EU AI Act, August 2 2026: what changes and what got postponed

August 2, 2026 brings GPAI enforcement and transparency duties, not the full high-risk regime, which slipped to December 2, 2027. Build your AI inventory now.

Read time
8 min
Word count
1.2K
Sections
9
FAQs
8
Share
3D glowing AI core orb encircled by luminous nodes over a faint grid on a dark background
August 2, 2026 activates GPAI enforcement and transparency duties.
On this page · 9 sections
  1. What actually applies on August 2, 2026
  2. What got postponed, and why
  3. GPAI obligations you cannot defer
  4. Penalties and the readiness gap
  5. What enterprises should do now
  6. India-specific considerations
  7. FAQ
  8. How eCorpIT can help
  9. References

Summary. August 2, 2026 is a real EU AI Act milestone, but a narrower one than the calendar promised a year ago. From that date, the enforcement powers over general-purpose AI (GPAI) models activate and transparency obligations apply, including labeling AI-generated content. The headline duties for high-risk systems did not arrive on schedule: a Digital Omnibus simplification package pushed most high-risk (Annex III) obligations from August 2, 2026 to December 2, 2027, a 16-month delay, and high-risk AI embedded in regulated products to August 2, 2028. The Council gave the package its final green light on June 29, 2026, after the European Parliament endorsed it on June 16, 2026. Penalties still bite: up to €35 million or 7% of global annual turnover. This is what enterprises and compliance leads should do now.

What actually applies on August 2, 2026

Three things are live from that date. First, transparency obligations, including duties on deployers, apply, so AI-generated content and interactions must be disclosed and labeled. Second, the enforcement powers over GPAI models, which became legally applicable on August 2, 2025, now carry teeth: the AI Office can request information, require fixes, and act on non-compliance. Third, the prohibited-practice rules that have applied since February 2, 2025 remain in force.

In short, the obligations most likely to touch every company, transparency and GPAI, are the ones that arrived on time. The heavyweight, sector-specific high-risk regime is the part that moved.

Date What applies
February 2, 2025 Prohibited AI practices and AI literacy duties
August 2, 2025 GPAI model obligations begin
August 2, 2026 GPAI enforcement powers; transparency obligations
December 2, 2027 High-risk (Annex III, use-based) obligations
August 2, 2028 High-risk AI embedded in regulated products (Annex I)

What got postponed, and why

The Digital Omnibus is a cleanup package the EU agreed after months of industry complaints that the timeline was unworkable. It defers the high-risk obligations for stand-alone Annex III systems, the use-based tier covering areas like biometrics, critical infrastructure, education, employment, migration and border control, from August 2, 2026 to December 2, 2027. High-risk AI built into regulated products under Annex I moves to August 2, 2028.

Henna Virkkunen, the EU's Executive Vice-President for Tech Sovereignty, Security and Democracy, framed the deal this way: "Our businesses and citizens want two things from AI rules. They want to be able to innovate and feel safe. Today's agreement does both. With simpler and innovation-friendly rules, we make it easier to innovate without lowering the bar on safety."

Two cautions. The relief is a deadline shift, not a repeal: the high-risk obligations still arrive, and building conformity, data governance, logging and human oversight takes far longer than the extra 16 months suggests. And the package only entered its final stages in late June 2026, so treat the dates as firm but the fine print as settling.

GPAI obligations you cannot defer

If you provide a general-purpose AI model on the EU market, the duties are already enforceable. Every provider must maintain detailed technical documentation covering model architecture, training procedures and performance; provide documentation to downstream providers who build on the model; publish a sufficiently detailed summary of training-data content using the AI Office's template; and comply with EU copyright law, including honoring text-and-data-mining opt-outs under the Copyright Directive.

There is a shortcut worth taking. The GPAI Code of Practice, a voluntary framework the EU AI Office published in July 2025, gives signatories a "presumption of conformity": regulators assume you comply unless evidence suggests otherwise. For most providers, signing is cheaper than defending an ad hoc position later.

Penalties and the readiness gap

The fines are tiered and large enough to matter at board level.

Violation Maximum fine
Prohibited AI practices €35 million or 7% of global annual turnover
High-risk system non-compliance €15 million or 3% of turnover
Supplying misleading information to authorities €7.5 million or 1% of turnover

Most organizations are not ready. Industry surveys through 2026 report that around 78% of organizations have not taken meaningful compliance steps and more than half lack even a basic inventory of the AI systems they run. Compliance budgets for large enterprises are estimated at $8 million to $15 million, with third-party certification adding $50,000 or more per high-risk system. The delay to December 2, 2027 is time to close that gap, not a reason to stop. This sits inside sound generative AI enterprise strategy and the same discipline as our enterprise AI export-control compliance playbook.

What enterprises should do now

The delay changes sequencing, not direction. A practical order for the next few quarters:

Build an AI inventory. You cannot govern systems you have not catalogued, and more than half of organizations still lack one. List every AI system, its purpose, its data and whether it falls in a high-risk category.

Ship transparency now. Labeling AI-generated content and disclosing AI interactions is due on August 2, 2026, so it is the immediate work, not a 2027 problem.

