EU AI Act: deadlines and the Digital Omnibus (status May 2026)
Which EU AI Act obligations apply when — and what the May 2026 Digital Omnibus changes. A practical timeline for companies operating in the EU.
Auf Deutsch lesen: deutsche Fassung
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive law on artificial intelligence. It entered into force on 1 August 2024 and applies in stages. This article lays out the timeline that matters for companies operating in the EU — and what the May 2026 Digital Omnibus proposes to change.
The staged timeline
- 2 February 2025: Prohibited AI practices are banned — and the AI literacy obligation (Art. 4) applies. Providers and deployers must take measures, to their best extent, to ensure a sufficient level of AI literacy among their staff (a proportionate best-efforts duty).
- 2 August 2025: Rules for general-purpose AI models (GPAI) and the governance framework start to apply.
- 2 August 2026: The bulk of the obligations for high-risk AI systems (Annex III) become applicable — in the original text.
- 2 August 2027: Obligations for high-risk AI that is a safety component of regulated products (Annex I) apply.
What the Digital Omnibus changes
On 7 May 2026 the EU institutions reached a provisional political agreement on a so-called Digital Omnibus that adjusts parts of the AI Act. The key points for businesses: the application of the high-risk obligations is to be postponed — for Annex III systems to 2 December 2027, and for Annex I systems to 2 August 2028 — and the requirements around AI literacy (Art. 4) are to be eased and simplified.
Important caveat: as of May 2026 this is a provisional agreement, not yet formally adopted and in force. Until it is, the original text and its dates apply. Plan against the original deadlines and treat the relief as a welcome buffer, not as a reason to wait.
The honest summary in May 2026: the prohibitions, GPAI rules and AI literacy already apply. The high-risk obligations are likely to move later — but that is not yet law.
What you should do now
- Build an inventory of your AI systems and classify them by risk (prohibited / high-risk / limited / minimal).
- Cover the AI literacy duty: proportionate, documented training for the people who work with AI.
- Check transparency obligations (Art. 50): label AI interactions and AI-generated content where required.
- If you operate high-risk AI, start the governance work now — the build-up takes longer than the remaining time often suggests.
How ISO 42001 helps
A management system built to ISO/IEC 42001 gives you exactly the structures the AI Act asks for: an AI inventory, risk and impact assessments, human oversight, transparency and life-cycle control. It is the most efficient way to turn a legal obligation into a repeatable, auditable process.
Frequently asked questions
Does the AI Act already apply?+
Yes, in stages. Since 2 February 2025 the prohibited practices and the AI literacy duty apply; since 2 August 2025 the GPAI rules. The high-risk obligations follow later — and the Digital Omnibus (provisional, May 2026) is set to postpone them further.
Is the Digital Omnibus already in force?+
No. As of May 2026 it is a provisional political agreement, not yet formally adopted. Until then the original AI Act text and dates apply.
Does the AI Act apply to non-EU companies?+
Yes, if your AI system is placed on the EU market or its output is used in the EU — regardless of where your company is based.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor (PECB)
Last updated: 27 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
Sources & further reading
Questions about your own case?
In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act — honestly and without a sales pitch.