What already applies, what was postponed, and what to do next
In May 2026 the EU's “Digital Omnibus” pushed the high-risk deadlines further out. But several core obligations are already legally binding today. This guide separates what is in force now from what you have more time for — and shows how to put the extra runway to good use instead of standing still.
Last updated: June 2026 — not legal advice
The EU AI Act (Regulation (EU) 2024/1689) has been in force since August 2024 and applies in phases. On 7 May 2026 the Council, Parliament and Commission agreed on the “Digital Omnibus” — a reform package that significantly delays the obligations for high-risk AI. Formal adoption is still pending, but the political deal is done. The key point: this is not the all-clear. Several duties have been binding since 2025 and are not being postponed.
The AI Act does not land all at once — it phases in. After the Omnibus agreement, the roadmap looks like this:
The postponed high-risk deadlines are conditional on formal adoption of the Digital Omnibus. Until it is published in the EU Official Journal, the original deadline (August 2026) legally remains the reference point — so track the change and document the assumption in your own planning.
The AI Act does not regulate “AI” as a blanket category — it regulates by risk. Which class your system falls into determines your obligations:
The AI Act distinguishes between the “provider” (who develops an AI system or places it on the market under their own name) and the “deployer” (who uses an AI system in a professional capacity). Most mid-market companies are deployers — and often underestimate that this role carries duties too. But adapt a system substantially, or pass it on under your own brand, and you can become a provider yourself.
Establish your role per system first — it drives the entire set of obligations. When in doubt, for instance when fine-tuning or white-labelling third-party models, check early whether you cross over into being a provider.
Yes, as a deployer. Even if you only use AI rather than build it, the AI-literacy duty and transparency rules apply. On top of that, using such cloud tools overlaps with the GDPR the moment personal data flows into your prompts.
Neither fully scrapped nor entirely postponed. The May 2026 Digital Omnibus moves the high-risk obligations to 2027/2028 but leaves the existing bans, GPAI rules and literacy duties untouched. Formal adoption of the delay is still pending.
For prohibited practices, up to EUR 35 million or 7% of global annual turnover. For breaches of other obligations, up to EUR 15 million or 3%. For supplying incorrect information to authorities, up to EUR 7.5 million or 1%.
No. Building risk management, documentation and data governance takes months. The extended deadline is a buffer, not a reason to defer — and most of the work pays into GDPR and IT security anyway.
They interlock. As soon as AI processes personal data, both apply. A clean GDPR foundation — legal basis, data minimisation, data-subject rights — is often half the battle for AI Act conformity. Our GDPR-compliant-AI guide complements this overview.
We map your AI landscape into the risk classes, clarify your role as provider or deployer, and show which steps matter now — GDPR-compliant and without the hype.
Or start with our structured AI potential and compliance analysis.
Go to the AI readiness analysis