If your AI compliance plan was written before June 2026, it is probably wrong.
For two years, August 2, 2026 was presented as the big AI Act deadline: the date high-risk AI system obligations would apply. We relayed it ourselves. It is no longer the right date.
On June 29, 2026, the EU Council gave its final green light to the "Digital Omnibus on AI", which postpones the heaviest obligations — without changing their substance.
The updated timeline, date by date
| Obligation | Previous deadline | Current deadline |
|---|---|---|
| Prohibited practices (Art. 5) | February 2, 2025 | In force (unchanged) |
| General-purpose AI model obligations (GPAI) | August 2, 2025 | In force (unchanged) |
| Marking of AI-generated content (Art. 50) | August 2, 2026 | December 2, 2026 |
| Stand-alone high-risk systems (Annex III: HR, biometrics, education, essential services…) | August 2, 2026 | December 2, 2027 |
| High-risk systems embedded in regulated products (Annex I: medical devices, machinery…) | August 2, 2027 | August 2, 2028 |
Two things to note in this table:
What is already in force stays in force. The postponement only covers what was not yet applicable. Prohibited practices (social scoring, manipulation, certain forms of emotion recognition at work) and general-purpose model obligations have applied since 2025 — penalties included.
Content marking arrives earlier than the rest. AI-generated or AI-manipulated content must be identifiable by December 2, 2026. If you produce client-facing content with generative AI, this is the closest deadline on your roadmap.
What doesn't change: maximum penalties
The Digital Omnibus does not touch the penalty regime. The ceilings remain:
- up to €35 million or 7% of global annual revenue for prohibited practices,
- up to €15 million or 3% for other breaches of the regulation.
And the AI Act does not replace GDPR: both apply in parallel. Personal data processed by an AI system remains subject to GDPR, with its own ceilings (up to 4% of global revenue). The French CNIL — preparing to become a market surveillance authority under the AI Act — has published concrete recommendations on deploying generative AI: allowed and prohibited uses defined in a policy, DPO and CISO involved from the start, local and secured systems favored.
"So we have time" — no, and here's why
The postponement to December 2027 is an implementation window, not an exemption. Three reasons not to shelve the file:
1. The obligations haven't changed, only the date has. AI system inventory, risk classification, technical documentation, human oversight, traceability: everything required for August 2, 2026 will be required on December 2, 2027, identically. Companies that start in 2027 will discover that documentation for a system deployed two years earlier is very hard to reconstruct after the fact.
2. Your clients and insurers aren't waiting for the legal date. RFP questionnaires and cyber insurance forms already include AI sections. "Where is the data processed? What traceability?" are questions being asked today — uncontrolled shadow AI answers them very badly.
3. Traceability is built into architecture, not into a binder. Being able to justify every AI-assisted process requires logs, access perimeters, and control over data flows. That is an infrastructure choice. If your AI usage runs through scattered consumer accounts, no compliance document will compensate for the absence of technical control.
A reasonable plan by the end of 2026
No need for a pharaonic program. Four steps, in order:
- Inventory: which AI tools are used, by whom, for what, with which data. Including undeclared usage.
- Classify: which of your use cases would fall under Annex III (HR, scoring, access to essential services…)? Those are the ones that must be compliant by December 2027.
- Frame: a short, enforced AI policy — six decisions beat forty pages.
- Centralize: replace scattered usage with a single platform where logs, access rights, and data location are controlled by construction.
That is precisely what Eridia provides: an AI platform deployed on your infrastructure or hosted in France, with full usage traceability — enough to answer an auditor, a client, or a regulator with logs rather than promises.
If you want to know where you stand against the real timeline, let's take stock together: 30 minutes, free.