Handle GPAI duties if they apply to you. Documentation, the training-data summary and copyright compliance are already enforceable, and signing the Code of Practice buys a presumption of conformity.

Start high-risk conformity early. Risk management, data governance, logging and human oversight are exactly the controls that take longest, so use the extra 16 months to build them, connecting to the layers in our guide to enterprise AI agent governance and the runtime controls in AI agent security and prompt-injection guardrails.

India-specific considerations

The EU AI Act reaches beyond the EU. Any organization placing an AI system or GPAI model on the EU market, or whose output is used in the EU, is in scope regardless of where it sits, so Indian IT-services firms, product companies and global capability centers that serve EU clients are affected. The practical move is to treat EU-facing AI work as in-scope from the start: keep the documentation, transparency labeling and human-oversight evidence an EU client or auditor will ask for. This aligns with, rather than replaces, India's own Digital Personal Data Protection Act duties, and with the export-control posture in our note on AI regulation and export controls for enterprise models. For Indian firms, EU readiness is increasingly a condition of winning and keeping EU accounts.

FAQ

How eCorpIT can help

eCorpIT is a Gurugram-based, CMMI Level 5 technology consultancy that helps enterprises and EU-facing Indian firms get AI-Act ready. We build the AI inventory, classify systems by risk, set up transparency labeling and GPAI documentation, and design the logging and human-oversight controls that high-risk conformity will require by December 2027. For an EU AI Act readiness review, contact our team.

References

  1. EU AI Act Omnibus agreement: postponed high-risk deadlines and key changes (Gibson Dunn)
  1. Artificial intelligence: Council and Parliament agree to simplify rules (Council of the EU)
  1. The EU AI Act's August 2, 2026 deadline just moved: what the Digital Omnibus changed (ComplianceHub)
  1. Rules on high-risk AI to be delayed under EU omnibus deal (Pinsent Masons)
  1. EU hits snooze on AI Act rules after industry backlash, with Virkkunen statement (The Register)
  1. AI Act regulatory framework (European Commission, Shaping Europe's digital future)
  1. EU AI Act deadlines 2026-2027: compliance calendar and fines (Legiscope)
  1. EU AI Act penalties and fines explained 2026 (Legalithm)
  1. The Digital AI Omnibus: proposed deferral of high-risk AI obligations (DLA Piper)
  1. EU AI Act update: timeline relief, targeted simplification, and new prohibitions (Inside Global Tech, Covington)
  1. EU AI Act 2026: penalties, risk tiers and new deadlines (Decode the Future)
  1. EU AI Act August 2026: your compliance countdown (Responsible AI Labs)

_Last updated: July 9, 2026._

Frequently asked

Quick answers.

01 What actually changes under the EU AI Act on August 2, 2026?
Two things go live: enforcement powers over general-purpose AI models, which the AI Office can now act on, and transparency obligations, including labeling AI-generated content and disclosing AI interactions. Prohibited practices, in force since February 2, 2025, continue. The full high-risk regime is not part of this date.
02 Did the EU delay the high-risk AI rules?
Yes. A Digital Omnibus simplification package moved most high-risk (Annex III, use-based) obligations from August 2, 2026 to December 2, 2027, a 16-month delay, and high-risk AI embedded in regulated products to August 2, 2028. The Council gave final approval on June 29, 2026, after Parliament's endorsement on June 16, 2026.
03 What are the penalties under the EU AI Act?
Fines are tiered under Article 99. Prohibited practices can draw up to €35 million or 7% of global annual turnover. High-risk non-compliance can reach €15 million or 3% of turnover. Supplying misleading information to authorities can bring €7.5 million or 1% of turnover.
04 What must GPAI model providers do?
Maintain technical documentation on architecture, training and performance; give documentation to downstream providers; publish a training-data summary using the AI Office template; and comply with EU copyright, including text-and-data-mining opt-outs. These are already enforceable, and signing the GPAI Code of Practice grants a presumption of conformity.
05 Does the EU AI Act apply to Indian companies?
Yes, if they place an AI system or GPAI model on the EU market or their output is used in the EU. Indian IT-services firms, product companies and global capability centers serving EU clients are in scope regardless of location, so EU-facing AI work should carry documentation, transparency and oversight evidence from the start.
06 Is the delay a reason to pause compliance work?
No. The high-risk obligations still arrive on December 2, 2027, and the controls they require, risk management, data governance, logging and human oversight, take longer to build than the extra 16 months implies. Transparency and GPAI duties also apply on August 2, 2026, so some work is immediate.
07 What is the GPAI Code of Practice?
It is a voluntary framework the EU AI Office published in July 2025, written by independent experts. Signatories gain a presumption of conformity, meaning regulators assume compliance unless evidence suggests otherwise. For most general-purpose model providers, signing is cheaper and safer than defending an ad hoc compliance position later.
08 Where should an enterprise start?
Build an AI inventory first, since more than half of organizations still lack one. Then ship transparency labeling for the August 2, 2026 date, handle GPAI duties if they apply, and begin high-risk conformity work early so the longest-lead controls are ready well before December 2, 2027.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.