1. Introduction
If you have been keeping an eye on AI regulation, the past few weeks handed you a lot to digest. On 7 May 2026, the European Parliament and the Council of the EU reached a provisional agreement on the Digital Omnibus on AI — a package of targeted amendments to the EU AI Act, and the first set of changes to the regulation since it was originally adopted in June 2024.
For businesses across Europe and beyond, this is significant news. Not because the EU AI Act has been softened or delayed into irrelevance — it has not — but because the rules around when certain obligations kick in, and what is now explicitly prohibited, have shifted in ways that every organisation using AI needs to understand.
The EU AI Act is already the world’s most comprehensive piece of AI legislation. It applies to a far wider range of organisations than most people initially assume, and with enforcement infrastructure now fully active across member states, the compliance clock is very much running.
This article walks you through everything that matters right now: what the Omnibus agreement actually changed, which new prohibitions have been added, the revised enforcement timeline from 2026 through to 2028, what the EU AI Act enforcement penalties for non-compliance look like, and — most importantly — what your business should be doing about all of it. No legal jargon, no unnecessary complexity. Just a clear picture of where things stand.
2. Quick Explainer: What is the EU AI Act and Who Does It Apply To?
Before we get into what just changed, it is worth taking a moment to ground the conversation — especially if you are coming to this topic fresh.
The EU Artificial Intelligence Act, officially Regulation (EU) 2024/1689, is the world’s first comprehensive legal framework specifically designed to regulate artificial intelligence. It entered into force on 1 August 2024, and it operates on a risk-based model: the higher the potential harm an AI system poses, the stricter the rules it must meet. The idea is not to ban AI or slow innovation, but to make sure that when AI makes consequential decisions — about your job application, your loan, your hospital diagnosis — there are clear rules around how it works and who is accountable.
One question that comes up constantly is: does this apply to my business if we are not based in Europe? The short answer is yes, almost certainly. The Act’s extraterritorial scope means that any AI application designed and deployed by a company — regardless of where it is headquartered — must comply if it would adversely impact users or citizens of the EU. Think of it the same way most businesses eventually came to think about GDPR: if you serve EU users, you are in scope.
The Act defines four types of actors, and your obligations under the EU AI Act depend entirely on which role you play:
- Provider: the entity that develops an AI system — or has one developed — and places it on the market under its own name or trademark.
- Deployer: the entity that uses the AI system in its operations. A company building a hiring tool on top of a third-party language model is simultaneously a deployer of that model and a provider of the hiring tool.
- Importers and distributors: these roles carry their own, lighter set of obligations.
It is also worth being clear on what actually counts as an ‘AI system’ under the regulation. The definition is deliberately broad — it covers any machine-based system that processes inputs and generates outputs such as predictions, recommendations, decisions, or content, and that operates with some degree of autonomy. Straightforward rule-based software that follows a fixed decision tree does not qualify. But most modern AI tools — including off-the-shelf products you may already be using — almost certainly do.
3. The Four Risk Tiers Explained Simply
The EU AI Act’s risk-based approach is the backbone of the entire regulation. Rather than applying a blanket set of rules to every AI tool in existence, it sorts AI systems into four distinct tiers based on their potential impact. The idea is proportionality — the more an AI system can affect people’s lives, the harder it has to work to earn the right to operate.
| Risk tier | Regulatory treatment | Examples |
|---|---|---|
| Unacceptable risk | Banned outright | Social scoring, workplace emotion recognition, mass biometric surveillance |
| High risk | Strict pre-deployment obligations | CV screening, credit scoring, medical AI, border control tools |
| Limited risk | Transparency rules only | Chatbots, deepfake generators, AI content tools |
| Minimal / no risk | Largely unregulated | Spam filters, AI video games, most recommendation engines |
Unacceptable risk — banned outright
Prohibited AI practices include social scoring systems, manipulative AI, emotion recognition tools deployed in workplaces and schools, real-time mass facial recognition in public spaces, and AI systems designed to psychologically manipulate users. These prohibitions have been in force since February 2025. There are no workarounds and no transition periods for these.
