For many companies, the EU AI Act used to have one major planning date:
2 August 2026 — the date when many high-risk AI obligations were expected to start applying.
That timeline is now more complicated.
In May 2026, EU institutions moved toward delaying some high-risk AI Act obligations through the Digital Omnibus package. The Council of the EU announced a political agreement on 7 May 2026 to simplify and streamline AI rules, noting that high-risk AI provisions were originally due to enter into force on 2 August 2026.
At the same time, the European Commission published draft guidelines on high-risk AI classification in May 2026 and opened a consultation until 23 June 2026. The guidelines are meant to help providers, deployers, authorities, and other stakeholders determine whether an AI system is high-risk under Article 6 of the AI Act.
The practical message for companies is not "AI Act delayed, ignore it."
The practical message is:
Some deadlines may move, but classification, inventory, governance, documentation, and evidence work should start now.
1. The original AI Act timeline
The EU AI Act entered into force in 2024 and applies progressively. The Commission's AI Act overview explains that prohibited practices and AI literacy rules applied from 2 February 2025, GPAI obligations began from 2 August 2025, and transparency rules are due to apply from August 2026.
The Commission's AI Act implementation timeline also states that the Act applies progressively, with full rollout originally foreseen by 2 August 2027.
A simplified original timeline looked like this:
| Date | Original AI Act milestone |
|---|---|
| 2 February 2025 | General provisions, AI literacy, and prohibited AI practices started applying |
| 2 August 2025 | Governance rules and GPAI model obligations started applying |
| 2 August 2026 | Many obligations for high-risk AI systems, transparency obligations, and governance provisions expected to apply |
| 2 August 2027 | Further high-risk obligations for systems linked to regulated products expected to apply |
| 2030 | Special timeline for certain AI systems in large-scale EU IT systems |
This phased model remains important because not everything is affected in the same way by the 2026 Omnibus changes.
2. What the 2026 Digital Omnibus changed
The Digital Omnibus is a simplification package affecting digital regulation, including the AI Act. The key AI Act issue is the timing of high-risk obligations.
Reliable coverage of the May 2026 agreement reports two major planning dates:
| AI system type | Previous planning date | New planning baseline reported after Omnibus agreement |
|---|---|---|
| Standalone Annex III high-risk AI systems | 2 August 2026 | 2 December 2027 |
| High-risk AI embedded in Annex I regulated products | 2 August 2027 | 2 August 2028 |
ITPro reported that, following the political agreement on the AI Omnibus, rules for areas like biometrics and border control are set to take effect on 2 December 2027, while product-integrated systems must comply by 2 August 2028.
VerifyWise similarly summarizes the May 2026 agreement as moving Annex III standalone high-risk obligations to 2 December 2027 and high-risk AI embedded in Annex I regulated products to 2 August 2028, while noting that formal adoption was still pending at the time of publication.
Pinsent Masons also reported that high-risk AI rules would take effect from late 2027 rather than summer 2026 if the new deal is adopted.
For compliance planning, this means the timeline is now split:
| Area | Practical status in 2026 |
|---|---|
| Prohibited AI practices | Already active |
| AI literacy | Already active |
| GPAI obligations | Already active from 2025 for relevant providers |
| Transparency obligations | Still important for August 2026 planning |
| High-risk Annex III systems | Expected to move to December 2027 under Omnibus planning |
| High-risk AI in regulated products | Expected to move to August 2028 under Omnibus planning |
3. What did not change
The most dangerous interpretation is:
"The AI Act was delayed."
That is too broad.
The Omnibus does not erase the AI Act. It mainly affects parts of the high-risk implementation timeline.
