Regulatory guide
The EU AI Act timeline just changed. Here is what moved and what did not.
In June 2026 the EU finished adopting the Digital Omnibus on AI: the European Parliament voted it through 423 to 57 on June 16, and the Council gave its final green light on June 29, with publication in the Official Journal expected shortly after. Once in force, the headline high-risk obligations move to December 2, 2027 (standalone Annex III systems) and August 2, 2028 (AI embedded in regulated products). But August 2, 2026 did not become a free pass: core transparency obligations under Article 50 still apply from that date, enforcement powers activate, and until the Omnibus is actually published, the original timeline technically remains the legal baseline.
What the Omnibus changed
The Digital Omnibus on AI amends Regulation (EU) 2024/1689 in targeted ways. Standalone high-risk AI systems under Annex III, which covers areas like recruitment, credit scoring, education, and law enforcement tools, now must comply by December 2, 2027 instead of August 2, 2026. High-risk AI embedded in regulated products under Annex I, such as medical devices and machinery, moves to August 2, 2028. Generative AI systems already on the market before August 2, 2026 get a grace period on machine-readable watermarking until December 2, 2026. The national regulatory sandbox deadline shifts to August 2, 2027. And a new prohibition enters Article 5: AI systems that generate non-consensual intimate imagery or child sexual abuse material are banned as of December 2026.
What did not move
Three things still land on August 2, 2026. First, the core transparency obligations of Article 50: telling people when they are interacting with an AI system and disclosing deepfakes. Second, market surveillance and enforcement powers activate across member states, ending the guidance-only era for obligations already in effect. Third, nothing about the earlier waves changes: prohibited practices have applied since February 2, 2025, and general-purpose AI model obligations since August 2, 2025. Penalties scale up to 35 million euros or 7 percent of global turnover for prohibited practices, and 15 million euros or 3 percent for most other violations. The Act reaches any provider or deployer whose AI output is used in the EU, wherever the company sits.
The one-sentence rule for right now
Until the Omnibus is published in the Official Journal, the original AI Act timeline remains the legal baseline, so a company that demobilized its compliance program in July 2026 would be betting on a text that is not yet law. Publication is expected imminently and the new dates are the sensible planning baseline, but the disciplined posture is to treat the extra time as room to build properly, not permission to stop. That is not our opinion alone; it is the consistent guidance across the major law firm analyses linked below.
What the Act asks for that no delay changes
Strip the dates away and the high-risk obligations are stable: risk management, technical documentation, record-keeping and logging, transparency, and effective human oversight. Those are not novel demands to us; they are the shape of what we already operate in public. Receipts are record-keeping made checkable: append-only, hash-linked entries for actions, denials, and corrections. Tiered human oversight with quotas and a kill switch is Article 14's demand rendered as working infrastructure rather than a policy paragraph. The audit trail standard shows the whole evidence layer, and the checkable AI definition explains why publishing it beats promising it. None of this makes anyone EU AI Act compliant by itself, and we do not claim otherwise. It is the documentation discipline the Act keeps pointing at, running live where you can verify it.
Sources
Primary sources: the Council press release of June 29, 2026, the European Commission's AI Act Service Desk timeline, and the Future of Life Institute's implementation timeline. Last verified: July 8, 2026; this area is moving, so check the sources for anything after that date. This page is plain-language education, not legal advice; for compliance decisions, consult counsel. Related reading: the NIST AI RMF explainer, ISO/IEC 42001 explained, and the procurement checklist.