BusinessPlaybook11 min readPublished July 18, 2026

High-risk delayed to 2027–2028 · transparency and GPAI enforcement still land Aug 2, 2026

The EU AI Act: What actually applies from August 2026

On June 16, 2026, the European Parliament approved amendments that push most high-risk AI obligations out to December 2027 and August 2028. What many teams missed: August 2, 2026 still lands. Article 50 transparency duties — chatbot disclosure, AI-content marking, deepfake labeling — were not delayed, and the Commission’s GPAI enforcement powers are widely documented to activate the same day.

DA
Digital Applied Team
Senior strategists · Published Jul 18, 2026
PublishedJul 18, 2026
Read time11 min
SourcesEC, Morgan Lewis, Gibson Dunn
Article 50 transparency
Aug 2
2026 — not delayed
High-risk Annex III delay
16mo
now Dec 2, 2027
was Aug 2, 2026
Max fine · Art. 50 / GPAI
€15M
or 3% global turnover
Parliament final vote
423–57
Jun 16, 2026 · 174 abstained

The EU AI Act’s August 2026 deadline did not disappear — it got smaller and sharper. On June 16, 2026, the European Parliament granted final approval to the so-called Digital Omnibus amendments by a vote of 423 to 57, with 174 abstentions, pushing the AI Act’s high-risk obligations out by 12 to 16 months. But the transparency duties in Article 50 and the Commission’s general-purpose AI enforcement powers were left untouched, and both are set to land on August 2, 2026 — fifteen days after this post’s publish date.

That combination is producing a dangerous misreading. Teams that skimmed the headlines — “EU delays AI Act” — are concluding they have until December 2027 to think about compliance. That is true only for the high-risk tier. If your business runs a customer-facing chatbot for EU users, generates synthetic images or video for EU campaigns, or publishes AI-generated text on matters of public interest, your obligations arrive in weeks, not years — with maximum fines that reach €15 million or 3% of global annual turnover, whichever is higher.

We have covered this regulation three times before — our original EU AI Act compliance guide in February, our US-business briefing in March, and our risk-tier compliance checklist in May. All three were accurate when published — and all three describe the pre-amendment timeline, under which high-risk obligations would have applied from August 2, 2026. This post is the explicit update: what changed on June 16, what did not, and the checklist an agency or marketing team actually needs before August 2.

Key takeaways
  1. 01
    The June 16 amendments delayed high-risk, not everything.Standalone high-risk AI systems (Annex III) move from August 2, 2026 to December 2, 2027 — a 16-month delay. Product-embedded high-risk systems (Annex I) move from August 2, 2027 to August 2, 2028.
  2. 02
    Article 50 transparency duties still land August 2, 2026.Chatbot disclosure, machine-readable marking of AI-generated content, and deepfake labeling were not postponed. The only carve-out: pre-existing systems get until December 2, 2026 on the machine-readable watermarking duty.
  3. 03
    GPAI rules are already live — the teeth arrive in August.General-purpose AI obligations took legal effect on August 2, 2025. What activates on August 2, 2026, per the Commission's guidance and multiple legal trackers, is the Commission's active enforcement toolkit — information requests, model access, and recall powers.
  4. 04
    Penalties reach €15M or 3% of global turnover.Both GPAI and Article 50 transparency violations carry the same maximum tier under Article 99 — the greater of €15 million or 3% of total worldwide annual turnover. Article 50 enforcement sits with national market surveillance authorities from August 2, 2026.
  5. 05
    Delay is not relaxation.Morgan Lewis's counsel to clients: treat the amendments as extra time to finish compliance work, not as a softening of the underlying obligations. The requirements themselves are materially unchanged — only some deadlines moved.

01What ChangedThe June 16 vote: what moved and what did not.

The amendments approved on June 16, 2026 are the AI Act chapter of the EU’s broader “Digital Omnibus” simplification package — a process that began when the Commission adopted the underlying proposal on November 19, 2025, moved through a provisional political agreement between Parliament and Council in spring 2026, and ended with Parliament’s 423–57 final approval vote. Formal Council adoption and Official Journal publication were expected by August 2, 2026, per Morgan Lewis’s client alert — meaning the amendments were still finishing the legal process even as the rules they modify kept their original effective date.

The Commission frames the package as simplification, not rollback — it consolidates AI Act, GDPR, and Data Act touchpoints alongside the timeline changes. The practical driver, per law-firm coverage of the vote, was that European standardisation bodies were running late on the harmonized technical standards high-risk compliance depends on, with many not expected until late 2026 — after the original high-risk deadline would already have hit.

