Overview
Quick answer: 2 August 2026 remains a major EU AI Act compliance date, but its exact impact is now affected by the Digital Omnibus on AI. Under the original AI Act (Regulation 2024/1689), this was the date when most remaining provisions became applicable, including the obligations for high-risk AI systems and the wider penalty framework. However, a provisional EU political agreement reached on 7 May 2026 would delay high-risk obligations for standalone Annex III systems until 2 December 2027, and for high-risk AI embedded in regulated products until 2 August 2028. Several transparency duties and enforcement-related rules still make 2 August 2026 an important date for many organisations.
The EU AI Act is the world's first comprehensive law on artificial intelligence, and it phases in over several years rather than switching on at once. The 2 August 2026 milestone was long described as the single most significant compliance date for most businesses. The Digital Omnibus does not remove that date, but it does change what arrives on it.
If you build, deploy, sell, or even procure AI systems that touch people in the EU, this still affects you. So do the complaints, regulator inquiries, and partner due-diligence questions about AI compliance that are already arriving, each of which needs a clear, documented, formal response.
This guide is general information, not legal advice. The EU AI Act is complex and parts of it are still being amended through the Digital Omnibus, which at the time of writing was a provisional agreement not yet formally adopted. Always check the current text of Regulation 2024/1689 and seek qualified legal advice for your specific situation.
What still changes on 2 August 2026
2 August 2026 remains an important AI Act date, but not everything originally scheduled for that day may now arrive at the same time. Here is what still stands.
Most of the Act becomes applicable under the original Regulation. Article 113 of Regulation (EU) 2024/1689 states that the Regulation applies from 2 August 2026, subject to earlier and later exceptions. That general application date is not removed by the Digital Omnibus.
Many transparency obligations remain on the 2026 track. A range of Article 50 transparency duties — for example, the obligations on deployers to disclose certain AI use — remain due to apply from 2 August 2026. One important exception: the Article 50(2) obligation on providers to mark AI-generated or synthetic content has been moved (see the timeline below).
GPAI enforcement powers begin. The European Commission's supervision and enforcement powers over providers of general-purpose AI (GPAI) models come into force on 2 August 2026. GPAI obligations themselves have applied since 2 August 2025.
The penalty framework is in play for the rules already in force. Fines for prohibited practices and for GPAI breaches are active. What moves is the application of the high-risk obligations — and therefore the practical bite of the penalties tied specifically to them.
What the Digital Omnibus may change
On 7 May 2026, the Council of the EU and the European Parliament reached a provisional political agreement on the Digital Omnibus on AI — the first set of targeted amendments to the EU AI Act since its adoption. The agreement was prompted by the fact that the standards and compliance tools needed for high-risk systems were behind schedule. These changes take legal effect only once the Omnibus is formally adopted and published in the Official Journal; until then they are not legally binding.
The headline changes are:
- High-risk obligations delayed. Standalone Annex III high-risk systems would move from 2 August 2026 to 2 December 2027. High-risk AI embedded in regulated products under Annex I would move to 2 August 2028.
- Watermarking grace period shortened, then moved. The Article 50(2) obligation on providers to mark AI-generated and synthetic content would apply from 2 December 2026 (a three-month grace period rather than the six months originally floated). Other Article 50 transparency obligations, including those on deployers, would still apply from 2 August 2026.
- A new prohibited practice. The agreement adds to the Article 5 prohibitions a ban on AI-generated non-consensual intimate imagery (so-called "nudifiers") and on AI generating child sexual abuse material.
Two cautions. First, these dates are conditional: until formal adoption and publication, the original timeline could still apply if the process is not completed in time. Second, the core architecture of the Act — the risk tiers, the conformity-assessment regime, the GPAI track, and the role of the AI Office — does not change. The delay buys preparation time; it does not remove the obligations.
The full EU AI Act timeline at a glance
The Act entered into force on 1 August 2024 and phases in as follows. The 2027-2028 dates below reflect the Digital Omnibus provisional agreement and are conditional on formal adoption.
- 2 February 2025 — Prohibited AI practices became enforceable, and AI literacy obligations began.
- 2 August 2025 — Obligations for general-purpose AI (GPAI) models began to apply. Governance structures, including the EU AI Office, became operational, and Member States were required to have their penalty rules in place.
- 2 August 2026 — Main application date under the original Regulation (Article 113). Article 50 transparency obligations remain important, GPAI enforcement powers begin, and the penalty framework is active for rules already in force. High-risk obligations were originally scheduled for this date but the Digital Omnibus would move them.
- 2 December 2026 — Proposed new date for the Article 50(2) provider obligation to mark AI-generated and synthetic content, if the Digital Omnibus is adopted.
- 2 December 2027 — Proposed new application date for standalone Annex III high-risk AI systems, if the Digital Omnibus is adopted.
- 2 August 2028 — Proposed new application date for high-risk AI systems embedded in regulated products (Annex I), if the Digital Omnibus is adopted.
Who must comply (and why location does not save you)
The Act assigns obligations by the role you play in the AI value chain. The main roles are:
- Provider — the organisation that develops an AI system, or has one developed, and places it on the market or puts it into service under its own name. Providers carry the heaviest obligations.
- Deployer — the organisation that uses an AI system under its own authority in a professional context. Deployers have their own duties, especially around human oversight and using systems as instructed.
- Importer and distributor — organisations that bring AI systems from outside the EU into the market or make them available, with verification and record-keeping duties.
Crucially, the Act has extraterritorial reach, and the Digital Omnibus does not change this. If your AI system, or its output, is used in the European Union, the Act can apply to you regardless of where your company is headquartered. A provider in the United States, the United Kingdom, or anywhere else is not outside scope simply because it has no EU office. What matters is whether the system touches people in the EU.
