The Business of AI, Decoded

EU AI Act Explained: A Beginner-Friendly Compliance Guide + Practical Checklist


⚖️ The EU AI Act is the world’s first comprehensive AI law — and the May 2026 Omnibus agreement just rewrote the compliance timeline. This guide covers risk classification, updated deadlines, the penalty structure, a practical compliance checklist, and why US companies are not exempt.

Last Updated: June 5, 2026

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive horizontal legal framework for artificial intelligence, and in May 2026 its implementation schedule changed significantly. The regulation entered into force on August 1, 2024 and has been applied in phased stages since then. On May 7, 2026, the Council of the EU and the European Parliament reached a provisional political agreement on the AI Omnibus: a targeted package of amendments that extends the compliance deadline for Annex III high-risk AI systems by 16 months, from August 2, 2026 to December 2, 2027. This is the most significant development in EU AI Act implementation since the regulation entered into force, and it changes the planning horizon for thousands of organizations that were preparing for an imminent August deadline. The deferral does not remove the underlying obligations; it provides additional time to build the compliance programs, technical documentation, and governance frameworks the regulation requires. Formal adoption of the Omnibus is expected before August 2, 2026, and until it is adopted and published the original deadline remains the law, so organizations should continue compliance preparation regardless.

The EU AI Act affects a far wider range of organizations than most compliance teams initially assumed. Any organization that develops, deploys, imports, or distributes an AI system that affects people in the EU — regardless of where that organization is headquartered — is within scope. US-based companies selling AI-enabled products into EU markets, European subsidiaries of US companies, and non-EU AI developers whose systems are accessed by EU users all face obligations under the Act. The risk-based structure of the regulation — which sorts AI systems into four tiers from unacceptable risk (outright banned) through high risk (strict obligations), limited risk (transparency requirements), and minimal risk (no specific requirements) — determines the compliance burden at the use-case level, not the company level. The same organization may operate AI systems across all four risk tiers simultaneously. Understanding which of your specific AI use cases falls into which tier is the first and most consequential compliance step. For organizations building an internal governance framework to support this classification work, our AI Governance 101 guide covers the policy and accountability infrastructure that sits above any specific regulatory compliance program.

This guide covers the EU AI Act in full for organizations that need to understand it at a practical, compliance-actionable level — not at a policy overview level. It covers the four-tier risk classification system with real examples, the updated compliance timeline incorporating the May 2026 Omnibus agreement, the penalty structure, a practical compliance checklist that organizations can use directly, and specific guidance for US-based organizations that may not realize the Act applies to their operations. For the GPAI-specific layer of the regulation, our dedicated guide to the EU AI Act GPAI Code of Practice covers the obligations for general-purpose AI model providers specifically. For the Article 4 AI literacy requirement — which has been in force since February 2025 — our AI literacy compliance guide covers the training evidence requirements in detail.

📖 New to AI terminology? Visit the AI Buzz AI Glossary — 65+ essential AI terms explained in plain English, each linking to a full in-depth guide.

⚖️ 1. What Is the EU AI Act and Why Does It Matter in 2026?

The 2026 EU AI Act Reality: The EU AI Act is not a future regulatory framework — it is an active legal obligation. Prohibited AI practices have been banned since February 2025. GPAI model obligations have applied since August 2025. Transparency obligations for chatbots, deepfakes, and AI-generated content apply from August 2026. The May 2026 Omnibus extended the high-risk system deadline to December 2027 — but the regulation’s fundamental architecture, its prohibition list, and its transparency requirements are fully in force now.

The EU AI Act is the world’s first comprehensive legal framework specifically designed to govern artificial intelligence across all sectors and applications. It was formally adopted on May 21, 2024, published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024. Its ambition is unprecedented: to create a single, risk-based regulatory framework that applies horizontally across industries — covering healthcare, financial services, law enforcement, employment, education, critical infrastructure, and general-purpose AI — and that applies extraterritorially to any organization whose AI systems produce effects on people in the European Union.

The regulation’s risk-based architecture is its defining structural innovation. Rather than regulating AI as a monolithic technology, the Act assesses risk at the use-case level. An AI system used for a low-stakes task — filtering spam email, recommending music, optimizing logistics routes — faces no specific regulatory requirements under the Act. The same model deployed for a high-stakes task — scoring creditworthiness, evaluating job applicants, assisting in medical diagnosis — faces strict obligations including risk management documentation, bias testing, human oversight mechanisms, technical documentation, and registration in a public EU database. The compliance burden is proportionate to the potential for harm — a design principle that makes the Act genuinely risk-based rather than technology-based, and one that requires every organization to assess its AI use cases individually against the Act’s classification criteria.

The May 7, 2026 Omnibus political agreement is the most significant development in the Act’s implementation since its adoption. The World Economic Forum’s analysis of the EU AI Act identified the high-risk compliance requirements as the most operationally demanding elements of the regulation — and the Omnibus agreement directly addresses that assessment by extending the Annex III high-risk deadline by 16 months. The provisional agreement must still be formally adopted by the European Parliament and Council — expected before August 2, 2026 — and will enter into force three days after publication in the Official Journal. Until formal adoption and publication, the original August 2, 2026 deadline for high-risk obligations remains legally in force. Organizations that reduced their compliance efforts in anticipation of the extension before formal adoption are exposed to regulatory risk during the gap.

⚠️ 2. EU AI Act Risk Classification: Where Does Your AI System Fit?

Risk classification is the first and most consequential step in EU AI Act compliance. Every AI system your organization develops, deploys, or uses must be individually assessed against the Act’s four-tier classification system — because the tier determines the entire compliance obligation structure. The same organization will often operate AI systems across multiple risk tiers simultaneously: a chatbot on the website (limited risk — transparency obligations), an internal document summarization tool (minimal risk — no specific requirements), and an AI-assisted CV screening system for recruitment (high risk — full compliance obligations). Getting the classification right — and documenting the reasoning — is the foundation of every subsequent compliance action. The European Commission published draft guidelines for classifying high-risk AI systems on May 19, 2026, for stakeholder consultation — organizations should monitor these guidelines as they finalize, as they will provide the authoritative interpretation of classification edge cases.

Risk level: Unacceptable Risk
Definition: AI practices that pose a clear threat to fundamental rights, safety, or democratic values; prohibited outright under Article 5.
Examples: Social scoring (by public or private actors); subliminal or manipulative techniques causing harm; real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions); emotion recognition in the workplace or in education (except for medical or safety reasons); AI systems generating CSAM or non-consensual intimate imagery (from Dec 2, 2026).
Compliance requirements: ❌ Complete prohibition: no deployment, no market placement. Maximum fine: €35M or 7% of global annual turnover.
Status: 🔴 In force since Feb 2, 2025. New NCII/CSAM prohibitions apply from Dec 2, 2026.

Risk level: High Risk, Annex III (use-based)
Definition: AI used in the high-stakes decision-making contexts listed in Annex III, where it poses a significant risk to health, safety, or fundamental rights.
Examples: CV screening and candidate ranking; credit scoring; educational assessment; biometric categorisation by sensitive attributes; law enforcement risk assessment; border control; management of critical infrastructure; judicial decision support.
Compliance requirements: ⚠️ Risk management system; data governance and bias testing; technical documentation; automatic logging; human oversight enabling override; accuracy, robustness, and cybersecurity standards; conformity assessment; EU database registration; CE marking.
Status: 🟡 Deadline extended to Dec 2, 2027 (Omnibus provisional agreement, May 7, 2026; pending formal adoption).

Risk level: High Risk, Annex I (product-based)
Definition: AI systems that are products, or safety components of products, governed by the EU product safety legislation listed in Annex I.
Examples: AI in medical devices; toys; lifts; radio equipment; civil aviation; motor vehicles. Note: under the Omnibus agreement, AI safety components in machinery are governed directly by the Machinery Regulation rather than by the AI Act.
Compliance requirements: ⚠️ Same high-risk obligations as Annex III, with conformity assessment integrated into the existing sectoral product regime; CE marking.
Status: 🟡 Deadline extended to Aug 2, 2028 (Omnibus provisional agreement; pending formal adoption).

Risk level: Limited Risk
Definition: AI systems that interact with people or generate or manipulate content; the Article 50 transparency obligations ensure people know they are dealing with AI or AI-generated material.
Examples: AI chatbots and virtual assistants; emotion recognition and biometric categorisation systems (where not prohibited or high-risk); deepfake generators; AI-generated text, images, audio, or video published publicly; AI systems designed to appear human.
Compliance requirements: ✅ Disclose the AI nature of the system to users; disclose deepfakes and AI-generated text published on matters of public interest (Article 50(4)); mark synthetic output in a machine-readable format so that it is detectable as artificially generated (Article 50(2)); deployers must inform people exposed to emotion recognition or biometric categorisation (Article 50(3)).
Status: 🟡 Article 50 obligations apply from Aug 2, 2026. Machine-readable marking (Article 50(2)) for systems placed on the market before Aug 2, 2026 deferred to Dec 2, 2026 under the Omnibus.

Risk level: Minimal Risk
Definition: All other AI systems. No specific EU AI Act requirements apply; voluntary codes of conduct are encouraged.
Examples: AI-powered spam filters; product recommendation engines; logistics optimization; manufacturing quality control (where failure creates no safety risk); music or content curation.
Compliance requirements: ✅ No mandatory AI Act obligations. Voluntary codes of conduct encouraged. GDPR, consumer protection, and other existing law still apply. Maintain classification documentation in case of regulatory inquiry.
Status: No specific obligations. The majority of AI systems fall into this category.

Risk classification as of June 2026, incorporating the May 7, 2026 AI Omnibus provisional political agreement. Annex III and Annex I extended deadlines pending formal adoption — expected before August 2, 2026. Organizations should maintain compliance preparation regardless of extension. The European Commission’s draft high-risk classification guidelines (published May 19, 2026) provide additional guidance on edge cases — monitor for final version.

Three classification nuances from the Omnibus agreement deserve specific attention. First, the “safety component” definition has been narrowed. AI systems used solely for user assistance, performance optimization, efficiency, automation, or quality control will not qualify as high-risk “safety components” under Article 6(1) unless their failure or malfunction could endanger health or safety. This removes a significant number of industrial AI applications from high-risk classification that previously sat in a grey zone. Second, SME and small mid-cap accommodations have been expanded. The simplified compliance pathway previously available only to SMEs (fewer than 250 employees and annual turnover not exceeding €50M) now extends to “small mid-cap enterprises”, organizations with up to 750 employees and €150 million in annual revenue. Simplified technical documentation, proportionate penalties, and less prescriptive quality management system requirements are all available to qualifying organizations. Third, even systems whose providers conclude under the Article 6(3) derogation that they are not high-risk must still be registered in the EU database for high-risk AI systems (Article 49(2)), albeit with reduced information requirements. The earlier proposal to exempt these systems from registration entirely was reversed in the final Omnibus agreement, a significant planning point for organizations that assumed a classification exemption meant complete freedom from registration obligations. Keep the written reasoning behind each Article 6(3) conclusion: it is what a market surveillance authority will ask for first if the classification is challenged.

📅 3. EU AI Act Compliance Timeline 2026: What Is Required by When

The EU AI Act’s phased implementation timeline is one of its most misunderstood aspects — and the May 2026 Omnibus agreement has added further complexity by deferring some deadlines while leaving others unchanged. The practical result is a bifurcated timeline where transparency obligations, prohibited practice bans, and GPAI model rules proceed on the original schedule, while the Annex III and Annex I high-risk system obligations have been extended. August 2, 2026 remains a live compliance date for multiple provisions — it is not the case that the Omnibus defers everything. Organizations that interpret the Omnibus as a general compliance holiday are misreading the agreement and creating regulatory exposure on the provisions that apply unchanged from August 2026.

Date: August 1, 2024
Requirement: AI Act entered into force.
Who it applies to: All organizations developing or deploying AI systems with EU market reach.
Action required: ✅ Begin awareness and scoping. Start the AI system inventory. Identify the risk classification for every AI use case. Status: COMPLETE.

Date: February 2, 2025
Requirement: Prohibited AI practices (Article 5) and AI literacy obligations (Article 4) apply.
Who it applies to: All providers and deployers of AI systems; HR and training managers overseeing staff who use AI.
Action required: ⚠️ Stop deployment of prohibited AI immediately. Complete Article 4 AI literacy training for all staff using AI and document it. Status: IN FORCE. If not done, address now.

Date: August 2, 2025
Requirement: GPAI model obligations apply; EU AI Office governance structures operational; new GPAI models must comply immediately.
Who it applies to: Providers of general-purpose AI models (GPT-5.x, Claude, Gemini, Llama 4, etc.); deployers building products on GPAI APIs.
Action required: ⚠️ GPAI providers: comply with transparency, copyright, and systemic-risk obligations. Model deployers: review the GPAI provider’s compliance documentation. Status: COMPLETE (Aug 2025).

Date: August 2, 2026
Requirement: Transparency obligations (Article 50) apply; most remaining provisions of the Act become applicable (excluding Article 6(1)). AI regulatory sandboxes were originally due to be operational on this date (deferred to Aug 2027 under the Omnibus).
Who it applies to: All providers operating chatbots, deepfake generators, or AI content generation systems; all deployers using AI that interacts with people or generates public-facing content.
Action required: 🔴 Disclose the AI nature of chatbots. Label AI-generated content. Implement Article 50 transparency notices. Note: machine-readable marking (Article 50(2)) for systems placed on the market before Aug 2, 2026 is deferred to Dec 2, 2026 under the Omnibus. Status: DEADLINE APPROACHING.

Date: December 2, 2026
Requirement: New prohibitions on AI systems generating non-consensual intimate imagery (NCII) and CSAM apply. Machine-readable marking (Article 50(2)) becomes mandatory for systems placed on the market before Aug 2, 2026.
Who it applies to: Providers of image, video, and audio generation systems; all publishers of AI-generated content.
Action required: 🔴 New prohibition in force: no AI systems generating NCII or CSAM. Implement machine-readable content marking for all pre-existing generative AI systems. Status: PREPARE NOW.

Date: August 2, 2027
Requirement: GPAI models placed on the market before August 2, 2025 must be fully compliant. Under the original Act this was also the application date for Article 6(1) (Annex I product-embedded AI); the Omnibus agreement moves that date to August 2, 2028 (see below).
Who it applies to: Legacy GPAI model providers; organizations deploying grandfathered GPAI models.
Action required: 🟡 Legacy GPAI model providers must achieve full compliance with the GPAI obligations by this date. Providers of Annex I product-embedded AI should begin compliance preparation now.

Date: December 2, 2027
Requirement: Annex III high-risk AI system obligations apply (standalone use-case systems). EXTENDED from August 2, 2026 under the Omnibus provisional agreement.
Who it applies to: Providers and deployers of Annex III high-risk systems: CV screening tools, credit scoring AI, biometric categorisation, law enforcement tools, educational AI assessment, border management AI.
Action required: 🟡 Risk management system; data governance; technical documentation; logging; human oversight; conformity assessment; EU database registration; CE marking. Use the extended time wisely: begin now.

Date: August 2, 2028
Requirement: Annex I high-risk AI system obligations apply (product-embedded AI). EXTENDED from August 2, 2027 under the Omnibus.
Who it applies to: Providers of AI embedded in regulated products: medical devices, toys, lifts, radio equipment, civil aviation systems, motor vehicles.
Action required: 🟡 Full high-risk compliance requirements. Conformity assessment under the existing EU product safety regime plus the AI Act requirements. Machinery exclusion: AI in machinery is governed directly by the Machinery Regulation.

Timeline as of June 2026, incorporating the May 7, 2026 AI Omnibus provisional political agreement. Extended deadlines for Annex III (Dec 2, 2027) and Annex I (Aug 2, 2028) are subject to formal adoption by the European Parliament and Council — expected before August 2, 2026. Until formal adoption and Official Journal publication, original deadlines remain legally in force. Monitor the Official Journal for formal adoption confirmation.

The practical implication of the Omnibus’s bifurcated timeline is that compliance work should not slow down — it should be reprioritized. The Omnibus buys time for conformity assessments, technical documentation, and EU database registration — the most operationally demanding elements of high-risk compliance. It does not defer the AI inventory, risk classification, and governance framework work that must precede those actions. Organizations that use the extended deadline to build properly scoped AI inventories, establish cross-functional AI governance teams, and develop their risk classification methodology will be in a materially better position when the December 2027 deadline arrives than organizations that treat the extension as permission to defer action entirely. As Mishcon de Reya’s compliance analysis noted: “Regulators are likely to treat the extended deadlines as an opportunity for businesses to build structured compliance programmes, rather than as permission to defer action.”

🔒 Building an AI governance framework? Browse the AI Buzz Governance & Security Hub — 30+ in-depth guides covering OWASP, NIST, ISO 42001, AI risk management, and enterprise AI security frameworks.

💰 4. EU AI Act Penalties for Non-Compliance: The Full Fine Structure

The 2026 Penalty Reality: EU AI Act fines dwarf GDPR penalties in their upper range. The maximum fine for operating a prohibited AI system — €35 million or 7% of global annual turnover — is higher than GDPR’s maximum of 4% of global annual turnover. For a company with $10 billion in annual revenue, the prohibited AI system fine could reach $700 million. Compliance is not an optional operational upgrade — it is a legal obligation with board-level financial consequences.

The EU AI Act (Article 99) establishes a three-tier penalty structure that escalates with the severity of the violation. Tier One, prohibited AI practices: violations of Article 5 (deploying or placing on the market a prohibited AI system) carry the maximum fine of €35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. For large organizations the turnover calculation typically produces the larger number: a company with €5 billion in annual global revenue faces a maximum fine of €350 million for a single prohibited AI system violation. These maximum figures are the ceiling, not the expected penalty for a first-time violation, but enforcement authorities have discretion to reach them for deliberate, large-scale, or repeat violations. Tier Two, non-compliance with the Act’s other obligations: breaches of the obligations placed on providers (Article 16, which includes ensuring that high-risk systems meet the Articles 8–15 requirements), authorised representatives, importers, distributors, deployers, and notified bodies, and of the Article 50 transparency obligations, carry fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. Tier Three, incorrect or misleading information to authorities: supplying incorrect, incomplete, or misleading information to national competent authorities or notified bodies carries fines of up to €7.5 million or 1% of total worldwide annual turnover, whichever is higher. This third tier is specifically designed to deter organizations from gaming the conformity assessment process through incomplete or inaccurate technical documentation. One caveat matters for smaller organizations: under Article 99(6), for SMEs (including start-ups) each cap applies as the lower of the two amounts, not the higher.

The comparison to GDPR is instructive for organizations already familiar with EU data protection enforcement. GDPR’s maximum fine is €20 million or 4% of global annual turnover, a ceiling that made headlines when Meta was fined €1.2 billion in 2023 and Amazon was fined €746 million in 2021. The EU AI Act’s maximum of 7% of global annual turnover for prohibited AI practices exceeds GDPR’s percentage ceiling by 75%. The enforcement architecture mirrors GDPR’s national competent authority structure: each EU member state designates one or more national authorities responsible for market surveillance and enforcement, with the EU AI Office holding oversight responsibility for GPAI models and providing coordination across national authorities. Each member state was required to have its penalty rules in place by August 2, 2025, so the enforcement infrastructure is operational. The Act already caps SME fines at the lower of the fixed amount and the turnover percentage (Article 99(6)); the Omnibus agreement extends proportionate penalty treatment, together with the simplified compliance pathway, to qualifying small mid-cap enterprises as well. For organizations building a broader AI risk management framework that incorporates EU AI Act compliance alongside NIST AI RMF alignment, our AI Audit Checklist provides the structured assessment tool that covers both regulatory frameworks simultaneously.

🌍 5. Does the EU AI Act Apply to Your Business?

The extraterritorial scope of the EU AI Act is the aspect that most often surprises US-based organizations, and it is where the gap between awareness and action is most dangerous. Article 2(1) defines the scope without regard to where an organization is headquartered: the Act applies to providers that place AI systems or GPAI models on the EU market or put them into service in the EU, wherever those providers are established; to deployers established or located in the EU; to providers and deployers located in a third country where the output produced by the AI system is used in the EU; and to importers and distributors of AI systems. A US company with no EU offices, no EU employees, and no EU legal entities is therefore within scope if it makes its AI systems available to EU users, sells AI-enabled products into EU markets, or produces AI output that is used in the EU.

The practical categories of US organizations that need to act now are broader than most compliance teams initially assume. Category One: US AI developers whose systems are accessed in the EU. If your API is called from EU-based applications, if your AI platform is available to EU customers, or if your AI-generated content is consumed by EU residents, you are within scope as a provider. Category Two: US companies deploying third-party AI systems in EU operations. If you use AI-powered HR tools, AI customer service platforms, AI financial analysis tools, or AI-driven marketing systems and those systems interact with EU employees, EU customers, or EU data — you are within scope as a deployer. Category Three: US companies whose EU subsidiaries use AI. Even if the AI system is procured, configured, and operated by a US parent, a European subsidiary’s use of a high-risk AI system triggers EU AI Act deployer obligations on that subsidiary. NIST’s AI Risk Management Framework (AI RMF 1.0) is the US voluntary governance standard that most closely parallels the EU AI Act’s risk-based structure — organizations aligning to both frameworks will find that the NIST AI RMF’s four core functions (MAP, MEASURE, MANAGE, GOVERN) map reasonably well to the EU AI Act’s substantive obligations, making dual-framework compliance more efficient than building EU AI Act compliance from scratch.

The specific actions required from US organizations operating in or selling into EU markets are the same substantive actions required from EU-based organizations, but the starting point differs. Most US organizations are 12–18 months behind their EU counterparts in compliance preparation, having assumed the Act would not affect them or having deferred action pending US regulatory developments. The Omnibus extension to December 2027 provides US organizations with additional runway, but the classification and governance work must begin now to have any realistic chance of meeting the extended deadline. Three practical starting points: first, conduct a complete AI system inventory covering every AI system your organization uses or offers, including third-party AI embedded in vendor software. Second, classify each system against the Act’s risk tiers, prioritizing the identification of any Annex III use cases that will require high-risk compliance by December 2027. Third, review your vendor contracts for every AI tool your organization deploys. Deployers of high-risk systems carry their own Article 26 obligations (operating the system in accordance with the provider’s instructions, assigning human oversight, retaining logs, and informing affected workers and individuals), and a deployer that puts its own name on a high-risk system, substantially modifies it, or changes its intended purpose becomes a provider and inherits the full provider obligations (Article 25). Vendor due diligence is therefore a compliance obligation, not just a procurement best practice. Our AI Vendor Due Diligence Checklist provides the structured evaluation framework specifically designed for this purpose.

✅ 6. EU AI Act Compliance Checklist for Organizations in 2026

The following compliance checklist covers the actions every organization subject to the EU AI Act must take, organized by priority and timeline. Organizations that have not yet begun should start with items 1–5, which create the foundation for all subsequent compliance work. Items 6–7 are the Article 50 transparency obligations that apply from August 2, 2026 and must be addressed immediately. Items 8–16 are the compliance infrastructure that must be in place for any organization operating Annex III high-risk AI systems by the December 2, 2027 deadline, together with the ongoing monitoring and framework alignment work that supports it. This checklist should be treated as a living document: the Act’s implementing guidelines, harmonised standards from CEN-CENELEC, and national authority guidance will continue to be published through 2026 and 2027, and compliance programs must update accordingly.

Compliance Priority Rule: Any organization not yet compliant with the February 2025 obligations — prohibited AI system identification and Article 4 AI literacy training — must address those immediately before working on the longer-horizon high-risk obligations. Non-compliance with already-in-force provisions creates current legal exposure, regardless of the Omnibus extension for future deadlines.

1. Build a complete AI system inventory: document every AI system in use or under development, including third-party AI embedded in vendor software.
   Applies to: All organizations. Deadline: Immediately. Priority: 🔴 Critical (foundation for all compliance).

2. Classify each AI system by risk level: apply the four-tier classification, document the classification rationale for every system, and flag any Annex III or Annex I systems for priority compliance action.
   Applies to: All organizations. Deadline: Immediately. Priority: 🔴 Critical.

3. Identify and immediately address prohibited AI practices: any system matching an Article 5 prohibited category must be decommissioned or modified to remove the prohibited capability.
   Applies to: All organizations. Deadline: In force since Feb 2, 2025. Priority: 🔴 Critical (current legal obligation).

4. Implement Article 4 AI literacy training for all employees who use, oversee, or make decisions based on AI system outputs. Document training completion with evidence. See our AI literacy compliance guide for the evidence standard.
   Applies to: All providers and deployers. Deadline: In force since Feb 2, 2025. Priority: 🔴 Critical (current legal obligation).

5. Establish an AI governance framework and appoint an AI compliance owner with clear accountability for AI Act compliance, authority to stop or modify non-compliant deployments, and a reporting line to senior leadership.
   Applies to: All organizations. Deadline: Immediately. Priority: 🔴 Critical.

6. Implement Article 50 transparency obligations: disclose the AI nature of chatbots and virtual agents to users; disclose deepfakes and AI-generated text published on matters of public interest (Article 50(4)).
   Applies to: Providers and deployers of chatbots and AI content generation. Deadline: August 2, 2026. Priority: 🔴 Imminent.

7. Mark AI-generated synthetic content in a machine-readable format (Article 50(2)), using watermarks, metadata identifiers, cryptographic provenance, or similar techniques, so that output is detectable as artificially generated. Systems placed on the market after Aug 2, 2026 must comply immediately; pre-existing systems by Dec 2, 2026.
   Applies to: Providers of generative AI systems (image, video, audio, text). Deadline: Aug 2, 2026 (new systems); Dec 2, 2026 (pre-existing). Priority: 🔴 Imminent.

8. Conduct AI vendor due diligence: for every third-party AI system you deploy, obtain the vendor’s risk classification, compliance documentation, technical documentation, and audit trail. Deployers carry their own Article 26 obligations and cannot meet them without the provider’s instructions for use and documentation.
   Applies to: All deployers of third-party AI. Deadline: Ongoing. Priority: 🟡 High.

9. For Annex III high-risk systems: implement a risk management system (Article 9), a continuous process covering identification, analysis, evaluation, and mitigation of reasonably foreseeable risks throughout the system lifecycle.
   Applies to: Providers of Annex III high-risk AI systems. Deadline: Dec 2, 2027. Priority: 🟡 High (begin now).

10. For Annex III high-risk systems: prepare technical documentation (Article 11 and Annex IV) covering system design, development process, training data, testing methodology, performance metrics, and known limitations. SMEs and small mid-caps may use the simplified templates.
    Applies to: Providers of Annex III high-risk AI systems. Deadline: Dec 2, 2027. Priority: 🟡 High (begin now).

11. For Annex III high-risk systems: implement human oversight mechanisms (Article 14), designing the system so that a competent person can monitor, understand, override, and stop it. Document that oversight is genuine, not a rubber stamp.
    Applies to: Providers and deployers of Annex III high-risk AI. Deadline: Dec 2, 2027. Priority: 🟡 High (begin now).

12. For Annex III high-risk systems: complete the conformity assessment and register in the EU database. Conduct or commission the conformity assessment, draw up the EU declaration of conformity, affix the CE marking, and register the system in the public EU database for high-risk AI systems.
    Applies to: Providers of Annex III high-risk AI systems. Deadline: Dec 2, 2027. Priority: 🟡 High (requires significant lead time).

13. Implement automatic logging for high-risk systems (Article 12): automatic recording of events during system operation, with logs retained for at least six months by both providers and deployers (Articles 19 and 26(6)), or longer where sector-specific law requires.
    Applies to: Providers and deployers of Annex III high-risk AI. Deadline: Dec 2, 2027. Priority: 🟡 High.

14. Monitor CEN-CENELEC harmonised standards as they publish: these will define how the high-risk requirements are met in practice, and conformity with them gives a presumption of conformity with the corresponding requirements. First standards expected late 2026 through mid-2027.
    Applies to: All organizations with Annex III high-risk AI systems. Deadline: Ongoing. Priority: 🟡 High.

15. Align with NIST AI RMF (US organizations): the GOVERN, MAP, MEASURE, and MANAGE functions provide a parallel governance structure, and organizations building dual-framework compliance can reuse NIST AI RMF work product to support EU AI Act documentation.
    Applies to: US-based organizations subject to the EU AI Act. Deadline: Ongoing. Priority: 🟢 Medium.

16. Establish post-market monitoring and serious incident reporting (Articles 72 and 73): after deployment of any high-risk AI system, maintain the post-market monitoring plan, monitor performance on an ongoing basis, and establish procedures for reporting serious incidents to the national market surveillance authority.
    Applies to: Providers of Annex III high-risk AI. Deadline: Dec 2, 2027. Priority: 🟢 Medium (plan now).

Compliance checklist as of June 2026. Extended deadlines reflect May 7, 2026 AI Omnibus provisional agreement — subject to formal adoption. Items marked “Current legal obligation” are in force now and should be addressed before any other compliance work. Download and adapt this checklist for your organization’s AI governance documentation.
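The logging and human-oversight rows above state requirements without showing what a defensible log looks like. The following is an added example written for this guide, not code from the article or from any regulator: a minimal tamper-evident event log for one high-risk AI system that records inferences, human overrides, and stop events, chains each entry to the previous one so that after-the-fact edits are detectable, and refuses to purge anything younger than the retention floor. The field names, the 183-day floor standing in for "at least six months", the HMAC checkpoint design, and the sample CV-screening events are all this example's assumptions, not something the Act prescribes.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption: "at least six months" implemented as a 183-day floor; sector rules
# may require longer, so the floor is a constructor parameter.
DEFAULT_RETENTION = timedelta(days=183)


class AIEventLog:
    """Append-only, hash-chained event log for one high-risk AI system.

    Every entry commits to the digest of the previous entry, so editing,
    reordering or silently dropping an entry breaks the chain. An HMAC over the
    chain head, keyed with a secret the operations team does not hold, gives an
    auditor a checkpoint to compare against later.
    """

    def __init__(self, system_id, model_version, audit_key, retention=DEFAULT_RETENTION):
        self.system_id = system_id
        self.model_version = model_version
        self._audit_key = audit_key
        self.retention = retention
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the digest does not depend on dict ordering.
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(body).hexdigest()

    def record(self, event_type, payload, ts=None):
        """Append one event (inference, human_override, stop, ...) and return it."""
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "seq": self.entries[-1]["seq"] + 1 if self.entries else 0,
            "ts": ts.isoformat(),
            "system_id": self.system_id,
            "model_version": self.model_version,
            "event": event_type,
            "payload": payload,
            "prev": self.entries[-1]["digest"] if self.entries else "0" * 64,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Re-walk the chain; False if any retained entry was edited, reordered or removed."""
        if not self.entries:
            return True
        expected_prev = self.entries[0]["prev"]
        base = self.entries[0]["seq"]
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if (e["seq"] != base + i or e["prev"] != expected_prev
                    or self._digest(body) != e["digest"]):
                return False
            expected_prev = e["digest"]
        return True

    def head_tag(self):
        """HMAC over the current head digest, for an externally held audit checkpoint."""
        head = self.entries[-1]["digest"] if self.entries else "0" * 64
        return hmac.new(self._audit_key, head.encode(), hashlib.sha256).hexdigest()

    def purge_expired(self, now):
        """Delete only the oldest entries that are past the retention floor.

        Deletion is limited to a leading prefix so the retained chain stays
        contiguous and still verifies; nothing younger than the floor can go.
        """
        cutoff = now - self.retention
        removed = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["ts"]) < cutoff:
            self.entries.pop(0)
            removed += 1
        return removed


def _sample_log():
    # Constructed sample: a CV-screening system, a reviewer override, and a stop.
    t0 = datetime(2027, 12, 2, tzinfo=timezone.utc)
    log = AIEventLog("cv-screener-eu", "2.3.1", audit_key=b"auditor-held-key")
    log.record("inference", {"request_id": "r-1001", "input_ref": "sha256:ab12",
                             "output": "rank=3", "confidence": 0.82}, ts=t0)
    log.record("human_override", {"request_id": "r-1001", "reviewer": "hr-ops-7",
                                  "new_output": "rank=1", "reason": "incomplete CV parse"},
               ts=t0 + timedelta(minutes=5))
    log.record("stop", {"actor": "hr-ops-7", "reason": "drift alert"},
               ts=t0 + timedelta(days=1))
    return log, t0


def tamper_demo():
    """Rewriting an override record after the fact is detectable."""
    log, _ = _sample_log()
    clean = log.verify()
    log.entries[1]["payload"]["reason"] = "n/a"   # quiet edit of the override record
    return {"clean": clean, "tampered": log.verify(), "tag_len": len(log.head_tag())}


def retention_demo():
    """Purging respects the six-month floor and leaves a verifiable chain."""
    log, t0 = _sample_log()
    early = log.purge_expired(t0 + timedelta(days=100))   # nothing old enough yet
    late = log.purge_expired(t0 + timedelta(days=184))    # first two entries expire
    return {"purged_early": early, "purged_late": late,
            "remaining": len(log.entries), "chain_ok": log.verify()}


if __name__ == "__main__":
    print(tamper_demo())
    print(retention_demo())
```

The chain on its own cannot prove that a whole prefix was not deleted early, which is why the head tag exists: an auditor who stores the tag and the head sequence number at each checkpoint can later compare the first retained entry's `seq` and the recomputed tag against their record. In a real deployment the log would also be written to append-only storage with its own access controls rather than kept in process memory.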

🏢 7. GPAI Model Obligations: What the GPAI Code of Practice Requires

General-purpose AI (GPAI) model obligations, covering large foundation models like Claude Opus 4.7, GPT-5.x, Gemini 3.1 Pro, Llama 4, and other models that can be adapted for many downstream tasks, have been in force since August 2, 2025. Every provider of a GPAI model placed on the EU market must maintain technical documentation, supply integration documentation to the providers of AI systems built on the model, adopt a copyright-compliance policy, and publish a summary of the training content (Article 53). Models released under a free and open-source licence with publicly available weights are exempt from the two documentation duties but not from the copyright policy or the training-content summary, and that exemption falls away for systemic-risk models (Article 53(2)). A model is presumed to present "systemic risk" when its cumulative training compute exceeds 10^25 FLOPs; the Commission may also designate models on other criteria (Article 51). Providers of systemic-risk models face additional obligations: model evaluation, adversarial testing, serious-incident reporting, and cybersecurity safeguards for the model and its infrastructure (Article 55). The GPAI Code of Practice, developed by the EU AI Office with multi-stakeholder input, translates these legal obligations into specific technical and operational measures. Our full guide to the EU AI Act GPAI Code of Practice covers these requirements in depth, including the specific measures required for systemic-risk models.

For organizations that build products on GPAI models through APIs (Claude, GPT-5.x, Gemini, or similar), the GPAI chapter itself binds the model provider, not you. What you inherit is the integration documentation the provider must make available to downstream integrators (Article 53(1)(b)), plus your own obligations as provider or deployer of the AI system you build on top. Review that documentation, understand the terms of use applicable to your deployment context, and check whether your downstream application creates high-risk AI system obligations that the underlying model's GPAI compliance does not cover. A marketing automation tool built on a GPAI API is a different regulatory object from the GPAI model it runs on, and the marketing tool's compliance posture depends on its use case, not on the model's GPAI compliance status. The Omnibus agreement clarified the AI Office's supervisory competence: the AI Office supervises GPAI model providers where the same organization both develops the model and deploys an AI system based on that model, with specific exceptions preserving national authority competence for law enforcement, border management, judicial, and financial institution deployments.

🏁 8. Getting Started With EU AI Act Compliance in 2026

The most important compliance insight from the May 2026 Omnibus agreement is also the simplest: the extension buys time for the hard work, not permission to skip it. The organizations that will be genuinely compliant by December 2, 2027 are not those that will sprint in the last quarter of 2027 — they are the ones building compliance infrastructure now. The AI system inventory, the risk classification exercise, the governance framework, the AI literacy training, and the vendor due diligence are all pre-conditions for the conformity assessment and technical documentation that the Annex III deadline requires. None of them can be meaningfully completed in less than 6–12 months for organizations with complex or large-scale AI use cases.

Three actions deliver the highest compliance ROI per hour invested in 2026. First: complete the AI system inventory. You cannot classify, govern, or document systems you do not know you have — and shadow AI makes this more challenging than it appears, with employees adopting AI tools outside formal procurement at rates that typically mean the real number of AI systems in use is 2–3x the IT-approved list. Our guide to Shadow AI covers the discovery methodology for identifying unsanctioned AI in organizational workflows. Second: address the February 2025 obligations immediately if not already done. Prohibited AI system identification and Article 4 AI literacy training are in force now — non-compliance with these creates current legal exposure that no amount of Annex III extended-deadline planning can offset. Third: conduct structured vendor due diligence on every third-party AI system your organization deploys. Deployer obligations are real and do not disappear because the vendor claims compliance — your organization’s compliance posture depends on the documented evidence of vendor compliance, not on vendor assertions. The AI Vendor Due Diligence Checklist provides the structured evaluation tool specifically designed for this purpose, covering EU AI Act-specific questions alongside the security and commercial terms evaluation that enterprise procurement requires.

📌 Key Takeaways

On May 7, 2026, the EU reached a provisional political agreement (the AI Omnibus) extending the Annex III high-risk AI system deadline by 16 months — from August 2, 2026 to December 2, 2027 — and the Annex I product-embedded AI deadline from August 2, 2027 to August 2, 2028. Formal adoption expected before August 2, 2026.
August 2, 2026 remains a live compliance date for Article 50 transparency obligations — chatbot disclosure, AI content labelling, and deepfake marking. These are NOT deferred by the Omnibus. Organizations operating chatbots or AI content generation must comply by August 2, 2026.
Prohibited AI system bans and Article 4 AI literacy training obligations have been in force since February 2, 2025. Organizations not yet compliant with these provisions have current legal exposure — the Omnibus extension for high-risk systems does not defer these already-active obligations.
The EU AI Act applies extraterritorially — US companies selling AI-enabled products into EU markets, US companies deploying AI systems that interact with EU employees or customers, and US developers whose AI APIs are accessed from EU-based applications are all within scope.
The maximum fine for deploying a prohibited AI system is €35 million or 7% of global annual turnover — whichever is higher. This exceeds GDPR’s maximum fine of 4% of global annual turnover. For a $10 billion global revenue company, the maximum prohibited AI fine reaches $700 million.
High-risk AI systems include CV screening and candidate ranking, credit scoring, educational assessment, law enforcement risk assessment, biometric categorization, border control AI, critical infrastructure management, and judicial decision support — each requiring risk management, bias testing, technical documentation, human oversight, conformity assessment, and EU database registration by December 2, 2027.
The Omnibus extended SME simplified compliance accommodations to “small mid-cap enterprises” (up to 750 employees and €150M annual revenue) — including simplified technical documentation, proportionate penalties, and less prescriptive quality management system requirements.
The compliance starting point for every organization is the same: build a complete AI system inventory, classify each system against the four risk tiers, immediately address any prohibited systems and Article 4 literacy gaps, then prioritize the Annex III high-risk compliance program for December 2027.

❓ Frequently Asked Questions: EU AI Act Explained

Q1. What did the May 2026 AI Omnibus agreement change about the EU AI Act?

On May 7, 2026, EU legislators reached a provisional political agreement extending the Annex III high-risk AI system compliance deadline by 16 months — from August 2, 2026 to December 2, 2027. Annex I product-embedded AI (medical devices, toys, lifts) was extended to August 2, 2028. Importantly, August 2, 2026 remains a live compliance date for Article 50 transparency obligations — chatbot disclosure, AI content labelling, and deepfake marking are not deferred. Two new prohibitions on AI-generated non-consensual intimate imagery and CSAM take effect December 2, 2026. Formal adoption of the Omnibus amendments is expected before August 2, 2026. See our EU AI Act GPAI Code of Practice guide for the GPAI-specific obligations that remain unchanged.

Q2. Does the EU AI Act apply to US companies?

Yes — the EU AI Act applies extraterritorially. Any organization that develops, deploys, or distributes AI systems whose outputs affect people in the EU is within scope, regardless of where that organization is headquartered. US companies selling AI-enabled products into EU markets, US companies operating AI tools that interact with EU employees or customers, and US developers whose AI APIs are accessed from EU-based applications are all subject to the regulation. The deployer obligations apply to the organization using the AI system — not just the vendor that built it. See our AI Vendor Due Diligence Checklist for the structured evaluation framework US organizations should use for every AI tool deployed in EU-facing operations.

Q3. What are the penalties for non-compliance with the EU AI Act?

The EU AI Act uses a three-tier penalty structure. Prohibited AI system violations: up to €35 million or 7% of total global annual turnover (whichever is higher) — exceeding GDPR’s 4% maximum. High-risk AI system non-compliance: up to €15 million or 3% of global annual turnover. Providing incorrect information to authorities: up to €7.5 million or 1% of global annual turnover. The enforcement infrastructure — national supervisory authorities in every EU member state — has been operational since August 2025. For organizations building compliance programs to avoid these penalties, our AI Governance 101 guide covers the governance framework that sits above any specific regulatory compliance action.

Q4. What AI systems are classified as high-risk under the EU AI Act?

Annex III of the EU AI Act lists the use-case categories that qualify as high-risk: biometric identification and categorization; critical infrastructure management (energy, water, transport); educational assessment and student evaluation; employment-related decisions (CV screening, candidate ranking, performance evaluation, promotion, termination); essential private and public services (credit scoring, insurance risk assessment, emergency services dispatch); law enforcement (crime risk assessment, evidence evaluation); migration and border control; administration of justice and democratic processes. Each of these use cases triggers the full high-risk compliance obligation set — risk management, bias testing, technical documentation, human oversight, conformity assessment, and EU database registration — with a deadline of December 2, 2027 under the Omnibus agreement. See our AI literacy guide for the Article 4 training requirements that apply to everyone using these high-risk systems.

Q5. What should my organization do first to comply with the EU AI Act?

Start with three actions in this order. First: complete a full AI system inventory — document every AI system in use or under development, including third-party AI embedded in vendor software. Shadow AI means the real number is typically 2–3x the IT-approved list. Second: address the February 2025 obligations immediately if not done — identify and decommission any prohibited AI systems, and implement Article 4 AI literacy training with documented evidence for all staff who use or oversee AI. These are current legal obligations, not future deadlines. Third: classify every AI system against the four risk tiers, prioritizing the identification of Annex III use cases that will require full high-risk compliance by December 2, 2027. Our AI audit checklist provides the structured framework for this classification and documentation work.

About the Author

Sapumal Herath

Sapumal is a specialist in Data Analytics and Business Intelligence. He focuses on helping businesses leverage AI and Power BI to drive smarter decision-making. Through AI Buzz, he shares his expertise on the future of work and emerging AI technologies. Follow him on LinkedIn for more tech insights.