EU AI Act 2026: What the Digital Omnibus Delayed, and What Still Applies This August
By Jean-Hugues Migeon
On 29 June 2026, the Council of the EU gave its final approval to the Digital Omnibus on AI, the first substantive amendment to the EU AI Act since it was adopted in 2024. The change has since entered into force following publication in the Official Journal. For anyone tracking the AI Act, this settles months of speculation: the high-risk obligations that were due to apply from 2 August 2026 have been formally postponed, while the transparency and general-purpose AI enforcement wave still lands on schedule this August.
The result is a two-speed timeline that is easy to misread. Several widely cited reference pages have not yet caught up with the new law, and a quick glance at them will tell you everything applies in August 2026. That is no longer correct. This article sets out, clearly, what has been delayed, what has not, the legal mechanism behind the change, and what risk, compliance, and audit teams should be doing about it now.
The short version
The core enforcement date of 2 August 2026 still stands for chatbot and transparency duties and for the power to fine general-purpose AI providers. What moved is the high-risk regime: obligations for stand-alone high-risk systems now apply from 2 December 2027, and high-risk AI embedded in regulated products from 2 August 2028. The Act's risk tiers, penalty levels, and overall architecture are otherwise unchanged, and two new prohibitions were added on top.

What is already in force and unchanged
Three tranches of the AI Act were already live before the Omnibus, and none of them were touched by it.
- Prohibited practices and AI literacy (since 2 February 2025). The bans on social scoring, manipulative or subliminal techniques, untargeted scraping of facial images, and most real-time remote biometric identification in public spaces have applied since February 2025, alongside the AI literacy duty. Breaches carry the heaviest penalties in the Act, up to 35 million euros or 7 percent of global annual turnover.
- General-purpose AI model obligations (since 2 August 2025). Providers of general-purpose AI models have had to maintain technical documentation, publish a copyright policy and a summary of training data, and, for the most capable models, assess and mitigate systemic risk. These substantive duties have been in place for almost a year.
- Governance and penalty provisions (since 2 August 2025). The AI Office and the AI Board, the rules on notified bodies, confidentiality, and the penalty provisions themselves all became operational in August 2025.
What still applies on 2 August 2026
Two important obligations were left exactly where they were, which is why the "chatbot rules go live" framing in the recent headlines is accurate.
- Article 50 transparency duties. From 2 August 2026, organizations must tell people when they are interacting with an AI system such as a chatbot, label deepfakes and other synthetic media, and disclose the use of emotion recognition or biometric categorization. New systems must apply these rules from day one. This is not delayed.
- Enforcement teeth for general-purpose AI. The AI Office's ability to actually fine general-purpose AI providers becomes exercisable on 2 August 2026, closing the initial grace period during which the substantive obligations applied but the fining power was held back. Signing the general-purpose AI Code of Practice, which around two dozen providers have done, is not a substitute for compliance once fines are on the table.
What the Digital Omnibus delayed
The postponements all flow from the same instrument and target the high-risk regime, which is the most operationally demanding part of the Act.
- Stand-alone high-risk systems (Annex III): from 2 August 2026 to 2 December 2027. This covers AI used in areas such as employment and hiring, credit scoring, education, access to essential services, law enforcement, migration, administration of justice, and biometrics. The delayed obligations include conformity assessment, CE marking, the Article 17 quality management system, technical documentation, and registration in the EU database.
- High-risk AI embedded in regulated products (Annex I): from 2 August 2026 to 2 August 2028. Where an AI system is a safety component of a product already governed by EU product legislation, such as medical devices, the longer runway to August 2028 applies.
- Marking of synthetic content for legacy systems (Article 50(2)): a short grace to 2 December 2026. Systems already on the market before 2 August 2026 get a three-month window (reduced from the six months originally floated) to implement machine-readable marking of AI-generated content. New systems must mark from 2 August 2026.
- National regulatory sandboxes: from 2 August 2026 to 2 August 2027. The deadline for member states to have AI regulatory sandboxes operational moved back by a year.
Old dates versus new dates at a glance
- Prohibited practices and AI literacy: 2 February 2025 (unchanged, in force).
- General-purpose AI model obligations: 2 August 2025 (unchanged, in force).
- Article 50 transparency (new systems): 2 August 2026 (unchanged, on schedule).
- General-purpose AI fining power: 2 August 2026 (unchanged, on schedule).
- Synthetic content marking (legacy systems): was 2 August 2026, now 2 December 2026.
- Stand-alone high-risk systems (Annex III): was 2 August 2026, now 2 December 2027.
- High-risk AI in regulated products (Annex I): was 2 August 2026, now 2 August 2028.
- National regulatory sandboxes: was 2 August 2026, now 2 August 2027.
New prohibitions added on top
The Omnibus did not only push dates back. It also widened the list of banned practices, with effect from 2 December 2026. Two additions stand out: AI applications that generate non-consensual intimate imagery of real, identifiable people (so-called "nudifier" tools), and AI-generated child sexual abuse material. Both cover placing such systems on the market and using them, and in-scope providers have until December 2026 to put safeguards in place. The change followed public concern over incidents involving mass generation of sexualized images.