Delayed
High-risk obligations only
Annex III → Dec 2, 2027 · Annex I → Aug 2, 2028

Standalone high-risk systems (education, employment, credit scoring, critical infrastructure, biometrics, law enforcement, migration) get 16 more months. Product-embedded systems under EU product-safety law (medical devices, toys, lifts) get 12 more months.

16-month and 12-month extensions
Not delayed
Transparency and GPAI enforcement
Article 50 + Commission GPAI powers · Aug 2, 2026

Chatbot disclosure, AI-content marking, and deepfake labeling under Article 50 remain live from August 2, 2026. The Commission's GPAI enforcement toolkit is widely documented to activate the same day. Article 5 prohibitions and GPAI obligations were already in force.

Live in August 2026
Delay is not relaxation
Morgan Lewis’s core counsel to businesses is to treat the changes “primarily as an extension of time to complete their AI Act compliance efforts, rather than as a material relaxation of the underlying obligations.” Nothing about what a high-risk system must eventually do was softened — conformity assessments, risk management, data governance, and human oversight all survive intact. Only the date moved.

One genuinely new provision did arrive in the same package: a new prohibited-AI category banning “nudifier” applications that generate non-consensual sexually explicit or intimate imagery, added to the Article 5 prohibitions with a transitional compliance period running to December 2, 2026. The rest of the Article 5 prohibited-practices list — subliminal manipulation, social scoring, emotion inference in workplaces and education, biometric categorization by protected characteristics — has been in force since February 2, 2025 and is unaffected by the amendments.

02TimelineThe full timeline, before vs after the amendments.

No single source we reviewed lays out every obligation category side by side with both the original and amended dates — law-firm alerts each cover a subset. The table below consolidates the Commission’s AI Act page, Gibson Dunn’s and Morgan Lewis’s analyses, and Latham and Watkins’s GPAI briefing into one reference. The AI Act as a whole entered into force on August 1, 2024 and was always designed to become fully applicable two years later — the amendments changed which exceptions apply, not that target date.

EU AI Act obligation timeline before and after the June 16, 2026 Digital Omnibus amendments, grouped by obligations already in force, obligations going live on August 2, 2026, and obligations delayed or newly added by the amendments. Compiled from the European Commission AI Act page and Morgan Lewis, Gibson Dunn, and Latham and Watkins client alerts.
ObligationOriginal deadlineAfter June 2026 amendmentsChanged?
Already in force
Article 5 prohibited practicesFebruary 2, 2025In force — unchangedNo
GPAI obligations (Articles 51–56)August 2, 2025In force — unchangedNo
Live August 2, 2026
Article 50 transparency (chatbot disclosure, content marking, deepfake labels)August 2, 2026August 2, 2026 — not delayedNo
GPAI Commission enforcement powersAugust 2, 2026 (one year after obligations)August 2, 2026 — untouched by the amendmentsNo
Moved or newly added by the amendments
Article 50(2) machine-readable watermarking — systems already on the market before Aug 2, 2026August 2, 2026December 2, 2026 — four-month grace periodYes
Nudifier ban (new Article 5 prohibition)Not in original actTransitional period to December 2, 2026New
High-risk, Annex III standalone systemsAugust 2, 2026December 2, 2027 — 16-month delayYes
High-risk, Annex I product-embedded systemsAugust 2, 2027August 2, 2028 — 12-month delayYes

Two rows deserve a second look. The Article 50(2) watermarking grace period applies only to AI systems already on the market before August 2, 2026 — anything placed on the market on or after that date needs machine-readable marking from day one. And for GPAI models that were on the market before August 2, 2025, providers have until August 2, 2027 to reach full compliance, per Latham and Watkins — a separate, pre-existing transition that the June amendments did not touch.

03Article 50The transparency duties that land August 2.

The European Commission’s own AI Act page states it plainly: “The transparency rules of the AI Act will come into effect in August 2026.” Three sub-obligations matter most for marketing and agency work.

Article 50(1) — chatbot and virtual-assistant disclosure

Users must be informed they are interacting with an AI system, and the disclosure must be perceivable in the interaction itself. According to the practical guide published by artificialintelligenceact.eu, a disclosure buried in terms and conditions, a metadata-only watermark, or a vague label like “assistant” does not satisfy the duty. If your customer-service widget answers EU users, the AI disclosure belongs in the chat surface itself.

Article 50(2) — machine-readable marking of AI content

Providers of generative AI systems — text, image, audio, and video — must mark outputs in a machine-readable format so they are detectable as AI-generated or AI-manipulated. For agencies, the operational question is pipeline integrity: the marking your generation tools embed has to survive your export, editing, and publishing workflow, and any system your team places on the market on or after August 2, 2026 needs it immediately.

