Blog

EU AI Act in mid-2026: in force, deferred, what to do

· RAIS Team

The EU AI Act is already law — in force since 1 August 2024, with parts enforceable for over a year. In May 2026 the story is not "the Act is coming". It is that the rules already live, the rules the Digital Omnibus would defer, and the rules still in negotiation are three different things. This guide is for the compliance, security, legal, and HR practitioners who need tools that amplify your in-house expertise.

Background: how we got here

The Artificial Intelligence Act — formally Regulation (EU) 2024/1689 — was adopted on 13 June 2024, published in the Official Journal on 12 July 2024, and entered into force on 1 August 2024. Document references on EUR-Lex are PE/24/2024/REV/1 · CELEX 32024R1689 · OJ L, 2024/1689, 12.7.2024.

The Act applies in stages by design. Some chapters became enforceable six months after entry into force, others after 12, 24, and 36 months. The official European Commission policy timeline lays out which obligations land on which dates, and the European AI Office is the body coordinating Union-level enforcement for general-purpose AI.

What has changed since then is the Commission's November 2025 Digital Omnibus on AI proposal and the Council–Parliament provisional political agreement of 7 May 2026. Those moves shift some deadlines — but the original Regulation deadlines remain law until the Omnibus is formally adopted. That is the gap practitioners need to navigate this quarter.

What is already live and enforceable

Three blocks of obligations are already on the books and being enforced. Treat each as non-negotiable, regardless of where the Omnibus lands.

Prohibited practices (in force since 2 February 2025)

Article 5 of the Regulation lists practices that cannot be placed on the market, put into service, or used in the Union. The Commission Guidelines on Prohibited AI Practices — published 4 February 2025 — set out eight prohibited practices:

  1. Subliminal, purposefully manipulative, or deceptive techniques that materially distort behaviour.
  2. Exploitation of vulnerabilities tied to age, disability, or socio-economic situation.
  3. Social scoring by public or private actors leading to detrimental treatment.
  4. Predictive policing of natural persons based solely on profiling or personality traits.
  5. Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases.
  6. Emotion recognition in the workplace and in educational institutions (with narrow medical and safety carve-outs).
  7. Biometric categorisation to infer race, political opinion, trade-union membership, religion, sex life, or sexual orientation.
  8. Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes (with narrow, judicially-supervised exceptions).

The 7 May 2026 Council–Parliament agreement signals a ninth prohibition on the generation of non-consensual intimate imagery and child sexual abuse material — but that addition is provisional until the Omnibus is formally adopted.

AI literacy obligations (in force since 2 February 2025)

Article 4 places a direct obligation on providers and deployers to ensure a sufficient level of AI literacy among their staff and any other person operating or using AI systems on their behalf. The European Commission timeline confirms the obligation has been live since 2 February 2025.

Operationally this means three things: AI literacy needs to be defined for each role that touches an AI system, training needs to be delivered against that definition, and records need to be kept. Generic awareness videos do not discharge the obligation — the Article 4 standard is role-relevant competence, not box-ticked attendance.

GPAI model obligations (in force since 2 August 2025)

Obligations on general-purpose AI (GPAI) models — Articles 53 (general providers) and 55 (providers of GPAI models with systemic risk) — became applicable on 2 August 2025, as set out on the European Commission timeline. The European AI Office oversees enforcement for this track, which runs separately from Member State market-surveillance enforcement of high-risk systems.

The voluntary General-Purpose AI Code of Practice, published on 10 July 2025, is the Commission- and AI-Board-endorsed pathway for demonstrating Article 53 and 55 compliance. It has three chapters — Transparency, Copyright, and Safety & Security — and signatories include Anthropic, Google, IBM, Microsoft, Mistral AI, and OpenAI, among others. xAI signed only the Safety & Security chapter. The Code is not mandatory, but signing it is currently the lowest-friction route to compliance.

If your organisation builds, fine-tunes, or significantly customises a GPAI model, these obligations apply to you. If you only deploy third-party GPAI through an API, your obligations sit at the deployer level — which is where Article 4 literacy and the Annex III high-risk regime become the dominant questions.

What the Digital Omnibus defers (and what hasn't yet been adopted)

The Commission proposed the Digital Omnibus on AI on 19 November 2025 as part of a broader push to simplify and streamline the EU digital rulebook. The Council and Parliament reached a provisional political agreement on 7 May 2026 (PRESS 299/26). The deal is exactly what its name says — provisional. Until the Omnibus is formally adopted, the original Regulation 2024/1689 deadlines remain in force.

