August 2, 2026 is when the EU AI Act moves from preparation into enforcement. That’s the date Annex III high-risk obligations and Article 50 transparency rules become enforceable — and when national competent authorities get the formal power to act.
There’s a proposed amendment — the Digital Omnibus on AI — that’s caused plenty of companies to hit pause. If it passes, the Annex III deadline could shift out to December 2027. The problem is it hasn’t passed. And treating a proposal as law is a very costly gamble. If the Omnibus fails before August 2026, companies that waited face enforcement exposure of up to €35M or 7% of global turnover. If it passes in time, your early compliance work is just a head start. The risk only cuts one way.
This article maps the full three-phase timeline, explains where the Digital Omnibus actually sits, and gives you a clear recommendation. For broader context on EU AI Act, DMA, and DSA across the European tech regulatory landscape, that’s a separate read.
What is the EU AI Act three-phase implementation timeline?
The EU AI Act entered into force on August 1, 2024, but obligations roll out in phases across three years.
February 2, 2025 — Prohibited AI practices under Article 5 came into effect. Real-time biometric surveillance, social scoring, manipulation of vulnerable groups. Already in force.
August 2, 2025 — General-purpose AI (GPAI) model obligations came into force. Providers like OpenAI, Azure AI, and Gemini have been under EU AI Act obligations since this date. Past-tense. For what already applies to companies using third-party AI APIs, see GPAI rules already in force since August 2025.
August 2, 2026 — The main event. Annex III high-risk AI requirements, Article 50 transparency obligations, and formal NCA enforcement all come into force at once. This is the date your compliance programme needs to be targeting.
August 2, 2027 — Rules for AI embedded in regulated safety products (Annex I). If the Omnibus passes, this shifts to August 2, 2028.
Your planning horizon is August 2026. Everything else is secondary to that.
What specifically changes on August 2, 2026?
Three things activate at the same time. The Digital Omnibus doesn’t touch all of them equally.
Annex III high-risk obligations. If your AI system falls into an Annex III category, you need conformity assessments complete, quality management systems documented, risk management systems running, technical documentation finalised, EU AI Database registration done, and human oversight in place. Annex III categories for SaaS and FinTech include biometric identification, hiring screening, credit scoring, medical diagnostics, educational assessment, and law enforcement tools.
Article 50 transparency obligations. Not affected by the Digital Omnibus. Any system that interacts directly with people — chatbots, synthetic content generators, deepfake tools, emotion recognition systems — must disclose its AI nature. The only Omnibus carve-out is a short grace period for systems already on the market before August 2. New deployments: Article 50 applies immediately.
Formal NCA enforcement authority. NCAs were designated by August 2025. From August 2026 they move from guidance mode into active enforcement.
Annex III is where most SaaS, FinTech, and HealthTech companies sit. If your question is whether the regulation applies to your company at all, start there. For the full picture of how the AI Act intersects with the DMA and DSA — including enforcement cases running simultaneously — see our Europe’s tech regulation overview for 2026.
What is the Digital Omnibus and could it push the August 2026 deadline back?
The Digital Omnibus on AI (Omnibus VII) is a legislative amendment package proposed by the European Commission on November 19, 2025. It proposes pushing the Annex III deadline from August 2, 2026 to December 2, 2027 — a 16-month extension — and the Annex I deadline from August 2027 to August 2028.
What it does not touch: Article 50, GPAI obligations, or the Article 5 prohibitions. Those are all locked at their original dates.
Here’s where the legislative process actually sits as of late March 2026:
- The Council of the EU adopted its general approach on March 13, 2026. That’s a negotiating mandate, not final legislation. The Council’s own press release says the AI Act “remains fully operative.”
- The European Parliament’s IMCO/LIBE committees adopted their position on March 18, 2026, with full Parliament plenary expected March 26.
- Trilogue — the three-way negotiation between Commission, Parliament, and Council that must complete before anything is enacted — has not yet begun.
The Cypriot Council Presidency has a target of May 2026 for agreed text. But the legislation isn’t enacted until it completes the full Ordinary Legislative Procedure and is published in the Official Journal of the EU. That cannot happen reliably between a March plenary vote and an August deadline.
