By The EU’s Digital Omnibus deal moved high-risk AI deadlines, and half the internet declared victory. It is an incomplete victory at best. Two obligations still activate on August 2, 2026 — eight weeks from today — and the Omnibus itself has not been formally signed into law yet. If you ship AI features to EU users and you have not looked at Article 50 or GPAI obligations, you are running out of time.
What the Omnibus Actually Did
On May 7, 2026, the EU Council and Parliament reached a provisional political agreement to delay the most burdensome requirements. High-risk AI systems under Annex III — employment tools, CV screening, biometrics, credit scoring, education, law enforcement — had their compliance deadline pushed from August 2, 2026 to December 2, 2027. Systems embedded in regulated products like medical devices or machinery get until August 2028. That is real relief for companies building in those spaces. It covers a lot of ground.
What it does not cover is equally important. The Omnibus is also a provisional agreement, not enacted law. It still needs formal adoption by the European Parliament and Council, then publication in the Official Journal before it has legal effect. That process is expected to complete before August 2 — but expected is not the same as guaranteed. Until publication, the original August 2 deadline remains the current legal baseline. Build your compliance plans around that.
What Still Hits You on August 2
Two categories of obligations were not delayed and did not change.
Article 50 — Transparency obligations. If any of your product’s features involve an AI system interacting directly with people — a chatbot, a voice assistant, a support copilot, an AI-generated summary — you must disclose the AI nature of that interaction at or before first contact. The legal standard here is not whether your engineering team thinks it is obvious. It is whether “a reasonably well-informed, observant and circumspect person” would find it obvious — the EU consumer protection benchmark. Assume the bar is higher than you think. Additionally, any system generating synthetic audio, images, video, or text must mark those outputs as AI-generated in a machine-readable format. Deepfakes require explicit disclosure regardless of context.
GPAI enforcement powers. General-Purpose AI model obligations technically came into force in August 2025, but the EU AI Office’s enforcement authority — the ability to investigate, request documentation, access your model for evaluation, and impose fines — activates on August 2, 2026. If you are a GPAI provider (training a model on more than 10²³ FLOPs capable of generating language, images, or video), your technical documentation, training data summary, and copyright policy need to be ready. If you are building on top of a GPAI provider like OpenAI, Anthropic, or Google, your provider is responsible for their GPAI obligations — but you still own the Article 50 obligations for how you deploy their output to users.
Four Things to Do Before August 2
- Audit your AI-facing features. Does anything in your product interact conversationally with EU users? List every entry point. Each one needs a disclosure mechanism before or at the start of interaction.
- Check your content generation pipeline. Are AI-generated images, audio, video, and text marked as such in metadata or otherwise machine-readable? If not, that is a direct Article 50 gap.
- If you use foundation models — request the GPAI transparency documentation from your provider. OpenAI, Anthropic, and Google all provide this. Confirm you have it on file.
- If you are building a foundation model — technical documentation, training data summary, and copyright policy must be complete and ready for the AI Office by August 2. Do not wait for formal Omnibus publication to start this work.
The Penalty Reality
Non-compliance with GPAI obligations carries fines of up to 3% of global annual turnover or €15 million, whichever is higher. Transparency violations under Article 50 run up to 1.5% or €7.5 million. For SMEs, the cap flips to “whichever is lower,” meaning a startup with €2 million in revenue faces a maximum of €30,000 for a transparency violation — manageable but not free. For larger companies, the percentage wins, and the global turnover baseline means there is no geographic shelter for US companies with EU customers. The EU AI Act applies whenever your output reaches EU users, wherever you are headquartered.
The EU AI Office will likely pursue GPAI enforcement first to establish precedent — the same pattern the GDPR enforcement agencies followed in 2018. High-visibility cases first, then broader market surveillance. Whether or not you are a GPAI provider, your chatbot disclosure and content labeling are straightforward obligations with no ambiguity. Getting those right now is low-effort, high-protection.
The Omnibus gave you breathing room on high-risk obligations. Do not let the relief narrative make you miss the two deadlines that did not move.
