EU AI Act Compliance Requirements: The 2026 Timeline After the Omnibus
The Digital Omnibus moved the EU AI Act's standalone high-risk obligations to December 2, 2027, but the August 2, 2026 date did not empty out. Article 50 transparency duties still apply then, the penalty framework is live, and the high-risk requirements themselves, risk management and lifetime event logging, still exist on a later clock. This lays out what applies when, by role, and the record-keeping obligation that runs underneath most of it.

The Digital Omnibus changed the EU AI Act's timeline, and the change is narrower than the headlines suggested. Standalone high-risk obligations under Annex III moved from August 2, 2026 to December 2, 2027, and high-risk AI embedded in regulated products under Annex I moved to August 2, 2028. What did not move is as important as what did. Article 50 transparency obligations still apply from August 2, 2026, the penalty framework is already in force, and the high-risk requirements themselves still exist, now on a later clock.
I want to lay out what the EU AI Act requires, what applies on which date after the omnibus, and the record-keeping obligation that sits underneath most of it.
The four risk tiers
The Act sorts AI systems into tiers, and the tier sets the obligation. Prohibited practices, such as social scoring and certain biometric categorization, are banned outright and have been since February 2025. High-risk systems, listed in Annex III, carry the heaviest obligations: risk management, data governance, technical documentation, human oversight, and event logging. Limited-risk systems, mainly those that interact with people or generate content, carry transparency duties under Article 50. Minimal-risk systems carry no specific obligation.
Classification is the first task, because everything else follows from the tier. The May 2026 high-risk classification guidance is where the Commission put concrete signals on what pulls a system into Annex III.
What applies on August 2, 2026
The omnibus deferred the high-risk deadline, and it left the August 2, 2026 date carrying real weight:
- Article 50 transparency. Providers of chatbots and assistants must design them so people are told they are interacting with AI. Systems that recognize emotions or categorize people biometrically must disclose that to the people exposed to them. Synthetic text, image, audio, and video output must be marked in a machine-readable format as artificially generated. Systems placed on the market before that date get a grace period until December 2, 2026 for the marking obligation.
- Penalty framework. Article 99 is live. Prohibited-practice violations reach €35 million or 7% of global annual turnover. High-risk non-compliance reaches €15 million or 3%. Supplying misleading information to authorities reaches €7.5 million or 1%.
- GPAI provider obligations, which began in August 2025, continue.
I covered the full before-and-after of the deferral in the omnibus analysis. The short version for planning: the transparency and logging workstreams still have 2026 deadlines even though the high-risk conformity paperwork now has until 2027.
Obligations by role
The Act assigns duties by role, and one system can put you in more than one. Providers, who develop or place a system on the market, carry the conformity assessment, technical documentation, and quality-management obligations. Deployers, who use a high-risk system under their own authority, carry Article 26 duties: operate the system per instructions, ensure human oversight, monitor operation, and keep the automatically generated logs.
Most enterprises are deployers, and the deployer obligations are where the record-keeping bites. A deployer that cannot produce the logs a high-risk system generated is exposed regardless of how well the provider documented the model.
The logging obligation that runs underneath
Article 12 requires high-risk systems to allow automatic recording of events over the system's lifetime, and Article 19 specifies what those logs contain: the period of use, the input data, and the identity of natural persons involved. That requirement moved to December 2, 2027 for standalone high-risk systems along with the rest of the high-risk package, and it did not get simpler. I broke down the architecture it takes in the Article 12 logging analysis.
The reason this obligation deserves attention now, before its deadline, is that it is the slowest to retrofit. Transparency notices are a front-end change. Identity-bound, tamper-evident, per-decision logging is an architecture change at the AI request layer, and the deferral to 2027 is the time to build it rather than a reason to defer it.
DeepInspect
This is the architecture DeepInspect provides for the deployer's record-keeping obligations. DeepInspect sits at the AI request boundary as a stateless proxy between your users or agents and any LLM. It evaluates each request against identity and per-route, per-role policy, and it records every decision independently of the application that made it.
For the EU AI Act, that record is what Articles 12 and 19 describe. Each per-decision entry captures the identity of the natural person behind the request, the input data classification, the policy in effect, the outcome, and a timestamp, committed before the response returns to the application and signed so it holds as evidence. The transparency obligations under Article 50 sit at the application layer, and the logging obligations sit at the request boundary, which is where DeepInspect operates.
If you are mapping EU AI Act obligations across your AI systems and the logging workstream is still on a whiteboard, let's talk today.
Frequently asked questions
- What are the main EU AI Act compliance requirements?
They depend on the system's risk tier. Prohibited practices are banned. High-risk systems under Annex III require a risk management system, data governance, technical documentation, human oversight, and automatic event logging. Limited-risk systems that interact with people or generate content carry transparency obligations under Article 50. Minimal-risk systems have no specific duties. Obligations also split by role: providers handle conformity assessment and documentation, while deployers handle in-use operation, human oversight, monitoring, and log retention. Classification and role identification are the first two compliance steps, since they determine everything that follows.
- What EU AI Act obligations apply on August 2, 2026?
After the Digital Omnibus, August 2, 2026 still triggers the Article 50 transparency obligations: disclosing AI interaction, disclosing emotion recognition or biometric categorization, and marking synthetic content in machine-readable form, with a grace period to December 2, 2026 for systems already on the market. The Article 99 penalty framework is in force, and GPAI provider obligations that began in 2025 continue. The standalone high-risk obligations under Annex III were deferred to December 2, 2027, and high-risk AI embedded in Annex I products to August 2, 2028.
- Did the Digital Omnibus remove the high-risk requirements?
No. It moved the deadlines. Standalone Annex III high-risk obligations now apply from December 2, 2027 instead of August 2, 2026, and Annex I embedded high-risk from August 2, 2028. The substance of the obligations, risk management, data governance, technical documentation, human oversight, and lifetime event logging, is unchanged. The deferral gives deployers more time on conformity work, but the requirements themselves remain, which is why the slower-to-build controls such as identity-bound logging are worth starting during the extension rather than after it.
- What are the penalties under the EU AI Act?
Article 99 sets three tiers. Prohibited-practice violations reach €35 million or 7% of global annual turnover, whichever is higher. High-risk non-compliance reaches €15 million or 3%. Supplying incorrect or misleading information to authorities reaches €7.5 million or 1%. For most enterprise deployers the relevant exposure is the €15 million or 3% tier tied to high-risk obligations. The penalty framework is already in force, so it applies to the obligations that are live now, including the Article 50 transparency duties from August 2, 2026.