The EU AI Act got delayed to 2027 and 2028. Here's what's still due August 2026.

The deadline I’ve been telling people to plan for moved last night. On May 7, 2026, the European Parliament and the Council closed the Digital Omnibus on AI trilogue. Stand-alone high-risk AI systems under Annex III now apply from December 2, 2027. AI embedded in regulated products under Annex I goes to August 2, 2028. The August 2, 2026 deadline that everyone has been planning around survived for one specific group of obligations: the Article 50 transparency rules that actually hit most small businesses. Those didn’t move.

If you read my March overview or April agents-specific post, the practical advice still stands. The deadline shift is real. The relief most coverage is selling is overstated. This post is what actually changed, what didn’t, and what to do about it if you’re running a 5–30 person service business in the EU.

What just happened, in three paragraphs

The Commission proposed the Digital Omnibus package in November 2025 to simplify several digital files at once. The AI Act portion always had two arguments behind it: harmonized standards aren’t ready, and Commissioner Henna Virkkunen, the Executive Vice-President for Tech Sovereignty, Security and Democracy, has been pushing a deregulation-flavored simplification agenda since taking the file. The package was meant to push the high-risk obligations out without reopening the Act’s core structure.

Trilogue negotiations between the Council, the Parliament, and the Commission opened in late April. The first session collapsed on April 28, 2026 after roughly 12 hours over the conformity assessment language for Annex I (AI built into machinery, medical devices, lifts, toys, watercraft). Cyprus held the rotating Council presidency through June 30, with Marilena Raouna, the Cypriot Deputy Minister for European Affairs, leading the Council side.

A week later, on May 7, the trilogue closed. Co-rapporteurs Arba Kokalari (EPP, Sweden, Internal Market) and Michael McNamara (Renew, Ireland, Civil Liberties) signed off for Parliament. The political agreement still needs formal endorsement by the Parliament plenary and the Council, plus the legal-linguistic revision step, but the substance is fixed. Modulos has the cleanest summary of the deal text I’ve seen this week. The IAPP write-up is the second-best read.

What got delayed, what didn’t

If I were running an SMB this week, this is the table I’d tape to the wall.

Provision	Old date	New date
Article 4 (AI literacy duties)	February 2, 2025	Already in force
Article 5 (prohibited practices)	February 2, 2025	In force; expanded May 7
Articles 50–55 GPAI provider rules	August 2, 2025 / 2026	Unchanged
Article 50 transparency for AI users	August 2, 2026	Unchanged: August 2, 2026
Article 50(2) synthetic-content marking	August 2, 2026	December 2, 2026 (3-month grace)
New Article 5 prohibitions (nudifiers, CSAM)	n/a	December 2, 2026
Annex III stand-alone high-risk	August 2, 2026	December 2, 2027
Annex I AI in regulated products	August 2, 2027	August 2, 2028
Regulatory sandboxes (Article 57)	August 2, 2026	August 2, 2027

Read that table once and you’ll see the actual story. The high-risk machinery is what got the headlines because it’s the part with the eye-watering fines and the conformity assessment paperwork. It also affects almost none of the businesses I work with directly. The piece that does affect them, Article 50, is the line that didn’t move.

Why Article 50 is the line that matters for most SMBs

Article 50 sets four transparency duties on providers and on deployers of certain AI systems:

If a person interacts with an AI system, the provider must let them know, unless that’s already obvious.
AI-generated synthetic audio, image, video, and text must be marked in a machine-readable format and detectable as artificial.
Deployers of emotion-recognition or biometric-categorization systems must inform exposed individuals.
Deployers of AI-generated or manipulated content (deepfakes) must disclose it.

The deal closed yesterday left those four duties on their original schedule. The only carve-out is a three-month grace period for the marking obligation in Article 50(2), and only for systems already on the market before August 2, 2026. New systems put on the market after that date are obligated immediately.

There is no SME size carve-out anywhere in Article 50. A two-person dental practice in Klaipėda using an AI receptionist that picks up after hours has the same disclosure obligation as a 50,000-person hospital chain. That’s true regardless of what the Omnibus did to Annex III.