The legal mechanism, and why it is now binding
The instrument driving all of this is the Digital Omnibus on AI, part of a broader EU simplification package. It is worth being precise about its status, because much of the commentary written in late 2025 and early 2026 described it as a proposal. That is no longer the case. The European Parliament approved the text on 16 June 2026, the Council of the EU gave final approval on 29 June 2026, and it entered into force in July 2026 after publication in the Official Journal. Any analysis that still calls it a proposal is out of date.
The delay is best understood as a "stop the clock" measure rather than a change of heart on high-risk AI. The obligations depend on harmonized technical standards from CEN and CENELEC, which give providers a workable route to demonstrate conformity. Those standards are running late. The original target of April 2025 was missed, and current estimates point to the fourth quarter of 2026 at the earliest. The new December 2027 date is intended to be a point by which the compliance pathway actually exists. The Council presents it as a fixed statutory deadline, but the practical dependency on standards means there is some residual risk of further adjustment if the standards slip again.
The Omnibus also made structural changes worth noting. It expanded the AI Office's remit so that it supervises not only general-purpose AI models but also AI systems built on those models within the same organization, with carve-outs where national authorities remain competent. It extended, under a strict necessity standard, the ability to process special-category data for bias detection to providers and deployers of all AI systems rather than only high-risk ones. It also carved AI embedded in machinery-regulation products out of the high-risk regime, while keeping medical devices and toys firmly within it.
Penalties and governance: an uneven map
The penalty ceilings are unchanged. Prohibited-practice breaches can reach 35 million euros or 7 percent of global turnover. Most other obligations, including the Article 50 transparency duties, top out at 15 million euros or 3 percent, and there is a specific tier for general-purpose AI. The Act also bars penalizing the same facts twice under both the AI Act and the GDPR.
Enforcement is split. General-purpose AI is supervised centrally by the AI Office within the Commission, while everything else is enforced by national competent authorities across the 27 member states. That split matters in practice, because national readiness is patchy. A number of member states missed the August 2025 deadline to designate their competent authorities, and some had not completed their implementing legislation by mid-2026. The likely consequence is that early Article 50 enforcement will be geographically uneven, strong in some jurisdictions and slow to start in others.
A caution on stale reference material
One practical trap deserves a direct warning. Several of the most-linked AI Act reference pages, including popular implementation-timeline trackers and some official overview pages, still show the pre-Omnibus dates and present 2 August 2026 as the point at which the Act becomes fully applicable. They reflect the original 2024 text, not the law as amended in 2026. When you are briefing a board or scoping a compliance program, take the high-risk dates from the amending act and the Council's own communication, not from a tracker that has not been updated.
What this means for GRC and AI-risk teams
The delay is a scheduling change, not a reprieve. For most organizations the sensible reading is that the direction of travel has not changed, only the runway. There are a few things worth doing now rather than in 2027.
- Do not stand down high-risk preparation. Conformity assessment, technical documentation, and a functioning quality management system take time to build. The extra months are best spent getting ahead of the December 2027 date, not pausing until it is close.
- Treat August 2026 as a real deadline. Transparency obligations and general-purpose AI fining power arrive this year. If you operate chatbots, generate synthetic media, or rely on general-purpose models, those duties are live in weeks, not years.
- Know which regime each system falls under. The value of the two-speed timeline only materializes if you can say, for each AI system you build or use, whether it is prohibited, high-risk, subject to transparency duties, or lower risk, and which deadline applies to it.
- Keep evidence current. Whether the date is 2026, 2027, or 2028, the underlying requirement is the ability to produce credible, up-to-date evidence of your controls on demand. That is far easier to maintain continuously than to reconstruct under deadline pressure.
How insAIght helps
This is the operating model Anove's insAIght platform is built around. It gives risk, compliance, and audit teams a live inventory of the AI systems in use, maps each system against the frameworks and regulations that apply to it, including the EU AI Act, ISO/IEC 42001, and the NIST AI RMF, and keeps the supporting evidence current. When a deadline shifts, as it just did, the response is a change in configuration rather than a scramble to work out what now applies to which system. For a fast first read on whether the AI tools you already rely on would stand up to scrutiny, ExplAIn offers an accessible starting point.
The takeaway
The Digital Omnibus buys high-risk AI providers time, but it sharpens rather than softens the compliance picture. Transparency and general-purpose AI enforcement are here in August 2026, new prohibitions land in December 2026, and the full high-risk regime follows in December 2027 and August 2028. The organizations that come through this well will be the ones that treat AI governance as a continuous, evidence-based discipline, so that whichever date applies, and wherever the reference trackers happen to lag, the answer to "can you prove it?" is already yes.
Sources: Council of the EU, "Artificial Intelligence: Council gives final green light to simplify and streamline rules" (29 June 2026); Freshfields, "EU AI Act unpacked: the final Digital Omnibus on AI" (10 July 2026); Tech Times, "EU AI Act Enforcement Is Here" (10 July 2026).
Learn more
- insAIght: Anove's AI governance and risk platform for continuous, audit-ready compliance.
- ExplAIn: check whether the AI tools you use are compliant.
- GDPR and AI Act: What Companies Need to Know in 2026: related reading on overlapping regulatory obligations.
- EU AI Act: the 5 key articles you need to know now: a plain-language guide to the provisions that matter most.
Book a demo to see how insAIght keeps your AI governance audit-ready across the EU AI Act's shifting timeline and every other framework on your radar.