Elena Novak, YuSMP Group
Elena Novak Principal Consultant, AI Governance & Compliance, YuSMP Group · EU AI Act and data-protection readiness for US/EU products
Classical institutional columns overlaid with a glowing calendar grid, clock faces and circuit-board lines in blue and amber on a deep navy background, suggesting a shifting regulatory timeline

The short answer

On 29 June 2026 the Council of the EU gave final approval to the Digital Omnibus, delaying the AI Act's high-risk obligations for stand-alone systems from 2 August 2026 to 2 December 2027, and to 2 August 2028 for high-risk AI embedded in regulated products. It followed the European Parliament's endorsement on 16 June. The Act is not repealed, and the bans and general-purpose AI rules already in force were not touched. The new dates bind only once the text is published in the Official Journal, expected within weeks.

For teams building or buying software for US and EU markets, the headline is breathing room: the August 2026 scramble is off, but the obligations are still coming. The advantage now goes to teams that use the extra eighteen months to build AI governance into the product rather than treating 2027 as a distant problem.

What the EU actually approved

The measure is the Digital Omnibus — a simplification package that amends the AI Act rather than rewriting it, and the first substantive change to the Act since it was adopted in 2024. It reached a provisional trilogue agreement on 7 May 2026, was endorsed by the European Parliament on 16 June, and received the Council's final green light on 29 June. Once published in the EU's Official Journal, it enters into force on the third day after publication; until then, the old dates technically remain the law, which is why the Council flagged adoption "in advance of the 2 August 2026 deadline."

The core of the package is timeline relief for high-risk AI — the systems the Act treats as most consequential, such as those used in hiring, credit scoring, education, essential services, and critical infrastructure. Rather than a single cliff on 2 August 2026, obligations for stand-alone Annex III systems now start on 2 December 2027, and obligations for AI embedded in products already regulated under Annex I — medical devices, machinery, vehicles — start on 2 August 2028. Alongside the delay, the package trims paperwork for systems that self-assess as non-high-risk and extends the Act's lighter-touch SME regime to "small mid-cap" firms of up to 750 employees, widening the pool of companies that get simplified documentation and reduced penalties.

The new deadlines, in one table

Here is the shape of the timeline after the Omnibus. The two high-risk dates moved; the earlier obligations did not.

ObligationOriginal dateNew date
High-risk AI — stand-alone (Annex III)2 Aug 20262 Dec 2027
High-risk AI — embedded in regulated products (Annex I)2 Aug 20262 Aug 2028
Prohibited-practice bans2 Feb 2025Unchanged (in force)
General-purpose AI (GPAI) obligations2 Aug 2025Unchanged (in force)
Marking of AI-generated content (grace cut 6→3 months)2 Dec 2026
National regulatory sandboxes established2 Aug 20262 Aug 2027
New ban: non-consensual intimate imagery & CSAMTransitional to 2 Dec 2026

One caveat worth putting in every planning deck: these dates are contingent on publication in the Official Journal. The Council approved the text, but it is not binding law until it appears there. Plan around the new dates, but confirm publication before you formally rebaseline a compliance programme.

What did not move

The delay is narrower than the headlines suggest, and reading it as "the AI Act is on hold" is the mistake that will bite. The prohibited practices — social scoring, certain biometric categorisation, manipulative systems — have been enforceable since February 2025. The general-purpose AI transparency and documentation obligations that model providers have faced since August 2025 are equally untouched. If you fine-tune or deploy a foundation model, or if your product falls into a banned category, none of that changed on 29 June.

Two items actually pull work closer. The grace period for marking AI-generated content was shortened from six months to three, landing on 2 December 2026, and a new prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material was added with a transitional window to the same date. Any team shipping generative features into the EU — image, audio, or text generation — should treat content-provenance marking as a 2026 task, not a 2027 one.

What it means for US & EU software teams

Strip away the Brussels procedure and this is a planning signal. The August 2026 fire drill that had product and legal teams racing to classify systems is off — but the underlying obligation to inventory, classify, document, log, and add human oversight to high-risk AI is exactly the same, just due in December 2027. The teams that win are the ones that convert relief into groundwork instead of quietly deprioritising the whole file.

