The EU AI Act Is In Force, But Its Hardest Deadlines Just Slid to 2027.

The EU AI Act's high-risk compliance deadline just moved from August 2, 2026 to December 2, 2027, a sixteen-month delay. The Council and Parliament reached a provisional deal on May 7 to defer Annex III obligations (biometrics, employment, education, credit scoring, law enforcement, migration) and pushed Annex I obligations further still, to August 2, 2028, for AI embedded in regulated products like medical devices and machinery. The eight unacceptable-risk prohibitions and the general-purpose AI rules already in force aren't affected. The hardest, most expensive part of the regulation, the part that changes how Anthropic, OpenAI, Google, and the platform-tier providers build for the European market, is now further out than the regulation has been on the books.

The Live Obligations

The Act sorts every AI system that touches the EU market into four risk tiers (unacceptable, high, transparency, and minimal), with obligations that scale tier by tier and bind both providers and deployers regardless of where they are headquartered. It entered into force in August 2024 and rolls out one tier at a time. February 2025 brought the eight unacceptable-risk prohibitions: harmful manipulation, exploitation of vulnerabilities, social scoring, individual criminal-offense prediction, untargeted biometric scraping, emotion recognition in workplaces and schools, biometric categorization to deduce protected characteristics, and real-time remote biometric identification by law enforcement in public spaces. Those are live and enforceable. August 2025 added obligations on general-purpose AI (GPAI) models: transparency on training-data summaries, copyright compliance, and for models above the systemic-risk threshold, adversarial testing, incident reporting, and cybersecurity protections. The Commission's enforcement powers over GPAI providers, including the power to fine, kick in on August 2, 2026, and the Omnibus did not touch that date.

What the Omnibus Pushed

The May 7 deal moves Annex III high-risk obligations to December 2, 2027. Annex I, covering AI built into products already regulated by EU sectoral safety law, moves to August 2, 2028. Both rounds were originally pegged to August 2, 2026; industry lobbying for the delay started as soon as the Commission published its Digital Omnibus proposal in November 2025. The Omnibus also added a new Article 5 prohibition on AI systems generating child sexual abuse material (CSAM) and non-consensual intimate imagery (NCII). The August 2026 date for Article 50(2), which requires generative-AI providers to mark synthetic audio, image, video, and text content as machine-readable, holds; providers with models already on the market get until December 2, 2026 to comply. The provisional agreement still needs Council and Parliament endorsement and legal-linguistic review, but both institutions have said they intend to finalize before August 2.

The reason the Commission moved on a delay isn't subtle. Member states had until August 2, 2025 to designate the national notifying and market surveillance authorities that enforce high-risk rules. As of early 2026, only three had designated both. Ten had pending legislative proposals or one of the two slots filled. Fourteen had done nothing. Conformity assessment bodies, the third-party certifiers who validate that a high-risk system meets the Act's requirements, can't be notified until those national structures exist. Without notified bodies, there's no functioning compliance pipeline for high-risk providers to use, and harmonized technical standards from CEN-CENELEC are still in draft. Pushing the deadline to late 2027 buys the infrastructure time to catch up to the law.

The Penalty Tiers

The fine schedule is what makes the rollout speed matter. Prohibited-practice violations carry fines up to €35 million or 7% of worldwide annual turnover, whichever is higher; high-risk obligation breaches up to €15 million or 3%; misleading information to regulators up to €7.5 million or 1%. The 7% top rate bites hardest on the platform-tier providers, where a single prohibited-practice ruling against OpenAI or Google could outpace any single GDPR fine produced in the eight years that regime has been in force. The €15M / 3% bracket is where most deployers, not just developers, would have lived. That's the tier that just slipped.

Who Owes What, When

For US foundation-model providers, the live obligations are GPAI transparency and copyright (since August 2025) and synthetic-content labeling (August 2026, with a December grace period for legacy systems). The high-risk machinery (deployer risk assessments, dataset-quality documentation, activity logging, human-oversight design, robustness and cybersecurity testing) moves to December 2027 for standalone applications and August 2028 for embedded ones. For deployers (banks running credit-scoring models, hospitals using diagnostic AI, employers using CV-sorting tools), the rules they were budgeting compliance for this August are now a back-half-of-2027 problem. For platform providers, the only near-term binding regime is GPAI, and the Code of Practice is the path of least resistance: signing it creates a presumption of conformity that regulators have to rebut.

The pattern across the full rollout is hard to miss. The prohibitions, which carry the biggest headline fines but cover the smallest universe of systems anyone has shipped, came in on time. The GPAI rules, which the major labs already had policies approximating, came in on time. Every tier that touches working enterprise deployment has been pushed at least once, and the tier that would have shaped how AI gets built into European hiring, lending, and healthcare is now a problem for late 2027. For builders shipping into the EU, the practical answer this month is the same it's been since August 2025: comply with the GPAI rules, label generative content by August, and treat the high-risk regime as a 2027 budget line, not a 2026 one.