What counts as a high-risk AI system
The high-risk category is the one whose deadline the Digital Omnibus would move, so it is worth being precise about what falls inside it.
Broadly, two routes lead to a high-risk classification. The first is AI used as a safety component of, or as, a product already regulated under EU product-safety law (Annex I) — the route now slated for 2 August 2028. The second is the list of standalone high-risk uses set out in Annex III — the route now slated for 2 December 2027 — which includes areas such as:
- employment, recruitment, and worker management (for example, CV-screening or hiring tools),
- access to essential private and public services, including creditworthiness and credit scoring,
- biometrics and biometric categorisation,
- education and vocational training (for example, scoring exams or determining admission),
- critical infrastructure, law enforcement, migration, and the administration of justice.
The delay reflects the fact that the harmonised standards and support tools needed to comply with these requirements are still being finalised. It is preparation time, not a reprieve: the substantive obligations are unchanged.
The penalties: what non-compliance costs
The Act uses a tiered penalty structure, and the figures are deliberately large.
The most serious tier applies to breaches of the prohibited-practices rules: fines of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher.
A second tier covers many other breaches — including obligations of providers, deployers, importers, distributors and notified bodies, as well as the Article 50 transparency duties: fines of up to EUR 15 million or 3% of total worldwide annual turnover, whichever is higher.
Supplying incorrect, incomplete, or misleading information to authorities carries its own, lower penalty band. As high-risk obligations move to 2027-2028, the penalties tied specifically to them move with the substantive duties, but the prohibited-practice and GPAI penalties are already live.
Finally, the AI Act does not replace the GDPR. Where an AI system processes personal data, both regimes apply at the same time, and data protection authorities keep their jurisdiction over the personal-data aspects.
How to respond to an AI Act compliance request
Even with the delay, formal requests are multiplying. You may receive one from a national market surveillance authority, from the EU AI Office (for GPAI matters), from a customer or downstream provider running due diligence, or as part of a complaint filed against you. A weak or late response can escalate a routine inquiry into an investigation.
A strong response letter is structured, factual, and easy to verify. Use this structure:
1. Identify the request precisely
State clearly what you are responding to: the date of the request, the sender, the reference number if any, and exactly what was asked. This shows you have read it carefully and creates a clean paper trail.
2. State your role under the Act
Make clear whether you are responding as a provider, deployer, importer, or distributor of the system in question, and identify the system precisely. Your obligations follow from this role, so getting it right frames everything that comes after.
3. Answer the specific questions, point by point
Address each question the request raised, in order, with facts. Where the Act requires documentation — technical documentation, risk-management records, data-governance measures, human-oversight arrangements — describe what you have and reference the documents you are enclosing.
4. Be candid about gaps and remediation
If something is not yet in place, do not hide it. Say what is missing, what you are doing about it, and by when. Regulators respond far better to a documented remediation plan than to silence or denial.
5. Close with a clear contact and next step
Name a responsible contact, confirm your willingness to provide further information, and propose a concrete next step or timeline. List your enclosures.
DocuGov.ai generates jurisdiction-aware AI Act compliance and response letters built on this structure — turning a stressful regulator inquiry into a clear, professional document in minutes. You can start from our AI Act compliance letters page.
What individuals and affected people can do
The Act is not only about corporate obligations. It also strengthens the position of people affected by AI systems, and those rights are worth knowing.
If you believe a system uses a banned practice — for example, social scoring, certain forms of emotion or biometric surveillance, or the newly added ban on AI-generated non-consensual intimate imagery — you can report it. See our guide to filing a prohibited AI practice complaint.
Separately, under the GDPR, you have rights when a decision about you is made by automation alone. You can object to such a decision and demand human intervention with a GDPR Article 22 objection, and you can ask for a meaningful explanation of how an algorithm reached a decision affecting you with a right to explanation request.
These letters work best when they are specific: identify the decision, the system if known, the date, and exactly what you are asking the organisation to do.
Common mistakes to avoid
Treating the delay as a cancellation. The Digital Omnibus buys time; it does not remove the high-risk obligations. The dates moved to 2 December 2027 and 2 August 2028 — they did not disappear.
Assuming you are out of scope because you are outside the EU. Extraterritorial reach means the test is whether the system touches the EU, not where you are based.
Relying on the new dates before they are law. The Omnibus was a provisional agreement at the time of writing. Until it is formally adopted and published, plan against the possibility that the original timeline still applies.
Confusing the GPAI rules with the high-risk rules. GPAI model obligations have applied since August 2025; the high-risk regime is a separate layer with its own (now deferred) dates.
Ignoring a regulator request or answering informally. An email reply with no structure and no documents invites follow-up. A formal, documented response closes the loop.
Forgetting the GDPR. If personal data is involved, you are managing two compliance regimes at once, not one.
Key takeaways
- 2 August 2026 is still the Act's main application date (Article 113), with Article 50 transparency duties, GPAI enforcement powers, and the active penalty framework.
- The Digital Omnibus on AI (provisional agreement of 7 May 2026) would defer high-risk obligations: 2 December 2027 for standalone Annex III systems, 2 August 2028 for AI embedded in regulated products.
- The Article 50(2) provider watermarking duty would move to 2 December 2026; other Article 50 duties stay at 2 August 2026.
- The new dates are conditional on formal adoption and publication of the Omnibus.
- The Act applies regardless of where your company is based if the AI system is used in the EU.
- Fines reach EUR 35 million or 7% of global turnover for the most serious breaches, and EUR 15 million or 3% for many others.
- If you receive a compliance request, respond formally, point by point, with documentation. DocuGov.ai can generate that letter for you.

