What changed with the EU AI Act Digital Omnibus deal on May 7, 2026?

On May 7, 2026, the EU Parliament and Council reached provisional political agreement on the Digital Omnibus on AI. High-risk Annex III systems moved from August 2, 2026 to December 2, 2027. Annex I embedded AI moved to August 2, 2028. Watermarking obligations extended to December 2, 2026. A nudifier app prohibition added from December 2, 2026. August 2, 2026 remains the date for Article 50 transparency and GPAI fine enforcement.

What is the difference between a provider and deployer under the EU AI Act?

Providers develop AI systems and place them on the EU market under their own name. Deployers use AI systems in a professional capacity within the EU. If you build and sell an AI hiring tool, you are a provider. If you use a vendor's AI hiring tool to screen candidates, you are a deployer. Non-EU companies that import or distribute AI in the EU are treated as providers with corresponding obligations.

When must high-risk AI systems comply after the Omnibus delay?

Following the May 7, 2026 Digital Omnibus deal: standalone Annex III high-risk systems must comply by December 2, 2027. Annex I AI embedded in regulated products must comply by August 2, 2028. These are fixed dates under the Omnibus — not moveable backstops. The Omnibus must still receive formal adoption before August 2, 2026.

EU AI Act Enforcement 2026: The Post-Omnibus Guide

EU AI Act Enforcement

Sarah Mitchell

Sarah Mitchell leads AI coverage at Axis Intelligence. She holds a Stanford AI certification and has been covering artificial intelligence since 2019, when GPT-2 was still a curiosity. Sarah tests every AI tool she writes about — running the same prompts across platforms, timing responses, and comparing outputs side by side. She covers AI tools, LLM comparisons, AI for business, generative AI, and the intersection of AI with cybersecurity and healthcare.

Voice: Curious, analytical. Tests tools herself. Always compares with alternatives. Measured about hype — she’s seen enough AI winters to be cautiously optimistic.

The EU AI Act‘s August 2, 2026 enforcement date is real — but most compliance guides published before May 7, 2026 are now incorrect. On May 7, 2026, the European Parliament and Council reached provisional political agreement on the Digital Omnibus on AI, reshuffling the high-risk AI deadlines that the entire compliance industry had been targeting. High-risk Annex III systems no longer face an August 2026 deadline. But August 2, 2026 is not a non-event — specific obligations do take effect that day, and GPAI fine enforcement begins. This guide reflects the post-Omnibus reality. If your compliance plan was built on pre-May 2026 guidance, parts of it are wrong.

The Post-Omnibus Timeline: Every Date, Every Obligation

The Digital Omnibus deal of May 7, 2026 is provisional — formal adoption by the European Parliament and Council is expected before August 2, 2026, when it must publish in the Official Journal to take legal effect. If formal adoption fails before that date, the original AI Act text applies as written on August 2. Companies should plan for the post-Omnibus timeline while maintaining readiness for the original.

Date	Obligation	Status	Applies to
Aug 1, 2024	AI Act enters into force (Regulation (EU) 2024/1689)	In force	All
Feb 2, 2025	Article 5 prohibited practices ban; Article 4 AI literacy obligation	In force	All operators
Aug 2, 2025	GPAI model obligations: technical documentation, transparency, copyright compliance (Articles 51–56)	In force	GPAI providers
Aug 2, 2026	Article 50 transparency obligations; GPAI fine enforcement begins; AI literacy enforcement; national sandbox obligations	Confirmed — NOT delayed	All operators; GPAI providers
Dec 2, 2026	Article 50(2) watermarking / synthetic content labeling grace period ends; new nudifier prohibition	New date (Omnibus)	GenAI providers; image generators
Dec 2, 2027	High-risk Annex III standalone systems (was: Aug 2, 2026)	Delayed (Omnibus)	High-risk AI providers & deployers
Aug 2, 2027	Legacy GPAI models placed on market before Aug 2025 must be fully compliant	Unchanged	GPAI providers (legacy)
Aug 2, 2028	Annex I embedded AI in regulated products (medical devices, machinery, toys, lifts)	Delayed (Omnibus)	Product manufacturers
Dec 31, 2030	Large-scale IT systems in Annex X areas (freedom, security, justice)	Unchanged	Specific IT systems

Source: Regulation (EU) 2024/1689, Article 113; Digital Omnibus provisional agreement, May 7, 2026. Full timeline: EU AI Act Implementation Timeline.