High risk — strict obligations before and after deployment
This is where most of the regulation’s weight falls. High-risk AI systems span a long list of sensitive use cases: CV screening and candidate ranking tools, credit scoring systems, AI used in healthcare diagnostics, tools that assist in border control and immigration, and AI deployed in educational assessment. High-risk systems need conformity assessments, documentation, registration in the EU database, and meaningful human oversight before they can be placed on the market.
Limited risk — transparency obligations only
AI systems that interact with users must clearly communicate that they are doing so. Chatbots, voice assistants, and AI-generated content tools fall here. The rules are comparatively lighter, but they are still binding from August 2026.
Minimal risk — largely unregulated
AI-enabled video games and spam filters fall under this category. There are no mandatory obligations at this level. The important caveat is that a system’s risk tier is not permanently fixed — if the way a tool is used changes significantly, its classification may change too.

4. Breaking: What the May 2026 Omnibus Agreement Actually Changed
This is the section most businesses are searching for right now — and it is also the one where misinformation is spreading fastest. The short version: the Omnibus agreement brought genuine relief on some deadlines, added significant new prohibitions, and left the fundamental structure of the regulation completely intact.
What it is
The Digital Omnibus on AI marks the first set of amendments to the EU AI Act since its adoption in June 2024. The package responds to delayed standards, unclear governance, and heavier-than-expected compliance costs. It was not a rethinking of the regulation — it was a targeted set of practical adjustments to make implementation workable.
Deadline extensions for high-risk AI
The single biggest change is the timeline shift for high-risk AI systems. Obligations applicable to high-risk AI systems under Article 6(2) and Annex III will now take effect on 2 December 2027, instead of 2 August 2026 — a 16-month extension. For AI systems embedded in regulated products under Annex I, high-risk obligations now apply from 2 August 2028.
The delay is intended to provide businesses with additional time to achieve compliance, while underscoring the expectation that implementation efforts should already be underway. The extension is not a signal to stop work.
What the Omnibus did NOT change
Enforcement of most of the transparency requirements set out in Article 50 of the EU AI Act will start on 2 August 2026, as originally scheduled. GPAI model obligations, which have applied since August 2025, are also untouched. The prohibited practices rules remain in force exactly as they were.
Sector-specific relief
For manufacturers of AI-enabled machinery, the Omnibus provides welcome clarification. Providers of AI-enabled machinery are expressly exempted from certain obligations, reducing regulatory duplication for industrial companies navigating both the Machinery Regulation and the AI Act simultaneously.
5. New Law: The AI Nudification and Deepfake CSAM Ban
Alongside the deadline relief, the Omnibus agreement introduced something entirely new to the prohibited practices list — and it is the kind of addition that signals where the EU’s enforcement priorities are heading.
The agreement adds a new prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material (CSAM). This prohibition applies from 2 December 2026.
The scope of this prohibition is deliberately wide. It applies to systems where generation of such content is the intended purpose, as well as systems where that generation is a reasonably foreseeable and reproducible outcome and the provider has not put in place reasonable and adequate technical safety measures to prevent these outputs. Deployers are also prohibited from using any AI system for the purpose of generating or manipulating such material.
In plain terms: if you build or deploy any AI system capable of producing this type of content — even if that is not its stated purpose — you are required to implement meaningful technical safeguards before December 2026.
Legislators added this prohibition at the trilogue stage of the Omnibus — a strong signal that the EU is willing to use AI regulation not just to manage business risk, but to protect individuals from harm, particularly women and children who are disproportionately targeted by this type of abuse.
For businesses operating image generation tools, multimodal AI systems, or any content editing platform with generative capabilities: this needs to be assessed now. Violations of Article 5 prohibited practices sit at the very top of the fine structure — up to €35 million or 7% of global annual turnover.
6. Complete Enforcement Timeline: Every Date That Matters in 2026–2028
One of the most common points of confusion around the EU AI Act is that it does not have a single enforcement date. It has always operated on a phased schedule, and the Omnibus agreement has added additional layers to that timeline. Here is every date that currently matters, in order.
| Date | Milestone | Status |
|---|---|---|
| Feb 2, 2025 | Prohibited AI practices + AI literacy obligations | IN FORCE |
| Aug 2, 2025 | GPAI model rules (ChatGPT, Claude, Gemini, etc.) | IN FORCE |
| Aug 2, 2026 | Full transparency obligations (chatbots, deepfakes) | UPCOMING |
| Dec 2, 2026 | Nudification / CSAM prohibition + watermarking | UPCOMING |
| Dec 2, 2027 | Standalone high-risk AI systems (Annex III) | UPCOMING |
| Aug 2, 2028 | Product-embedded high-risk AI (Annex I) | UPCOMING |
| Aug 2, 2030 | Legacy public-sector AI systems | UPCOMING |
The core takeaway: the Omnibus bought time on the most complex parts of the regulation. It did not move the transparency obligations, the GPAI rules, or the prohibited practices timeline. For most businesses, August 2026 still marks the date when significant new obligations kick in.