If you’ve never thought about Article 50 because the August date felt notional, this is the moment to. I went into the agent-specific implications in the April post on AI agents and the August deadline. Most of that post is still accurate. The piece that’s now wrong is the line where I called the Omnibus a wildcard. It’s no longer a wildcard. It passed.

The new SMC category, and why it might matter to you

The Omnibus introduces a new size tier the Act didn’t have before: the small mid-cap (SMC). Recent policy discussions, summarized in the IAPP brief, suggest SMCs will be defined at up to 750 employees and up to €150 million annual turnover. Above SME, below large.

For SMCs and SMEs together, the deal extends the package the Commission described as “simplified documentation, proportional quality management systems, and reduced penalties.” There’s no exemption from the underlying obligations. You still have to comply. The compliance package is meant to be cheaper to implement.

If you’re 5–30 employees you’re squarely in SME territory and you’ve already had access to most of these proportionality tools (regulatory sandboxes, fee discounts, simplified templates). If you’re 150–500 employees, the SMC category gives you a route into the same toolkit that didn’t exist a week ago. The European Commission’s AI Act Service Desk FAQ is the place I’d watch for the implementing guidance over the next few months.

The new prohibitions you should know about

Article 5 picked up an addition that didn’t get the headline space it deserves. The deal explicitly bans, with a December 2, 2026 effective date:

AI systems generating non-consensual sexually explicit and intimate content
AI systems generating child sexual abuse material
AI systems depicting identifiable persons in sexually explicit activities without consent

This applies in image, video, and audio formats. “Nudifier” apps in the AppStore and Google Play were the immediate target. The downstream effect lands on every SMB shopping for a generative-AI tool. Any vendor you adopt for marketing or communications has to plausibly demonstrate the model can’t produce non-consensual intimate content. Due-diligence questionnaires from December onward will start asking for that demonstration. If your shortlist includes a tool that can’t answer the question, drop it.

What didn’t change, in plain language

Stripping out the regulatory vocabulary, this is what’s still true on August 2 of this year if you’re an EU service business:

If your AI system talks to a person, that person needs to know it’s AI. Email auto-replies, chatbots on your website, voice agents picking up after-hours calls. All of those need disclosure.

If your AI generates content sent to clients, that content needs to be marked as AI-generated in a way machines can detect. Whatever scheme the draft Code of Practice on AI-content marking lands on (still being finalized) is what your tools will have to follow.

If your AI reads a person’s emotional state from voice or face, you have to tell them.

If you’re using AI to make manipulated images or video that look real, you have to disclose.

GDPR didn’t move either. Every workflow you push client data through still needs a Data Processing Agreement, a Transfer Impact Assessment if data leaves the EU, and a record in your Article 30 register. I went into the practical SMB GDPR overlap in the March post and the data-tier choices in the privacy guide. Both still apply on the original timeline.

What I’d actually do this week

Four moves, in the order I’d take them with a client tomorrow morning.

Read your client-facing AI surface. Walk through every channel where an AI system might talk to a person on your behalf. Email autoresponders, voice agents, chatbots, document drafts that go out under your signature, social media replies, intake forms. For each one, check whether you’ve disclosed AI involvement. If you haven’t, write the disclosure line now and add it before August. The line doesn’t have to be elaborate. “Drafted with AI assistance, reviewed by [name]” at the bottom of an email is a defensible implementation today.

Decide where your AI runs and write that down. The Annex III delay does not move the GDPR clock and does not move the Article 50 clock. Both presume you know which AI tool processes which client data on which servers. The afternoon you spend mapping this is the cheapest insurance you’ll buy this year. I broke out the three data-tier options (cloud AI, dedicated GPU server, self-hosted Mac Mini) in the cost-comparison post. Pick a tier per workflow and document it.

