AI models become active. If you fine tune, host, or distribute a foundation model, or build on one in a way that makes you a provider, the obligations apply.
• Transparency duties under Article 50. Core transparency obligations apply. People must be told when they are interacting with an AI system, and AI use must not be hidden behind a human mask.
• AI literacy. The obligation for organizations to ensure staff who operate AI systems have adequate AI literacy has already been in force since early 2025. The Omnibus did not touch it.
• Prohibited practices. The banned use cases, such as social scoring and certain biometric categorization, have applied since February 2025 and remain banned.

The practical message for a German Mittelstand company: if you have shipped a chatbot, a generative feature, or an AI assistant to customers or staff, the transparency and literacy obligations already apply to you. That is not a 2027 problem.

What the Omnibus actually deferred

The deferral is real, but narrow. It targets the high-risk regime, which is the most expensive and operationally heavy part of the Act.

• High-risk systems under Annex III (standalone systems in areas like employment, credit, education, critical infrastructure): compliance is postponed to 2 December 2027, a shift of roughly sixteen months.
• High-risk AI embedded in regulated products under Annex I: postponed to 2 August 2028.
• Labelling and watermarking of AI generated content: the specific duty to mark and machine-tag synthetic media moved from 2 August 2026 to 2 December 2026, a four month shift.
• Regulatory sandboxes: the deadline for member states to stand them up moved to 2 August 2027.

Why "deferred" is a trap, not a reprieve

Three reasons the extra time is not free.

1. The deferred work is the slow work. A high-risk conformity assessment, a risk management system, technical documentation, logging, human oversight design, and post-market monitoring are not a sprint. Sixteen months is the runway, not the slack. Teams that treat December 2027 as "later" will be doing the same scramble, just later.
2. The live obligations still bite now. Transparency, literacy, GPAI, and the prohibitions are enforceable. A deferred high-risk deadline does nothing for a company that has an undisclosed AI feature in production today.
3. The labelling deadline is close. If you ship any generative AI feature into the EU, you need user facing labelling, machine readable metadata on generated content, and a detection story operational by 2 December 2026. That is months, not years.

What to do before the next deadline

A pragmatic sequence, in priority order.

1. Inventory. List every AI system you build, embed, or expose to users or staff. You cannot govern what you have not named. Most organizations underestimate this list by half.
2. Classify. For each system, decide the tier: prohibited, high-risk, limited-risk with transparency duties, or minimal. The classification drives everything else.
3. Close the live gaps first. Transparency disclosures, AI literacy for operators, and labelling for generative features. These are due now or by December 2026, and they are comparatively cheap to fix.
4. Start the high-risk runway. If anything lands in Annex III, begin the risk management and documentation work against the December 2027 date. Treat it as a programme, not a checkbox.
5. Document the decisions. Regulators and enterprise buyers both ask the same question: show me how this system is governed. A decision record beats a policy PDF.

How we think about this

We build AI systems that have to live inside regulated European businesses, so we treat governance as part of the architecture, not a compliance bolt-on. Our position on the Act is deliberately hedged: the regime is still settling, and anyone selling you certainty about every edge case is selling you something. What we do commit to is concrete: decision traceability, human oversight at the points that matter, data handling that respects GDPR, and a documented account of how each system behaves. We wrote up that stance on our AI governance page, and the engineering patterns behind it in AI decision traceability and human in the loop AI.

If you want a grounded read on which of your AI systems are affected and what the realistic runway looks like, start a conversation. We will tell you where the regulation actually touches you, and where it does not.

Sources: the official EU AI Act regulatory framework. Dates reflect the Digital Omnibus provisional agreement of May 2026 and remain subject to formal adoption.