As at 17 July 2026: Parliament approved the Digital Omnibus on AI on 16 June and the Council adopted it on 29 June. Publication in the Official Journal is expected imminently; it enters into force three days after. Verify the current position ›

Regulation (EU) 2024/1689 · In force since 1 August 2024

The EU didn't pause
the AI Act.

Most of it is already enforceable. One chapter moved — and it moved to a condition, not a date.

Banned practices have been enforceable since February 2025. General-purpose AI rules since August 2025. What the Digital Omnibus changed is when high-risk obligations bite — and it tied them to the Commission confirming that standards exist, with a long-stop date behind it. If you are tracking a date, you are tracking the wrong thing.

Aug 2024In force. The Act is law and
has been for two years
Feb 2025Banned practices enforceable
with fines already attached
1 of 13Chapters deferred by the
Omnibus. The rest stands
0Fixed deadlines for high-risk.
It is a condition now

The architecture

Four tiers. This part has never changed.

The Act sorts AI by what it does to people, not by what it is made of. That structure survived the Omnibus untouched, and it is the part worth learning, because it is the part that will still be true in five years. Select a tier.

Your tier is decided by use, not by technology. The same model can sit in three tiers at once, in three products.

Tier 1

Enforceable now

Unacceptable risk — banned

Already law

The parts you can be fined for today.

“The EU delayed the AI Act” is half true and dangerously imprecise. These obligations are in force now. They were never part of the Omnibus discussion, and no amount of headline about simplification changes them.

Prohibited practices

Article 5 has applied since 2 February 2025. Social scoring, manipulative techniques that cause significant harm, untargeted facial-image scraping, emotion inference in workplaces and schools, and most real-time remote biometric identification in public for law enforcement.

These carry the Act's heaviest penalties. If you are doing one of them, the Omnibus did not help you.

AI literacy

Article 4 has applied since 2 February 2025. Providers and deployers must take measures to ensure a sufficient level of AI literacy among the staff dealing with their AI systems, in proportion to context and risk.

The least glamorous obligation in the Act and the one most often discovered late, because it applies whatever tier you are in.

General-purpose AI

Chapter V has applied since 2 August 2025. Providers of GPAI models owe technical documentation, information to downstream providers, a copyright policy and a public summary of training content, with heavier duties for models posing systemic risk.

Untouched by the Omnibus.

Governance, notifying authorities and the penalty regime also arrived on 2 August 2025. So the machinery to enforce the Act has been assembled for a year, and the prohibitions it enforces have been live for eighteen months. Whatever was paused, it was not the Act.

What moved

One chapter, and the reason is not political.

The Commission proposed the Digital Omnibus on AI on 19 November 2025, as part of a wider simplification package that also touches the GDPR, ePrivacy, NIS2 and the Data Act. The AI piece exists because implementation was visibly off track: the harmonised standards were not finished, and Member States had not designated their competent authorities or conformity assessment bodies.

You cannot oblige a company to be assessed against standards that do not exist, by bodies nobody has appointed. That is the honest reason, and it is worth knowing, because it tells you what has to happen before the clock restarts.

DateWhat happensStatus
2 Feb 2025 Prohibited practices and AI literacy apply.Article 5, Article 4. Unchanged by the Omnibus. In force
2 Aug 2025 General-purpose AI obligations, governance, notifying authorities and penalties apply.Chapter V and the enforcement machinery. Unchanged. In force
2 Aug 2026 Article 50 transparency obligations apply.Disclosure that content is AI-generated, and that a user is talking to a machine. Did not move — except that Article 50(2) will not apply to systems already on the market at that date. Did not move
2 Dec 2026 Two new prohibitions apply, and Article 50(2) reaches legacy systems.The Omnibus adds bans on AI generating non-consensual intimate imagery and child sexual abuse material. Watermarking obligations also land here. New
2 Aug 2027 Member States must have at least one national AI regulatory sandbox operating.Also the Commission's deadline for delegated acts on Annex I sectoral rules. Unchanged
2 Dec 2027 Long-stop for high-risk obligations on stand-alone Annex III systems.Was 2 August 2026. This is a backstop, not a deadline — see below. Moved
2 Aug 2028 Long-stop for high-risk obligations on AI embedded in regulated products under Annex I.Was 2 August 2027. Moved

