← auditaisdk.com

EU AI Act 2026 Deadlines: Complete Compliance Timeline for AI Startups

By Marc Dubois · May 10, 2026 · 9 min read · Updated for the Omnibus delay

TL;DR: The May 2026 Omnibus provisional agreement pushed the high-risk obligation date from August 2, 2026 to December 2, 2027 (Annex III) and August 2, 2028 (Annex I). GPAI obligations are already in force since August 2025. Prohibited practices have applied since February 2025. Procurement teams have not updated their checklists, so enterprise vendor assessments still demand deployer documentation right now.

I keep getting the same message from CTOs of AI startups: "Marc, did the Omnibus kill the August deadline? Should I stop preparing?" The short answer is no — the Omnibus delayed enforcement, not procurement. This article gives you the full updated timeline so you know what's enforceable today, what's enforceable next year, and what enterprise buyers will still ask for in the meantime.

The complete timeline at a glance

DateWhat appliesWho it affects
Aug 1, 2024AI Act entered into forceWhole regulation, with staggered applicability
Feb 2, 2025Prohibited practices (Article 5) and AI literacy obligations (Article 4)All providers and deployers placing AI on the EU market
Aug 2, 2025General-purpose AI (GPAI) obligations (Articles 51 to 56), governance structure, penalties for GPAIFoundation model providers: OpenAI, Anthropic, Mistral, Meta, etc.
May 10, 2026 (today)You are here. Procurement still asks for compliance docs even though high-risk enforcement is delayedB2B AI startups selling to enterprise
Aug 2, 2026 (was the deadline)Originally: high-risk Annex III obligations applicable. Now postponed by the Omnibus.Skipped — see December 2, 2027
Aug 2, 2027GPAI models placed on the market before Aug 2, 2025 must be in full complianceLegacy foundation model providers
Dec 2, 2027Annex III high-risk standalone systems: full Chapter III applies (risk management, technical documentation, human oversight, conformity assessment, registration)HR scoring, credit scoring, education access, law enforcement, migration, justice, biometrics
Aug 2, 2028Annex I embedded high-risk systems (medical devices, machinery, toys, lifts, aviation, vehicles, etc.) full applicabilityManufacturers in regulated product sectors with embedded AI

What changed in the May 2026 Omnibus

On May 7, 2026, the Commission, Parliament and Council reached a provisional political agreement on the AI Act Omnibus simplification package. The headline changes that affect AI startups directly:

Why the delay does not let you off the hook: Enterprise procurement checklists were finalised before the Omnibus and most legal and procurement teams will not refresh them until late 2026 at the earliest. If you sell to a Fortune 500 European subsidiary today, the vendor assessment in front of you almost certainly still asks for Annex IV / Article 26 documentation. That is the gap auditai-sdk closes for under €50/month.

What is enforceable right now (May 2026)

Three categories of obligations are already legally binding in the EU today:

1. Prohibited practices (Article 5) — full penalties apply

Since February 2, 2025. Up to €35 million or 7% of global annual turnover, whichever is higher. Includes: cognitive manipulation that causes harm, social scoring by public authorities, exploiting vulnerabilities of specific groups, real-time remote biometric identification in public spaces (with narrow law-enforcement carve-outs), emotion recognition in workplaces and schools, untargeted scraping for facial recognition databases, biometric categorisation by sensitive attributes, and predictive policing of natural persons.

2. AI literacy obligations (Article 4)

Since February 2, 2025. Every provider and deployer must ensure their staff and other persons operating AI systems on their behalf have a sufficient level of AI literacy. There is no fixed curriculum, but enterprise procurement is starting to ask "show us your AI literacy programme" — a one-page training record satisfies most checks. The defensible package is three documents (signed policy, role-based training matrix, training log with annual refresh); the Article 4 literacy programme template walkthrough ships the populated set plus the procurement questionnaire response.

3. GPAI obligations (Articles 51 to 56)

Since August 2, 2025. Affects foundation model providers directly. Affects you indirectly: when you sign a contract to use Claude, GPT or Mistral, you are entitled to the GPAI provider documentation, copyright policy summary, and training data summary. Your enterprise customers will ask you for these. Save them. The downstream-provider flowdown — what you owe when you build on GPT-4 or Claude — is the subject of the GPAI downstream-provider deep dive, including the Article 25(1)(c) substantial-modification trap that flips heavy fine-tuners into the GPAI provider role.

What is coming next (and what to prepare)

Aug 2, 2026 — Article 50 transparency

If your product generates synthetic content (text, image, audio, video) you need to:

This is the August 2026 obligation that did not get delayed. If you ship a generative AI feature, this is your real deadline. Full walkthrough of each paragraph and the C2PA + SynthID toolchain in the Article 50 transparency deep dive.

