The EU AI Act in June 2026: What's Actually In Force, What's Postponed
A practical guide for engineering and product teams. Not legal advice โ but legal advice based on outdated dates is worse, so let's start with what's actually true this month.
The 60-second summary
- GPAI obligations have been live since 2 August 2025. Enforcement powers kick in on 2 August 2026.
- The Digital Omnibus on AI (political agreement reached 7 May 2026) postpones the original 2 August 2026 deadline for most high-risk AI systems:
- Stand-alone Annex III systems โ 2 December 2027
- AI embedded in Annex I regulated products โ 2 August 2028
- Article 50 transparency obligations (synthetic media labelling, chatbot disclosure) remain on the original schedule and apply 2 August 2026 regardless.
- Penalties for GPAI breaches: up to โฌ15M or 3% of global turnover, whichever is greater.
Timeline as of June 2026
| Date | What applies | Status |
|---|---|---|
| 2 Feb 2025 | Prohibited practices (Art. 5): social scoring, predictive policing, untargeted scraping for facial recognition databases, etc. | live |
| 2 Aug 2025 | General-purpose AI model obligations (Art. 53, 55). AI Office operational. | live |
| 2 Aug 2026 | GPAI enforcement powers โ fines up to โฌ15M / 3% turnover for breaches. | on track |
| 2 Aug 2026 | Article 50 transparency: synthetic content labelling, AI chatbot disclosure. | on track |
| 2 Aug 2026 โ 2 Dec 2027 | Annex III high-risk systems (employment screening, education scoring, biometric ID, credit scoring, etc.). | postponed (provisional) |
| 2 Aug 2027 | GPAI grace period ends for models on the EU market before 2 Aug 2025. | unchanged |
| 2 Aug 2027 โ 2 Aug 2028 | Annex I product-embedded AI (medical devices, machinery, toys, etc.). | postponed (provisional) |
"Postponed (provisional)" means the Digital Omnibus political agreement of May 2026 shifts the date, but only takes legal effect once formally adopted and published. As of the time of writing, that has not yet happened.
Are you in scope?
Three questions to ask, in order:
1. Do you put a GPAI model on the EU market?
If you train, fine-tune, or deploy a general-purpose AI model that's made available in the EU โ even via API to EU users from a US-hosted endpoint โ you're a "provider" of a GPAI model. Articles 53 and 55 apply. This includes the obvious frontier labs and a long tail of fine-tuners who modify a base model "substantially" (the threshold is fuzzy and is the subject of ongoing AI Office guidance).
Key duties: technical documentation, training data summary, copyright policy, and โ for "systemic risk" models trained above the 10ยฒโต FLOPs threshold โ additional model evaluation, incident reporting, and cybersecurity duties.
2. Do you deploy a "high-risk" AI system in the EU?
Annex III lists eight broad areas: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, and administration of justice. If you're using AI to filter rรฉsumรฉs, score loan applications, or rank candidates for university admission to EU residents, you're in this bucket.
Old timeline: obligations applied 2 August 2026.
Provisional new timeline (Digital Omnibus): 2 December 2027.
The substance hasn't changed โ risk management system, data governance, technical documentation, record-keeping, transparency to users, human oversight, accuracy/robustness/cybersecurity, conformity assessment, post-market monitoring. The grace period just got longer.
3. Do you publish synthetic media or run a chatbot?
Article 50 obligations apply 2 August 2026 regardless of the Omnibus:
- Synthetic content (text, audio, image, video) generated by AI must be machine-readably marked โ typically C2PA / SynthID-style watermarking or signed manifests.
- Deep fakes must be clearly labelled when published (with limited journalistic-purpose exceptions).
- Chatbots that interact with humans must disclose they are AI, unless this is obvious from context.
- Emotion recognition and biometric categorisation systems must inform the natural persons exposed.
The chatbot disclosure rule is the one most builders miss. If you run an AI customer support agent on a public site for EU users, you need a clear "you are talking to an AI" disclosure that the user can't easily miss.