Should your company wait for the Digital Omnibus before starting compliance?
No. Proceed as if August 2, 2026 is fixed. Legally, it is.
If the Omnibus passes before August 2026, your early compliance work becomes a head start on the new December 2027 deadline. You might qualify for the grandfathering clause for systems already on the market. Nothing is wasted.
If it doesn’t pass in time, the original deadlines apply immediately. Companies that paused face enforcement exposure and the reputational cost of an infringement finding.
Multiple legal sources are consistent on this: treat August 2026 as binding. Prokopiev Law Group’s March 2026 analysis puts it plainly — treat proposed revised dates as a planning baseline subject to formal confirmation, not as a reason to stop preparing.
What doesn’t change regardless of what happens with the Omnibus: Article 50 is fixed at August 2, 2026. GPAI obligations have been in force since August 2025. Article 5 prohibitions since February 2025.
Use the Omnibus, if it passes, as a reason to slow-roll the final documentation steps. Not as a reason to delay starting. See the EU AI Act compliance roadmap for small and mid-size SaaS companies.
What are the penalties for missing the August 2026 deadline?
The EU AI Act’s penalty structure is bigger than GDPR. Legal Nodes notes the fines were deliberately set higher than any previous EU digital regulation.
€35M or 7% of global annual turnover — for Article 5 prohibited practices. Already in force.
€15M or 3% of global annual turnover — for Annex III high-risk obligation failures. This is the tier most SaaS companies in scope face from August 2026.
€7.5M or 1.5% of global annual turnover — for providing incorrect or misleading information to authorities.
In practice, it’s not abstract. A SaaS company with €5M revenue facing an Annex III violation hits €150,000 maximum. After the 50% SME reduction, that’s €75,000. A €20M company: €300,000 after reduction. That’s significant relative to what compliance actually costs.
Enforcement can also include market withdrawal orders and bans on placing new systems. Infringement findings are public and reputationally damaging, not just financial. For a detailed comparison of compliance cost vs penalty exposure, see EU AI Act compliance cost vs penalty exposure for SMBs.
What concessions does the EU AI Act make for smaller companies?
There are three areas where the Act meaningfully reduces burden for smaller businesses.
Fine reductions. SMEs — under 250 employees, under €50M revenue, or under €43M assets — get a 50% reduction. Micro-enterprises under 10 employees and under €2M turnover get 75% off. The proportional percentages still apply.
Simplified documentation. If your SaaS company integrates OpenAI, Gemini, Claude, or Azure AI via API without modifying the underlying model, you’re almost certainly a deployer, not a provider. Providers carry the heavy load: conformity assessments, full technical documentation, EU declaration of conformity, database registration. Deployers have a lighter set — no conformity assessment, simplified documentation, focus on appropriate use-cases and user transparency. The ERT industry letter from March 2026 put provider compliance costs at up to €319,000 initial plus €150,000 per year for an SME. Deployers avoid most of that.
AI Regulatory Sandboxes. Member states must establish at least one sandbox by August 2026, giving SMEs direct regulatory guidance before full deployment. Availability varies by jurisdiction — check with the NCA in your primary EU operating market.
If you’re using third-party AI APIs, the question to ask is: does any product functionality fall under Annex III? If not, your primary obligation is Article 50 transparency, not the full high-risk stack.
What should you do before August 2, 2026?
Step 1 — Map your AI systems. Inventory every AI system your company uses, develops, or deploys in Europe. Over half of organisations lack this inventory. Without it, everything else is guesswork.
Step 2 — Determine your role (provider or deployer). If you’re using OpenAI, Azure AI, Gemini, or Claude without modifying the base model, you’re a deployer. That’s a different compliance scope — no conformity assessment required.
Step 3 — Classify against Annex III. Does any product feature or internal use fall in a high-risk category: biometrics, hiring, credit scoring, medical diagnostics, educational assessment, law enforcement? If yes, the full Annex III workstream applies. If no, proceed to Article 50.
Step 4 — Implement Article 50 transparency regardless. Any chatbot, synthetic content generator, or deepfake feature needs AI disclosure labelling. It applies regardless of high-risk classification and regardless of what the Omnibus does. Legal Nodes provides a clear pre-August 2026 checklist.