What August 2, 2026 Actually Triggers (The Non-Delayed Obligations)

This is the section most compliance teams need to read. The Omnibus delayed the high-risk deadline — not everything. Three categories of obligation take effect on August 2, 2026 regardless of the Omnibus:

1. Article 50 Transparency Obligations

Article 50 requires disclosure when users interact with AI systems. From August 2, 2026:

Chatbots and conversational AI must inform users they are interacting with an AI system, unless this is obvious from context.
AI-generated or AI-manipulated content that depicts real persons must be labeled as artificially generated.
Emotion recognition and biometric categorization systems must inform exposed individuals of their operation.
Deep fake audio or video must be marked as artificially generated.

Exception: The Article 50(2) watermarking obligation — requiring technical marking of AI-generated synthetic media — carries a grace period to December 2, 2026 under the Omnibus deal for providers whose models were released before August 2, 2026.

According to Axis Intelligence’s reading of the Omnibus text, this creates a two-tier obligation at August 2026: disclosure is required from August 2, watermarking is required from December 2 for pre-existing models.

2. GPAI Fine Enforcement Begins

GPAI model obligations took effect August 2, 2025. But the enforcement mechanism — the EU AI Office’s power to impose fines on GPAI providers for noncompliance — activates on August 2, 2026. This means:

GPAI providers who have not produced required technical documentation (Article 53) are now subject to fines of up to €15 million or 3% of global annual turnover, whichever is higher.
GPAI providers with systemic risk models (compute threshold: 10²⁵ FLOPs training capacity) who have not conducted adversarial testing, logged serious incidents, or disclosed energy-efficiency data are subject to fines of up to €15 million or 3% of global annual turnover.
The EU AI Office has direct enforcement authority over GPAI providers — national authorities are not involved at this tier.

3. AI Literacy (Article 4)

Article 4 requires providers and deployers of AI systems to ensure that their personnel operating or using AI systems “have a sufficient level of AI literacy.” This obligation has been in force since February 2025, but enforcement infrastructure — national competent authorities with penalty frameworks — becomes operational by August 2026. Organizations that have not implemented AI literacy programs for AI-operating staff face regulatory exposure from this date.

What the Omnibus Changed: The High-Risk Delay Explained

The original AI Act required high-risk Annex III systems to meet full compliance requirements by August 2, 2026. The Omnibus moves that to December 2, 2027 for standalone systems — a 16-month extension.

The proximate cause was practical: by early 2026, neither harmonized technical standards nor the EU’s own compliance support tools (including the AI Act database and conformity assessment templates) were ready. Requiring compliance with a framework that lacked its own infrastructure was acknowledged, even by the European Commission, as unworkable.

What the Omnibus did not change:

The legal obligations themselves (unchanged; only the enforcement date moved)
The scope of who is covered (unchanged)
The fine structure (unchanged)
The requirement that companies begin compliance work now (no entitlement to wait until December 2027)

The DLA Piper analysis of the April 28 failed trilogue was explicit: organizations working toward August 2026 should continue doing so. The May 7 deal confirmed the extension but framed it as a fixed deadline, not a moveable backstop. According to Axis Intelligence’s reading of the political agreement, the December 2027 date is described by co-legislators as “fixed” specifically to prevent the same deadline ambiguity that plagued the original August 2026 date.

The Risk Tier Framework: Where Every AI System Sits

The EU AI Act classifies all AI systems into four tiers. The tier determines your obligations, your timeline, and your fine exposure.

