← Back to the blog

July 8, 2026 · 4 min read

EU AI Act Delayed: Which Rules Still Apply in 2026

High-risk obligations move to late 2027, but the AI literacy duty, banned practices and GPAI rules have applied since 2025. The new AI Act timeline.

AA
Anton Anders
IT consultant & developer

The EU has postponed AI Act deadlines — but only for one category: high-risk systems. Their obligations now apply from 2 December 2027 (standalone systems under Annex III) and from 2 August 2028 (AI embedded in regulated products). Everything else stays as it was: the AI prohibitions and the literacy duty have applied since February 2025, the rules for large AI models since August 2025, and the labelling duties arrive in August 2026 as planned. Postponed does not mean cancelled.

Let’s take it in order. The original timetable couldn’t be kept — the harmonised standards that high-risk systems are supposed to be assessed against still aren’t finished. Nobody gains from an obligation taking effect that can’t yet be fulfilled. So in late 2025 the Commission proposed an amendment package, the “Digital Omnibus”. Parliament adopted it on 16 June 2026, the Council confirmed it on 29 June (the deadlines in detail at Gibson Dunn). It’s expected in the Official Journal before the old 2 August 2026 deadline would have hit.

So much for the news. The problem is what many people make of it: “AI Act delayed” gets read as “the topic will sort itself out later”. For most businesses that’s wrong, because the obligations that actually touch daily work have applied for a while.

As always in this spot: a technical assessment, not legal advice. The legal evaluation of your case belongs with a professional.

What applies when?

From whenWhat
February 2025AI prohibitions: no social scoring, no manipulative systems, no emotion recognition in the workplace — plus the literacy duty for everyone deploying AI
August 2025Obligations for the providers of large AI models. That hits OpenAI, Google and friends, not you as a user
2 August 2026Labelling: chatbots have to identify themselves as AI, AI-generated content has to be marked
2 December 2026New prohibition: AI-generated abuse material and non-consensual intimate imagery
2 December 2027Moved here: high-risk obligations for standalone systems — recruiting, credit scoring, critical infrastructure (Annex III)
2 August 2028Moved here: high-risk AI embedded in regulated products, such as medical devices (Annex I)

The postponement covers the last two rows. If you have ChatGPT in sales, a translation service in support and a chatbot planned for the website, you live in the top four — and those either already applied or arrive on schedule.

The literacy duty is smaller than it sounds

Few obligations attract as much nonsense as Article 4. Some vendors construct a certification requirement with mandatory courses out of it — that’s not in the text. What’s required is that people who work with AI understand the tool: what it can do, where it systematically goes wrong, which data may go in and which may not.

For a typical SME that’s one afternoon. An internal training session, a few written rules, an attendance list — done. The core of it isn’t an AI question anyway, it’s a data question: which data classes may go into which systems. Draw up that matrix once and you’ve nearly written the training material, and knocked out most of your GDPR homework along the way.

The classic: high-risk in-house without noticing

The AI Act distinguishes providers (who develop an AI system or market it under their own name) from deployers (who use it). As a deployer your list of duties is short — until a high-risk system enters the picture. And that happens faster than expected: employment is explicitly listed in Annex III. If an AI pre-sorts or scores your job applications, you are operating a high-risk system, even as a ten-person firm.

The new December 2027 deadline exists precisely for cases like this. Enough time to set up human oversight, clean input data and logging — if you start. A gift, not a free pass.

How to use the time well

The first step costs nothing but honesty: a list of which AI runs in the company. The official kind and the unofficial kind — the private ChatGPT account someone in sales set up counts too. Without that inventory, every compliance discussion is guesswork.

Then the data question: what goes into which systems, and what shouldn’t end up on someone else’s server in the first place? Finally the Article 4 training, documented. Three manageable steps, none of which needs a law firm.

Taking the topic lightly is still a bad idea: breaches of the AI prohibitions cost up to 35 million euros or 7 percent of worldwide annual turnover (Regulation (EU) 2024/1689, Art. 99). Deployer duties sit below that — still existential for an SME. If you want support with the classification, get independent consulting once; it’s a contained project, not a retainer.


Want to know where your AI use sits in the AI Act and what remains to be done by when? Get in touch — we’ll go through your use cases and make an honest list.

Frequently asked questions

Has the EU AI Act been delayed? +

Partially. The Digital Omnibus moves the obligations for high-risk AI under Annex III to 2 December 2027 and for AI embedded in regulated products to 2 August 2028. The prohibited practices, the AI literacy duty under Article 4 and the GPAI rules remain in force unchanged.

Which AI Act obligations already apply? +

Since February 2025: the prohibited practices (Article 5) and the AI literacy duty (Article 4). Since August 2025: the obligations for providers of general-purpose AI models. From 2 August 2026 the transparency duties under Article 50 follow as planned, such as labelling chatbots.

What does the AI literacy duty in Article 4 require? +

Anyone deploying AI has to make sure their people have sufficient AI competence: they should know what the tool can do, where it systematically fails and which data they may give it. A certified course is not required — a documented internal training session covers it in most cases.

Does the AI Act apply to small companies? +

Yes. The obligations depend on your role (provider or deployer) and on the system's risk class, not on company size. A ten-person firm that pre-screens job applications with AI is operating a high-risk system.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.