EU AI Act August 2026: What's delayed and what still applies
TL;DR: The May 7, 2026 provisional agreement delayed high-risk AI system obligations by roughly 16 months (to around December 2027), but it did not touch three obligation sets that still apply: the prohibited-practices ban (in force since February 2, 2025), GPAI provider obligations (since August 2, 2025), and Article 50 transparency rules for chatbots, deepfakes, and AI-generated content (from August 2, 2026). The delay is provisional and not yet formally adopted, so do not treat it as final.
On May 7, 2026, EU institutions reached a provisional political agreement to delay compliance requirements for high-risk AI systems by approximately 16 months. The announcement spread quickly, and many compliance teams drew the wrong conclusion: that nothing under the AI Act applies until 2027 or 2028. That reading is wrong. Three significant sets of obligations still apply from August 2, 2026, unchanged by the May agreement. This article separates what changed from what did not, with a decision table covering each major obligation.
One clarification before the details: the May 7 agreement is provisional. As of late May 2026, it has not been formally adopted by the Council or published in the Official Journal. The high-risk delay is widely expected to hold, but it is not yet law. Treating it as finalized would be a mistake.
What the May 7 agreement actually changed
The May 7 political agreement extended compliance deadlines specifically for "Annex III" high-risk AI system deployer obligations. Under the original AI Act text, deployers of systems classified as high-risk under Annex III had to meet a series of requirements by August 2, 2026: conformity assessments, technical documentation, post-market monitoring, human oversight measures, and logging. The provisional agreement pushes all of those obligations to approximately December 2, 2027, a 16-month extension.
What the agreement did not touch: Article 50 transparency requirements (applying August 2, 2026), GPAI model provider obligations (already in force since August 2, 2025), and the prohibited AI practices ban (in force since February 2, 2025). These were always on separate tracks and were not part of the May 7 negotiation.
The confusion is understandable. Media coverage used headlines like "EU delays AI Act" without specifying that the delay applies to one category of obligations. Some outlets conflated this with the separate EU Digital Omnibus proposal (which also proposed extensions for certain requirements), adding another layer of ambiguity. The two are different instruments. The Digital Omnibus proposal was still moving through EU legislative process as of late May 2026 and is not yet law in any form.
For practical compliance planning: ignore the headlines and read the specific provisions. The August 2, 2026 date still matters for most businesses that deploy AI.
What still applies on August 2, 2026
Article 50: Transparency obligations (not delayed)
Article 50 is the provision most businesses need to act on before August 2. It applies to any company deploying an AI system that directly interacts with people, and it covers four specific situations.
First, chatbots and conversational AI must inform users they are interacting with an AI system. The requirement applies unless it is obvious from the context. "Obvious from context" is not a broad exception; a customer service chat interface that looks like a human agent does not qualify. A system clearly labeled "AI Assistant" in the interface likely does. The disclosure must happen at the beginning of the interaction, not buried in a terms of service.
Second, AI systems that generate deepfakes (synthetic video, audio, or images of real people) must label the output as AI-generated. The labeling must be machine-readable. There is no exception for satire or artistic use under Article 50, though other EU rules (including copyright law) address those contexts separately.
Third, AI emotion recognition and biometric categorization systems must inform the persons being analyzed. If your HR platform uses behavioral analysis or emotion inference, your employees must be told the system is running and what it assesses.
Fourth, AI-generated video, audio, images, and text intended for public dissemination must carry machine-readable attribution. This goes beyond deepfakes. Marketing content, PR materials, and public-facing media that were generated by AI fall within scope if they are meant for broad distribution. The C2PA (Coalition for Content Provenance and Authenticity) standard is the leading technical implementation for machine-readable content provenance.
Who this affects in practice: any business with an AI customer service chatbot, any tool generating marketing video or audio, any HR system using emotion or behavioral analysis, and any publisher distributing AI-generated images or video at scale.
GPAI model providers (already in force)
The General Purpose AI Model (GPAI) provider requirements technically applied from August 2, 2025 and are already in effect. These apply to companies that develop and make available general-purpose AI models to downstream users, not to companies that simply deploy an API.
GPAI providers must have three things in place. First, technical documentation and transparency information that gives downstream deployers what they need to understand the model's capabilities and limitations. Second, a copyright compliance policy summarizing how training data was handled and what opt-out mechanisms are in place for rights holders. Third, a systemic risk assessment for GPAI models trained with more than 10^25 FLOPs, the threshold that identifies frontier-class models.
If your company uses a third-party AI API (OpenAI, Anthropic, Google, Mistral, and so on), your vendor bears the GPAI provider obligations, not you. What you should do is ask your vendor to confirm they are meeting GPAI requirements and keep that confirmation on file. Your vendor's GPAI compliance is part of your supply chain risk posture.
Prohibited practices (mostly already in effect)
Several prohibited AI practices have been in force since February 2, 2025. The remaining prohibitions take effect August 2, 2026. Combined, the full prohibited practices list covers:
Social scoring systems operated by public or private entities are prohibited. AI systems that manipulate people through subliminal or deceptive techniques, or that exploit vulnerabilities related to age, disability, or economic situation, are prohibited. Real-time remote biometric identification in publicly accessible spaces is prohibited, with narrow exceptions for law enforcement under judicial authorization. Emotion inference in workplaces and educational institutions is prohibited. Predictive policing based solely on profiling individuals without objective and verifiable facts linked to a specific crime is prohibited.
