If you've been following the news lately, you've probably seen conflicting headlines: "AI Act delayed," "AI Act enters into force in August," "AI Act simplified." Your legal team may have asked you about it in a meeting, and you said you'd look into it.
Here's what actually happened.
What the EU Decided in May 2026
On May 7, 2026, the European Parliament and Council reached a provisional agreement on what they're calling the "Digital Omnibus" — a legislative package that amends several digital texts at once, including the AI Act.
The main decision: the most demanding AI Act obligations — those applying to so-called "high-risk" AI systems listed in Annex III — are delayed by 16 months. Instead of coming into force on August 2, 2026, these obligations will apply from December 2, 2027.
What's Annex III, concretely? It covers AI systems used in HR (CV screening, performance assessment), credit scoring, access to education, essential services, healthcare, justice, and critical infrastructure — uses that directly affect individuals' rights.
What Was Not Postponed
This is where the headline "AI Act is delayed" becomes misleading.
Several obligations remain on their original schedule:
Prohibited practices (Article 5) have been in force since February 2025. Large-scale social scoring, behavioural manipulation, certain real-time biometric surveillance — these are already prohibited. If you're running such a system, you're already in violation.
Obligations for general-purpose AI models have applied since August 2025. If your company develops or deploys large-scale language models, transparency and technical documentation requirements are already in effect.
The European Commission's enforcement powers kick in on August 2, 2026. From that date, the AI Office can impose fines: up to €35 million or 7% of global annual turnover for the most serious violations. This power has not been delayed.
Transparency obligations for AI-generated content (Article 50) — including labelling AI-generated text, images, and audio — are maintained at their original date of December 2, 2026.
Why the Delay, and What It Signals
This postponement isn't a lobbying victory against regulation. It's a pragmatic acknowledgment that the technical standards companies needed to demonstrate compliance weren't yet ready from European standards bodies. Imposing an obligation date without workable standards would have created paper compliance with nothing to verify it against.
What it signals: the AI Act isn't being abandoned. It's being made practically enforceable. Companies that used the delay to do nothing have just gained 16 more months. Those who started preparing are now ahead of the curve.
What It Means for You
| Situation | Impact of the delay |
|---|---|
| You use AI only as an assistance tool (drafting, research) | Minimal impact — light obligations from the start |
| You have an AI-powered HR module (CV screening, performance scoring) | Annex III delay applies — until December 2027, but start now |
| You develop LLMs or models for clients | GPAI obligations in force since August 2025 — no delay |
| You operate in a regulated sector (healthcare, finance, defence) | Your sector regulators are setting their own timelines — follow those |
The Angle the Press Coverage Misses
The delay to formal obligations doesn't change real-world pressure in supply chains.
If you work with large enterprise clients — a bank, a listed industrial group, a public body — some of them will ask you for AI Act compliance attestations well before the law formally requires it. Because they're auditable themselves and want to demonstrate they work with serious suppliers.
That customer audit calendar has not been postponed by the Digital Omnibus.
The real question isn't "do I have until 2027?" — it's "will my clients ask for proof before that?"
Why the AI Architecture You Choose Now Matters
Whether August 2026 or December 2027, the incoming obligations share a common thread: traceability. Who used which AI system, on what data, with what result. And the ability to demonstrate it to an auditor.
That's exactly where the difference between a cloud AI tool and an on-premise AI becomes concrete. With a US SaaS tool, usage logs belong to your provider. With LMbox, they sit inside your own IT environment — accessible to your CISO, exportable for audit, versioned.
A Paris law firm that deployed LMbox six months ago told us: "The first time a major client asked for our AI usage logs, we had them. Our peers using ChatGPT had to explain why they couldn't answer."
This isn't abstract compliance. It's about being able to answer your next client when they ask the question.
Next step: if you want to assess your AI Act exposure and see how a sovereign AI solution fits into your compliance timeline, get in touch with our team — we'll give you an honest assessment, not a sales pitch.