The following areas still matter now:
| Area | Why it still matters |
|---|---|
| Prohibited AI practices | These started applying in February 2025 and are not simply postponed by the high-risk delay |
| AI literacy | Organizations using AI must still build internal competence and awareness |
| GPAI obligations | Providers of general-purpose AI models have obligations that started from August 2025 |
| Transparency duties | The Commission still describes transparency rules as coming into effect in August 2026 |
| Risk classification | Companies still need to know whether their system is prohibited, high-risk, transparency-risk, GPAI-related, or lower-risk |
| GDPR | AI processing of personal data remains subject to GDPR regardless of AI Act timing |
| Product liability and sector law | Medical, employment, credit, consumer, cybersecurity, and discrimination rules may still apply |
The Commission's AI Act overview still describes transparency obligations for certain AI systems, including identifying AI-generated content and labelling deepfakes or certain public-interest AI-generated text.
So the correct planning sentence is:
Some high-risk AI system obligations are being delayed, but AI governance obligations and related legal risks continue.
4. Why the delay happened
The official and legal commentary around the Omnibus describes it as a simplification and streamlining effort. The Council press release frames the May 2026 agreement as an effort to simplify and streamline AI rules while treating the high-risk timeline with priority because the original date was close.
The policy background is that companies, industry groups, and some governments argued that businesses needed more time because guidance, standards, and conformity assessment infrastructure were not ready enough for the original 2026 deadline.
This creates a real compliance problem:
| Problem | Why it matters |
|---|---|
| Classification uncertainty | Companies may not know whether a system is high-risk |
| Missing harmonised standards | It is harder to prove compliance consistently |
| Late guidance | High-risk classification guidelines appeared only in draft form in May 2026 |
| Limited notified body capacity | Product-integrated AI may depend on external conformity assessment |
| Enterprise AI sprawl | Many companies have AI systems deployed without a central inventory |
The May 2026 draft high-risk guidelines are therefore important even before final obligations apply. They help organizations build the classification logic they will need later.
5. What SaaS teams should do now
The delay gives teams more time, but not a reason to wait.
A SaaS company should use 2026 to build the foundation.
Step 1: Create an AI system inventory
List every AI feature, model, workflow, automation, or customer-facing AI capability.
For each system, record:
| Field | Example |
|---|---|
| System name | AI Candidate Summary Assistant |
| Owner | Product team / engineering lead |
| Model type | LLM, classifier, recommender, vision model |
| Provider | Internal, OpenAI, Anthropic, Google, open-source |
| Inputs | CVs, tickets, user messages, images, logs |
| Outputs | Scores, summaries, recommendations, decisions |
| Users | Internal staff, customers, applicants, students |
| Affected persons | Employees, candidates, consumers, citizens |
| Deployment status | Prototype, beta, production |
| EU exposure | EU users, EU customers, EU market |
Without inventory, classification is impossible.
Step 2: Classify risk
Every system should be classified into one of these categories:
| Category | Meaning |
|---|---|
| Prohibited AI risk | Potentially banned or severely restricted |
| High-risk under Article 6(1) | Product safety route |
| High-risk under Article 6(2) / Annex III | Sensitive use-case route |
| Transparency obligation | Users must be informed they interact with AI, or content must be labelled |
| GPAI-related | You provide or integrate general-purpose AI models |
| Lower/minimal risk | No specific AI Act obligations, but governance still recommended |
The May 2026 draft guidelines are especially relevant to Article 6 high-risk classification.
Step 3: Identify Annex III exposure
Most SaaS teams should check Annex III first.
High-risk indicators include AI used for:
| Domain | Example |
|---|---|
| Employment | Hiring, ranking, promotion, performance monitoring |
| Education | Admission, exam scoring, proctoring |
| Credit and essential services | Eligibility, scoring, prioritisation |
| Biometrics | Identification, categorisation, emotion recognition |
| Law enforcement | Risk assessment, evidence support |
| Migration and border control | Visa, asylum, identity checks |
| Justice and democratic processes | Legal decision support, election influence |
This classification should be reviewed by legal, product, engineering, and customer-facing teams.
Step 4: Document intended purpose
High-risk classification depends heavily on intended purpose.
A product marketed as "AI for HR decisions" has a different risk profile than a general writing assistant, even if both use similar LLM technology.
