Regulation

EU AI Act 2026: What the Regulatory Timeline Means for Businesses

From 2 August 2026, the EU AI Act's transparency obligations apply across the EU, while the Digital Omnibus has pushed the high-risk obligations back to December 2027.

Regulierung: EU AI Act 2026: Was der Regulierungsfahrplan für Unternehmen bedeutet
KI-generiert (gpt-image-2)

The EU AI Act 2026 marks the next major wave of application of the European AI regulation: since 2 August 2026, the transparency obligations of Art. 50 of Regulation (EU) 2024/1689 have applied across the EU – including the labelling requirement for chatbots and AI-generated content. The EU AI Act is the world's first comprehensive legal regulation governing artificial intelligence in the European Union; it entered into force on 1 August 2024 and, under Art. 113 of the Regulation, applies in stages through 2027. For businesses, this means: some obligations are already in effect, while another set – the obligations for high-risk AI systems – has been postponed to December 2027 by the Omnibus amendment adopted in summer 2026.

  • Transparency obligations (Art. 50: chatbot labelling, AI content labelling): applicable EU-wide since 2 August 2026 (Art. 113 EU AI Act).
  • Prohibited AI practices (Art. 5) and the AI literacy obligation (Art. 4): already in force since 2 February 2025 (Art. 113(a)).
  • Obligations for GPAI models (Chapter V, including Art. 53): applicable since 2 August 2025 (Art. 113(b)).
  • Obligations for standalone high-risk AI systems (Annex III): postponed from 2 August 2026 to 2 December 2027 by the 'Digital Omnibus on AI' (European Commission, as of 7 July 2026).
  • Fines for violations of prohibitions: up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher (Art. 99(3) EU AI Act).

Which deadlines apply to the EU AI Act in 2026 – and what did the Digital Omnibus change?

Under Art. 113 of the Regulation, most of the EU AI Act applies from 2 August 2026, including the transparency obligations of Art. 50 – originally, the obligations for standalone high-risk AI systems under Annex III were also meant to take effect on the same date. Art. 113 of the Regulation text sets out a three-tier timeline: 'It shall apply from 2 August 2026. However: (a) Chapters I and II shall apply from 2 February 2025; (b) Chapter III Section 4, Chapter V, Chapter VII and Chapter XII and Article 78 shall apply from 2 August 2025, with the exception of Article 101; (c) Article 6(1) and the corresponding obligations in this Regulation shall apply from 2 August 2027' (EUR-Lex, Official Journal L, 12 July 2024). In spring and early summer 2026, however, the Council and the European Parliament changed this timeline for the high-risk obligations: Parliament approved the so-called 'Digital Omnibus on AI' amendment on 16 June 2026 by 423 votes to 57, with 174 abstentions; the Council gave its final green light on 29 June 2026. The European Commission summarises the consequence as follows: 'Rules for systems used in certain high-risk areas — including biometrics, critical infrastructure, education, employment, migration, asylum and border control — will apply from 2 December 2027' and 'For systems integrated into products such as lifts or toys, the rules will apply from 2 August 2028' (digital-strategy.ec.europa.eu, as of 7 July 2026). The transparency obligations of Art. 50 are unaffected by this postponement and remain in effect from 2 August 2026.

Date What applies from this date Legal basis
1 August 2024 EU AI Act enters into force (20 days after publication in the Official Journal on 12 July 2024) Art. 113, sentence 1, EU AI Act
2 February 2025 Prohibited AI practices (Art. 5) and the AI literacy obligation (Art. 4) become applicable Art. 113(a) EU AI Act
2 August 2025 Obligations for GPAI models, governance and fine provisions (except Art. 101) become applicable Art. 113(b) EU AI Act
2 August 2026 Most of the Regulation applies EU-wide, including transparency obligations for chatbots/AI content (Art. 50) Art. 113, sentence 2, EU AI Act
2 December 2027 Obligations for standalone high-risk AI systems under Annex III (instead of originally 2 Aug 2026/2 Aug 2027) European Commission on the 'Digital Omnibus on AI', as of 7 July 2026
2 August 2028 Obligations for high-risk AI as a safety component in products under Annex I (instead of originally 2 Aug 2027) European Commission on the 'Digital Omnibus on AI', as of 7 July 2026

From when must businesses label chatbots and AI-generated content?

Since 2 August 2026, the transparency obligations of Art. 50 of the EU AI Act (Regulation (EU) 2024/1689) have applied: providers must disclose when users are interacting with an AI system and must mark AI-generated audio, image, video or text content as such in a machine-readable format (Art. 113 in conjunction with Art. 50 EU AI Act, EUR-Lex, Official Journal, 12 July 2024).

What risk classes does the EU AI Act distinguish?

The EU AI Act assigns AI systems to four risk classes, each triggering different obligations: prohibited practices, high-risk systems, systems subject to transparency obligations, and minimal-risk systems. The European Commission describes the principle as follows: 'The AI Act defines 4 levels of risk for AI systems' (digital-strategy.ec.europa.eu, as of 7 July 2026). According to the text of the Regulation, prohibited practices under Art. 5 include, among others, systems that deploy 'subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques' for behavioural manipulation, social scoring systems, and the 'untargeted scraping of facial images from the internet or CCTV footage' to build facial recognition databases (EUR-Lex, Official Journal, 12 July 2024). High-risk systems are exhaustively listed in eight areas under Art. 6(2) in conjunction with Annex III (EUR-Lex, Official Journal, 12 July 2024) — details in the table.

