Is the EU AI Act Delayed? What Actually Changed in 2026
Partly. The Digital Omnibus agreement would move high-risk Annex III to 2 December 2027 — but it is not yet law. Article 5 bans and GPAI rules are unchanged.
Partly. Regulation (EU) 2024/1689 — the EU AI Act — has not been postponed wholesale. A simplification package known as the Digital Omnibus reached provisional political agreement on 6-7 May 2026, and that agreement moves the high-risk application dates set out in Article 113. But as of June 2026 that change is not yet law.
Until it is published in the Official Journal, the statute legally still reads 2 August 2026 for stand-alone high-risk Annex III systems. And the parts of the Act that bite hardest — the Article 5 prohibitions and the GPAI obligations under Articles 51-55 — were never touched. They remain in force on their original dates.
So "is the EU AI Act delayed?" has a precise answer: one specific layer of obligations has been agreed to move later, that agreement is not binding yet, and most of the live regime is unchanged. This page sets out exactly what moved, what did not, and which dates you should plan against.
Short Answer: Partly Delayed, and Not Yet Law
What 'partly' means in one paragraph
The Digital Omnibus agreement defers the stand-alone high-risk Annex III obligations (the Article 6(2) classification route) from 2 August 2026 to 2 December 2027, and the Annex I product-embedded high-risk obligations (the Article 6(1) route) from 2 August 2027 to 2 August 2028. That is the whole of the delay. The Article 5 prohibited practices, the Article 4 AI literacy duty, the GPAI obligations under Articles 51-55, and most of the Article 50 transparency duties were not deferred. So the honest summary is: one documentation-heavy layer moved later, and everything already live stayed live.
What is agreed vs what is binding today
This is the distinction that most headlines miss. The agreement is real — the COREPER (Council) text was confirmed around 13 May 2026 — but agreement is not enactment. Before the new dates are legally binding, the Digital Omnibus still needs three things:
- A European Parliament plenary vote.
- Formal adoption by the Council.
- Publication in the Official Journal of the European Union.
Until that third step happens, Article 113 of Regulation (EU) 2024/1689 is unchanged on paper. The binding statutory date for stand-alone high-risk Annex III systems is still 2 August 2026. If you are planning a compliance programme, you are planning against an agreed-but-unenacted future date — which is why the legal status of each obligation, not just its date, matters. For the deeper background, see the Digital Omnibus and the 2027 high-risk deadline.
What the Digital Omnibus Actually Changed
The Digital Omnibus is a simplification package that, among several measures, re-times the EU AI Act's high-risk application dates. It does not narrow the substantive obligations — it changes when they bite, not what they require.
Annex III stand-alone high-risk: 2 August 2026 to 2 December 2027
Stand-alone high-risk systems are those classified through Article 6(2) by reference to the use-case list in Annex III — recruitment and HR tools, credit scoring, insurance pricing, biometric identification, education evaluation, and the rest. Their application date moves from 2 August 2026 to 2 December 2027, a deferral of roughly 16 months.
Annex I product-embedded high-risk: 2 August 2027 to 2 August 2028
High-risk AI that is a safety component of a regulated product listed in Annex I — medical devices, machinery, motor vehicles, civil aviation equipment — is classified through Article 6(1). Its application date moves from 2 August 2027 to 2 August 2028.
Why the dates were moved
The deferral targets the documentation-heavy high-risk stack: the Article 9 risk management system, Article 10 data governance, the Article 11 / Annex IV technical documentation, and the Article 43 conformity assessment. These obligations depend on harmonised standards and Commission guidance that were not ready in time. Rather than force providers to build against a moving target, the runway was extended to let that infrastructure mature. Crucially, the deferral softens nothing in substance — the duties are identical, only later. You can trace the full sequence on the full EU AI Act deadline timeline.
The 'Stop the Clock' Proposal Was Rejected — These Are Fixed Dates
What 'stop the clock' would have meant
An earlier idea, nicknamed "stop the clock," would have tied the high-risk start date to the availability of harmonised standards. Under that approach the obligations would only have begun once the standards were finished — making the deadline contingent rather than calendar-based, and open-ended in practice.
That standards-contingent approach was rejected. This matters for how you describe the situation: the delay is not conditional on standards being ready, and it is wrong to tell stakeholders that the obligations "start whenever the standards land."
Why fixed dates change your planning posture
The new dates — 2 December 2027 and 2 August 2028 — are fixed calendar dates. They apply regardless of whether the harmonised standards are complete by then. The practical consequence is firm: you cannot assume a further slip if standards are still incomplete in late 2027. You plan back from a known date, not from an open-ended "whenever." That makes the planning posture clearer, not looser.