The extraterritorial reach makes this a US problem too, not only an EU one. A US SaaS vendor is in scope the moment it places an AI system on the EU market or its model's output is used in the EU — the Act does not care where the company is incorporated. That is why teams selling into Europe should classify their systems now and treat data governance as inseparable from AI governance; the same discipline that underpins GDPR compliance — data mapping, lawful basis, minimisation, records — is the foundation the AI Act builds on.

The embedded-AI split matters most in regulated verticals. In HealthTech, an AI feature inside a medical device follows the Annex I track to 2 August 2028 and rides on top of existing MDR conformity work; in FinTech, an AI credit-scoring model is classic stand-alone Annex III high-risk with a 2 December 2027 date. Same company can face two different clocks depending on where the model lives, so a single "AI Act deadline" line in a roadmap is usually wrong. Map each system to its own track, and design the controls — risk management, logging, human oversight, technical documentation — into the build rather than retrofitting them under time pressure in 2027.

How to use the extra runway

Treat the eighteen extra months as budgeted engineering and governance time, not slack. A practical sequence:

  1. Inventory every AI system. List what you build, embed, fine-tune, and buy, including third-party models inside your product. You cannot classify what you have not catalogued.
  2. Classify against the risk tiers. Sort each system into prohibited, high-risk (Annex III vs Annex I), limited-risk, or minimal — and record the reasoning. This is the step that sets every downstream deadline.
  3. Ship the 2026 items first. Content-provenance marking and the new intimate-imagery prohibition are 2 December 2026 obligations. Do not let the 2027 date pull attention away from them.
  4. Stand up the high-risk controls. Risk management, data governance, logging, human oversight, and technical documentation are engineering work. Build them into the product now so 2027 is a checkpoint, not a rebuild.
  5. Tie it to your data-protection programme. AI governance and GDPR overlap heavily; run them as one workstream so evidence, mapping, and controls are reused, not duplicated.
  6. Name an owner and confirm publication. Assign accountability for the AI Act file, and re-baseline the plan only once the Omnibus appears in the Official Journal.

None of this is legal advice, and the exact obligations depend on your systems, your markets, and the final published text. But the strategic signal is clear: the EU blinked on timing, not on substance. High-risk AI rules are coming, the earliest obligations are already here, and the advantage belongs to teams that engineer for governance now rather than sprinting for a deadline in late 2027.

Frequently asked questions

Did the EU delay the AI Act?

The EU delayed part of it, not the whole Act. On 29 June 2026 the Council gave final approval to the Digital Omnibus, which postpones the high-risk compliance deadline and simplifies some obligations. The AI Act remains in force, and the bans and general-purpose AI rules already applying were not moved.

What is the new EU AI Act high-risk deadline?

Stand-alone high-risk systems in Annex III now apply from 2 December 2027 instead of 2 August 2026; high-risk AI embedded in regulated products under Annex I applies from 2 August 2028. The dates bind only once the regulation is published in the Official Journal.

Which AI Act rules are still in force in 2026?

The prohibited-practice bans from February 2025 and the general-purpose AI obligations from August 2025 were not delayed. A new ban on AI-generated non-consensual intimate imagery and CSAM was added with a transitional period to 2 December 2026, and the grace period for marking AI-generated content was cut from six months to three, giving a 2 December 2026 date.

Does the EU AI Act apply to US companies?

Yes. The Act applies extraterritorially: a US company is in scope if it places an AI system on the EU market or if its system's output is used in the EU, regardless of where it is based. The moved deadline does not change that reach.

What should software teams do with the extra time?

Inventory your AI systems, classify each against the risk tiers, and build the data governance, logging, risk-management, and human-oversight controls high-risk systems require. Ship the 2 December 2026 items first, and design compliance into the product rather than retrofitting it in 2027.

Sources

Council of the EU — Artificial Intelligence: Council gives final green light to simplify and streamline rules, 29 June 2026 (primary source)
Gibson Dunn — EU AI Act Omnibus Agreement: Postponed High-Risk Deadlines and Other Key Changes, 2026
White & Case — EU agrees Digital Omnibus deal to simplify AI rules, 2026