The builder's checklist (regardless of what the Omnibus does)
The Omnibus postpones application, not the substance of the rules. Doing the work now is still useful โ and the August 2026 GPAI enforcement date doesn't move.
For GPAI providers (live since Aug 2025, enforced from Aug 2026)
- Maintain up-to-date technical documentation that follows the AI Office templates.
- Publish a training data summary covering content sources, scale, and lawful basis.
- Have a written copyright policy, including how you handle Article 4(3) opt-outs from the Copyright Directive (TDM reservations).
- If you're a "systemic risk" model (above the 10ยฒโต FLOPs threshold, or designated by the AI Office): implement model evaluations against the safety-and-security chapter of the GPAI Code of Practice, document incidents, and notify the Commission of serious incidents within set timeframes.
- Consider signing the GPAI Code of Practice. It's voluntary but is becoming the de facto compliance benchmark โ and signed adherence is what regulators will look at first.
For Annex III high-risk deployers (deadline moved, but don't stop)
- Catalogue every high-risk AI system you operate. The deferred deadline is for systems "placed on the market" โ meaning systems already deployed before that date have a different (and harder) path.
- Stand up a risk management system. The ISO/IEC 42001 framework is the practical mapping most companies are using.
- Establish data governance: training, validation, and testing data must be relevant, representative, and (as far as possible) free of errors.
- Implement human oversight. Not theoretically โ actually staff the role, design the override UI, and test it.
- Document accuracy, robustness, and cybersecurity measures. The conformity assessment will ask.
For everyone subject to Article 50 (deadline is Aug 2026, unchanged)
- Audit your synthetic content pipelines โ does every AI-generated artefact carry a machine-readable mark?
- Audit your chatbot UIs for "you are talking to an AI" disclosures. "Hi, I'm Sandy ๐" with no further context does not satisfy this.
- If you use emotion recognition or biometric categorisation, add an in-flow disclosure to the natural persons being processed.
- Check your terms of service against the Article 50 text. Many will need updates.
Things that still aren't clear
- What counts as "substantial modification" of a GPAI model โ the threshold determining whether a fine-tuner becomes a provider โ is still being clarified.
- Open-source carve-outs exist but their scope is contested. Releasing weights under a permissive licence does not automatically exempt you, especially if you also host an API.
- How Annex I deferrals interact with sectoral product law (CE marking for medical devices, machinery, etc.) is the trickiest area; in many cases the sectoral conformity assessment still needs the AI risk pieces.
- Whether the Omnibus survives the European Parliament's full vote. The political agreement is provisional; the formal adoption process can still alter the deadlines.
Useful primary sources
- Regulation (EU) 2024/1689 (the AI Act) โ full text on EUR-Lex
- European Commission AI Act portal (the official compliance landing page)
- General-Purpose AI Code of Practice (Final Version, July 2025)
- EU AI Act explorer โ readable, cross-referenced version of the text
FunWithText tools that pair with this
None of these are a substitute for compliance work, but several of our client-side tools map directly onto specific Act obligations:
- PII Sanitizer โ pre-flight check before pasting personal data into LLM prompts. Helps with Article 5 prohibited-practices hygiene and Annex III high-risk data-governance duties.
- Prompt Injection Scanner + Indirect Prompt Injection Scanner + Multimodal Injection Check โ useful for the "robustness and cybersecurity" duties under Article 15.
- MCP Inspector โ for GPAI deployers using Model Context Protocol servers; surfaces supply-chain risks that the safety-and-security chapter of the Code of Practice asks you to consider.
- Agent Log Redactor โ for the record-keeping duties: keep logs without leaking secrets or personal data.
Caveats
This is general information for builders, not legal advice. The Digital Omnibus is a moving target; the AI Office is producing guidance documents weekly; the precise scope of "substantial modification" is being argued in real time. For specific compliance decisions, talk to a lawyer who specialises in EU tech regulation. For the political weather, the substack EU AI Act Newsletter is the best signal-to-noise source we've found.