Risk Tier	Definition	Enforcement Date	Maximum Fine
Unacceptable (Prohibited)	Practices banned outright under Article 5	Feb 2, 2025 (in force)	€35M or 7% of global turnover
High Risk — Annex III	Standalone AI in regulated domains (employment, credit, biometrics, etc.)	Dec 2, 2027 (post-Omnibus)	€15M or 3% of global turnover
High Risk — Annex I	AI embedded in regulated products (medical devices, machinery)	Aug 2, 2028 (post-Omnibus)	€15M or 3% of global turnover
Limited Risk	AI with transparency obligations (chatbots, deepfakes, emotion recognition)	Aug 2, 2026	€7.5M or 1.5% of global turnover
GPAI Models	Foundation models; systemic-risk models have additional obligations	Aug 2, 2025 (obligations); Aug 2, 2026 (fines)	€15M or 3% of global turnover
Minimal Risk	All other AI (spam filters, AI in video games, recommendation systems)	No mandatory requirements	N/A

Prohibited Practices: Already Enforceable Since February 2025

The following practices have been illegal since February 2, 2025. Any organization still deploying these systems is already in breach:

AI systems that deploy subliminal techniques to manipulate behavior in ways that cause harm
AI-based social scoring by public authorities
Real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow exceptions)
Biometric categorization systems that infer sensitive attributes (race, political opinion, religious beliefs, sexual orientation)
Emotion recognition in workplace or educational settings (with narrow exceptions)
AI systems that exploit vulnerabilities of specific groups (children, disabled persons, economically disadvantaged)
Scraping of facial images from the internet or CCTV to build facial recognition databases
New (post-Omnibus, from Dec 2, 2026): AI systems that generate sexual or intimate imagery without consent (nudifier apps); AI-generated child sexual abuse material

High-Risk Systems Under Annex III: The Eight Categories

Annex III defines the specific use cases classified as high-risk. These are the systems facing the December 2, 2027 compliance deadline:

Category	Examples
Biometric identification and categorization	Facial recognition for remote ID; emotion classification
Critical infrastructure	AI managing water, electricity, gas, traffic, digital infrastructure
Education and vocational training	Exam assessment AI; student admission tools; behavioral monitoring
Employment, workers management	CV screening; hiring AI; performance monitoring; task allocation
Essential private and public services	Credit scoring; insurance pricing; benefits eligibility assessment
Law enforcement	Predictive policing; lie detection; evidence reliability assessment
Migration, asylum, border control	Risk assessment for asylum; visa processing AI; border surveillance
Administration of justice	AI assisting judicial decisions; dispute resolution

Note: The Annex III list is not automatic. A provider can argue that their specific system — even if it falls within a listed category — does not pose a significant risk of harm and is therefore not high-risk. This requires documented justification that would survive regulatory scrutiny.

Who Is in Scope: Provider, Deployer, Importer, Distributor

The AI Act regulates based on functional role in the AI value chain, not company size or location. Getting this classification wrong is the most common compliance error.

Provider: Any entity that develops an AI system (or has one developed) and places it on the EU market or puts it into service in the EU under its own name or trademark. Includes companies outside the EU if they target EU users.

Deployer: Any natural or legal person who uses an AI system in a professional capacity within the EU. A company using a vendor’s AI hiring tool is a deployer.

Importer: A company in the EU that brings in an AI system from a non-EU provider.

Distributor: Any entity in the supply chain — other than the provider or importer — that makes an AI system available on the EU market.

Why this matters for non-EU companies: The Act’s extraterritorial reach mirrors GDPR Article 3. Any organization, regardless of headquarters location, must comply if its AI systems are used within the EU or produce outputs affecting EU residents. A U.S. company running AI-based loan approvals for European customers is a provider of a potential Annex III system — regardless of where its servers are located.

According to Axis Intelligence’s analysis of the provider/deployer split, the practical obligation distribution is:

If you build the AI and sell or license it: You are a provider. You own the technical documentation, conformity assessment, and registration obligations.
If you procure AI from a vendor and use it internally or for customers: You are a deployer. Your primary obligations are implementation of vendor instructions, human oversight, maintaining logs, and ensuring AI literacy among staff.
If you fine-tune or substantially modify a GPAI model from a provider: You may become a provider for the fine-tuned version, with provider-level obligations.

