EU AI Act: the 2 August 2026 deadline is being postponed to December 2027
What changes, what already applies, and what it means for healthcare, finance and SMEs across the EU/UK?
On 16 June 2026 the European Parliament adopted the Digital Omnibus on AI (423 in favour, 57 against, 174 abstentions). The Council still has to formally adopt the text (expected late June), after which publication in the Official Journal follows. Until that publication the postponement is not legally binding and 2 August 2026 remains the formally applicable date — count on the new dates, but be prepared.
Is the EU AI Act deadline of 2 August 2026 going ahead?
No — not for the heaviest obligations. With the Digital Omnibus on AI, the European Council and Parliament have agreed to postpone the high-risk obligations: stand-alone systems (Annex III) from 2 August 2026 to 2 December 2027, and systems embedded in products (Annex I) from 2 August 2027 to 2 August 2028. One important nuance: as long as that amendment is not published in the EU Official Journal, 2 August 2026 remains the formally applicable date. And a number of obligations do not change — those have applied since 2025.
What happened
The roll-out of the high-risk rules was visibly behind schedule at the end of 2025; standards and guidance were not ready. In response, the European Commission tabled the Digital Omnibus on AI on 19 November 2025. The sequence since:
- 26 March 2026 — the European Parliament adopts its negotiating position (569 in favour, 45 against, 23 abstentions).
- 7 May 2026 — Council and Parliament reach a provisional political agreement; member states (Coreper) confirm on 13 May.
- 2 June 2026 — the IMCO and LIBE committees give the green light.
- 16 June 2026 — Parliament adopts the final text: 423 in favour, 57 against, 174 abstentions.
- Next — formal adoption by the Council (expected late June), publication in the Official Journal, entry into force three days later. The legislators want this done before 2 August 2026.
Practical consequence: until the amendment is published in the Official Journal, the original date remains the legally applicable one. Prepare as if both scenarios could happen, but count on the new dates.
What is being postponed (and what is added)
| Obligation | Old date | New date |
|---|---|---|
| High-risk — Annex III (biometrics, critical infrastructure, education, work/HR, essential services, law enforcement, migration, justice) | 2 Aug 2026 | 2 Dec 2027 |
| High-risk — embedded in regulated products (Annex I, e.g. medical devices, machinery) | 2 Aug 2027 | 2 Aug 2028 |
| Watermarking of synthetic/AI content (Art. 50(2)) | 2 Aug 2026 | 2 Dec 2026 |
| National AI sandbox (Art. 57) | 2 Aug 2026 | 2 Aug 2027 |
| New ban: AI 'nudify'/non-consensual imagery + CSAM (Art. 5) | — | 2 Dec 2026 |
Note: the package is not pure deregulation. A new ban is added to Article 5 — on AI that generates non-consensual intimate imagery ('nudify') or child sexual abuse material.
What does NOT change — and this is often missed
These obligations already applied and remain in force:
- Prohibited AI practices (Art. 5) — in force since 2 February 2025. Think of certain forms of social scoring, untargeted scraping of facial images, emotion recognition in the workplace.
- AI-literacy obligation (Art. 4) — since 2 February 2025. Anyone who has staff working with AI must ensure they have sufficient AI knowledge.
- GPAI models (general-purpose AI) — obligations since 2 August 2025.
- General transparency (Art. 50) — stays 2 August 2026 (only the watermarking sub-obligation moves to December 2026).
- Enforcement and penalty regime — national authorities get their enforcement teeth from 2 August 2026, including for the prohibited practices that have applied since 2025.
In other words: the postponement affects the high-risk build burden, not the basic rules. Those are here now.
The fines (unchanged)
The penalty regime (Art. 99) stays as it is:
- Prohibited practices: up to €35 million or 7% of worldwide annual turnover — whichever is higher.
- Other obligations, including high-risk: up to €15 million or 3%.
- Incorrect/misleading information to authorities: up to €7.5 million or 1%.
- For SMEs and start-ups, the lower of the two amounts always applies.
What it means for healthcare
Clinical AI usually becomes high-risk via the medical-device route (Art. 6(1)), not via the use-case list. According to the official guidance MDCG 2025-6, an AI device is high-risk if two conditions are met together: (1) it is itself a medical device or a safety component of one, and (2) it requires a conformity assessment by a notified body under the MDR/IVDR.
- In practice almost all clinically meaningful AI software falls under MDR class IIa or higher (Rule 11) or IVDR class B+ — so high-risk. Examples: clinical decision support (CDSS), image/ECG/pathology analysis, treatment recommendation, early-warning scoring.
