eu-ai-act

The EU AI Act Deadline Has NOT Changed. Here Is What Actually Happened.

Petru Constantin
--6 min lectura
#eu-ai-act#compliance#digital-omnibus#regulation#devidevs

The EU AI Act Deadline Has NOT Changed. Here Is What Actually Happened.

The Headlines Are Wrong

If you opened LinkedIn this week, you probably saw some version of "EU delays AI Act by 16 months." The European Parliament's IMCO and LIBE committees adopted their negotiating mandate on March 18, 2026. The Council agreed its position on March 13. Headlines everywhere announced the delay.

Here is the part they left out: none of this is law yet.

The Digital Omnibus is a legislative proposal. Both institutions adopted negotiating positions, which means they can now start trilogue talks. Those talks have not started. The earliest realistic adoption date is late 2026. Until the Omnibus formally passes through trilogues, gets voted on in plenary, and enters into force, August 2, 2026 remains the legally binding deadline for high-risk AI system obligations.

Read that again. August 2, 2026 is still the law.

What the Digital Omnibus Actually Proposes

The proposal is more nuanced than "delay everything by 16 months." Here is what it says:

Annex III high-risk systems (standalone AI in HR, finance, law enforcement, education): enforcement moves to the earlier of December 2, 2027 or six months after the Commission confirms that harmonized standards are available.

Annex I high-risk systems (AI embedded in regulated products like medical devices, vehicles): enforcement moves to the earlier of August 2, 2028 or twelve months after standards availability.

The word "conditional" matters here. The delay only kicks in after the Commission confirms that CEN/CENELEC harmonized standards or equivalent compliance support exists. Those standards missed their own August 2025 deadline and are not expected before Q4 2026 at the earliest.

So the delay is conditional on something that does not exist yet, proposed in a law that has not been adopted yet, and depends on trilogue negotiations that have not started yet.

That is three layers of "not yet."

What Is Already Enforceable Right Now

While companies debate whether the deadline moved, they are missing what already applies:

Since February 2, 2025: All prohibited AI practices are illegal. Social scoring, manipulative AI, predictive policing, untargeted facial recognition scraping, workplace emotion recognition. Fines: up to EUR 35 million or 7% of global turnover.

Since August 2, 2025: GPAI model obligations are in force. Transparency requirements, copyright due diligence, safety evaluations for systemic risk models. The EU AI Office already issued formal document retention orders to X (Grok) in January 2026 and opened an investigation into Meta.

August 2, 2026 (NOT delayed by Digital Omnibus): Article 50 transparency obligations for AI-generated content. If your marketing team uses generative AI, you need machine-readable labels and disclosure workflows by this date. The Omnibus does not touch Article 50.

So even in the best-case scenario where the Omnibus passes and high-risk deadlines shift, companies still need to comply with prohibited practices (already live), GPAI obligations (already live), and transparency requirements (August 2026, not delayed).

Why Pausing Compliance Is the Worst Move

I have talked to CTOs who saw the headlines and told their teams to "wait and see." That is a mistake for three specific reasons.

Reason 1: If trilogues run late, August 2026 applies by default. The Omnibus needs to complete trilogue negotiations, pass a plenary vote in Parliament, get formal Council adoption, and be published in the Official Journal. If any of these steps drag past August 2026, you are non-compliant on that date. Taylor Wessing's analysis puts it bluntly: the EU risks entering a period where high-risk obligations technically apply while lawmakers are still debating whether to postpone them.

Reason 2: The compliance work is the same regardless of deadline. Whether you face August 2026 or December 2027, you need the same things: an AI system inventory, risk classification per Annex III categories, technical documentation, a quality management system, and conformity assessment processes. The Commission was supposed to publish Article 6 classification guidelines by February 2, 2026. They missed that deadline. Harmonized standards are delayed. None of this reduces the compliance workload. It just means you are doing it without official guidance, which takes longer, not less time.

Reason 3: Companies that start early spend less. A 2-week structured assessment done calmly now costs a fraction of what a last-minute scramble costs under deadline pressure. Notified body queues will fill up. Every compliance consultancy will be booked. If you are starting your compliance work when the Omnibus is adopted, you are already competing for limited assessment capacity.

What You Should Actually Do

Stop reading headlines. Start with these three steps:

Step 1: Build your AI inventory. List every AI system your company develops, deploys, or uses. Include third-party models (yes, ChatGPT API calls count). This takes 1-2 days depending on your organization's size.

Step 2: Classify risk. For each system, determine whether it falls under Annex III high-risk categories. The Commission's guidelines are late, but the regulation text and Annex III categories are clear enough for practical classification. A half-day per AI system gives you a defensible determination.

Step 3: Check what already applies. Prohibited practices audit (half a day). GPAI compliance review if you deploy or fine-tune third-party models. Article 50 transparency assessment for AI-generated content.

You do not need to wait for Brussels. The regulation text, the recitals, and the existing ISO 42001 framework give you enough to start building a compliance posture that works regardless of which deadline lands.

The Real Risk Is Not the Fine

The maximum fine for high-risk non-compliance is up to 3% of global turnover. That gets the headlines. But the real risk for most companies is simpler: you cannot sell into the EU market without compliance.

Companies that have their AI systems classified, documented, and assessed will be operating freely while their competitors are scrambling through notified body queues. The CE mark cliff is real. Products without conformity assessment cannot enter the market. First movers do not just avoid fines. They capture market share.

The Omnibus gives you more time on paper. But paper is not law yet. And even if it becomes law, the work starts now.

About DeviDevs: We build ML platforms, secure AI systems, and help companies comply with the EU AI Act. devidevs.com

Ai nevoie de ajutor cu conformitatea EU AI Act sau securitatea AI?

Programeaza o consultatie gratuita de 30 de minute. Fara obligatii.

Programeaza un Apel

Weekly AI Security & Automation Digest

Get the latest on AI Security, workflow automation, secure integrations, and custom platform development delivered weekly.

No spam. Unsubscribe anytime.

Related Articles

eu-ai-act

The EU Went After X and Meta for GPAI Compliance. Your Integration Is Next.

The EU is now enforcing GPAI compliance rules against X and Meta. If you integrate GPT, Claude, or Llama in production, you have deployer obligations.

6 min read
eu-ai-act

Your AI System Triggers Both GDPR and the AI Act. Here Is How to Handle It.

Your AI system processing personal data triggers both GDPR and the AI Act. Learn how to run a unified DPIA plus FRIA assessment and avoid double penalties.

7 min read
mlops

Your ML Model Registry Is Your EU AI Act Compliance Foundation

EU AI Act Annex IV demands full model lineage and versioning. Your ML model registry is the compliance foundation. Here is how to build one that passes audit.

7 min read
← Inapoi la Blog