The contractual allocation of obligations between providers and deployers is the most active area of EU AI Act legal drafting in 2026.

GPAI Compliance: Foundation Models and the Code of Practice

General Purpose AI models — foundation models like GPT-4, Claude, Gemini, Llama, and Mistral — occupy a distinct regulatory category in the AI Act. GPAI obligations took effect August 2, 2025, and fine enforcement begins August 2, 2026.

GPAI Obligations That Are Already Active

All GPAI providers must (from August 2, 2025):

Maintain technical documentation per Annex XI of the Act
Publish a summary of training data — specifically copyright compliance policies and the EU copyright framework applicable to training datasets
Comply with EU copyright law (the DSM Directive) regarding training data
Implement a policy for complying with copyright and related rights
Make a publicly available summary of training content accessible

Systemic risk GPAI models — those trained with more than 10²⁵ FLOPs of compute — carry additional obligations:

Conduct adversarial testing, including red-teaming
Report serious incidents to the EU AI Office and national authorities
Ensure cybersecurity protections against unauthorized access
Disclose energy consumption data

The EU AI Office, established within the European Commission’s Directorate-General for Communications Networks, Content and Technology, has sole enforcement authority for GPAI rules. National authorities handle high-risk and limited-risk enforcement; the AI Office handles GPAI.

The GPAI Code of Practice

The EU AI Office published the GPAI Code of Practice in July 2025. Signing the Code creates a “presumption of conformity” — regulators will assume a GPAI provider complies with the Act’s requirements unless evidence suggests otherwise. It functions as the closest available safe harbor in the AI Act framework.

According to Axis Intelligence’s assessment of the Code’s practical impact, it is effectively mandatory for any GPAI provider with meaningful EU market exposure. The alternative — demonstrating conformity through other means — is theoretically available but provides no presumption of compliance and exposes providers to higher enforcement risk.

The Fine Structure: What Non-Compliance Costs

The AI Act’s penalty regime exceeds GDPR in its highest tier. The structure is:

Infringement	Maximum Fine	Turnover Alternative
Prohibited AI practices (Article 5)	€35 million	7% of total worldwide annual turnover — whichever is higher
High-risk AI noncompliance; GPAI noncompliance	€15 million	3% of total worldwide annual turnover
Providing incorrect or misleading information to authorities	€7.5 million	1.5% of total worldwide annual turnover

For context, 7% of global 2024 revenue would represent:

Meta: approximately €7.8 billion ($8.5 billion)
Google/Alphabet: approximately €12.8 billion ($14 billion)
Microsoft: approximately €14.7 billion ($16 billion)

SME provisions: For small and medium enterprises and startups, the fine is capped at the lower of the fixed amount or the turnover percentage. A startup with €500,000 in annual revenue faces a maximum Tier 1 fine of €35,000 (7% of €500K), not €35 million. The proportionality provision is real, but material even at the reduced scale for early-stage companies.

Fine stacking: The AI Act’s Article 99(8) prohibits double jeopardy for the same factual violation — when an infringement also violates GDPR or DORA, only the higher applicable fine applies. However, distinct violations can be penalized separately. An AI system that violates both AI Act data governance requirements and GDPR data protection rules generates exposure under both regimes for the respective violations.

Enforcement structure: National market surveillance authorities handle most AI Act enforcement (high-risk systems, limited-risk transparency, prohibited practices). The EU AI Office enforces GPAI rules directly. Financial sector entities may face joint enforcement from national financial supervisors alongside market surveillance authorities.

According to Axis Intelligence’s monitoring of national implementation, Italy enacted national AI legislation in October 2025 (Law No. 132/2025) with fines up to €774,685 — significantly below the EU-level ceiling. Other member states are at various stages of designation of national competent authorities. The enforcement landscape will be uneven across the EU in 2026–2027.

