August 2, 2026, was supposed to be D-day for the EU AI Act. After two years of preparation, the regulation's core obligations for high-risk AI systems were set to go live across the single market. But that deadline has been gutted. The Digital Omnibus on AI, signed into law on July 8 after final Council approval on June 29, rewrites the timeline in a way that every founder selling into Europe needs to understand right now. The package splits compliance into two speeds: transparency rules arrive on schedule, while high-risk requirements slide more than a year into the future. For founders who have been scrambling to meet August deadlines, the news is a mix of relief and a warning that the obligations themselves have not been softened one bit.
What Actually Changes on August 2, 2026
Let's start with what is still real. Article 50 of the AI Act survives the Omnibus intact. From August 2, 2026, any AI system placed on the EU market must comply with its general transparency requirements. In practice, this covers three things. First, any system that interacts directly with people must make it clear that a person is dealing with a machine, unless that is obvious from context. That means chatbot labels, disclosure on AI customer service agents, and clear disclaimers on automated phone systems. Second, deepfakes and manipulated audio, image, or video content must be disclosed as artificially generated. Third, emotion recognition and biometric categorization systems must inform the people exposed to them. Additionally, the machine-readable marking obligation in Article 50(2) for watermarking of synthetic audio, image, video, and text also applies from August 2 for newly placed systems. Providers whose systems were already on the market before that date get until December 2, 2026, to retrofit compliance. If you ship AI products into the EU, August 2 is still a firm deadline for these transparency measures. The exemption for context-obvious interactions is narrower than it sounds and founders should not rely on it without legal review.
The High-Risk Regime: Delayed, Not Diluted
The biggest shift in the Omnibus is the deferral of high-risk compliance obligations. Stand-alone high-risk systems listed in Annex III of the AI Act, which includes recruitment tools, credit scoring systems, education platforms, law enforcement applications, border control technologies, and critical infrastructure management, now face full compliance on December 2, 2027, instead of August 2, 2026. That is a seventeen-month extension. For AI embedded in products already covered by EU product safety law under Annex I, such as medical devices, machinery, and toys, the deadline moves even further to August 2, 2028. The reason for the deferral is procedural rather than philosophical. Implementation had stalled on two fronts: member states were slow to designate their national competent authorities, and the harmonized standards that high-risk compliance depends on were simply not finished. Regulators found themselves in the position of demanding conformity against benchmarks that did not yet exist. The obligations themselves have not been watered down. Providers of Annex III systems gain runway, not relief. Every requirement around risk management, data governance, technical documentation, transparency, human oversight, accuracy, and robustness still applies. The difference is that you now have until the end of 2027 to meet them, assuming the harmonized standards arrive on time.
New Prohibitions You Cannot Ignore
A package sold primarily as deregulation ended up adding a significant new prohibition. Article 5 of the AI Act now bans AI systems designed to generate non-consensual intimate imagery the so-called nudifier applications alongside child sexual abuse material. The European Parliament pushed for this during the trilogue negotiations, and it was one of the last items to be finalized. The new prohibited practices apply from December 2, 2026, giving providers just over a year to ensure their systems are not in violation. This is notable because it signals that the EU's regulatory direction is not purely about reducing burdens. The Omnibus also expands the powers of the AI Office, extending its supervisory reach beyond general-purpose AI models to the systems built on them, where the model and system come from the same business group. For vertically integrated providers, which describes most of the frontier labs, this consolidates oversight in Brussels rather than across 27 national regulators. That is a significant shift in enforcement architecture that founders should factor into their compliance planning.
The 'Regulated Twice' Principle: Streamlined Compliance for Regulated Sectors
The headline slogan of the Omnibus has been that companies should not be regulated twice. The Parliament made this the core framing of the deal, and it has real practical implications. Under the new framework, AI products that are already compliant with sector-specific regulations such as the Medical Device Regulation, the Machinery Directive, or GDPR receive streamlined treatment under the AI Act. The goal is to avoid duplicative paperwork where a product's AI component is already covered by existing EU legislation. For founders building AI-enabled medical devices, industrial machinery with AI vision systems, or fintech products with AI decision-making, this means that compliance with your sector-specific regulation counts toward your AI Act obligations. The Commission may also introduce health and safety requirements for high-risk AI within the Machinery Regulation framework, further reducing overlap. However, this is not a free pass. You still need to demonstrate that your sector-specific compliance covers the AI-specific risks. The paperwork may be modular, but the burden of proof rests on you. And if your product falls outside a regulated sector, you get no benefit from this principle at all.
What Founders Need to Do Now
For founders building AI products for the EU market, the Omnibus deal demands immediate action on several fronts. First, if your system interacts directly with people or generates synthetic content, the August 2 deadline for Article 50 transparency rules is not negotiable. Engineering work for chatbot labels, deepfake disclosure, and synthetic content watermarking must be completed now. Second, if you are building a high-risk Annex III system such as recruitment, credit scoring, or biometric tools, use the extended timeline to build proper compliance infrastructure, but do not treat it as an excuse to delay. The harmonized standards may slip again, and you will have less credibility asking for a second extension. Third, review whether your product qualifies for streamlined treatment under the regulated twice principle. If you already comply with medical device, machinery, or financial regulations, document how that compliance maps to AI Act requirements. Fourth, ensure your systems do not run afoul of the new prohibition on nudifier applications, which takes effect December 2, 2026. Fifth, monitor the AI Office's expanding oversight if you are a vertically integrated provider. The Omnibus gives you time, but the direction of travel is clear: the EU is building a unified enforcement apparatus, and the window for shaping how it operates is closing.