If the Omnibus is adopted as agreed, four shifts matter most to practitioners:

  • Annex III standalone high-risk obligations — the largest deferral. The application date moves from 2 August 2026 to 2 December 2027. Annex III is the standalone use-case list — recruitment AI, credit scoring, education-access decisions, critical-infrastructure AI, certain law-enforcement and migration use cases.
  • Annex I embedded high-risk obligations — the date moves from 2 August 2027 to 2 August 2028. Annex I is the harmonised-product-legislation list, where AI is a safety component of a product already covered by EU product law (medical devices, machinery, toys, lifts, and so on).
  • Article 50 transparency / watermarking grace period — compressed from six months to three months, with a new deadline of 2 December 2026. The grace period shrinks; the obligation itself does not.
  • National AI regulatory sandboxes — Member States' deadline to establish at least one operational sandbox moves to 2 August 2027.

The Omnibus deal also signals the new prohibition on non-consensual intimate imagery and CSAM generation flagged above. None of this is law yet. Until formal adoption — Council and Parliament still need to translate political agreement into adopted text — the Regulation's original dates apply.

One thing the Omnibus does not touch: the obligations already in force. Prohibited practices remain prohibited. Article 4 literacy remains required. GPAI obligations remain live. Commentary that suggests "the AI Act has been pushed to 2027" is reading one row of a longer table. Your programme should not be built on that reading.

Five things your AI programme should still do this week

The Omnibus changes the when of some obligations, not the what. These are the five practitioner moves that hold their value either way.

Inventory your AI use cases against Annex III

The deferral changes the application date — it does not change the list. Knowing which of your AI systems land inside Annex III is the input for every subsequent decision: conformity-assessment scope, risk-management requirements, fundamental-rights-impact assessment, post-market monitoring design. Build the inventory now, while the regulatory pressure is lower. You will reuse it for ISO 42001, NIST AI RMF and internal board reporting.

Close the AI literacy gap now

The Article 4 obligation is already enforceable. Map roles that interact with AI systems — buyers, deployers, reviewers, end users — and pair each role with a literacy specification. Deliver short, role-relevant content and keep the attendance records. If a regulator or auditor asks how you discharge Article 4, "we ran a one-hour all-hands video" is a weaker answer than "every role with AI exposure has a literacy spec and current training records".

Decide your GPAI Code stance

If you build, fine-tune, or significantly customise GPAI models, the voluntary Code of Practice is currently the cheapest path to demonstrate Article 53 and 55 compliance. Decide whether to sign — and which chapters — and document the rationale either way. If you do not build GPAI, capture the analysis that explains why Articles 53 and 55 do not apply to you. Auditors will ask for both.

Map prohibited-practice exposure honestly

The eight Article 5 prohibitions are live. The two that catch organisations by surprise most often are emotion recognition in the workplace and biometric categorisation. If your HR stack, contact centre, security, or productivity tooling does either — even as a feature you never enabled — you have an exposure question to close. Document the analysis and, where the answer is "we don't do this", document how you would detect it if a vendor turned it on.

Lock down the transparency roadmap

Article 50 disclosure and watermarking obligations are coming, and the Omnibus is likely to shrink the grace period to three months with a 2 December 2026 deadline. Pipeline work — synthetic-content tagging, chatbot disclosure flows, deepfake labelling — is engineering work, not legal work. Start the build now, not in October.

How RAIS tools fit in

Compliance work starts with structured documents. The Responsible AI Studio toolkit is built to take the regulatory inputs you already understand and turn them into draft-ready artefacts in minutes — so your in-house expertise is what does the judgement work, not the formatting. Tools that amplify your in-house expertise, not replace it.

  • AI Policy Generator — jurisdiction- and industry-aware AI usage policies that map directly to EU AI Act obligations, with the article references already cited in the document.
  • AI Risk Register — the natural home for your Annex III inventory and the risk-management evidence the Act expects high-risk system providers and deployers to maintain.
  • Employee AI Guidelines — role-relevant, plain-language guidance you can drop into the Article 4 literacy programme.
  • DPA Generator — for the GDPR Art. 28(3) and GPAI-adjacent processor obligations that sit alongside AI Act work.

Generate the document, then run it past qualified review. The toolkit is the starting point, not the sign-off.

Where to read the source material

These are the primary sources every regulatory claim in this guide is tied to. Read them directly when a vendor or commentator tells you something that does not match.

Generate your AI policy → /tools/policy-generator

Qualified review still required. Outputs are AI-generated starting-point documents — not a substitute for qualified legal or compliance advice.