The Compliance Readiness Gap

The gap between where organizations need to be and where they are is documented. A Deloitte survey found 53.8% of German enterprises — Europe’s largest economy and a bellwether for industrial AI deployment — had implemented zero concrete AI Act compliance measures as of early 2026. Secure Privacy’s organizational analysis found that over half of organizations across sectors lack systematic AI inventories.

According to Axis Intelligence’s synthesis of readiness data, the compliance gap breaks down structurally across three failure modes:

Inventory blindness: Most organizations don’t have a complete catalog of AI systems in production. Without inventory, classification is impossible. Without classification, the rest of the compliance program cannot be built.

GPAI misclassification: Many companies using foundation models via API (OpenAI, Anthropic, Google, etc.) treat themselves as outside the GPAI framework. This is often incorrect. When a company fine-tunes a model or builds an application substantially dependent on a GPAI model’s outputs, the compliance boundary between “using a vendor’s AI” and “being a provider of an AI system” requires legal analysis, not assumption.

Documentation debt: Technical documentation, risk management systems, conformity assessment records, and audit logs required for high-risk systems take months to build correctly. Organizations treating December 2027 as the starting gun — rather than the finish line — will miss the deadline.

The 6-Step Compliance Roadmap

The following sequence reflects Axis Intelligence’s synthesis of the AI Act’s compliance architecture across Regulation (EU) 2024/1689, the GPAI Code of Practice, and the post-Omnibus enforcement framework.

Step 1: Build the AI Inventory (Weeks 1–4)

Create a complete registry of every AI system your organization uses or deploys professionally. For each system, document:

Name and vendor (if procured) or internal designation
Functional description and intended purpose
Data inputs and outputs
Who in the organization interacts with the system
Who is affected by the system’s outputs
Current governance status

This inventory is the foundation of every subsequent compliance step. Without it, you cannot classify, prioritize, or document. The inventory must be maintained as a living document — systems are added, modified, and retired continuously.

Step 2: Risk Classification (Weeks 3–6)

Map each inventoried system against the AI Act’s four risk tiers. The classification hierarchy is:

Is the practice prohibited under Article 5? If yes: cease immediately.
Is the system listed in Annex III or serves as a safety component for an Annex I product? If yes: high-risk — begin documentation.
Does the system require transparency disclosures under Article 50? If yes: limited-risk — implement disclosures.
None of the above: minimal risk — no mandatory requirements.

Document the classification rationale. If you determine a system that appears to fall under Annex III is not actually high-risk (because it does not pose a significant risk of harm in context), that determination must be documented and defensible. Regulators will scrutinize it.

Step 3: Eliminate Prohibited Practices (Immediate)

Any system deploying prohibited practices under Article 5 must be discontinued. These prohibitions have been in force since February 2, 2025. If your organization is running social scoring, real-time biometric surveillance in public spaces, or emotion recognition in workplace settings without a lawful basis, the exposure is current — not future.

Document the cessation, the date, and the affected individuals where appropriate.

Step 4: GPAI Compliance (Immediate — Fine Enforcement August 2, 2026)

If your organization is a GPAI provider — developing and distributing foundation models — the technical documentation and copyright compliance obligations have been active since August 2025. Fine enforcement begins August 2, 2026. The required actions:

Confirm whether the Code of Practice has been signed (presumption of conformity benefit)
Verify technical documentation per Annex XI is complete and current
Confirm training data copyright compliance policy is published
If systemic risk threshold applies: verify adversarial testing is documented, incident reporting procedures are operational, and energy disclosure is prepared

Step 5: High-Risk AI Program (Targeting December 2027)

For Annex III systems, the compliance program requires:

Risk management system (Article 9): A documented, iterative process for identifying, analyzing, and mitigating risks throughout the AI system’s lifecycle.

Data governance (Article 10): Data quality criteria, documented examination for biases, identification of data gaps, and privacy-by-design implementation.

Technical documentation (Article 11 + Annex IV): A comprehensive file covering the system’s purpose, design, architecture, training methodology, performance metrics, and limitations.