Alongside the dates, the Omnibus narrows “safety component” so that AI which merely assists or optimises is not automatically high-risk where failure creates no health or safety risk; resolves overlaps with sectoral law such as machinery and medical devices; reinstates database registration for providers who self-assess as exempt; and amends the GDPR to permit processing special categories of data for bias detection and correction. It is a simplification package, not a retreat.

The mechanism

High-risk is now a condition, not a date.

This is the part almost every summary gets wrong, and the only part you need to remember. The Omnibus did not move the high-risk deadline from one date to another date. It replaced the deadline with a trigger, and put a long-stop behind it in case the trigger never fires.

Step 1

Standards land

The harmonised standards and the supporting compliance tools have to actually exist. This is what CEN-CENELEC/JTC 21 has been building, and its absence is why the delay happened at all.

Step 2

The Commission decides

The Commission adopts a Decision confirming that those tools are available. This is the event that starts the clock. Not a date in a calendar — an act of the Commission, published.

Step 3

The transition runs

Six months later, high-risk obligations apply to stand-alone Annex III systems. Twelve months after that, to Annex I systems embedded in regulated products.

Step 4

The long-stop

If the Decision never comes, the obligations apply anyway: 2 December 2027 for Annex III and 2 August 2028 for Annex I. Those are ceilings, not targets. The real dates can be earlier.

Two consequences follow, and they are the reason this page exists. First: you cannot plan against 2 December 2027 as though it were the date, because a Commission Decision in, say, early 2027 would pull Annex III forward. Second: the thing to monitor is not a countdown, it is the standards programme and the Official Journal. That is a durable instruction. It will still be right when every date on this page has been superseded.

The United Kingdom

Brexit did not get you out of this.

The most common British misconception about the AI Act is that it is somebody else's problem. The Act reaches outside the Union by design, and it does so on the basis of where your output lands, not where your company is registered.

You place a system on the EU market

Article 2 catches providers placing AI systems on the Union market or putting them into service there, irrespective of whether they are established in the Union or in a third country. A London company selling into Dublin is a provider under the Act.

Your output is used in the Union

The sharper edge. Providers and deployers established outside the Union are caught where the output produced by the system is used in the Union. You can have no EU entity, no EU customer contract, and still be in scope because of where the answer is read.

You are somebody's supplier

Even outside direct scope, you will meet the Act through your customers. An EU deployer with Annex III obligations will push documentation, logging and human-oversight requirements down its supply chain, and it will do so through contracts long before its own deadline.

The UK is doing something different

Britain has no AI act. It has a principles-based approach delegated to existing sector regulators. In that model international standards carry more weight, not less — they are the shared reference a regulator can point at without legislating. Which is why UK firms often end up implementing ISO/IEC 42001 while their EU customers implement the Act.

The practical consequence for a UK business is unglamorous: your exposure is decided by your customers' geography and your own role under Article 2, and both of those are questions you can answer this week without waiting for anyone in Brussels.

Durable

How to check any of this yourself.

Every date on this page can move. This section cannot, because it is method rather than fact. If you learn one thing here, learn this: the primary sources are free, public, and quicker to read than the consultancy summary of them.

Is it actually law yet?

Only the Official Journal decides. A political agreement is not law; a Parliament vote is not law; a Council adoption is not law. An EU act enters into force on the date stated in it, normally the twentieth day after publication in the Official Journal — and for the Omnibus, the third day. Until publication, the previous wording applies in full.

Search EUR-Lex for the act number. If it is not there, it is not law, whatever the press release says.

Where is a proposal up to?