Article 50(4) — deepfakes and public-interest text

Deployers must disclose AI-generated or AI-manipulated image, audio, or video content that appreciably resembles real persons, objects, places, or events and would falsely appear authentic. A parallel duty covers AI-generated text published to inform the public on matters of public interest — with one carve-out agencies should memorize: content that underwent human review or editorial control, with a named natural or legal person holding editorial responsibility, is generally exempt from the text-disclosure duty. Human-edited, AI-assisted copy with an accountable editor sits on the right side of that line.

"A statement buried in terms and conditions, a metadata watermark on its own, or a vague reference to an 'assistant' does not satisfy the chatbot disclosure duty in Article 50(1); the information has to be perceivable in the interaction itself."— artificialintelligenceact.eu, practical guide to Article 50 (2026)

Enforcement of Article 50 sits with national market surveillance authorities rather than centrally with the EU AI Office, and that enforcement layer takes effect from August 2, 2026 — it was not postponed by the Digital Omnibus. Gibson Dunn’s alert makes the operational point directly: “2 August 2026 remains a live compliance date,” and organizations should keep preparing for it regardless of the deferred high-risk deadlines.

04Agency ChecklistArticle 50, translated into agency functions.

Legal client alerts explain the articles; they rarely explain what a marketing team should do on Monday morning. Legal commentary around the act gives the mapping for a non-EU business serving EU customers: a customer-service chatbot engages Article 50(1), a marketing function generating synthetic content for EU campaigns engages Article 50(2), and where existing people are depicted, the deepfake labeling duty in Article 50(4) also applies. The table below reframes each Article 50 sub-clause as an agency function — the operating model we run ourselves, including the AI content-engine work we deliver for clients.

Article 50 agency compliance checklist mapping five marketing functions — customer-service chatbots, AI-generated ad creative, synthetic content featuring real people, AI-generated public-interest text, and AI-assisted editorial content — to the applicable Article 50 sub-clause, whether disclosure is required, and the practical action. Compiled from the Article 50 text via artificialintelligenceact.eu and the European Commission AI Act Service Desk.
Marketing functionArticle 50 clauseDisclosure required?Practical action
Customer-service chatbot / virtual assistant for EU users50(1)Yes — perceivable in the interaction itselfPut explicit AI-disclosure copy in the chat UI at conversation start; do not rely on terms and conditions or an ambiguous “assistant” label
AI-generated ad creative (image, audio, video) for EU campaigns50(2)Yes — machine-readable marking of outputsVerify your generation tools embed machine-readable marking and that it survives your editing and export pipeline; new systems need it from day one
Synthetic content depicting real people, places, or events50(4)Yes — visible deepfake disclosureLabel synthetic creative that appreciably resembles real persons or events and could falsely appear authentic — on top of the 50(2) machine-readable marking
AI-generated text published on matters of public interest50(4)Yes — unless exemption appliesDisclose AI generation, or route the content through human editorial review so the exemption applies
AI-assisted editorial content with human review and a named editor50(4) carve-outGenerally exemptDocument the editorial-control step and name a natural or legal person holding editorial responsibility for each publication
The exemption worth operationalizing
The Article 50(4) editorial-control carve-out is the single most useful clause in the article for content teams: human-edited AI-assisted copy with a named, accountable editor is generally outside the text-disclosure duty. If your content workflow already runs human review before publication, the compliance gap is documentation — proving the review happened and naming who holds editorial responsibility — not a new production process.

05GPAI EnforcementThe GPAI nuance most coverage gets wrong.

A large share of secondary coverage compresses the general-purpose-AI story into “GPAI rules start August 2026.” That is imprecise in a way that matters. The substantive GPAI obligations under Articles 51 to 56 — the documentation, copyright-policy, and training-data-summary duties for model providers — already took legal effect on August 2, 2025, and the June 2026 amendments did not touch them. What changes on August 2, 2026, as widely documented across the Commission’s guidance and multiple law-firm trackers, is the activation of the Commission’s active enforcement toolkit: requests for information, model access, and recall powers, arriving one year after the obligations took effect.

In other words: a GPAI provider that has ignored its obligations since August 2025 has not been compliant — it has been un-policed. That distinction disappears on August 2, 2026.

Aug 2, 2025
GPAI obligations in force
2025

Articles 51-56 took legal effect for general-purpose AI model providers. Not touched by the June 2026 amendments — the substantive rules have applied for a year.

Already live
Aug 2, 2026
Commission enforcement activates
2026

Per the Commission's guidance and multiple legal trackers, the Commission's active enforcement powers — information requests, model access, recall — begin one year after the obligations took effect.

Widely documented date
Aug 2, 2027
Legacy-model deadline
2027

GPAI models placed on the market before August 2, 2025 have until this date to reach full compliance, per Latham & Watkins — a pre-existing transition, unchanged by the amendments.