Automatic logging (Article 12): Event logs automatically generated during system operation, retained for audit purposes.

Transparency to deployers (Article 13): Instructions for use, risk disclosure, performance characteristics, and human oversight measures documented for downstream deployers.

Human oversight (Article 14): Technical and organizational measures ensuring qualified humans can monitor, intervene, override, and shut down the system.

Accuracy, robustness, and cybersecurity (Article 15): Performance benchmarking, resilience against adversarial manipulation, and cybersecurity controls documented and tested.

Conformity assessment: For most Annex III systems, self-assessment (internal control) per Annex VI is sufficient. Third-party assessment is required only for biometric systems and AI assisting law enforcement or judicial decisions.

EU AI Act database registration: High-risk systems must be registered in the European Commission’s public AI database before being placed on the market.

Step 6: Article 50 Transparency (Immediate — August 2, 2026)

If your organization operates chatbots, conversational interfaces, deepfake tools, emotion recognition systems, or AI that generates or manipulates content depicting real persons, August 2, 2026 is your deadline — the Omnibus did not delay Article 50.

Required actions before August 2:

Implement disclosure when users interact with a chatbot or AI conversational system
Label AI-generated images, video, or audio depicting real persons
Inform individuals subject to emotion recognition or biometric categorization
If releasing a GenAI model for the first time after August 2, 2026: implement watermarking from day one (no grace period for new releases)

The Non-EU Company Problem: Extraterritorial Scope

The AI Act applies to any organization whose AI systems are used in the EU or produce outputs affecting EU residents — regardless of where the company is headquartered. This extraterritorial reach mirrors GDPR Article 3.

The practical test from Article 2(1): if your AI system is placed on the EU market, put into service in the EU, or produces outputs used within the EU, you are in scope.

Specific scenarios that bring non-EU companies into scope:

A U.S. SaaS company using AI-based credit scoring for European customers is a provider of a potential Annex III system
A Canadian logistics company using AI for workforce scheduling in its EU operations is a deployer of a potential Annex III system
Any company worldwide providing GPAI models accessible to EU users is a GPAI provider
A non-EU company using an AI hiring tool from a U.S. vendor to screen candidates for EU positions is a deployer subject to Article 26 obligations

The enforcement question — how effectively the EU can impose fines on non-EU entities — remains open, as it has been for GDPR since 2018. According to Axis Intelligence’s assessment, enforcement will concentrate initially on EU-established entities and EU subsidiaries of non-EU companies, then expand via market access mechanisms (withdrawal of CE marking, prohibition on EU distribution) for non-EU providers who ignore notices.

The strategic implication: non-EU companies with significant EU revenue exposure should treat AI Act compliance as a market access requirement, not merely a legal risk management exercise.

Frequently Asked Questions

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive legal framework for artificial intelligence, entering into force August 1, 2024. It classifies AI systems by risk tier, imposes obligations on providers and deployers commensurate with risk level, and establishes a penalty regime with fines reaching €35 million or 7% of global annual turnover for the most serious violations.

What changed on May 7, 2026 with the Digital Omnibus deal?

On May 7, 2026, the EU Parliament and Council reached provisional political agreement on the Digital Omnibus on AI. High-risk Annex III standalone systems now face a December 2, 2027 deadline (moved from August 2, 2026). AI embedded in regulated Annex I products faces August 2, 2028 (moved from August 2, 2027). Watermarking obligations get a grace period to December 2, 2026. A new prohibition on nudifier apps applies from December 2, 2026. The Omnibus is still subject to formal adoption before August 2, 2026.

What actually takes effect on August 2, 2026?

Three categories are confirmed and not delayed: Article 50 transparency obligations (chatbot disclosures, deepfake labeling, emotion recognition disclosure); GPAI fine enforcement (the EU AI Office can now impose fines for GPAI noncompliance that has existed since August 2025); and AI literacy enforcement infrastructure becoming operational across member states.

Does the EU AI Act apply to companies outside the EU?