What Is NOT Delayed and Is Already in Force
The deferral is narrow. It touches only the high-risk application dates. The already-live layer of the Act is untouched — and a company behind on it is not "early" for 2027, it is non-compliant today.
Article 5 prohibitions (since 2 February 2025)
The Article 5 prohibited practices have applied since 2 February 2025: social scoring by public authorities, untargeted facial-image scraping to build recognition databases, certain biometric categorisation inferring sensitive attributes, subliminal manipulation causing harm, and the other banned uses. These were already unlawful and were not affected by the Digital Omnibus. Review the Article 5 prohibitions already in force if you are unsure whether a system crosses a line.
GPAI Articles 51-55 (since 2 August 2025)
Obligations on providers of general-purpose AI models under Articles 51-55 have applied since 2 August 2025 — technical documentation, downstream information, a copyright policy, and a training-data summary, plus systemic-risk duties for the largest models. The Digital Omnibus did not change them.
Article 50 transparency duties (largely unchanged)
Most Article 50 transparency duties are unchanged: telling a person they are interacting with an AI system, and marking certain AI-generated content. The Article 4 AI literacy obligation, also live since 2 February 2025, was likewise not part of the deferral. None of this layer moved.
A New 2 December 2026 Deadline Appeared
The package did not only push dates back — it added a new obligation date that is easy to miss in headlines about "delay."
CSAM and 'nudifier' ban
From 2 December 2026, the package introduces a ban on AI-generated child sexual abuse material (CSAM) and so-called "nudifier" applications. This is a genuinely new near-term obligation, closer than either of the deferred high-risk dates.
Content-marking and watermarking from 2 December 2026
Content-marking and watermarking obligations for synthetic and AI-generated content also take effect on 2 December 2026, aligned with the ban above. The takeaway is that "the AI Act was delayed" is misleading shorthand: one obligation set was given a new, earlier-in-practice 2026 date while the high-risk layer moved later. The net picture is a re-timing, not a pause.
Before-and-After Deadline Table
Deadlines at a glance
| Obligation | Original statutory date | New agreed date | Current legal status |
|---|---|---|---|
| Article 5 prohibitions | 2 Feb 2025 | unchanged | Binding — in force |
| Article 4 AI literacy | 2 Feb 2025 | unchanged | Binding — in force |
| GPAI provider obligations (Art 51-55) | 2 Aug 2025 | unchanged | Binding — in force |
| CSAM / 'nudifier' ban + content-marking / watermarking | — | 2 Dec 2026 (new) | Agreed — not yet law |
| High-risk Annex III stand-alone (Art 6(2)) | 2 Aug 2026 | 2 Dec 2027 | Agreed — statute still reads 2 Aug 2026 |
| High-risk Annex I product-embedded (Art 6(1)) | 2 Aug 2027 | 2 Aug 2028 | Agreed — not yet law |
Reading the 'legal status' column
The status column is the part to read carefully. "Binding — in force" means the duty applies now and missing it is current non-compliance. "Agreed — not yet law" means the new date has political agreement but no Official Journal publication, so it is not yet enforceable as written. Footnote, restated because it is the whole point: until the Digital Omnibus is published in the Official Journal, the old statutory dates remain the binding law — including 2 August 2026 for stand-alone high-risk Annex III systems.
Why the 18-Month Runway Is Research Time, Not Idle Time
The extra months for high-risk are working time, not a reason to defer all action. Two obligations are already live regardless of the deferral, and the high-risk programme itself is long.
What to do in the runway
- Close the live gaps first. Article 5 and Article 4 apply today. If you are behind on either, that is current non-compliance — start there, not in 2027.
- Inventory and classify every AI system. Determine which fall under Annex III (Article 6(2)) and which are Annex I product-embedded (Article 6(1)), because the two carry different dates.
- Start the long poles now. Build Article 10 data governance and the Article 11 / Annex IV technical documentation while standards and guidance settle — data-governance remediation is consistently the slowest item to fix.
- Stage the conformity evidence ahead of the Article 43 assessment so nothing is compressed into early 2027.
The cost of waiting until 2027
A realistic high-risk programme runs several months. Because the new dates are fixed, not standards-contingent, there is no rational case for waiting on standards to begin — they may never be finished early enough to matter. Compressing the whole programme into the months before 2 December 2027 costs more in external hours and raises the risk of corner-cutting in exactly the hardest-to-fix areas. The runway is the cheap way to comply; the deadline rush is the expensive one. See how enforcement is phasing in and the EU AI Act implementation timeline for the surrounding sequence.