Document:
| Evidence | Why it matters |
|---|---|
| Product spec | Shows designed use |
| Marketing claims | Shows promoted use |
| Customer docs | Shows expected deployment |
| UI copy | Shows user interpretation |
| API docs | Shows technical capability |
| Sales deck | Shows commercial positioning |
| Terms of service | Shows prohibited uses |
This prevents "classification drift", where the product evolves into a high-risk use case without formal reassessment.
Step 5: Start documentation early
Even if deadlines move, documentation takes time.
Prepare:
| Document | Purpose |
|---|---|
| AI inventory | Knows what exists |
| Classification memo | Explains legal risk category |
| Risk assessment | Identifies harms and mitigations |
| Data governance record | Shows data sources and quality controls |
| Evaluation report | Measures accuracy, robustness, bias, and failure modes |
| Human oversight design | Shows how humans review and override |
| Logging specification | Supports traceability and auditability |
| Incident process | Handles failures, complaints, and serious incidents |
| Change control | Reassesses classification after major updates |
These artifacts are useful even if your product ultimately remains lower-risk.
6. What high-risk teams should prioritize before 2027
Teams with likely high-risk systems should not wait until late 2027.
High-risk compliance is a system, not a document.
6.1 Risk management system
High-risk AI systems require lifecycle risk management. That means identifying risks, evaluating them, mitigating them, testing controls, and monitoring the system after deployment.
Build a risk register around:
| Risk type | Example |
|---|---|
| Fundamental rights | Discrimination in hiring or credit |
| Safety | Incorrect decision support in health or infrastructure |
| Security | Prompt injection, model manipulation, data leakage |
| Accuracy | Wrong recommendations or false classifications |
| Automation bias | Humans over-trust system output |
| Transparency | Users do not understand AI involvement |
| Data quality | Biased, incomplete, or outdated data |
| Drift | Performance changes after deployment |
6.2 Evaluation and testing
Create repeatable tests before launch.
For SaaS teams, this means:
| Test type | Example |
|---|---|
| Functional tests | Does output format match specification? |
| Accuracy tests | Does the system meet defined performance thresholds? |
| Robustness tests | Does it fail safely on noisy or adversarial input? |
| Bias tests | Are error rates different across protected or sensitive groups? |
| Explainability tests | Can users understand why output was produced? |
| Human oversight tests | Can reviewers override or stop the system? |
| Logging tests | Are inputs, outputs, model versions, and decisions traceable? |
| Abuse tests | Can users push the AI into unsafe behavior? |
The AI Act official text requires high-risk systems to meet appropriate accuracy, robustness, and cybersecurity requirements, and to be designed so their operation is sufficiently transparent for deployers.
6.3 Human oversight
Human oversight cannot be fake.
A real oversight design should specify:
| Question | Good answer |
|---|---|
| Who reviews AI output? | Named role or team |
| When do they review? | Before the decision affects a person |
| What information do they see? | Output, confidence, limitations, evidence |
| Can they override? | Yes |
| Can they stop the system? | Yes |
| Are they trained? | Yes, with AI literacy and domain training |
| Is override logged? | Yes |
| Is automation bias addressed? | Yes |
A dashboard with "human in the loop" is not enough if the human cannot understand, challenge, or override the system.
7. What lower-risk teams should still do
Even if your system is not high-risk, you still need governance.
For example:
| AI feature | Likely category | Still needed |
|---|---|---|
| Support chatbot | Usually lower-risk or transparency-risk | User notice, hallucination testing, escalation |
| Marketing copy generator | Usually lower-risk | Copyright, brand safety, misleading claims control |
| Internal summarizer | Usually lower-risk | Confidentiality, data leakage, access control |
| Code assistant | Usually lower-risk | Security review, license review, developer oversight |
| Recommendation widget | Context-dependent | User profiling, GDPR, fairness review |
The AI Act does not replace GDPR, consumer protection, confidentiality, cybersecurity, or sector rules.
A lower-risk AI feature can still create legal or business risk if it leaks personal data, generates discriminatory content, misleads users, or makes unsupported claims.
8. The compliance trap: waiting for final certainty
Many teams are waiting for final standards, final guidance, final templates, and final deadlines.
That is risky.