The Parliament's Legislative Train Schedule tracks every file through its stages, with dates and rapporteur names. It is the single most useful and least known public tool in EU law-watching.

For the AI Act specifically, the Commission's AI Act Service Desk and the AI Office publish guidance, and the standards position sits with CEN-CENELEC/JTC 21.

Read the recitals

EU regulations open with numbered recitals explaining what each provision is for. They are not binding, but courts and regulators read them, and they routinely answer the question your lawyer is charging you to interpret. The AI Act has 180 of them.

Beware the consolidated text

Once the Omnibus is published, EUR-Lex will offer a consolidated version of the AI Act with the amendments folded in. Consolidated texts are editorial conveniences, not authentic law. Where it matters, cite the original act and its amending act.

This page was last reviewed on 17 July 2026. If you are reading it much later than that, treat every date above as a claim to verify rather than a fact to rely on — and use the four checks here to do it in about ten minutes.

Matthew Blakemore, AI standards practitioner and member of the BSI and ISO artificial intelligence committees, speaking on stage at an AI summit

BSI and ISO AI committees

Matthew Blakemore

The AI Act's high-risk regime is waiting on standards. Matthew is a member of the BSI and ISO committees that write them, contributing through BSI's ART/1 — the UK national mirror committee for ISO/IEC JTC 1/SC 42 — and he was sub-editor of ISO/IEC 8183, the data life cycle framework that ISO/IEC 5259 is built on.

That is a useful vantage point on a regulation whose timetable now depends on a standards programme. He can tell you what is actually being drafted, how ISO/IEC 42001 relates to an AI Act quality management system, and where the gap between the two still sits.

  • CommitteesMember, BSI and ISO artificial intelligence committees, including BSI ART/1
  • StandardSub-editor, ISO/IEC 8183 — Data life cycle framework
  • AdvisoryInnovate UK BridgeAI programme
  • CompanyChief Executive, AI Caramba!
  • FrameworkOriginator of the Snakes and Ladders AI Framework™
  • BookSnakes and Ladders: A Leader's Playbook for AI Strategy, Governance and Risk (forthcoming)

Questions

The EU AI Act, answered.

Has the EU paused the AI Act?

No. This is the most widespread misreading of 2026 and it is dangerous, because it invites people to stop work on obligations that are already enforceable.

The Act entered into force on 1 August 2024. Prohibited practices and AI literacy have applied since 2 February 2025. General-purpose AI rules, governance, notifying authorities and penalties have applied since 2 August 2025. What the Digital Omnibus on AI does is defer the application of the high-risk chapter, and add two new prohibitions. The architecture, the bans and the GPAI rules are untouched.

What is the Digital Omnibus on AI?

A package of targeted amendments to the AI Act, proposed by the European Commission on 19 November 2025 as part of a wider simplification package that also touches the GDPR, ePrivacy, NIS2 and the Data Act. It is not a new law replacing the AI Act; it edits it.

Its central provision defers high-risk obligations, because the harmonised standards were not finished and Member States had not designated competent authorities or conformity assessment bodies. You cannot require conformity with standards that do not exist, assessed by bodies nobody has appointed.

When do high-risk AI obligations actually apply?

There is no longer a simple date, and this is the single most important thing to understand. Application is triggered by the Commission adopting a decision confirming that standards and supporting compliance tools are available. Six months after that, obligations apply to stand-alone Annex III systems; twelve months later, to Annex I systems embedded in regulated products.

Behind the trigger sits a long-stop: if no decision comes, obligations apply anyway from 2 December 2027 for Annex III and 2 August 2028 for Annex I. Those are ceilings, not targets. Plan against the mechanism, not the backstop.

What did not move?

The prohibitions in Article 5, in force since February 2025. AI literacy under Article 4, same date. The general-purpose AI chapter, in force since August 2025. Governance and penalties, also August 2025. And Article 50 transparency, which still applies from 2 August 2026 — with one carve-out, that Article 50(2) will not catch systems already on the market at that date, reaching them instead from 2 December 2026.