Yes. The Act has extraterritorial scope comparable to GDPR. Any organization whose AI systems are used within the EU or produce outputs affecting EU residents is in scope — regardless of where the company is headquartered. Non-EU companies that build, import, or distribute AI systems in the EU market are subject to the Act’s full obligations.

What is a high-risk AI system under the EU AI Act?

High-risk AI systems fall into two categories. Annex I covers AI used as safety components in regulated products (medical devices, machinery, toys). Annex III covers eight standalone use case categories: biometric identification, critical infrastructure, education, employment, essential services (credit, insurance), law enforcement, migration and border control, and administration of justice.

What are the fines for violating the EU AI Act?

Prohibited AI practices: up to €35 million or 7% of global annual turnover. High-risk or GPAI noncompliance: up to €15 million or 3%. Misleading information to authorities: up to €7.5 million or 1.5%. SMEs and startups face proportionate, reduced caps. For large technology companies, 7% of global revenue represents potential fines in the billions of euros.

What is the GPAI Code of Practice and is it mandatory?

The EU AI Office published the GPAI Code of Practice in July 2025. It is technically voluntary, but signing creates a “presumption of conformity” — regulators assume compliance unless evidence suggests otherwise. For any GPAI provider with EU market exposure, it functions as the closest available safe harbor.

Can a company claim an Annex III system is not actually high-risk?

Yes. Providers can document that an AI system — even one falling within an Annex III category — does not pose a significant risk of harm in its specific deployment context, and therefore is not high-risk. This “self-derogation” must be documented, must be based on substantive analysis, and must be defensible before a market surveillance authority. It is not a blanket opt-out.

What is the first step toward EU AI Act compliance?

Build a complete AI inventory — a registry of every AI system your organization uses or deploys professionally. Without knowing what AI systems exist in your organization, classification is impossible. Most organizations that are behind on compliance trace the failure back to not having a comprehensive inventory.

The two frameworks are distinct but overlapping wherever AI systems process personal data. The AI Act does not replace GDPR; both apply where AI processes personal data. Impact assessments can be unified where both regimes require them. The Article 99(8) anti-double-jeopardy provision means that for the same factual violation, the higher of the two applicable fines applies — not both stacked. Organizations should operate integrated AI governance and data protection programs rather than siloed compliance efforts.

What is the EU AI Office?

The EU AI Office is established within the European Commission. It has direct enforcement authority over GPAI model providers, oversees the GPAI Code of Practice, and coordinates the European Artificial Intelligence Board (composed of national authority representatives). It is the central coordinating body for AI Act implementation at EU level, while national market surveillance authorities enforce obligations on providers and deployers of non-GPAI systems.

When must existing AI systems (legacy systems) comply?

AI systems placed on the market or put into service before August 2, 2026 generally benefit from transitional arrangements. For Annex III systems, the December 2, 2027 deadline applies to all systems — including those already in operation. Legacy GPAI models placed on market before August 2025 must achieve full compliance by August 2, 2027. There is no permanent grandfather clause.

Sources and Methodology

This guide is based exclusively on the following primary and institutional sources:

Regulation (EU) 2024/1689 — The EU AI Act, Official Journal of the European Union. EUR-Lex.
Digital Omnibus on AI — Provisional Agreement, May 7, 2026 — European Parliament legislative process documentation.
EU AI Act Implementation Timeline — Future of Life Institute tracker, updated with official EU publications.
European AI Office — European Commission, DG CNECT.
DLA Piper legal analysis of Digital Omnibus, April–May 2026.
Travers Smith briefing on May 7 provisional agreement.
Deloitte survey data on enterprise compliance readiness (Q1 2026).

Where Axis Intelligence has performed cross-source analysis, synthesized obligations, or produced original compliance frameworks, this is labeled explicitly in the text.

Last updated: May 20, 2026. The Digital Omnibus provisional agreement must still receive formal adoption. This article will be updated upon publication in the EU Official Journal.

Sarah Mitchell is the AI and machine learning editor at Axis Intelligence. She covers AI regulation, foundation model developments, enterprise AI tools, and LLM benchmarking.