Penalties Have Not Changed
The enforcement and penalty architecture under Article 99 was not altered by the Digital Omnibus. Because penalties are unchanged and the prohibitions are live, the cost of treating "delay" as "pause" is unchanged too.
The three Article 99 tiers
| Tier | Maximum penalty | Applies to |
|---|---|---|
| Top (Art 99(3)) | EUR 35,000,000 or 7% of total worldwide annual turnover | Article 5 prohibited-practice breaches |
| Middle (Art 99(4)) | EUR 15,000,000 or 3% of turnover | Most other operator obligations |
| Third (Art 99(5)) | EUR 7,500,000 or 1% of turnover | Supplying incorrect, incomplete or misleading information to notified bodies or authorities |
The third tier is 1% — never 1.5%. Each tier takes the higher of the fixed amount and the percentage for most undertakings. You can see the tiers worked through in detail in the penalty tiers under Article 99.
The SME and start-up proportional cap
For SMEs and start-ups, Article 99(6) flips the comparison: each fine is capped at the lower of the fixed amount and the percentage figure. The prohibition itself is not reduced — only the ceiling on the fine — so a small company that breaches Article 5 is still acting unlawfully today.
How Confir Helps
Knowing that the high-risk dates moved is only useful once you know which of your systems carries which date. Confir's classification and scoping logic is deterministic and rule-based: it asks plain-English questions about what each AI system does, derives the risk tier under Articles 5 and 6, and separates Annex III stand-alone systems (Article 6(2), agreed for 2 December 2027) from Annex I product-embedded systems (Article 6(1), agreed for 2 August 2028). The engine runs the same logic every time — no model inference, no hallucination, no "AI Draft" guesswork.
From that classification, Confir shows you which obligations are live today (Article 5, Article 4, GPAI Articles 51-55) versus which sit on the deferred high-risk runway, so you start with current non-compliance rather than future paperwork. For high-risk systems it generates the Article 11 / Annex IV technical documentation pack and the Article 47 / Annex V EU Declaration of Conformity, and an immutable audit log records every classification decision and its rationale — the evidence trail an Article 73 or market-surveillance investigation expects. When the Digital Omnibus is finally published, Confir's rule set updates to the enacted dates; until then it surfaces both the agreed date and the binding statutory date so you are never planning against the wrong one.
Frequently Asked Questions
Is the EU AI Act delayed?
Partly. The Digital Omnibus, politically agreed on 6-7 May 2026, moves stand-alone high-risk Annex III obligations from 2 August 2026 to 2 December 2027, and product-embedded high-risk from 2 August 2027 to 2 August 2028. But it is not yet law. The Article 5 prohibitions and the GPAI rules already in force are unchanged.
When does the EU AI Act apply now?
It already applies in part. Article 5 prohibitions and Article 4 AI literacy have applied since 2 February 2025, and GPAI obligations since 2 August 2025. The agreed new high-risk dates are 2 December 2027 (Annex III) and 2 August 2028 (Annex I products), plus a new 2 December 2026 deadline for the CSAM/nudifier ban and content marking.
Is the Digital Omnibus law yet?
No. As of June 2026 the Digital Omnibus is a provisional political agreement, with the COREPER text confirmed around 13 May 2026. It still needs a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal before it becomes binding. Until then, the statute legally still reads 2 August 2026 for high-risk Annex III.
What parts of the AI Act are still in force?
The Article 5 prohibited practices (since 2 February 2025), Article 4 AI literacy duties (since 2 February 2025), GPAI obligations under Articles 51-55 (since 2 August 2025), and most Article 50 transparency duties remain in force and were not deferred. The Digital Omnibus only re-times the high-risk application dates.
Did the AI Act high-risk deadline move?
It has been agreed to move, but not yet in law. Stand-alone high-risk Annex III systems (Article 6(2)) would shift from 2 August 2026 to 2 December 2027, and Annex I product-embedded high-risk (Article 6(1)) from 2 August 2027 to 2 August 2028. Until Official Journal publication, 2 August 2026 remains the binding statutory date.
Is the EU AI Act high-risk delay tied to harmonised standards?
No. An earlier 'stop the clock' proposal would have linked the high-risk start date to the availability of harmonised standards, but that approach was rejected. The new dates — 2 December 2027 and 2 August 2028 — are fixed calendar dates that apply regardless of whether the standards are finalised by then.
What are the EU AI Act penalties in 2026?
Penalties are unchanged. Article 99 sets up to EUR 35 million or 7% of worldwide turnover for Article 5 breaches, up to EUR 15 million or 3% for most other obligations, and up to EUR 7.5 million or 1% for supplying incorrect or misleading information to authorities. SMEs and start-ups are capped at the lower figure.