These prohibitions apply regardless of the May 7 provisional agreement and apply to any organization whose AI systems affect EU residents, including non-EU companies.
What is delayed until approximately December 2027
The table below covers the major obligations from the original AI Act text that the May 7 provisional agreement is expected to push to December 2027.
| Obligation | Original deadline | Expected new deadline | Status |
|---|---|---|---|
| High-risk AI system conformity assessment (Annex III) | August 2, 2026 | ~December 2, 2027 | Delayed (provisional) |
| Technical documentation for high-risk systems | August 2, 2026 | ~December 2, 2027 | Delayed (provisional) |
| Post-market monitoring for high-risk deployers | August 2, 2026 | ~December 2, 2027 | Delayed (provisional) |
| Human oversight requirements (Article 26) | August 2, 2026 | ~December 2, 2027 | Delayed (provisional) |
| Deployer logging requirements (Article 26) | August 2, 2026 | ~December 2, 2027 | Delayed (provisional) |
| Fundamental rights impact assessments (Article 27) | August 2, 2026 | ~December 2, 2027 | Delayed (provisional) |
The December 2027 date is not final. The provisional agreement must clear a formal Council adoption vote and be published in the Official Journal before the amended deadlines become binding. That process typically takes several months. Teams managing high-risk AI compliance should continue tracking the EU AI Office's official register rather than relying on press coverage.
Who needs to act before August 2, 2026
If you run AI chatbots, virtual assistants, or any AI that talks to users:
Add a disclosure at the start of interactions. "This response is generated by an AI assistant" meets the requirement. Review any chatbot marketing copy that implies human interaction. Update your privacy notices if they do not already describe the AI systems you deploy. This is not a high-cost change; most chat platforms support custom system prompts or disclosure banners that can be deployed in days.
If you generate AI content for public distribution:
Implement C2PA or equivalent machine-readable marking on AI-generated images and video before they go out. Add visible labels on deepfakes and synthetic media. The content pipeline review matters here. If your marketing team is using AI image tools and publishing to social media or press materials, you need a process that captures those outputs and ensures they carry attribution before publication.
If you are a GPAI model provider:
Finalize technical documentation, publish your copyright compliance summary, and complete your systemic risk assessment if your model's training compute exceeds the 10^25 FLOP threshold. These are not small tasks for frontier model providers, but most smaller organizations fall below the frontier model threshold and only need the documentation and copyright policy.
If you are a US or UK company with EU customers:
The same requirements apply to you. The AI Act has explicit extraterritorial reach: if your AI system affects EU users or EU employees, you are in scope. The prohibition on real-time biometric identification, the Article 50 transparency rules, and the GPAI provider obligations do not have a geographic carve-out for non-EU companies.
If you were preparing for high-risk compliance and now it's delayed, should you stop?
No, and there are three concrete reasons.
The first is legal certainty. The delay is provisional. The formal Council vote could alter the timeline, and the Digital Omnibus proposal adds another variable. Building compliance documentation now is cheaper than rebuilding it under time pressure in Q3 2027.
The second is overlap with other laws. UK AI regulation, Texas TRAIGA (effective January 1, 2026), and Colorado SB 24-205 as amended by SB 26-189 (signed May 14, 2026, with the effective date moved to January 1, 2027) all have overlapping requirements around AI risk assessment, human oversight, and documentation. The compliance work is not wasted; it maps to multiple frameworks simultaneously.
The third is institutional readiness. Companies that have never documented their AI systems, mapped their risk levels, or implemented human review processes cannot do so quickly when a deadline arrives. The organizations that use the delay productively are the ones that will be able to demonstrate a compliance posture when the December 2027 date becomes enforceable.
What to do in the next 30 days
Start with an inventory. List every AI system your company uses or deploys that touches EU users, EU employees, or processes EU personal data. For each one, answer two questions: does it interact with people directly, and does it generate content for public distribution? Those two questions determine your August 2 exposure.
For any chatbot or conversational AI you operate, write and deploy a disclosure. This should be done in the next two weeks, not the next thirty days. The lead time is minimal and the risk of not having it in place is real.
For AI-generated content pipelines, audit what is going out and whether it carries machine-readable attribution. If not, implement a labeling step before August 2.
For your vendor relationships, send a short questionnaire to your AI API providers asking for their Article 50 and GPAI compliance confirmation. File the responses. If a vendor cannot confirm compliance, that is a supply chain risk you need to document.
For high-risk AI compliance work that was already underway, do not dismantle it. Adjust your internal deadline to Q4 2027, but keep the documentation current and the process running. A team that already has logging and human oversight in place faces minimal incremental work when December 2027 arrives.
Related reading: EU AI Act GPAI compliance checklist, August 2 deadline | EU AI Act Article 50 watermarking and deepfake disclosure | AI regulation deadline calendar 2026
Related Reading
- EU AI Act GPAI compliance checklist, August 2 deadline
- EU AI Act Article 50 watermarking and deepfake disclosure
- EU AI Act compliance guide for small teams
- Board AI governance reporting template 2026
- AI regulation deadline calendar 2026
- Colorado AI Act SB 189 employer guide 2027
- EU AI Act GPAI Code of Practice final June 2026
- EU AI Act SME sandbox support measures 2026
- EU AI Act conformity assessment process 2026
- One Big Beautiful Bill AI preemption 2026
- EU AI Act GPAI codes of conduct 2026
