The EU AI Act Deadlines After the Omnibus: What Still Applies Today, and What Moved to 2027

Updated 19 May 2026. This article was originally published before the EU AI Omnibus political agreement of 7 May 2026. It has been rewritten to reflect the new compliance calendar.

On 7 May 2026, EU legislators agreed to defer the AI Act's high-risk deadlines. Annex III now applies from 2 December 2027, Annex I from August 2028. But Article 4 AI Literacy is unchanged — it has been in force since 2 February 2026, and your enterprise customers still expect you to be compliant today.

What changed in May 2026

The Council of the EU and the European Parliament reached a political agreement on a Digital Omnibus package that postponed several AI Act deadlines:

  • Annex III high-risk obligations — now apply from 2 December 2027 (previously 2 August 2026)
  • Annex I prohibited practices — now apply from August 2028
  • Nudifier-app ban — takes effect 2 December 2026 (new specific prohibition)

What did NOT change

  • Article 4 AI Literacy — in force since 2 February 2026. Every EU employer using AI must demonstrate that staff have sufficient AI literacy.
  • Chapter V GPAI obligations — GPAI providers' duties remain on track (2 August 2026).
  • Enterprise vendor due diligence — contractual, not regulatory. Your enterprise customers continue to ask for your AI policy in vendor onboarding.
  • ISO 27001, SOC 2, sector audits — already include AI as a control objective today.

Why this should not change your plan

The temptation after a deadline extension is to delay. Three reasons not to:

1. Article 4 is enforceable today

National DPAs and the AI Office can act on Article 4 right now. There is no transition period left.

2. Your customers do not wait for regulators

If you sell to enterprises, their procurement and legal teams already include AI compliance questions in vendor due diligence. "We are working on it" loses deals.

3. Compliance done well takes months, not weeks

Eighteen months sounds like a lot. In practice, drafting, internal review, sign-off and training take longer than founders expect. The SMBs that start in 2026 will be ready in 2027. The SMBs that wait until autumn 2027 will be in the same scramble that we just avoided.

What to do now

  • This month: inventory every AI tool your team uses. Identify which use cases are high-risk under Annex III.
  • Within 90 days: document your Article 4 AI Literacy programme. Adopt an AI Acceptable Use Policy. Sign DPAs with any vendor missing one.
  • By end of 2026: complete your AI Register and Vendor Log. Draft Article 50 disclosure wording for customer-facing AI.
  • During 2027: complete DPIA + FRIA for high-risk deployments. Run your sector-specific add-on documentation. Train your team.

Ready AI Act's done-for-you compliance service compresses this for SMBs of 5–50 employees. The AI Compliance Audit (€299) gives you a personalised gap analysis in 48 hours. The Compliance Documentation Package (€499) delivers your full personalised pack — AUP, AI Register, Article 4 Literacy programme, Disclosures and Vendor Log — within 48 hours of your intake. Reviewed by qualified ICT/privacy counsel.

Back to blog