7. Penalties: What Non-Compliance Actually Costs
The EU AI Act enforcement penalties are not theoretical, and they are not modest. Understanding the fine structure is important context for any decision about how seriously to take compliance — and how urgently to begin.
| Tier | Violation type | Maximum fine |
|---|---|---|
| Tier 1 | Prohibited AI practices (Article 5) | Up to €35M or 7% global turnover |
| Tier 2 | High-risk AI non-compliance (Articles 16–49) | Up to €15M or 3% global turnover |
| Tier 3 | Misleading information to authorities | Up to €7.5M or 1% global turnover |
To put the top-tier figure in context: that 7% figure deliberately exceeds GDPR’s 4% cap. For a company pulling in €1 billion in revenue, the exposure reaches €70 million. That is not a routine compliance cost — that is a board-level crisis.
There is some proportionality for smaller organisations. For SMEs, including startups, the fine is the lower of the two amounts — percentage of turnover versus the fixed amount — rather than the higher. This means a startup with €2 million in turnover faces a maximum Tier 1 fine of €140,000 rather than €35 million. That said, €140,000 can still be existential for an early-stage business, and the requirement to cease the prohibited practice — along with the reputational damage — applies equally regardless of company size.
Beyond the administrative fines, civil claims from affected individuals — including claims related to fundamental rights violations, discrimination, or inaccurate AI decisions — are also possible. Certain AI-related practices, such as unlawful dissemination of deepfakes or manipulation of AI systems for fraud, may also constitute criminal offences under national laws.
The enforcement infrastructure is now active. National competent authorities are designated and operational across member states, and the EU AI Office holds direct enforcement powers over GPAI model providers.
8. The EU AI Act vs US and UK Regulation: How the Global Picture is Splitting
If your business operates across borders — or if you simply want to understand why the EU AI Act matters beyond Europe’s shores — it is worth stepping back and looking at how the three major regulatory powers are approaching AI. The picture is diverging rapidly, and the gap between the EU’s approach and that of the US and UK has real practical consequences for any organisation operating internationally.
The EU: binding, comprehensive, rights-first
The EU AI Act is the only binding, horizontal AI law currently in force anywhere in the world at scale. It applies across all sectors, establishes a centralised governance structure through the EU AI Office and national competent authorities, and is grounded in fundamental rights protection as much as product safety. It is heavy, detailed, and backed by penalties that exceed those of almost any other digital regulation in existence.
The US: fragmented and deliberately permissive
The United States has pursued a fragmented, more innovation-permissive approach characterised by multiple state laws and limited federal guidance rather than binding federal law. Under the Trump administration, Executive Order 14179 revoked certain existing AI policies considered barriers to American AI innovation. There is active legislative movement at state level, but no federal framework that comes close to matching the EU AI Act in scope or enforceability.
The UK: principles-based and sector-led
Post-Brexit, the UK has chosen a deliberately different path. Rather than passing a single comprehensive AI law, the UK relies on existing sector regulators — the FCA, ICO, CMA, and others — to apply their existing powers to AI use cases. Importantly, UK companies placing AI systems on the EU market, or whose outputs are used in the EU, are still in scope of the EU AI Act on the same basis as any other non-EU provider.
What the Brussels Effect means for your business
There is a well-documented pattern in EU regulation known as the Brussels Effect: because the EU is such a large and attractive market, the compliance standards it sets tend to become the de-facto global floor. GDPR is the most cited example. The EU AI Act is likely to follow the same path. The organisations that will navigate this landscape most successfully are those that treat multi-jurisdiction compliance not as a burden but as a competitive advantage.