The parts that are uncertain:
| Uncertain area | Why it matters |
|---|---|
| Final Omnibus adoption details | Some dates or wording may still shift |
| Final high-risk guidelines | Draft guidance may change after consultation |
| Harmonised standards | Technical compliance expectations may become clearer later |
| Enforcement practice | Authorities will develop interpretation over time |
The parts that are already clear:
| Clear area | What you can do now |
|---|---|
| AI systems must be inventoried | Build the inventory |
| Intended purpose matters | Document it |
| Annex III domains are sensitive | Map your systems |
| Human oversight matters | Design it |
| Accuracy and robustness matter | Test them |
| Transparency matters | Inform users clearly |
| GDPR still applies | Assess personal data processing |
| Evidence matters | Keep records |
Do not wait for legal certainty to start engineering discipline.
9. Updated AI Act planning roadmap for 2026–2028
A practical roadmap:
| Period | What to do |
|---|---|
| Q2 2026 | Build AI inventory, map systems to risk categories, identify obvious high-risk candidates |
| Q3 2026 | Review transparency obligations, update user notices, label AI interactions/content where required |
| Q4 2026 | Create classification memos for all AI systems; build high-risk readiness plan |
| H1 2027 | Implement evaluation, logging, human oversight, data governance, and risk controls |
| H2 2027 | Run internal audits, fix gaps, prepare high-risk evidence package |
| 2 December 2027 planning date | Be ready for Annex III high-risk obligations if the Omnibus timeline applies |
| 2028 | Prepare product-integrated high-risk AI systems for conformity and sector-specific requirements |
| 2 August 2028 planning date | Be ready for high-risk AI embedded in regulated Annex I products if Omnibus timeline applies |
This roadmap assumes the Omnibus planning dates are used, but companies should keep monitoring the final legal text.
10. Practical checklist
Use this checklist now.
| Question | Status |
|---|---|
| Do we have a complete inventory of AI systems? | |
| Have we identified all systems used in the EU or offered to EU customers? | |
| Have we checked prohibited AI practices? | |
| Have we checked whether each system falls under Article 6(1)? | |
| Have we mapped each system against Annex III? | |
| Have we documented intended purpose? | |
| Have we checked whether the system profiles natural persons? | |
| Have we identified transparency obligations for chatbots, deepfakes, and AI-generated content? | |
| Have we identified GPAI dependencies? | |
| Have we defined human oversight for risky systems? | |
| Have we created evaluation tests for accuracy, robustness, and bias? | |
| Have we created logging and monitoring requirements? | |
| Have we documented classification decisions? | |
| Have we assigned owners for AI Act compliance? | |
| Are we monitoring final Omnibus adoption and Commission guidance? |
Conclusion
The 2026 Omnibus changes give companies more time for some high-risk AI Act obligations, especially Annex III systems and product-integrated systems.
But the delay is not a compliance holiday.
The AI Act is already partially active. Prohibited practices, AI literacy, GPAI obligations, and transparency planning remain relevant. The European Commission has also published draft high-risk classification guidelines and opened consultation, which means classification work is becoming more concrete, not less.
The safest planning principle is:
Use the delay to build evidence, not excuses.
A serious AI compliance program in 2026 should already know:
- what AI systems exist,
- what they are intended to do,
- whether they affect people,
- whether Annex III applies,
- whether profiling occurs,
- what transparency duties apply,
- what testing exists,
- what human oversight exists,
- what documentation proves the decision.
The deadline may move.
The work should not.
Sources
- Council of the EU, Artificial Intelligence: Council and Parliament agree to simplify and streamline rules, 7 May 2026.
- European Commission, AI Act: Shaping Europe's digital future, implementation overview.
- European Commission AI Act Service Desk, Timeline for the Implementation of the EU AI Act.
- ITPro, European Commission opens public consultation on draft high-risk AI guidelines, May 2026.
- VerifyWise, EU AI Act omnibus: what changed on 7 May 2026 and what changed, May 2026.
- Pinsent Masons, Rules on high-risk AI to be delayed under EU omnibus deal, May 2026.