Dec 2, 2027 — Annex III high-risk full applicability

If your AI system falls under any of these Annex III categories, the full Chapter III obligations kick in:

  1. Biometric identification and categorisation
  2. Critical infrastructure (energy, water, transport)
  3. Education and vocational training (admissions, exam scoring)
  4. Employment, workforce management (hiring screens, productivity scoring)
  5. Access to essential private and public services (credit scoring, insurance, emergency dispatch)
  6. Law enforcement (risk assessment, evidence reliability scoring)
  7. Migration, asylum and border control
  8. Administration of justice and democratic processes

If any of those describe your product, start the technical documentation work now — December 2027 looks far away but the conformity assessment process for high-risk systems involves a notified body and that booking pipeline is already filling up.

Not sure which of these eight categories actually applies to you (or whether the Article 6(3) carve-out gets you out of the regime entirely)? The EU AI Act high-risk classification decision tree walks through each Annex III sub-paragraph with SaaS-specific examples and the common false positives that confuse B2B teams.

Aug 2, 2028 — Annex I embedded high-risk

This applies to AI components in regulated products: medical devices, in-vitro diagnostics, machinery, toys, lifts, recreational craft, cableways, pressure equipment, civil aviation, two- and three-wheel vehicles, agricultural and forestry vehicles. If you sell AI into any of those product sectors, the manufacturer of the final product carries the obligation, but they will absolutely push compliance evidence onto you contractually.

Penalty structure: what each tier looks like

InfringementCapOr % of global turnover
Prohibited practices (Article 5)€35 million7%
Other obligations (Articles 8 to 50, 56 etc.)€15 million3%
Supplying incorrect, incomplete or misleading information to authorities€7.5 million1%
SMEs and startupsLower of the two amounts (cap or %)

The startup-friendly clause matters: as a B2B AI startup with under €50 million in annual turnover, your maximum exposure is the lower number, not the higher. That does not eliminate risk — but it does mean a €35M absolute cap is unlikely unless you are a unicorn.

What every CTO should have on file by Q4 2026

Independent of the high-risk delay, here is the minimum compliance posture that closes enterprise deals in 2026:

  1. Risk classification statement — one page mapping your system to Annex III categories with a yes/no/why answer for each.
  2. Article 26 deployer record — yes you should produce it even though you may technically be a provider, because procurement asks for it. Use this template.
  3. GPAI dependency map — list of every foundation model your stack uses, the GPAI provider's compliance documentation, and the date you collected it.
  4. AI literacy training record — short policy + sign-off list for every engineer touching AI systems. Full role-band template, matrix and log in the Article 4 literacy programme walkthrough.
  5. Audit logs with 6-month retention — per-call inputs, outputs, latency, model version, cost. pip install auditai-sdk generates these automatically.
  6. Article 50 transparency posture — if you ship generative features, the watermarking/disclosure plan with your target date (must be before August 2, 2026).
  7. Incident response procedure — who escalates what to your GPAI provider and to national authorities. The Article 73 thresholds (2 days for fundamental-rights infringement or critical infrastructure disruption, 10 days for death, 15 days residual default) run from awareness, not incident occurrence — full triage decision tree and Annex IX-aligned eight-block report template in the Article 73 serious incident reporting walkthrough.

Don't wait for December 2027

auditai-sdk produces the audit logs, deployer record and risk classification automatically. Three lines of code. Used by AI startups across the EU to unblock enterprise deals today.

See pricing →

Frequently asked questions

Did the August 2, 2026 deadline disappear entirely?

For high-risk Annex III systems, yes — it moved to December 2, 2027. For Article 50 transparency obligations on generative AI, no — that date is still August 2, 2026.

Are GPAI providers also delayed?

No. GPAI obligations have been in force since August 2, 2025. Models on the market before that date have a one-time grace period until August 2, 2027 to retrofit. New foundation models launched after August 2, 2025 must comply from day one.

If I am only a deployer, am I covered by the delay?

Yes — Article 26 deployer obligations for high-risk systems also move to December 2, 2027. But again, enterprise procurement still asks for the documentation today, so the eleven duties (and the Article 27 FRIA trigger for credit, insurance and public-service deployers) are worth building into the product now rather than in eighteen months.

What about UK and Switzerland?

Outside the EU. The UK has its sectoral approach (Information Commissioner's Office, FCA, MHRA each interpret AI separately). Switzerland aligns with EU only via the Council of Europe Framework Convention on AI. If you sell into the EU from UK/CH, the AI Act applies to your product on the EU market.

What about the US?

Under the AI Act, an AI system "placed on the market" in the EU is in scope regardless of where you are headquartered. If you sell to a single EU customer, you are subject to the full Act. Deployers established in the EU that use your system also drag you into scope.

Related guides

This article reflects the EU AI Act as in force on May 10, 2026, including the May 7, 2026 Omnibus provisional political agreement. It is not legal advice. Consult a qualified EU lawyer for product-specific obligations.