— Edition 1.247 52 verified trackers
ES EN
Politics · Technology · Digital regulation  ·  where data speaks before headlines
Digital regulation · Data

The AI Act has two dates and only one is law: the high-risk limbo eight weeks from the deadline

The political deal to push the AI Act's high-risk rules back to December 2027 was struck on 7 May, but by early June it still has not been formally adopted. Until Parliament and the Council vote the text and it is published in the Official Journal, the binding date remains 2 August 2026. Companies are working against a calendar that does not yet exist.

By Yaneth Vickari S. Digital regulation expert 8 min read
AI Act Digital Omnibus European Union high-risk compliance Annex III Official Journal enforcement GPAI
Digital regulation · Data The AI Acthas two datesand only oneis law The high-risk timetable between political deal and formal adoption · 2025-2027 19 Nov 2025 Commission proposes the Digital Omnibus 7 May 2026 Political deal in trilogue Jun-Jul 2026 Pending plenary and Council votes 2 Aug 2026 High-risk date in force today 2 Dec 2027 New deadline if the Omnibus is adopted Dates per European Parliament and Council of the EU announcements on the Digital Omnibus on AI. The new calendar binds only once published in the Official Journal. DIÁLOGO CIUDADANO

One law, two calendars

The European AI Act is living through a legal oddity: it has two dates for the same thing, and only one of them is applicable law. The date printed in the regulation published in 2024 says obligations for high-risk artificial intelligence systems start applying on 2 August 2026. The other date, the one circulating in compliance rooms across the continent, says December 2027. The gap between them is sixteen months, and thousands of projects hinge on which one prevails.

The second date comes from the Digital Omnibus. The European Commission tabled a simplification package on 19 November 2025 that, among other measures, proposes deferring the application of the AI Act’s high-risk obligations. On 7 May 2026, after a nine-hour trilogue session under the Cypriot Council presidency, negotiators from the European Parliament and the Council reached a provisional political agreement on the text. That agreement sets the new calendar so many firms already treat as settled.

What was agreed

The change is not uniform: it splits high-risk systems into two kinds. For stand-alone Annex III systems — those covering areas such as recruitment, credit scoring, education, biometrics and law-enforcement or border-control tools — the compliance obligation moves from 2 August 2026 to 2 December 2027. For AI embedded in products already regulated by EU safety law — medical devices, machinery, radio equipment — the deadline shifts to 2 August 2028.

The reason for the delay is technical, not political, and the co-legislators say so themselves. The harmonised standards companies need to implement the rules are not ready yet; European standardisation bodies such as CEN-CENELEC are working on standards not expected before the final quarter of 2026. The logic of the postponement is sequential: do not penalise anyone for failing to meet standards that do not yet exist.

The package also brings something that is not a postponement but a new ban. The agreement inserts into Article 5 of the AI Act a prohibition on AI systems used to generate non-consensual intimate imagery — the apps known as “nudifiers” — and child sexual abuse material. It is the first substantive tightening of the regulation since its adoption in 2024.

Why the old date still rules

This is the knot many overlook. The 7 May agreement is provisional: a political deal, not yet a law. For the new calendar to take legal effect, the European Parliament and the Council must formally vote the text, which is then published in the Official Journal of the European Union and enters into force three days later. Until that happens, the regulation in force is the 2024 one, and the date in force is 2 August 2026.

By early June 2026 that vote had not yet taken place. Formal adoption is expected between June and July, with publication anticipated toward the end of July, just before the original August deadline. It is a race against the clock: if the procedure drags, 2 August would arrive with the high-risk rules legally active and the postponement still unpublished.

Law firms advising companies have distilled the practical consequence: plan against both dates at once. The recurring advice is to re-anchor compliance programmes to the original 2 August 2026 deadline while the postponement is not formally adopted, and to reclassify any system that had been scoped out on the assumption of a narrower Annex III. Anyone betting solely on December 2027 risks arriving late if the Omnibus stumbles.

What did not move

It helps to separate what changes from what stays the same, because the confusion over dates has spread to parts of the regulation that are not in play. Obligations for general-purpose AI (GPAI) models were not part of the dispute and continue on their current schedule: they came into application in August 2025. Prohibited practices have been applicable since 2 February 2025, with penalties of up to 35 million euros or 7 percent of turnover.

In parallel, the GPAI Code of Practice keeps adding signatories. Through the first quarter of 2026 the code gathered roughly two dozen organisations, among them Anthropic, Google, Microsoft, OpenAI, IBM, Mistral and Cohere; Meta did not sign, and xAI signed only the safety chapter. That split — who signs and who does not — is an early map of how the big providers line up against the European model.

The underlying point

What this episode reveals is not one more delay but the structural difficulty of standing up the world’s most ambitious AI regulation. The AI Act was designed with a staggered calendar precisely to buy time; even so, the technical standards, the designation of national competent authorities and the compliance tools are all arriving late. The designation of national authorities remains incomplete in several member states, which the compliance community describes as an acknowledged “enforcement gap.”

The result is a stretch in which the rule exists on paper but its enforcement machinery is still being assembled. For companies running high-risk systems, the prudent recommendation does not shift with each announcement: build the evidence once and map it against both possible calendars. The legal date rules until another date replaces it in the Official Journal; for now, the two coexist, and only one binds.

← More analysis Home