The EU has postponed AI Act deadlines — but only for one category: high-risk systems. Their obligations now apply from 2 December 2027 (standalone systems under Annex III) and from 2 August 2028 (AI embedded in regulated products). Everything else stays as it was: the AI prohibitions and the literacy duty have applied since February 2025, the rules for large AI models since August 2025, and the labelling duties arrive in August 2026 as planned. Postponed does not mean cancelled.
Let’s take it in order. The original timetable couldn’t be kept — the harmonised standards that high-risk systems are supposed to be assessed against still aren’t finished. Nobody gains from an obligation taking effect that can’t yet be fulfilled. So in late 2025 the Commission proposed an amendment package, the “Digital Omnibus”. Parliament adopted it on 16 June 2026, the Council confirmed it on 29 June (the deadlines in detail at Gibson Dunn). It’s expected in the Official Journal before the old 2 August 2026 deadline would have hit.
So much for the news. The problem is what many people make of it: “AI Act delayed” gets read as “the topic will sort itself out later”. For most businesses that’s wrong, because the obligations that actually touch daily work have applied for a while.
As always in this spot: a technical assessment, not legal advice. The legal evaluation of your case belongs with a professional.
What applies when?
| From when | What |
|---|---|
| February 2025 | AI prohibitions: no social scoring, no manipulative systems, no emotion recognition in the workplace — plus the literacy duty for everyone deploying AI |
| August 2025 | Obligations for the providers of large AI models. That hits OpenAI, Google and friends, not you as a user |
| 2 August 2026 | Labelling: chatbots have to identify themselves as AI, AI-generated content has to be marked |
| 2 December 2026 | New prohibition: AI-generated abuse material and non-consensual intimate imagery |
| 2 December 2027 | Moved here: high-risk obligations for standalone systems — recruiting, credit scoring, critical infrastructure (Annex III) |
| 2 August 2028 | Moved here: high-risk AI embedded in regulated products, such as medical devices (Annex I) |
The postponement covers the last two rows. If you have ChatGPT in sales, a translation service in support and a chatbot planned for the website, you live in the top four — and those either already applied or arrive on schedule.
The literacy duty is smaller than it sounds
Few obligations attract as much nonsense as Article 4. Some vendors construct a certification requirement with mandatory courses out of it — that’s not in the text. What’s required is that people who work with AI understand the tool: what it can do, where it systematically goes wrong, which data may go in and which may not.
For a typical SME that’s one afternoon. An internal training session, a few written rules, an attendance list — done. The core of it isn’t an AI question anyway, it’s a data question: which data classes may go into which systems. Draw up that matrix once and you’ve nearly written the training material, and knocked out most of your GDPR homework along the way.
The classic: high-risk in-house without noticing
The AI Act distinguishes providers (who develop an AI system or market it under their own name) from deployers (who use it). As a deployer your list of duties is short — until a high-risk system enters the picture. And that happens faster than expected: employment is explicitly listed in Annex III. If an AI pre-sorts or scores your job applications, you are operating a high-risk system, even as a ten-person firm.
The new December 2027 deadline exists precisely for cases like this. Enough time to set up human oversight, clean input data and logging — if you start. A gift, not a free pass.
How to use the time well
The first step costs nothing but honesty: a list of which AI runs in the company. The official kind and the unofficial kind — the private ChatGPT account someone in sales set up counts too. Without that inventory, every compliance discussion is guesswork.
Then the data question: what goes into which systems, and what shouldn’t end up on someone else’s server in the first place? Finally the Article 4 training, documented. Three manageable steps, none of which needs a law firm.
Taking the topic lightly is still a bad idea: breaches of the AI prohibitions cost up to 35 million euros or 7 percent of worldwide annual turnover (Regulation (EU) 2024/1689, Art. 99). Deployer duties sit below that — still existential for an SME. If you want support with the classification, get independent consulting once; it’s a contained project, not a retainer.
Want to know where your AI use sits in the AI Act and what remains to be done by when? Get in touch — we’ll go through your use cases and make an honest list.