When do the EU AI Act's high-risk obligations now apply?

Under the Digital Omnibus provisional agreement (May 2026), the Annex III high-risk obligations move from 2 August 2026 to 2 December 2027, and those for systems embedded in regulated products to 2 August 2028. The agreement is provisional: it depends on the Council's formal adoption and publication in the Official Journal of the EU.

Is the 2 August 2026 deadline still in force?

Yes. Until the Digital Omnibus is formally adopted and published in the Official Journal of the EU, 2 August 2026 remains the legal application date for Annex III. Adoption is expected before that date, but it is not yet law.

Which obligations have NOT been postponed?

The prohibited practices (Art. 5, in force since February 2025, including emotion recognition in the workplace), the general-purpose AI (GPAI) obligations, and everything outside the AI Act: DORA, NIS2, the GDPR and, in Spain, art. 22 of the LOPDGDD and art. 64.4.d of the Workers' Statute.

Insights

17 June 20267 min read

The EU AI Act's moving deadline: how it evolved, the postponement to 2027, and what doesn't change for your board

The EU AI Act's timeline has been a moving target from the start — and in 2026 it moved again: the 'Digital Omnibus' postpones high-risk obligations from 2026 to late 2027. The story of that evolution, and the governance lesson: the deadline moves; the duty does not.

Topics:
EU AI Act
Digital Omnibus
Corporate governance
Regulation

When Regulation (EU) 2024/1689 was adopted, it was sold to boards as a countdown with dates set in stone. The reality is more interesting: the timeline of a regulation this ambitious never lands in a straight line. It is worth telling the full evolution, because the lesson for a board lies not in any single date, but in the pattern.

A timeline that never stopped moving

August 2024 — the starting point. The AI Act enters into force with a deliberately phased calendar: the most dangerous first, the most complex later.

February 2025 — the unacceptable. The prohibited practices (Art. 5) arrive: subliminal manipulation, social scoring, emotion recognition in the workplace. No grace period.

August 2025 — models and penalties. General-purpose AI (GPAI) model obligations, institutional governance and the sanctions regime take effect.

The original plan — August 2026 and 2027. The most demanding part came last: the high-risk systems of Annex III —recruitment, credit scoring, biometrics— were to comply by 2 August 2026; those embedded as safety components in regulated products, a year later.

November 2025 — the turn. Here the story changes. With European competitiveness at the centre of the debate —after the Draghi report— and with technical standards and compliance infrastructure not ready in time, the Commission proposes the "Digital Omnibus" (COM(2025) 836): simplify burdens and, above all, postpone the start of the high-risk obligations.

May–June 2026 — the agreement. On 7 May, Parliament and Council reach a provisional political agreement. On 16 June, Parliament approves it in plenary (423 in favour, 57 against, 174 abstentions). The new calendar: stand-alone high-risk systems (Annex III) → 2 December 2027; embedded in products → 2 August 2028.

It is not only a postponement

It pays to read the fine print. Under the provisional agreement, the package also simplifies documentation and registration obligations for high-risk systems and adds a new prohibited practice (systems generating child sexual abuse material or non-consensual intimate imagery). These are substantive changes —still subject to formal adoption—, not just a change of date.

Today: the limbo, and why it matters

As of this article, the agreement is provisional: it still requires formal adoption by the Council and publication in the Official Journal of the EU. Until that happens, 2 August 2026 remains, legally, the binding date for Annex III. The postponement is near-certain, but it is not yet law — and a serious board plans with that precision, not with the headline.

What this evolution teaches a board

The regulatory calendar is a moving target. Governing by headline —rushing in 2025, braking in 2026— is exhausting and erratic. The discipline lies in governing by fundamentals, not by dates.
Look at what has not moved by a single day: the prohibitions, the GPAI obligations and —outside the AI Act— DORA, NIS2, the GDPR and, in Spain, Article 22 of the LOPDGDD (automated individual decisions) and Article 64.4.d of the Workers' Statute (the "Ley Rider"), which requires informing worker representatives about the algorithms affecting employment decisions. All of that binds you today.
The reprieve is not permission to dismantle: it is room to govern well. Operational and reputational risk —a scoring system that discriminates, an automated decision without oversight— never had a calendar.

How to use the sixteen months

Not as a pause, but as the chance to do it in order:

Complete the inventory of AI systems without the last-minute rush.
Assign an owner and a documented human oversight protocol.
Review supplier contracts: deployer responsibility does not transfer to the supplier.
Comply now with what is not postponed (Workers' Statute 64.4.d, GDPR, DORA and NIS2 by sector).
And, where relevant, structure oversight at board level — the conversation about the technology committee.

The decision to take now

Keep the matter on the agenda and use the reprieve to govern, not to defer. The AI Act deadline is now longer; your responsibility is exactly where it was.

Official sources: Regulation (EU) 2024/1689 · Digital Omnibus on AI — COM(2025) 836 · Council of the EU — press release of 7 May 2026 · European Commission — AI regulatory framework.

Last updated: 17 June 2026. The agreement is provisional; this analysis is based on the sources available at that date and may change with the Council's formal adoption.