Risk class Examples Key obligations
Prohibited (Art. 5) Social scoring, manipulative systems, untargeted scraping of facial images for databases, real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement) Use prohibited; violations fined up to EUR 35 million or 7% of annual turnover (Art. 99(3))
High-risk (Art. 6 + Annex III) Biometrics, critical infrastructure, education, employee recruitment/management, creditworthiness assessment, law enforcement, migration/asylum, justice Conformity assessment, CE marking, risk management, registration (providers, Art. 16); human oversight, logging, informing affected persons (deployers, Art. 26)
Limited risk / transparency (Art. 50) Chatbots, deepfakes, AI-generated text/images/videos, emotion recognition, biometric categorisation Disclosure of AI interaction, machine-readable labelling of AI content, informing affected persons in the case of emotion recognition
Minimal Spam filters, AI-powered recommendation systems, most video game AI No mandatory requirements; voluntary codes of conduct possible (Art. 95)

What must providers do, and what must deployers do?

The EU AI Act distinguishes between obligations for providers and deployers: under Art. 3(3) of the Regulation, providers ('provider') are those who develop an AI system or have one developed and place it on the market under their own name, while under Art. 3(4), deployers ('deployer') are those who use an AI system 'under its own authority' – excluding purely private, non-professional use (EUR-Lex, Official Journal, 12 July 2024). For high-risk systems, Art. 16 governs provider obligations and Art. 26 governs deployer obligations.

  • Providers (Art. 16): carry out a conformity assessment procedure, issue an EU declaration of conformity, affix the CE marking, maintain a quality management system and documentation, register the system in the EU database.
  • Deployers (Art. 26): ensure human oversight by trained personnel, use the system in accordance with the instructions for use, retain automatically generated logs for at least six months, inform employees and their representatives before deployment in the workplace.

What applies to GPAI models such as large language models?

Since 2 August 2025, providers of general-purpose AI (GPAI) models have been subject to their own obligations under Chapter V of the Regulation, regardless of the risk class of individual applications. Art. 53(1) requires GPAI providers, among other things, to draw up and keep up to date 'technical documentation of the model, including its training and testing process and the results of its evaluation', to provide downstream providers with information for integration, to establish a copyright compliance policy, and to publish 'a sufficiently detailed summary about the content used for training' (EUR-Lex, Official Journal, 12 July 2024). Additional obligations apply to GPAI models with 'systemic risk': under Art. 51(2), a model is presumed to have high impact capabilities 'when the cumulative amount of computation used for its training measured in floating point operations is greater than 10^25' – above this compute threshold, Art. 55 imposes additional obligations such as standardised model evaluation, adversarial testing, incident reporting to the AI Office, and enhanced cybersecurity requirements (EUR-Lex, Official Journal, 12 July 2024).

What is a GPAI model with systemic risk under the EU AI Act?

Under Art. 51(2) of the EU AI Act, a general-purpose AI (GPAI) model is presumed to carry systemic risk if the cumulative computation used for its training exceeds 10^25 floating point operations. Since 2 August 2025, such models have been subject to additional obligations, including model evaluation, adversarial testing and cybersecurity measures (Art. 55 EU AI Act, EUR-Lex, Official Journal, 12 July 2024).

What fines can result from violations of the EU AI Act?

Art. 99 of the EU AI Act establishes a three-tier fine system based on the severity of the violation. For violations of the prohibited practices under Art. 5, Art. 99(3) provides for fines 'of up to EUR 35 000 000 or, if the offender is an undertaking, up to 7% of its total worldwide annual turnover for the preceding financial year, whichever is higher'. For violations of other obligations – such as provider obligations under Art. 16, deployer obligations under Art. 26, or the transparency obligations under Art. 50 – Art. 99(4) provides for fines of up to EUR 15 million or 3% of worldwide annual turnover. Supplying incorrect, incomplete or misleading information to authorities is punishable under Art. 99(5) with fines of up to EUR 7.5 million or 1% of annual turnover. For SMEs and start-ups, Art. 99(6) provides that the lower of the two amounts applies in each case (EUR-Lex, Official Journal, 12 July 2024).

What happens if a company violates the EU AI Act?

The EU AI Act tiers fines by severity: violations of prohibited practices (Art. 5) cost up to EUR 35 million or 7% of worldwide annual turnover; violations of other obligations, such as transparency or deployer obligations, up to EUR 15 million or 3%; providing false information to authorities up to EUR 7.5 million or 1% (Art. 99 EU AI Act, EUR-Lex, Official Journal, 12 July 2024).

Conclusion: How businesses should approach the EU AI Act in 2026

For businesses, one date is binding above all in 2026: 2 August 2026, from which the transparency obligations of Art. 50 take effect across the EU – independent of the 'Digital Omnibus on AI', which has postponed only the high-risk obligations under Annex III to 2 December 2027 and product-integrated high-risk AI under Annex I to 2 August 2028 (European Commission, digital-strategy.ec.europa.eu, as of 7 July 2026). Anyone who develops or deploys AI systems should therefore first clarify their own role as provider or deployer, as well as the risk class of the systems used, based on Art. 5, Art. 6 and Annex III. This classification does not replace individual legal advice; for a legally sound assessment of their own systems, businesses are advised to review the current text of the Regulation as published in the Official Journal.

Sources

  1. Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) · 2024-07-12
  2. AI Act | Shaping Europe's digital future (Anwendungs-Zeitplan, Risikoklassen, Digital Omnibus) · 2026-07-07
  3. European Artificial Intelligence Act comes into force · 2024-08-01
  4. Legislative Train Schedule: Digital Omnibus on AI · 2026-07-11
  5. EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes · 2026-05-27

Last updated:

Related stories