Watch for high-risk drift. December 2027 sounds far away. It isn’t, if your workflows touch employment screening, credit assessment, education access, biometrics, or essential services. An AI agent that prioritizes patient appointments at a healthcare practice might be high-risk. An AI system that screens job applicants at an accounting firm is high-risk. An AI that scores loan applicants for a small mortgage broker is high-risk. The 18-month delay isn’t relief if the work to comply takes 18 months. Start the inventory now and you’ll have a year of slack instead of two months.

Sign up for the AI Office’s communications. The Commission’s Code of Practice on AI-content labeling is still in draft. The implementing guidance for SMCs will land over the summer. The European Parliament’s Think Tank brief on the Omnibus is the cleanest tracking document I’ve found. Add it to your reading queue. Don’t outsource this read to your accountant.

What you should ignore

Most of the Omnibus coverage published in the last 24 hours leads with “16 more months of relief” framing. That framing is wrong for the typical service business I work with, because the deadlines that actually apply to your operations didn’t move. Reading the headline as “I have until 2027” is the failure mode that produces a scramble in July when a client asks for an updated DPA and you don’t have one.

You should also ignore the LinkedIn posts implying the AI Act has been gutted. It hasn’t. The political agreement preserved the structure. Article 5 picked up new prohibitions. Article 50 transparency duties survived. Article 4’s literacy duty has applied since February 2, 2025 and still applies, which is the easiest one to neglect because nobody’s been fined for it yet. The AI literacy obligation requires that staff using AI on your behalf actually understand it. A morning of internal training, documented, costs nothing and gets you out of the easiest enforcement target on the books.

The 200-page AI governance policy advice is also still wrong. A 5-page document covering inventory, risk classifications, transparency measures, oversight assignments, and incident response is what most SMBs need. That advice didn’t change because the deadline did.

Frequently asked questions

Is the EU AI Act delayed?

The high-risk parts are. Stand-alone high-risk systems under Annex III now apply from December 2, 2027 instead of August 2, 2026. AI systems embedded in regulated products under Annex I now apply from August 2, 2028. The Article 50 transparency obligations and the Article 5 prohibitions still apply on their original schedule, with August 2, 2026 as the live deadline for most of Article 50.

Does my small business still have to do anything by August 2, 2026?

Yes. If you use AI to interact with clients, generate content, recognize emotions, or produce deepfakes, you have to disclose that under Article 50. There’s no SME exemption. The new prohibitions on non-consensual intimate content and CSAM also apply, with a December 2, 2026 effective date.

What’s the SMC category?

A new size tier the Omnibus introduced: small mid-cap, defined up to roughly 750 employees and €150 million annual turnover. Companies in that range now get the same proportionality tools (simplified documentation, reduced fees, sandbox access) that SMEs already had.

Do I need a fresh compliance plan because of this?

If your existing plan assumed the Article 50 transparency duties hit August 2, 2026 and that GDPR overlap matters from day one, no. Update the dates for any Annex III systems you operate and keep going. If you don’t have a plan, the March SMB checklist is still the place to start.

Where can I read the actual deal text?

The political agreement is provisional until formally endorsed. The cleanest current write-ups: Modulos, IAPP, DLA Piper, and the European Parliament Legislative Train Schedule entry. The Commission’s AI Act Service Desk FAQ will host the official guidance once formal adoption happens.

A footnote about my April prediction

In the April post on agents and the AI Act I wrote: “treat August 2nd as the deadline. If the Omnibus passes and buys you 16 months, great, you’ll be ahead of everyone who waited.” August 2, 2026 to December 2, 2027 is 16 months exactly. The Omnibus passed. If you took that advice, you’re ahead.

If you didn’t, the work is the same as it was a week ago. The deadline for the high-risk parts moved. The deadline for the parts that actually touch a 12-person dental practice in Vilnius didn’t. Inventory the AI you’re using, document the data flows, set up disclosure on your client-facing channels, pick a data tier per workflow, and assign a human overseer. Five steps. One afternoon for the inventory. The other four spread across May and June.

If you want to talk through where your specific setup lands now that the deadline has split into two, I do free 30-minute discovery calls. No pitch. Just an honest read of what August 2 means for you and what changed last night.