LI Solutions

The EU AI Act delay is real. Your chatbot still has an August 2 deadline.

The EU AI Act delay is real. Your chatbot still has an August 2 deadline.

Key takeaways

The delay is real, but it's probably not for you

The May 7 agreement pushes standalone high-risk systems to December 2, 2027 and AI inside regulated products to August 2, 2028. The transparency rules were never part of the deal and still apply from August 2, 2026.

Chatbots must disclose themselves from August 2

If users could reasonably think they're talking to a human, the product has to tell them it's AI. Fines for transparency violations reach 15 million euros or 3% of worldwide turnover.

The watermarking grace period is four months, not a delay

Generative systems already on the EU market before August 2 get until December 2, 2026 to mark their output as AI-generated. Anything launched after August 2 complies from day one.

GDPR doesn't wait for the AI Act

European data protection authorities are already fining AI products under existing data rules. The delay changes none of that, and enterprise buyers are asking for AI classification memos now.

For two years, August 2, 2026 was the date every AI Act explainer circled in red. That was when the heavy machinery arrived: high-risk obligations, conformity assessments, the technical documentation nobody wanted to write. Then, on May 7, EU lawmakers agreed to push most of it back.

The relief headlines wrote themselves, and most founders skimmed them and moved on. Understandable. Also a mistake, because the piece of the Act that actually touches a typical software product didn't move to 2027. Most of it still lands on August 2, four weeks from now.

What got delayed, what didn't, and what's worth doing about it this month.

What actually moved

The May 7 agreement, formally part of the Digital Omnibus, the EU's attempt to simplify its own digital rulebook, rewrites the AI Act's calendar in three places.

  • Standalone high-risk systems (Annex III): recruitment and performance evaluation, credit scoring, insurance risk pricing, biometrics, critical infrastructure. Was August 2, 2026. Now December 2, 2027.
  • AI inside regulated products (Annex I): medical devices, toys, lifts, vehicles. Now August 2, 2028. The definition of "safety component" was narrowed too, so an AI feature that merely assists the user or optimizes performance, without creating a health or safety risk, no longer drags the whole product into high-risk territory.
  • National regulatory sandboxes: member states now have until August 2, 2027 to stand them up.

There's also a grandfathering rule with real money in it: systems already on the EU market before those dates stay out of the high-risk regime entirely unless you substantially modify them later. And the SME simplifications, lighter documentation and proportionate fines among them, now extend to companies with up to 750 employees and 150 million euros in revenue. That covers nearly every company we work with.

So if your roadmap includes AI-assisted hiring, credit decisions, or a diagnostic feature inside a medical device, you just got 16 to 24 extra months. That part of the relief is real.

What still lands on August 2

Article 50, the transparency rules. They were never part of the delay negotiation, and they happen to cover the AI features most products actually ship. Three obligations, in plain terms:

  • If people interact with an AI system, they have to know. A support bot, a booking assistant, a sales agent on WhatsApp: if a reasonable user might think they're talking to a human, the product has to say otherwise.
  • If your product generates or manipulates content, whether text, images, audio or video, the output has to be marked as AI-generated in a machine-readable way. This is the watermarking requirement.
  • Emotion recognition and biometric categorization systems must disclose themselves to the people they're pointed at.

The one concession: generative systems already on the market before August 2 get until December 2, 2026 to sort out watermarking. Anything launched after August 2 complies from day one. That's a four-month grace period, not a delay.

Penalties for Article 50 violations run to 15 million euros or 3% of worldwide turnover, whichever is higher. Not the headline 35 million; that tier is reserved for prohibited practices, which have been live since February 2025 and expand in December to cover nudification apps and AI-generated CSAM. But 3% of turnover for not labeling a chatbot is an expensive way to save one line of UI copy.

The Commission has also published draft guidelines and a Code of Practice on how to implement the transparency rules in practice. Final versions are expected within weeks and are unlikely to diverge much from the drafts.

Where that leaves a typical product

Almost nobody's product is "an AI system" in the abstract, so a quick mapping:

  • Support or booking chatbot: disclosure obligation, August 2. Usually one honest sentence in the interface. The cheapest compliance you'll do all year.
  • AI-generated content in the product: a listing-description writer, an image generator, marketing copy tools. Machine-readable marking, with the December 2 date if you shipped before August 2. Watch the final Code of Practice for what counts as compliant marking.
  • Recruitment, scoring, insurance features: December 2027. But the harmonized standards you'd build against may not be final until close to that date, which is exactly what happened with the original deadline. The teams that wait for the standards will be building against a clock again.
  • Health products: if the AI sits inside a regulated device, the AI Act now waits until 2028. MDR and FDA rules haven't gone anywhere in the meantime, and they remain the binding constraint.

And one thing the delay does not pause: GDPR. European data protection authorities have already fined AI products and blocked specific uses of models. Data minimization, purpose limitation, and transparency about automated decisions apply today, at full strength, to the same features that just got their AI Act deadline moved. A delayed Act is not a regulatory vacuum.

What's worth doing in July

Not a compliance program. Four afternoons of work:

  1. Inventory your AI features against the Act's four buckets: prohibited, high-risk, transparency-only, minimal. For most products the honest answer is one or two transparency items and nothing else. Write it down. A one-page classification memo is the first thing a regulator, or an enterprise customer's procurement team, asks for.
  2. Ship the chatbot disclosure. One sentence in the UI, done before August 2.
  3. If you generate content, pick a marking approach now and follow the draft Code of Practice. Retrofitting metadata across months of stored output in November will hurt considerably more.
  4. Check whether the extended mid-cap relief covers you. Under 750 employees and 150 million euros in revenue, it probably does, and it changes both your documentation burden and your fine exposure.

One caveat: the May 7 deal is a political agreement, not law yet. Parliament and Council are expected to adopt it formally by the end of July, just ahead of the old deadline. The dates are considered settled; the fine print isn't. Whether the general AI literacy duty survives, for instance, is still open. Build against the dates above, and have someone reread the final text when it lands in the Official Journal.

Frequently asked questions

Does the AI Act apply to companies outside the EU?

Yes. Like GDPR and the Cyber Resilience Act, the AI Act follows the product into the market, not the company. If your AI feature is available to users in the EU, you carry the obligations regardless of where you're incorporated. A US startup with EU customers is in scope.

What exactly applies on August 2, 2026?

Article 50, the transparency rules: people interacting with an AI system must be told it's AI, AI-generated or manipulated content must be marked in a machine-readable way, and emotion recognition or biometric categorization systems must disclose themselves. Generative systems already on the market before that date get until December 2, 2026 for the content-marking part. The high-risk obligations moved to December 2027 (standalone) and August 2028 (inside regulated products).

We build on OpenAI or Anthropic APIs. Are these obligations ours or theirs?

Both, at different layers. The model providers carry the general-purpose AI obligations, which have applied since August 2025. But the company that puts the product in front of users carries the product-level duties. If your app presents a chatbot, the disclosure is yours. If your product generates content under your brand, the marking duty is effectively yours too, even though the model underneath is rented.

Is the delay actually final?

Not quite. May 7 was a political agreement between the EU institutions, and formal adoption by Parliament and Council is expected by the end of July 2026, just ahead of the old deadline. The dates are considered settled, but the final text hasn't been published, and some details, like whether the AI literacy duty survives, are still open.