Regulation (EU) 2024/1689 · In force since 1 August 2024
Most of it is already enforceable. One chapter moved — and it moved to a condition, not a date.
Banned practices have been enforceable since February 2025. General-purpose AI rules since August 2025. What the Digital Omnibus changed is when high-risk obligations bite — and it tied them to the Commission confirming that standards exist, with a long-stop date behind it. If you are tracking a date, you are tracking the wrong thing.
The architecture
The Act sorts AI by what it does to people, not by what it is made of. That structure survived the Omnibus untouched, and it is the part worth learning, because it is the part that will still be true in five years. Select a tier.
Tier 1
Enforceable nowAlready law
“The EU delayed the AI Act” is half true and dangerously imprecise. These obligations are in force now. They were never part of the Omnibus discussion, and no amount of headline about simplification changes them.
Article 5 has applied since 2 February 2025. Social scoring, manipulative techniques that cause significant harm, untargeted facial-image scraping, emotion inference in workplaces and schools, and most real-time remote biometric identification in public for law enforcement.
These carry the Act's heaviest penalties. If you are doing one of them, the Omnibus did not help you.
Article 4 has applied since 2 February 2025. Providers and deployers must take measures to ensure a sufficient level of AI literacy among the staff dealing with their AI systems, in proportion to context and risk.
The least glamorous obligation in the Act and the one most often discovered late, because it applies whatever tier you are in.
Chapter V has applied since 2 August 2025. Providers of GPAI models owe technical documentation, information to downstream providers, a copyright policy and a public summary of training content, with heavier duties for models posing systemic risk.
Untouched by the Omnibus.
Governance, notifying authorities and the penalty regime also arrived on 2 August 2025. So the machinery to enforce the Act has been assembled for a year, and the prohibitions it enforces have been live for eighteen months. Whatever was paused, it was not the Act.
What moved
The Commission proposed the Digital Omnibus on AI on 19 November 2025, as part of a wider simplification package that also touches the GDPR, ePrivacy, NIS2 and the Data Act. The AI piece exists because implementation was visibly off track: the harmonised standards were not finished, and Member States had not designated their competent authorities or conformity assessment bodies.
You cannot oblige a company to be assessed against standards that do not exist, by bodies nobody has appointed. That is the honest reason, and it is worth knowing, because it tells you what has to happen before the clock restarts.
Alongside the dates, the Omnibus narrows “safety component” so that AI which merely assists or optimises is not automatically high-risk where failure creates no health or safety risk; resolves overlaps with sectoral law such as machinery and medical devices; reinstates database registration for providers who self-assess as exempt; and amends the GDPR to permit processing special categories of data for bias detection and correction. It is a simplification package, not a retreat.
The mechanism
This is the part almost every summary gets wrong, and the only part you need to remember. The Omnibus did not move the high-risk deadline from one date to another date. It replaced the deadline with a trigger, and put a long-stop behind it in case the trigger never fires.
The harmonised standards and the supporting compliance tools have to actually exist. This is what CEN-CENELEC/JTC 21 has been building, and its absence is why the delay happened at all.
The Commission adopts a Decision confirming that those tools are available. This is the event that starts the clock. Not a date in a calendar — an act of the Commission, published.
Six months later, high-risk obligations apply to stand-alone Annex III systems. Twelve months after that, to Annex I systems embedded in regulated products.
If the Decision never comes, the obligations apply anyway: 2 December 2027 for Annex III and 2 August 2028 for Annex I. Those are ceilings, not targets. The real dates can be earlier.
Two consequences follow, and they are the reason this page exists. First: you cannot plan against 2 December 2027 as though it were the date, because a Commission Decision in, say, early 2027 would pull Annex III forward. Second: the thing to monitor is not a countdown, it is the standards programme and the Official Journal. That is a durable instruction. It will still be right when every date on this page has been superseded.
The United Kingdom
The most common British misconception about the AI Act is that it is somebody else's problem. The Act reaches outside the Union by design, and it does so on the basis of where your output lands, not where your company is registered.