Step 5 — Update vendor contracts. Incorporate AI Act obligations into supplier agreements. Define which party holds compliance responsibility.
Step 6 — For Annex III systems, begin the four primary workstreams. Conformity assessment, quality management system, risk management system, and technical documentation per Annex IV.
Step 7 — Register in the EU AI Database before August 2, 2026 if you’re in Annex III scope. Portal: ai-act.europa.eu.
For a complete step-by-step guide, see the EU AI Act compliance roadmap for small and mid-size SaaS companies.
FAQ
Is the Digital Omnibus going to delay the August 2026 deadline?
Not yet, and potentially not in time. As of late March 2026, trilogue hasn’t begun. Even with the Cypriot Presidency targeting May 2026, there’s no guarantee the legislation will be enacted in time to legally amend the August 2 date. Inside Privacy notes: if the Omnibus isn’t adopted before August 2026, the original obligations timeline applies. Treat August 2, 2026 as fixed.
What is the EU AI Act penalty for a small company?
For Annex III violations, the maximum fine is €15M or 3% of global turnover. SMEs get 50% off; micro-enterprises get 75% off. For a €5M-revenue SaaS SME, that’s €75,000 after reduction. Full worked examples are in the penalties section above.
Has the GPAI deadline already passed?
Yes. GPAI obligations came into force on August 2, 2025. Providers like OpenAI, Google DeepMind, Anthropic, and Microsoft Azure AI have been under EU AI Act obligations since then. As a deployer using those APIs, your primary deadline is August 2, 2026.
Which EU AI Act obligations are NOT changed by the Digital Omnibus?
Article 50 transparency (fixed at August 2, 2026). Article 5 prohibited practices (in force since February 2025). GPAI obligations (in force since August 2025). The Omnibus targets only Annex III and Annex I application dates.
What is the difference between Annex I and Annex III high-risk AI systems?
Annex III covers stand-alone AI systems classified as high-risk by application domain: biometrics, employment screening, credit scoring, medical diagnostics, educational assessment, law enforcement. Deadline: August 2, 2026 (Omnibus proposes December 2, 2027). Annex I is AI embedded in regulated safety products — medical devices, machinery, vehicles. Deadline: August 2, 2027. Most SaaS, FinTech, and HealthTech companies are Annex III.
What is the “grandfathering clause” in the EU AI Act?
The grandfathering clause exempts AI systems lawfully on the EU market before August 2, 2026 from Annex III obligations, provided no significant modifications are made. Orrick describes it as an extended compliance period for systems already placed on the market. It doesn’t apply to Article 50 or Article 5.
What does “deployer” mean under the EU AI Act and am I one?
A deployer is any organisation using an AI system professionally that didn’t build the underlying model. If your company integrates OpenAI, Gemini, Claude, or Azure AI APIs, you’re almost certainly a deployer — lighter obligations, no conformity assessment. But Article 50 still applies.
Does the EU AI Act apply if we are not based in Europe?
Yes. It has extraterritorial scope equivalent to GDPR — it applies to any company whose AI outputs are used within the EU. A US, Australian, or UK SaaS company with EU customers is in scope. For a full analysis, see Does the EU AI Act apply to your company?
What does the EU AI Database require and when is registration mandatory?
The EU AI Database is the official registry for providers of high-risk AI systems. Mandatory registration before August 2, 2026 for Annex III systems. Both the Council and Parliament’s Omnibus positions reinstate the registration obligation. Required: provider identity, system description, intended purpose, geographic scope, and conformity assessment outcome. Portal: ai-act.europa.eu.
Is the EU AI Act relevant if we only use AI internally?
Potentially yes. Annex III explicitly includes AI used for recruitment, hiring decisions, and performance evaluation. Internal HR AI tools used by EU employees or to assess EU-based candidates are in scope. Scale and risk level determine enforcement priority.
Where can I find the official EU AI Act documentation?
Official text: Regulation (EU) 2024/1689, accessible via EUR-Lex. EU AI Office portal: ai-act.europa.eu — includes the AI Service Desk FAQ, guidance documents, and Digital Omnibus updates. The European Commission’s Digital Omnibus legislative tracking page shows current position documents.