9. ChatGPT, Claude, Gemini: How the Act Applies to the AI Tools You Already Use
The EU AI Act does not only regulate AI systems that companies build. It also creates obligations around AI tools that companies use — and in 2026, virtually every professional and business environment is using tools like ChatGPT, Microsoft Copilot, Google Gemini, or Claude in some capacity.
These large language models are what the EU AI Act classifies as General Purpose AI (GPAI) models — foundation models that are not built for one narrow job but can be plugged into almost any downstream product or workflow. Because the same model can power countless different applications and reach millions of users, the regulation treats GPAI models as a distinct category with their own horizontal obligations.
GPAI model obligations took effect on 2 August 2025. Providers of models like GPT-4, Claude, and Gemini must comply now. GPAI providers must provide technical documentation, comply with copyright law, and publish summaries of training data. For the very largest models — those trained with more than 10^25 FLOPs — additional systemic risk obligations apply, including adversarial testing, incident reporting within 72 hours, and energy efficiency disclosures.
The GPAI Code of Practice is a voluntary compliance tool developed by independent experts which offers practical guidance on transparency, copyright, and safety and security. Twenty-six major AI providers have signed the Code — including Microsoft, Google, Anthropic, OpenAI, and Amazon. Meta has notably refused to sign, and faces enhanced regulatory scrutiny as a result.
What this means if you use these tools in your business
Your obligation as a deployer is to use these tools in compliant ways. Transparency is the first requirement — if content is AI-generated and could be mistaken for human-produced content in a context where that distinction matters, disclosure is required. The second is data handling: what you feed into a GPAI model is subject to both GDPR and the AI Act simultaneously.
If you build products or internal tools on top of these models, you are classified as a provider of the application you have built, with the full provider obligations that come with that role. The fact that the underlying model is made by someone else does not reduce your compliance responsibility for what your application does with it.
There is also an emerging question the regulation has not yet fully resolved: agentic AI systems — AI that can plan, decide, and take actions autonomously across multiple steps and tools. The EU AI Office has this on its radar, and further guidance is expected.
10. What the Act Means for Employees: Rights You Now Have When AI Affects Your Job
Most coverage of the EU AI Act focuses on what businesses need to do. This section is for everyone else — the employees, job candidates, and workers whose lives are being shaped by AI decisions every day, often without their knowledge.
AI in hiring is now tightly regulated
Recruitment and candidate screening tools that use AI — systems that rank CVs, score interview responses, or make hiring recommendations — are classified as high-risk AI under Annex III of the regulation. Employers and the vendors they use must carry out conformity assessments, maintain technical documentation, ensure meaningful human oversight, and register these systems in the EU database before deploying them.
Emotion recognition at work is already banned
This is one of the most significant workplace protections in the entire regulation, and it is already in effect. Emotion recognition in the workplace is prohibited under Article 5(1)(f) of the EU AI Act. The ban applies from 2 February 2025 and covers every employer operating in the EU, regardless of where the employer is headquartered. This includes AI that reads facial expressions or voice tone in interviews, biometric categorisation that infers protected traits such as race, political views, or sexual orientation, and social scoring of people’s suitability based on broad personal behaviour.
Workers have the right to human oversight
For any high-risk AI system used in employment contexts — including performance management systems, work scheduling tools, and productivity monitoring AI — the regulation mandates meaningful human involvement in decision-making. Deployers must be given enough information to understand how the system works, what its limitations are, and how to interpret its outputs. End users affected by automated decisions have the right to an explanation and to contest outcomes.
AI literacy obligations apply to employers
Since August 2025, all employers using AI systems covered by the regulation are required to ensure that staff who interact with those systems have sufficient AI literacy to use them appropriately. This means employers cannot simply roll out AI tools and assume employees will figure it out. There is a legal obligation to provide context, training, and meaningful understanding.
11. What Businesses Should Do Right Now: A Practical Action Plan
The Omnibus deadline extension is genuinely useful breathing room, but it is not a reason to stop moving. The hard part of AI Act compliance is not filling in a documentation template. It is finding every AI system in your organisation, deciding which Annex III category each falls into, and getting product and engineering teams to maintain that inventory as new systems ship. None of that depends on the technical standards being final.
Here is a practical, phased approach for businesses at any stage of readiness.
