If you manage AI risk for a living — or had it added to your job description sometime in the last eighteen months — you’ve probably heard some version of the headline: the EU delayed the AI Act.
That’s half true. And the half that’s false is the half that can hurt you. Here’s what actually happened, in plain English, and what it means for the obligations sitting on your desk right now.
What actually happened
In November 2025, the European Commission proposed the “Digital Omnibus on AI” — a package of amendments to the EU AI Act, prompted by an uncomfortable reality: the compliance infrastructure the Act depends on (harmonised standards, notified bodies, national authorities) wasn’t going to be ready in time.
After a failed negotiation round in April 2026, the EU institutions reached political agreement on May 7. The European Parliament formally endorsed the package on June 16, 2026, and the Council gave its final approval on June 29. Publication in the Official Journal is expected imminently; the amendments take legal effect three days after publication.
So yes — something real happened. But “the deadline moved” is the wrong summary. The accurate summary is: the Act split into a near cliff and a far cliff. Some deadlines moved sixteen months. One brand-new obligation arrived. And the obligations most organizations actually face this year didn’t move an inch.
What moved
The heaviest part of the Act — the high-risk regime, with its risk management systems, technical documentation, logging, human oversight architecture, conformity assessments, and registration — got real breathing room:
| Obligation | Old date | New date |
|---|---|---|
| Standalone high-risk AI systems (Annex III — hiring tools, credit scoring, and similar use-based classifications) | August 2, 2026 | December 2, 2027 |
| High-risk AI embedded in regulated products (Annex I — medical devices, machinery, and similar) | August 2, 2027 | August 2, 2028 |
Sixteen months is meaningful. If your organization builds or deploys systems in those categories, you just got a better-resourced window to do the work properly. But notice what that relief covers — and what it doesn’t.
What didn’t move
Three obligations stayed where they were. A fourth is brand new.
Article 4 — AI literacy. In force since February 2, 2025. This is the one almost nobody talks about, and it’s the one you may already be behind on. Every provider and every deployer of AI systems has a duty to take appropriate measures to build and evidence AI literacy among the staff operating AI on their behalf — and the Omnibus did not defer it. It has been live for seventeen months. If a regulator, auditor, or insurer asked you today for evidence of your AI literacy program, “we’re waiting for 2027” is not an answer. This obligation has no countdown, because the countdown already ended.
Article 50 — transparency. Still August 2, 2026. If your systems interact with people or generate synthetic content, the disclosure and labeling obligations arrive on the original date. (One narrow carve-out: machine-readable content marking for legacy systems already on the market gets until December 2, 2026.)
Colorado SB 26-189 — January 1, 2027. While everyone watched Brussels, Colorado repealed and replaced its AI Act (the old SB 24-205 never took effect) with a new law effective in under six months. US state obligations run on their own clock.
New Article 5 prohibitions — December 2, 2026. The Omnibus didn’t only defer; it added. AI generation of non-consensual intimate imagery and child sexual abuse material is now expressly prohibited, with compliance required by December 2026. If you ship any generative capability into the EU, you need a documented position on this.
And one more line item with no statutory date at all: cyber insurance underwriters are asking AI governance questions on 2026 renewal questionnaires right now. Your broker doesn’t care what happened in trilogue.
The trap inside the good news
Buried in the deferral is a detail that inverts the obvious strategy: grandfathering. High-risk systems placed on the market before the new deadlines avoid the full obligations until they’re substantially modified.
Read that again. The runway doesn’t reward waiting — it rewards shipping compliant systems early and banking the grandfathered status. The organizations that treat the next sixteen months as a pause will arrive in December 2027 with the same panic they were facing this August, minus the excuse.
A word on frameworks — and why they aren’t the artifact
While the regulatory calendar was shifting, the analyst world added a useful tool: ARMCF, the AI and Agentic Risk Management and Control Framework (SACR, July 2026), which maps the six NIST CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, Recover — onto AI and agentic systems. It’s a solid SecOps operating model, especially on the runtime detect/respond/recover layers.
Worth keeping the layer distinction straight, though. A framework tells your team what to operate. ARMCF is an analyst synthesis — not a statutory or certifiable standard, and no regulator, auditor, or insurer requires conformance to it. What regulators and auditors ask for are the artifacts: the acceptable-use policy, the documented risk assessment, the board memo, the training records that EU AI Act Article 17, Colorado SB 26-189, and ISO/IEC 42001 require as documented evidence. You need both. They are not the same deliverable.
What to do with sixteen months
The hard part of AI Act compliance was never the documentation template. It’s the work underneath it: finding every AI system in your organization — sanctioned, embedded, and shadow — deciding what each one is, assigning an owner, and keeping that inventory alive as new tools ship. None of that gets easier by waiting, and all of it is prerequisite to everything else.
So the honest to-do list for the rest of 2026 looks like this: lock down the obligations that already apply (Article 4 literacy evidence, an Article 50 transparency plan), finish your AI inventory and classification so you know what the 2027 obligations will actually cover, and build the governance scaffolding deliberately instead of under deadline pressure.
The EU gave organizations time. Time is only a gift to the ones who use it.
Anchor on the obligations, not the countdowns.
Every date in this post traces to a primary source — the Council of the EU press release (May 7, 2026), the European Parliament endorsement (June 16, 2026), and the Council’s final approval (June 29, 2026). The full citation chain and regulatory timeline live in the SanctumShield glossary and on /why-now, refreshed monthly.