- In-house exception: devices built and used within a single healthcare institution (Art. 5(5) MDR/IVDR) are not high-risk AI — relevant for academic hospitals building their own models. But the Art. 5 ban, Art. 50 transparency and GDPR still apply.
- Emergency triage falls separately under Annex III (point 5(d)) and is high-risk in its own right.
The product-bound route moves to 2 August 2028 — extra room for medical-AI builders. But the MDR/IVDR, GDPR and health-security (e.g. NEN 7510) requirements continue to apply in full; a DPIA is generally required for health data.
What it means for finance
Two use cases are explicitly high-risk (Annex III, point 5):
- Creditworthiness / credit scoring of natural persons (point 5(b)) — with an exception for fraud detection.
- Risk assessment and pricing of life and health insurance (point 5(c)).
Three things to know:
- The 'no significant risk' exception (Art. 6(3)) rarely helps here: profiling of natural persons is always high-risk.
- A Fundamental Rights Impact Assessment (Art. 27) is mandatory — including for private banks and insurers — for 5(b) and 5(c). That duty does not fall on most other private parties.
- DORA (since 17 January 2025) runs in parallel and is not postponed: for a high-risk credit AI, AI Act and DORA obligations stack (ICT risk, resilience, third-party oversight).
The use-case route moves to 2 December 2027.
National implementation (example: the Netherlands)
Each member state designates its own authorities and implementation. As one example, the Dutch government published a draft Implementation Act on 20 April 2026 (consultation ran to 1 June 2026; not yet adopted). The gist:
- The Data Protection Authority (AP) and the Radiocommunications Agency (RDI) take a coordinating role; the RDI becomes the national single point of contact (SPOC, Art. 70).
- Beneath them, sector regulators supervise — for health the IGJ, for finance the AFM and DNB.
- The GDPR line and the AI Act line run together: for health data, the AP tests security in practice against the NEN 7510 standard.
What you should do now — despite the postponement
A delay is not a cancellation. The extra ~16 months are exactly enough to build high-risk systems properly, rather than sprinting to a date that moved anyway. Four things already in play:
1. AI literacy (Art. 4) is already mandatory. Train the people working with AI — it's low-hanging fruit and it applies now.
2. Check for prohibited practices (Art. 5). Don't run anything that's already banned; enforcement starts 2 August 2026.
3. Inventory and classify your AI systems. Which will fall under high-risk (Annex III or the product route)? Without that map you can't plan.
4. Build governance from the design, not as a compliance layer afterwards: audit trails, confidence-scoring per step, human-in-the-loop on decisions that matter, logging (Art. 12, with at least six months' retention for deployers) and a DPIA where personal data is involved.
That last point is exactly how I build systems: safety and human control sit in the design, not around it. Then "being compliant" isn't a separate project, but a property of the system.
Unsure whether a planned or existing AI use case will fall under high-risk — and what that means concretely for your healthcare or finance organisation? In a Discovery I map that in 2–4 weeks, including an honest "no AI here" list.
Frequently asked questions
Is the EU AI Act deadline of 2 August 2026 still going ahead?
For the heaviest, high-risk obligations, no. On 16 June 2026 the European Parliament adopted the Digital Omnibus on AI, postponing high-risk to 2 December 2027 (Annex III) and 2 August 2028 (Annex I, product-bound). The Council still has to formally adopt the text and publication in the Official Journal follows; until that moment, 2 August 2026 remains the formally applicable date.
Which EU AI Act rules already apply?
The prohibited AI practices (Art. 5) and the AI-literacy obligation (Art. 4) have applied since 2 February 2025; the rules for general-purpose AI since 2 August 2025. Enforcement by national authorities starts 2 August 2026.
How high are the fines under the EU AI Act?
Up to €35 million or 7% of worldwide annual turnover for prohibited practices; up to €15 million or 3% for other obligations, including high-risk; up to €7.5 million or 1% for incorrect information. For SMEs, the lower of the two amounts applies.
When is clinical AI a high-risk AI system?
When it is a medical device or safety component that requires a notified-body assessment under the MDR/IVDR — in practice MDR class IIa+ or IVDR class B+. The product-bound obligations apply from 2 August 2028.
Who supervises the EU AI Act (in the Netherlands)?
Each member state designates its own authorities. In the Netherlands the Data Protection Authority (AP) and the Radiocommunications Agency (RDI) take a coordinating role, with sector regulators such as the IGJ (health), AFM and DNB (finance).