Two years of compliance planning come to a head on August 2, 2026, but not in the way most founders expected. The EU AI Act's second phase arrives as a split-track deadline: transparency obligations under Article 50 switch on as originally scheduled, while the heavy high-risk compliance framework has been pushed more than a year into the future. Any founder shipping AI products to European users needs to understand which side of the split their system lands on, because the wrong assumption could mean waking up on August 3 to a system that is already out of compliance.
The Digital Omnibus on AI, signed on July 8, 2026 and awaiting publication in the EU Official Journal, is the legislative vehicle behind this recalibration. What was once a single deadline has become a staggered cascade. And as several major law firms have noted in recent advisories, compliance guidance published before July 2026 may already be misleading on key points.
What Actually Switches On August 2
Article 50 is the provision that survived the Omnibus intact. Its general transparency rules apply from August 2 to any AI system placed on the EU market, regardless of the provider's size or location. Three obligations are immediately enforceable.
First, any AI system that interacts directly with a person must inform that person they are dealing with a machine, unless it is obvious from context. This covers chatbots, voice assistants, and customer service AI. Second, deepfakes and any AI-generated or manipulated audio, image, or video content must be disclosed as artificially generated. Third, emotion recognition and biometric categorization systems must notify the individuals being analyzed.
The machine-readable marking obligation in Article 50(2), which covers watermarking of synthetic content, also applies from August 2 for newly placed systems. Providers whose systems were already on the market before that date get until December 2, 2026 to retrofit their watermarking infrastructure. That four-month grace period is a narrow window designed for technical implementation, not policy debate.
For founders of generative media tools, chatbot platforms, or any product that produces or manipulates human-facing content, August 2 is a hard deadline. The engineering work for disclosure labels, watermarking pipelines, and interface notifications needs to be in production, not just in a sprint backlog.
The High Risk Regime That Did Not Arrive
The more consequential change is what did not happen on August 2. The high-risk obligations for stand-alone systems listed in Annex III have been deferred to December 2, 2027. This covers recruitment tools, credit scoring systems, education platforms, law enforcement applications, border control technologies, and critical infrastructure AI. That is a 17-month extension from the original date.
AI embedded in products already regulated under EU product safety law, which are listed under Annex I, got an even longer runway: August 2, 2028. This covers medical devices, machinery, toys, and other products where existing conformity assessment frameworks already apply.
The reason for the deferral is procedural rather than political. Member states were slow to designate national competent authorities. The harmonized standards that high-risk compliance depends on were not finalized. And the conformity assessment tools that providers would use to demonstrate compliance did not exist in a usable form. Regulators found themselves in a position of demanding conformity against benchmarks that had not been published, a legal dead end that the Omnibus resolved by pushing the dates rather than the standards.
But founders should not read this as a relaxation of the rules. The obligations themselves have not been softened. What changed is the deadline, not the requirement. Providers of Annex III systems gain runway, not relief. And if the harmonized standards slip again, the industry will face the same credibility problem in 2027 with less political sympathy for a second extension.
The Provisions Nobody Saw Coming
The Omnibus also added new content that goes beyond timeline adjustments. Article 5 now includes a prohibition on AI systems designed to generate non-consensual intimate imagery, the so-called nudifier applications. This ban applies from December 2, 2026, and was pushed through during trilogue negotiations by the European Parliament. A package sold as deregulation ended up adding a new criminal prohibition.
The AI Office also gained expanded supervisory powers that reach beyond general-purpose AI models to the systems built on them when both come from the same business group. For vertically integrated providers, which describes most frontier AI labs, this effectively consolidates oversight in Brussels rather than distributing it across 27 national regulators. Founders building on top of frontier model APIs should watch whether their upstream provider's vertical structure changes their own regulatory exposure.
Regulatory sandboxes, which were originally required to be operational by August 2026, now have until August 2027. An EU-level sandbox is available as an option for testing at continental scale, which may be useful for founders who want a single compliance pathway rather than navigating 27 separate national implementations.
What Founders Need to Do
The split-track calendar creates a distinct set of action items depending on what kind of AI system you build. Here is the checklist.
If your system interacts with people directly (chatbots, support AI, voice agents): Ensure your interface includes a clear disclosure that the user is interacting with AI. The context-obvious exemption is narrower than it sounds. A chatbot with a human name and a smiley avatar, for example, is almost certainly not context-obvious. This work needs to be in production by August 2.
If your system generates or manipulates media (images, video, audio, text): Implement machine-readable watermarking and disclosure labels. For new systems, August 2 is the deadline. For existing systems already on the market, you have until December 2, 2026.
If your system uses emotion recognition or biometric categorization: You must notify the individuals being analyzed. This is an August 2 deadline with no grace period.
If your system falls under Annex III (recruitment, credit, education, law enforcement, critical infrastructure): Your compliance deadline moved to December 2, 2027. Use the extra time to build conformity documentation, not to defer the work. Monitor the harmonized standards publication timeline closely.
If your system generates synthetic content: Check whether your pipeline needs to exclude non-consensual intimate imagery generation. The December 2, 2026 prohibition will carry criminal penalties, not just administrative fines.
All founders: Review any compliance guidance your team wrote before July 2026. If it references high-risk obligations arriving in August 2026, it is already obsolete. Refresh your compliance calendar and communicate the new timeline to your board, your legal team, and your engineering leads. The deadline is two weeks away, and for the systems it covers, there is no more runway.