- Build your AI inventory. Start with a single source of truth that captures owners, purpose, data inputs, vendors, users, and deployment locations. Many organisations discover they have far more AI exposure than they realised — embedded in procurement tools, HR platforms, customer support systems, marketing automation, and third-party integrations.
- Classify each system. Apply the four-tier risk framework to each system. Identify whether you are a provider, a deployer, or both for each tool. Prioritise compliance efforts on prohibited and high-risk categories where enforcement exposure is greatest.
- Assign clear ownership. At minimum, you need an executive sponsor with budget authority, a compliance lead, a product or technical owner for each in-scope system, and a procurement contact who can engage vendors.
- Review your vendor contracts. Many businesses will find that their AI compliance exposure sits primarily in the tools they procure rather than the tools they build. Review vendor contracts to ensure they include compliance clauses and confirm what evidence of conformity assessment the vendor can provide.
- Build governance and documentation. For high-risk AI systems, you will need a risk management system, technical documentation, logging and traceability records, and a human oversight procedure. Build evidence as you go — compliance records should be audit-ready from day one, not retrofitted at the end.
- Prioritise the August 2026 obligations first. Transparency obligations, chatbot disclosure, and deepfake labelling are live from 2 August 2026. If you run any customer-facing AI product that interacts with users, this needs to be implemented now — it is not covered by the Omnibus delay.
A note for SMEs: The EU AI Act includes specific protections for small and medium-sized businesses — reduced administrative fees, priority access to regulatory sandboxes, and dedicated compliance support from the EU AI Office Service Desk.
Frequently Asked Questions
Does the EU AI Act apply to my company if we are not based in Europe?
Almost certainly yes — if your AI system produces outputs used by people in the EU, or if your product is available on the EU market, you are in scope. This applies equally to companies headquartered in the US, UK, Pakistan, Singapore, or anywhere else. The key test is not where you are based — it is where your AI outputs land.
Has the August 2026 deadline been cancelled?
No. This is a very common misconception following the Omnibus agreement. The transparency requirements set out in Article 50 will start on 2 August 2026, as originally scheduled. What the Omnibus extended is the compliance deadline for high-risk AI systems under Annex III, which moved to December 2027. GPAI rules, prohibited practices enforcement, and transparency obligations are all still on the original timeline.
Is open-source AI exempt from the EU AI Act?
Partially. The regulation includes a limited exemption for open-source AI models, but it is not blanket. If an open-source model is released with a commercial purpose, or if it poses systemic risk by virtue of its scale, the full GPAI obligations still apply. Most commercially-used open-source models deployed in enterprise settings are likely in scope.
What is the difference between a provider and a deployer?
A provider is the entity that builds and places an AI system on the market. A deployer uses an existing AI system in their operations. If you use ChatGPT via an API to build a hiring tool, you are a deployer of ChatGPT and simultaneously a provider of the hiring tool itself. Both roles carry distinct obligations, and many organisations carry both simultaneously.
Does a chatbot on my website need to disclose that it is AI?
Yes, from 2 August 2026. Under Article 50, any AI system designed to interact with natural persons must clearly disclose its AI nature to the user. There is a narrow exception where it would be obvious to a reasonable person that they are interacting with an AI, but for commercial deployments this exception should be relied on with extreme caution.
What are the penalties for non-compliance?
Up to €35 million or 7% of global annual turnover for prohibited practice violations — whichever is higher. Up to €15 million or 3% for high-risk AI non-compliance. Up to €7.5 million or 1% for supplying misleading information to regulators. For SMEs, fines are calculated as the lower figure. The penalties are active now — enforcement on the prohibited practices list began in February 2025.
How is the EU AI Act different from GDPR?
GDPR regulates how personal data is collected and processed. The EU AI Act regulates AI systems and the decisions they make — it applies even when no personal data is involved. The two laws overlap significantly when AI processes personal data, and in those cases both sets of obligations apply simultaneously. The AI Act’s fine structure also exceeds GDPR’s maximum, making it the higher-stakes regulation in most AI deployments.
Does using ChatGPT or Copilot in my business require compliance?
Yes, from August 2026 onwards. Using any GPAI tool in a commercial context makes you a deployer under the Act. Your primary obligations are around transparency — disclosing AI-generated content where required — and data governance. If you build products on top of these tools, you carry full provider obligations for what your application does.