On this page · 9 sections
Summary. August 2, 2026 is a real EU AI Act milestone, but a narrower one than the calendar promised a year ago. From that date, the enforcement powers over general-purpose AI (GPAI) models activate and transparency obligations apply, including labeling AI-generated content. The headline duties for high-risk systems did not arrive on schedule: a Digital Omnibus simplification package pushed most high-risk (Annex III) obligations from August 2, 2026 to December 2, 2027, a 16-month delay, and high-risk AI embedded in regulated products to August 2, 2028. The Council gave the package its final green light on June 29, 2026, after the European Parliament endorsed it on June 16, 2026. Penalties still bite: up to €35 million or 7% of global annual turnover. This is what enterprises and compliance leads should do now.
What actually applies on August 2, 2026
Three things are live from that date. First, transparency obligations, including duties on deployers, apply, so AI-generated content and interactions must be disclosed and labeled. Second, the enforcement powers over GPAI models, which became legally applicable on August 2, 2025, now carry teeth: the AI Office can request information, require fixes, and act on non-compliance. Third, the prohibited-practice rules that have applied since February 2, 2025 remain in force.
In short, the obligations most likely to touch every company, transparency and GPAI, are the ones that arrived on time. The heavyweight, sector-specific high-risk regime is the part that moved.
| Date | What applies |
|---|---|
| February 2, 2025 | Prohibited AI practices and AI literacy duties |
| August 2, 2025 | GPAI model obligations begin |
| August 2, 2026 | GPAI enforcement powers; transparency obligations |
| December 2, 2027 | High-risk (Annex III, use-based) obligations |
| August 2, 2028 | High-risk AI embedded in regulated products (Annex I) |
What got postponed, and why
The Digital Omnibus is a cleanup package the EU agreed after months of industry complaints that the timeline was unworkable. It defers the high-risk obligations for stand-alone Annex III systems, the use-based tier covering areas like biometrics, critical infrastructure, education, employment, migration and border control, from August 2, 2026 to December 2, 2027. High-risk AI built into regulated products under Annex I moves to August 2, 2028.
Henna Virkkunen, the EU's Executive Vice-President for Tech Sovereignty, Security and Democracy, framed the deal this way: "Our businesses and citizens want two things from AI rules. They want to be able to innovate and feel safe. Today's agreement does both. With simpler and innovation-friendly rules, we make it easier to innovate without lowering the bar on safety."
Two cautions. The relief is a deadline shift, not a repeal: the high-risk obligations still arrive, and building conformity, data governance, logging and human oversight takes far longer than the extra 16 months suggests. And the package only entered its final stages in late June 2026, so treat the dates as firm but the fine print as settling.
GPAI obligations you cannot defer
If you provide a general-purpose AI model on the EU market, the duties are already enforceable. Every provider must maintain detailed technical documentation covering model architecture, training procedures and performance; provide documentation to downstream providers who build on the model; publish a sufficiently detailed summary of training-data content using the AI Office's template; and comply with EU copyright law, including honoring text-and-data-mining opt-outs under the Copyright Directive.
There is a shortcut worth taking. The GPAI Code of Practice, a voluntary framework the EU AI Office published in July 2025, gives signatories a "presumption of conformity": regulators assume you comply unless evidence suggests otherwise. For most providers, signing is cheaper than defending an ad hoc position later.
Penalties and the readiness gap
The fines are tiered and large enough to matter at board level.
| Violation | Maximum fine |
|---|---|
| Prohibited AI practices | €35 million or 7% of global annual turnover |
| High-risk system non-compliance | €15 million or 3% of turnover |
| Supplying misleading information to authorities | €7.5 million or 1% of turnover |
Most organizations are not ready. Industry surveys through 2026 report that around 78% of organizations have not taken meaningful compliance steps and more than half lack even a basic inventory of the AI systems they run. Compliance budgets for large enterprises are estimated at $8 million to $15 million, with third-party certification adding $50,000 or more per high-risk system. The delay to December 2, 2027 is time to close that gap, not a reason to stop. This sits inside sound generative AI enterprise strategy and the same discipline as our enterprise AI export-control compliance playbook.
What enterprises should do now
The delay changes sequencing, not direction. A practical order for the next few quarters:
Build an AI inventory. You cannot govern systems you have not catalogued, and more than half of organizations still lack one. List every AI system, its purpose, its data and whether it falls in a high-risk category.
Ship transparency now. Labeling AI-generated content and disclosing AI interactions is due on August 2, 2026, so it is the immediate work, not a 2027 problem.
Handle GPAI duties if they apply to you. Documentation, the training-data summary and copyright compliance are already enforceable, and signing the Code of Practice buys a presumption of conformity.
Start high-risk conformity early. Risk management, data governance, logging and human oversight are exactly the controls that take longest, so use the extra 16 months to build them, connecting to the layers in our guide to enterprise AI agent governance and the runtime controls in AI agent security and prompt-injection guardrails.
India-specific considerations
The EU AI Act reaches beyond the EU. Any organization placing an AI system or GPAI model on the EU market, or whose output is used in the EU, is in scope regardless of where it sits, so Indian IT-services firms, product companies and global capability centers that serve EU clients are affected. The practical move is to treat EU-facing AI work as in-scope from the start: keep the documentation, transparency labeling and human-oversight evidence an EU client or auditor will ask for. This aligns with, rather than replaces, India's own Digital Personal Data Protection Act duties, and with the export-control posture in our note on AI regulation and export controls for enterprise models. For Indian firms, EU readiness is increasingly a condition of winning and keeping EU accounts.
FAQ
How eCorpIT can help
eCorpIT is a Gurugram-based, CMMI Level 5 technology consultancy that helps enterprises and EU-facing Indian firms get AI-Act ready. We build the AI inventory, classify systems by risk, set up transparency labeling and GPAI documentation, and design the logging and human-oversight controls that high-risk conformity will require by December 2027. For an EU AI Act readiness review, contact our team.
References
- The EU AI Act's August 2, 2026 deadline just moved: what the Digital Omnibus changed (ComplianceHub)
_Last updated: July 9, 2026._