The EU AI Act high-risk deadline just moved to December 2027. Here is what still hits on August 2, 2026
The EU Council gave final approval to the Digital Omnibus on AI on June 29, 2026, deferring standalone Annex III high-risk obligations from August 2, 2026 to December 2, 2027. Embedded high-risk systems slide to August 2, 2028. Article 50 transparency obligations still apply on August 2, 2026, and the grace period for AI-content labeling was cut from six to three months, landing on December 2, 2026. A new prohibition on non-consensual intimate imagery generation applies from December 2026. The workstreams a policy gateway supports keep their 2026 deadlines.

On June 29, 2026, the EU Council gave final approval to the Digital Omnibus on AI after the European Parliament adopted it on June 16. The adopted text (PE-30-2026-INIT) enters into force three days after Official Journal publication, expected within days. Standalone Annex III high-risk obligations move from August 2, 2026 to December 2, 2027. Embedded high-risk AI systems slide to August 2, 2028. National regulatory sandboxes move to August 2, 2027.
The headlines led with the deferral. The workstreams a policy gateway enforces did not move.
I want to walk through what changed on June 29, what did not change, and why the 16-month deferral on conformity paperwork is not a reason to pause the logging, transparency, and audit-trail work already scoped for August 2.
What the Omnibus deferred
The Digital Omnibus on AI amends the enforcement timetable in Article 113 without touching the substantive obligations in Chapters III and IV. Three dates moved.
Standalone Annex III high-risk systems: August 2, 2026 → December 2, 2027
The Annex III list covers credit scoring, employment screening, education access, biometric identification, critical infrastructure operations, law enforcement uses, migration and border control, and administration of justice. Providers and deployers of these systems now have until December 2, 2027 to complete the conformity assessment, quality management system, post-market monitoring, and CE-marking obligations that would have fallen due next month.
Embedded high-risk AI systems (Annex I): August 2, 2027 → August 2, 2028
AI components inside regulated products (medical devices, machinery, toys) inherit the sectoral certification schedule. That schedule slid a year to align with the parent product cycles.
National regulatory sandboxes: August 2, 2026 → August 2, 2027
Member states now have until August 2, 2027 to establish the sandboxes required under Article 57. Several member states asked for the extension after the AI Office issued its GPAI code of practice in May.
What did not move
Three groups of obligations stayed on the original timetable, and one new prohibition was added.
Article 50 transparency obligations: still August 2, 2026
Article 50 governs transparency for AI systems that interact with people, generate synthetic content, or perform emotion recognition and biometric categorization. A deployer whose chatbot serves EU users must disclose that the user is interacting with an AI system. A provider whose model generates synthetic audio, image, video, or text must mark the output in a machine-readable format identifying it as artificially generated. Neither obligation moved.
AI-content labeling: grace period cut from six months to three months
The original text gave providers six months from the enforcement date to implement machine-readable labeling for synthetic content under Article 50(2). The Omnibus reduced that grace period to three months. The labeling obligation now applies from December 2, 2026 rather than the original February 2027.
Non-consensual intimate imagery and CSAM generation: new prohibition from December 2026
The Omnibus added a targeted prohibition on AI systems whose primary purpose is generating non-consensual intimate imagery or child sexual abuse material. The prohibition applies from December 2026 and sits alongside the existing Article 5 prohibited-practices list. Penalties reach the €35 million or 7% of global annual turnover tier under Article 99.
GPAI obligations: still August 2, 2026
Chapter V obligations on general-purpose AI models stayed on the original schedule. Providers of foundation models placed on the EU market after August 2, 2026 must comply with the transparency, copyright policy, and technical documentation requirements laid out in Articles 53 and 55. The AI Office issued the GPAI Code of Practice in May 2026 to give providers an implementation reference.
Why the deferral does not defer the logging work
The Article 12 record-keeping requirement is part of the Chapter III obligations that shifted to December 2027 for standalone Annex III systems. The temptation is to conclude that logging can wait too. Two reasons that reading fails in practice.
The Article 50 transparency obligation requires per-decision evidence
An AI system that generates synthetic content must mark the output identifying it as artificially generated. A chatbot that interacts with a person must disclose the AI interaction. The provider or deployer that receives a regulator inquiry after December 2, 2026 will be asked to produce evidence that the disclosure and labeling actually happened for specific interactions. Application logs that record "chatbot session started" fail this test. What survives the inquiry is a per-decision record showing which interactions triggered the disclosure banner, which outputs received the machine-readable label, and which model version produced each output.
The other 2026 obligations still consume audit infrastructure
Fannie Mae LL-2026-04 goes live for mortgage lenders on August 6, 2026. HIPAA-covered clinical AI deployers face the Colorado SB 26-189 timeline (January 1, 2027) and the Tennessee SB 1580 mental-health chatbot rules (July 1, 2026). Financial-services deployers face DORA's ICT third-party risk register with a January 2027 deadline. Every one of those regimes requires per-decision audit evidence at a level of detail that application logs cannot produce.