Did the Omnibus add anything?

Yes, which is the half of the story nobody reports. It adds prohibitions on AI systems generating non-consensual intimate imagery — so-called nudification tools — and child sexual abuse material, into Article 5, applying from 2 December 2026. It covers both providers placing such systems on the market and deployers using them for those purposes.

It also reinstates an obligation to register in the EU database for providers who consider their high-risk systems exempt, and amends the GDPR to permit processing special categories of personal data for bias detection and correction.

Does the EU AI Act apply to UK companies?

Frequently, yes. Article 2 catches providers placing AI systems on the Union market or putting them into service there, irrespective of whether they are established in the Union or in a third country. It also catches providers and deployers established outside the Union where the output produced by the system is used in the Union.

That second limb is the one that surprises people. A UK company with no EU entity and no EU contract can be in scope because of where its output is read. And even outside direct scope, EU customers push the Act's documentation and oversight requirements down their supply chains through contract terms, usually well ahead of their own deadlines.

What are the four risk tiers?

Unacceptable risk — prohibited outright under Article 5. High risk — permitted subject to the full weight of Chapter III, split between Annex III stand-alone systems and Annex I systems embedded in regulated products. Limited risk — permitted subject to transparency duties under Article 50. Minimal risk — everything else, with no obligations beyond AI literacy.

Tier is decided by use, not by technology. The same model can sit in three different tiers in three different products, and that is the classification error people make most often.

Is the Omnibus in force yet?

Check, do not assume — and this answer is written to be checked. As at 17 July 2026, the European Parliament had approved the text on 16 June 2026 and the Council had adopted it on 29 June 2026, with publication in the Official Journal expected imminently. An EU act is not law until it is published there and enters into force on the date it states.

Until then, the 2024 wording of the AI Act applies as written, including the original high-risk dates. Search EUR-Lex for the act; if it is not there, it is not law, whatever the press release says.

How does ISO/IEC 42001 relate to the EU AI Act?

Article 17 requires providers of high-risk AI systems to operate a quality management system, and Article 40 allows harmonised standards to confer a presumption of conformity. ISO/IEC 42001 is the international AI management system standard, and a well-run AIMS gives you much of the organisational machinery an AI Act QMS needs, already audited.

But be precise: ISO/IEC 42001 is not a harmonised standard cited in the Official Journal, so it confers no presumption of conformity, and the European position is that it does not cover the full set of the AI Act's quality management requirements — which is why a separate European standard, prEN 18286, is being developed. Treat 42001 as a head start, not a finish line. See our ISO/IEC 42001 guide.

What are the fines under the EU AI Act?

Tiered to the breach. Prohibited practices attract the heaviest penalties, up to €35 million or 7% of total worldwide annual turnover, whichever is higher. Most other breaches of obligations attract up to €15 million or 3%. Supplying incorrect, incomplete or misleading information to authorities attracts up to €7.5 million or 1%. Lower caps apply to SMEs and start-ups.

The penalty regime has applied since 2 August 2025, and it applies to the prohibitions that have been live since February 2025. That combination is why “the Act was paused” is an expensive thing to believe.

Where can I read the actual text?

Free, on EUR-Lex. The AI Act is Regulation (EU) 2024/1689. Read the recitals as well as the articles — there are 180 of them and they explain what each provision is for. Regulators and courts read them, and they often answer the question you were about to pay somebody to interpret.

Once the Omnibus is published, EUR-Lex will offer a consolidated version. Consolidated texts are editorial conveniences and not authentic law; where it matters, cite the original act and the amending act.

Next

The deferral is not a reprieve. It is a budget.

Sixteen extra months on Annex III is not time off. It is time to do the conformity assessment properly, build the technical documentation, and design human oversight that survives contact with an auditor — instead of doing all three in a panic. The organisations that treat it as a pause will meet the trigger unprepared, and the trigger is not in their control.