Article 2 catches providers placing AI systems on the Union market or putting them into service there, irrespective of whether they are established in the Union or in a third country. A London company selling into Dublin is a provider under the Act.
The sharper edge. Providers and deployers established outside the Union are caught where the output produced by the system is used in the Union. You can have no EU entity, no EU customer contract, and still be in scope because of where the answer is read.
Even outside direct scope, you will meet the Act through your customers. An EU deployer with Annex III obligations will push documentation, logging and human-oversight requirements down its supply chain, and it will do so through contracts long before its own deadline.
Britain has no AI act. It has a principles-based approach delegated to existing sector regulators. In that model international standards carry more weight, not less — they are the shared reference a regulator can point at without legislating. Which is why UK firms often end up implementing ISO/IEC 42001 while their EU customers implement the Act.
The practical consequence for a UK business is unglamorous: your exposure is decided by your customers' geography and your own role under Article 2, and both of those are questions you can answer this week without waiting for anyone in Brussels.
Durable
Every date on this page can move. This section cannot, because it is method rather than fact. If you learn one thing here, learn this: the primary sources are free, public, and quicker to read than the consultancy summary of them.
Only the Official Journal decides. A political agreement is not law; a Parliament vote is not law; a Council adoption is not law. An EU act enters into force on the date stated in it, normally the twentieth day after publication in the Official Journal — and for the Omnibus, the third day. Until publication, the previous wording applies in full.
Search EUR-Lex for the act number. If it is not there, it is not law, whatever the press release says.
The Parliament's Legislative Train Schedule tracks every file through its stages, with dates and rapporteur names. It is the single most useful and least known public tool in EU law-watching.
For the AI Act specifically, the Commission's AI Act Service Desk and the AI Office publish guidance, and the standards position sits with CEN-CENELEC/JTC 21.
EU regulations open with numbered recitals explaining what each provision is for. They are not binding, but courts and regulators read them, and they routinely answer the question your lawyer is charging you to interpret. The AI Act has 180 of them.
Once the Omnibus is published, EUR-Lex will offer a consolidated version of the AI Act with the amendments folded in. Consolidated texts are editorial conveniences, not authentic law. Where it matters, cite the original act and its amending act.
This page was last reviewed on 17 July 2026. If you are reading it much later than that, treat every date above as a claim to verify rather than a fact to rely on — and use the four checks here to do it in about ten minutes.
BSI and ISO AI committees
The AI Act's high-risk regime is waiting on standards. Matthew is a member of the BSI and ISO committees that write them, contributing through BSI's ART/1 — the UK national mirror committee for ISO/IEC JTC 1/SC 42 — and he was sub-editor of ISO/IEC 8183, the data life cycle framework that ISO/IEC 5259 is built on.
That is a useful vantage point on a regulation whose timetable now depends on a standards programme. He can tell you what is actually being drafted, how ISO/IEC 42001 relates to an AI Act quality management system, and where the gap between the two still sits.
Questions
No. This is the most widespread misreading of 2026 and it is dangerous, because it invites people to stop work on obligations that are already enforceable.
The Act entered into force on 1 August 2024. Prohibited practices and AI literacy have applied since 2 February 2025. General-purpose AI rules, governance, notifying authorities and penalties have applied since 2 August 2025. What the Digital Omnibus on AI does is defer the application of the high-risk chapter, and add two new prohibitions. The architecture, the bans and the GPAI rules are untouched.
A package of targeted amendments to the AI Act, proposed by the European Commission on 19 November 2025 as part of a wider simplification package that also touches the GDPR, ePrivacy, NIS2 and the Data Act. It is not a new law replacing the AI Act; it edits it.
Its central provision defers high-risk obligations, because the harmonised standards were not finished and Member States had not designated competent authorities or conformity assessment bodies. You cannot require conformity with standards that do not exist, assessed by bodies nobody has appointed.
There is no longer a simple date, and this is the single most important thing to understand. Application is triggered by the Commission adopting a decision confirming that standards and supporting compliance tools are available. Six months after that, obligations apply to stand-alone Annex III systems; twelve months later, to Annex I systems embedded in regulated products.
