The EU AI Act Delay: What the 2027 Extension Means

If you spent the first half of 2026 bracing for the EU AI Act's high-risk rules to land in August, you just got a reprieve. On May 7, 2026 EU lawmakers reached a provisional deal, part of the wider Digital Omnibus, to push enforcement of the high-risk obligations back to December 2, 2027. That is a 16-month delay on the part of the law that touches the most businesses.

The reprieve is real, but it is easy to read it wrong. "Delayed" is not "cancelled", and a few rules already took effect last year and are not moving. Plenty of companies will take the headline as permission to stop thinking about this until late 2027, which is exactly the mistake that turns a comfortable runway into a panicked scramble. The penalties on the other side of the deadline are not small: up to 35 million euros or 7% of worldwide annual turnover, whichever is higher.

This guide cuts through it. What actually moved, what did not, and how to spend the extra time so that December 2027 is a non-event for you.

What the delay actually changes

The Digital Omnibus pushes back the obligations for high-risk AI systems, the ones listed in Annex III. These are the systems that make or heavily influence consequential decisions: software that screens job applicants, scores someone's creditworthiness, sorts people in education or essential services. If you build or deploy one of those, the full compliance load, a quality management system, a risk management process, technical documentation, a conformity assessment and registration in the EU database, now has a December 2, 2027 deadline instead of August 2, 2026.

One important caveat that is easy to miss in the celebration: the new dates only bind once the Omnibus is formally adopted and published in the EU's Official Journal. Until that happens, the old August 2026 date is still technically the law on the books. Formal adoption is expected before then, but "expected" is not "done". Build to the new timeline, keep an eye on the publication.

What did not move

Two things are worth being clear about, because the delay does not touch them.

First, the rules that already took effect stay in effect. The ban on unacceptable-risk practices has applied since February 2025. The transparency and governance obligations for general-purpose AI models kicked in during August 2025. If your product uses a general-purpose model, or does anything on the prohibited list, the delay changes nothing for you.

Second, the transparency duties that sit outside the high-risk bucket. If your software talks to people, a chatbot, a voice agent, an AI assistant, you still have to tell users they are dealing with a machine and label AI-generated content. We wrote about exactly this in our guide to chatbot compliance under the EU AI Act, and none of it is affected by the high-risk extension.

Are you even a high-risk provider?

A lot of companies assume the AI Act is aimed at someone bigger and more dangerous than them. Often they are right. The fastest way to lower your stress is to find out whether you are actually in scope before you build a compliance programme you do not need.

Work through it in order:

• Inventory every AI system you build or use. Include the obvious models and the AI features quietly baked into the SaaS tools your team already runs.
• Check each one against Annex III. Hiring, credit scoring, education, essential public and private services, biometrics. If a system is not doing one of those jobs, it is very likely not high-risk.
• Sort provider from deployer. Building and putting an AI system on the market makes you a provider, with the heavier obligations. Using someone else's system in your operations makes you a deployer, with a lighter but real set of duties.
• Read your vendor contracts. If you deploy a third-party high-risk system, your compliance leans on theirs. Find out what they are committing to.

Most small and mid-sized software projects come out of this exercise as either out of scope or a deployer with modest obligations. That is a very different amount of work from being a high-risk provider, and worth knowing before you panic-budget for it.

How to use the extra 16 months

The companies that will sail through December 2027 are not the ones that did nothing until November. They are the ones who used a quiet runway to do the boring, durable work while there was no deadline pressure.

If you are in scope as a provider, start the technical documentation and the risk management process now, while your systems are small and you still remember why you built them the way you did. Retrofitting documentation onto a mature, undocumented system is miserable; writing it as you go is cheap.

If you are a deployer, spend the time mapping your AI vendors and renegotiating contracts so the compliance responsibility is clearly assigned. That is a commercial conversation that takes months, not a technical one, and it is far easier to have it now than under deadline.

And if you came out of the scoping exercise clearly out of scope, write that down. A short, dated memo explaining why your systems are not high-risk is worth a lot the day a customer's procurement team or your own board asks the question. For the Portuguese SME view of all this, our AI Act guide for PMEs walks through the same ground in local terms.

The honest takeaway

The delay is good news handled badly by a lot of teams. The right response is not relief followed by amnesia. It is to spend an afternoon working out whether you are even in scope, deal with the parts of the law that are already live, and then use the long runway to do the compliance groundwork calmly instead of in a fire drill.

If you are building AI features into a product and want a clear read on where you stand, talk to us. A short scoping session usually replaces a lot of anxiety with a one-page answer.