What surviving a review still requires
An architecture that satisfies the 2026 obligations that did not move produces, for every AI request, a record containing a verified identity for the natural person behind the request, the role and authorization context that was in effect, the data classification applied to the prompt, the policy version that governed the decision, the decision outcome, a timestamp with sufficient precision to correlate across systems, and a cryptographic signature that prevents post-hoc modification. That record is independent of the application that made the request. It is committed before the model response returns to the application.
The Article 50 transparency obligation adds one more field. For each interaction, the record must show whether the disclosure banner was served, whether the output received a machine-readable label, and which format the label used.
Beyond the Omnibus
The Omnibus changed timing, not architecture. The controls that satisfy Article 50 in December 2026 also satisfy the deferred Chapter III obligations in December 2027. Deployers that build the audit infrastructure now capture 16 months of operational evidence before the high-risk conformity clock starts. Deployers that pause the work face a December 2027 deadline with no operational evidence to submit.
Cross-regime, the same architectural pattern satisfies Fannie Mae LL-2026-04, Colorado SB 26-189, Tennessee SB 1580, and the NIST AI RMF. Each regime uses different vocabulary for the same infrastructure requirements. The Omnibus deferred one regime's paperwork. The infrastructure the paperwork will document is still due.
DeepInspect
This is the architecture DeepInspect was built to provide. DeepInspect sits at the AI request boundary as an external enforcement layer that operates as a stateless proxy between the application and any LLM. Every request that passes through it is evaluated against per-route, per-role policies using the identity context the application supplies. For Article 50 transparency obligations, the proxy attaches the disclosure and labeling metadata to the per-decision audit record so the deployer can produce evidence on demand.
Every decision produces a per-decision audit record containing identity, role, policy version, data sensitivity, decision outcome, timestamp, and transparency-marker state. The record is signed and tamper-evident. The record is committed before the application receives the model's response, which means the application cannot suppress it.
For the obligations still due on August 2 and December 2, 2026, this is the missing infrastructure. If you are running AI in a regulated environment and your December 2026 readiness depends on application logs the application controls, that readiness is incomplete.
If you are facing the August deadline, let's talk.
Frequently asked questions
- Does the Omnibus change Article 5 prohibited practices?
Article 5 prohibited practices remained in force from February 2, 2025. Social scoring by public authorities, real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions), emotion recognition in workplaces and schools, and untargeted scraping of facial images are still prohibited. The Omnibus added the non-consensual intimate imagery and CSAM generation prohibition, applicable from December 2026. Deployers running AI systems that could fall inside any Article 5 category should treat the prohibition list as the highest-priority compliance risk regardless of the Chapter III deferral.
- If my system is Annex III but embedded in a regulated product, which date applies?
Annex I embedded systems now face August 2, 2028. Standalone Annex III systems face December 2, 2027. A single deployment can hold both classifications. A hospital that runs a clinical decision support system inside a medical device inherits the medical device's Annex I timeline for the embedded component and the Annex III timeline for any standalone decision-support software the device exchanges data with. The correct answer for a deployer with a mixed profile is to map each subsystem to its regime.
- What are the Article 50 disclosure obligations in practice?
Article 50 requires four disclosures. Deployers of AI systems that interact with people must ensure the person knows they are interacting with an AI (unless obvious from context). Deployers of emotion-recognition or biometric-categorization systems must inform the persons exposed to those systems. Deployers of AI-generated or manipulated content that constitutes a deep fake must disclose the artificial nature of the content unless the content is authorized by law or is part of an evidently creative work. Providers of AI systems that generate synthetic audio, image, video, or text must mark the output in a machine-readable format identifying it as artificially generated. The August 2, 2026 date applies to disclosures 1-3. The machine-readable labeling in disclosure 4 applies from December 2, 2026 under the compressed grace period.
- How does the deferral interact with the GPAI Code of Practice?
The GPAI Code of Practice sits under Chapter V, which did not move. Providers of general-purpose models placed on the EU market after August 2, 2026 must adhere to the transparency, copyright policy, and technical documentation obligations regardless of whether they sign the voluntary code. The Omnibus explicitly left Chapter V on the original timetable to keep the GPAI regime aligned with the AI Office's implementation program.
- If we already built for August 2, do we need to change anything?
No. The Omnibus deferred deadlines, not architecture. Deployers that already built identity-aware audit logging, per-decision policy evaluation, and transparency-marker recording for August 2, 2026 have the infrastructure the December 2027 date will require. The one addition worth verifying is the transparency-marker field for Article 50, which is not always present in an audit schema focused on Chapter III record-keeping. Confirm that field exists and receives disclosure and labeling metadata for every interaction.
- Where do I read the adopted text?
The adopted text (PE-30-2026-INIT) is available from the Council register. The Official Journal publication and the exact three-day entry-into-force calculation will follow within days of adoption. The EU Digital Strategy AI Act page is the authoritative long-form implementation reference.