Behind the trigger sits a long-stop: if no decision comes, obligations apply anyway from 2 December 2027 for Annex III and 2 August 2028 for Annex I. Those are ceilings, not targets. Plan against the mechanism, not the backstop.
The prohibitions in Article 5, in force since February 2025. AI literacy under Article 4, same date. The general-purpose AI chapter, in force since August 2025. Governance and penalties, also August 2025. And Article 50 transparency, which still applies from 2 August 2026 — with one carve-out, that Article 50(2) will not catch systems already on the market at that date, reaching them instead from 2 December 2026.
Yes, which is the half of the story nobody reports. It adds prohibitions on AI systems generating non-consensual intimate imagery — so-called nudification tools — and child sexual abuse material, into Article 5, applying from 2 December 2026. It covers both providers placing such systems on the market and deployers using them for those purposes.
It also reinstates an obligation to register in the EU database for providers who consider their high-risk systems exempt, and amends the GDPR to permit processing special categories of personal data for bias detection and correction.
Frequently, yes. Article 2 catches providers placing AI systems on the Union market or putting them into service there, irrespective of whether they are established in the Union or in a third country. It also catches providers and deployers established outside the Union where the output produced by the system is used in the Union.
That second limb is the one that surprises people. A UK company with no EU entity and no EU contract can be in scope because of where its output is read. And even outside direct scope, EU customers push the Act's documentation and oversight requirements down their supply chains through contract terms, usually well ahead of their own deadlines.
Unacceptable risk — prohibited outright under Article 5. High risk — permitted subject to the full weight of Chapter III, split between Annex III stand-alone systems and Annex I systems embedded in regulated products. Limited risk — permitted subject to transparency duties under Article 50. Minimal risk — everything else, with no obligations beyond AI literacy.
Tier is decided by use, not by technology. The same model can sit in three different tiers in three different products, and that is the classification error people make most often.
Check, do not assume — and this answer is written to be checked. As at 17 July 2026, the European Parliament had approved the text on 16 June 2026 and the Council had adopted it on 29 June 2026, with publication in the Official Journal expected imminently. An EU act is not law until it is published there and enters into force on the date it states.
Until then, the 2024 wording of the AI Act applies as written, including the original high-risk dates. Search EUR-Lex for the act; if it is not there, it is not law, whatever the press release says.
Article 17 requires providers of high-risk AI systems to operate a quality management system, and Article 40 allows harmonised standards to confer a presumption of conformity. ISO/IEC 42001 is the international AI management system standard, and a well-run AIMS gives you much of the organisational machinery an AI Act QMS needs, already audited.
But be precise: ISO/IEC 42001 is not a harmonised standard cited in the Official Journal, so it confers no presumption of conformity, and the European position is that it does not cover the full set of the AI Act's quality management requirements — which is why a separate European standard, prEN 18286, is being developed. Treat 42001 as a head start, not a finish line. See our ISO/IEC 42001 guide.
Tiered to the breach. Prohibited practices attract the heaviest penalties, up to €35 million or 7% of total worldwide annual turnover, whichever is higher. Most other breaches of obligations attract up to €15 million or 3%. Supplying incorrect, incomplete or misleading information to authorities attracts up to €7.5 million or 1%. Lower caps apply to SMEs and start-ups.
The penalty regime has applied since 2 August 2025, and it applies to the prohibitions that have been live since February 2025. That combination is why “the Act was paused” is an expensive thing to believe.
Free, on EUR-Lex. The AI Act is Regulation (EU) 2024/1689. Read the recitals as well as the articles — there are 180 of them and they explain what each provision is for. Regulators and courts read them, and they often answer the question you were about to pay somebody to interpret.
Once the Omnibus is published, EUR-Lex will offer a consolidated version. Consolidated texts are editorial conveniences and not authentic law; where it matters, cite the original act and the amending act.
Next
Sixteen extra months on Annex III is not time off. It is time to do the conformity assessment properly, build the technical documentation, and design human oversight that survives contact with an auditor — instead of doing all three in a panic. The organisations that treat it as a pause will meet the trigger unprepared, and the trigger is not in their control.