Pre-existing models

For most agencies and marketing teams, GPAI duties fall on the model providers you build on, not on you. But the enforcement activation still matters downstream: from August 2026 the Commission can demand information and, in the extreme, pull non-compliant models — which makes provider selection and contract terms a compliance surface. If a vendor’s model leaves the EU market, your product built on it inherits the disruption.

06PenaltiesWhat non-compliance actually costs.

The Article 99 penalty framework puts GPAI violations and Article 50 transparency violations in the same maximum tier: fines up to the greater of €15 million or 3% of total worldwide annual turnover for the preceding financial year, per the Article 99 summaries published by artificialintelligenceact.eu and Holistic AI. EU institutions and bodies that breach transparency duties face a separate cap of €750,000.

Undertakings
or 3% of global turnover
€15M

The maximum for GPAI and Article 50 transparency violations — whichever of the two figures is higher. For a large group, the turnover prong dominates; for everyone else, €15M is the ceiling that concentrates attention.

Article 99
EU institutions
transparency-breach cap
€750K

EU institutions, agencies, and bodies breaching the transparency duties face fines up to €750,000 — a separate, lower tier from the private-sector maximum.

Article 99
SMEs & startups
of the two caps
Lower

SME and startup fines are capped at the lower of the applicable percentage or flat amount, and penalties overall must be effective, proportionate and dissuasive, taking SME economic viability into account.

Proportionality rule

Two features of the enforcement design are easy to miss. First, Article 50 enforcement is decentralized — national market surveillance authorities in each member state carry it, which means enforcement intensity will likely vary by country and the first test cases may come from the more active regulators rather than Brussels. Second, the SME proportionality rule is real but not a shield: it caps the amount, not the liability. A small agency running an undisclosed chatbot for EU clients is still in scope from August 2 — the fine math is just different.

07Action PlanWhat to do before August 2.

Fifteen days is enough for the transparency tier — these are disclosure and process changes, not conformity assessments. Here is how we would sequence it, in priority order.

Priority 1
Chatbot disclosure audit

Inventory every AI conversational surface reachable by EU users — site chat, WhatsApp flows, voice agents. Add explicit AI disclosure in the interaction itself. This is the most visible, most easily tested duty a regulator can check from a browser.

Ship this week
Priority 2
Content-marking pipeline check

Map where AI-generated image, audio, and video enters EU campaigns. Confirm machine-readable marking survives your editing and export steps. Pre-existing systems have until December 2, 2026; anything new from August 2 needs marking immediately.

Verify before Aug 2
Priority 3
Deepfake and editorial policy

Write the two-line policy: synthetic creative depicting real people gets a visible label; AI-assisted text goes through documented human review with a named responsible editor, which generally exempts it from the 50(4) text-disclosure duty.

Document the carve-out
Reclaimed time
Re-plan high-risk work to Dec 2027

If you have systems in Annex III scope — hiring tools, credit scoring, education — use the 16 months to do conformity work properly against the harmonized standards now expected late 2026, rather than racing a deadline the standards themselves would have missed.

Re-baseline, do not shelve

The trend worth reading underneath the amendments: the EU did not blink on transparency, only on the tier where its own technical standards were late. Delaying Annex III while holding Article 50 firm signals that user-facing honesty about AI — disclosure, marking, labeling — is the part of the regime the EU considers immediately enforceable, no standards bodies required. That is consistent with where enforcement is cheapest to test: a regulator can verify a chatbot disclosure in minutes, while auditing a credit-scoring model takes a harmonized standard and months of technical work.

Looking forward, we expect the August 2026 to December 2026 window to define the enforcement tone. National market surveillance authorities take up Article 50 in August; the watermarking grace period for pre-existing systems and the nudifier transitional period both expire December 2. Early actions will most likely target visible, easily documented failures — undisclosed chatbots and unlabeled synthetic media — because those cases are simple to prove. Teams that treat the transparency checklist as a two-sprint project this summer can reasonably avoid being anyone’s test case. If you want a structured way to run that audit — or to re-baseline a high-risk roadmap against the new dates — our AI transformation engagements cover exactly this scope, and our risk-tier checklist remains the right companion for the tiers the amendments did not touch.

08ConclusionAugust 2 is smaller now — not gone.

The compliance picture, July 2026

The deadline got narrower, not softer.

The June 16 amendments turned August 2, 2026 from an everything deadline into a transparency deadline. High-risk obligations moved to December 2027 and August 2028, and Morgan Lewis’s framing is the one to keep: an extension of time, not a relaxation of the underlying obligations.

What remains on August 2 is precisely the part that touches marketing and agency work every day: telling users when they are talking to an AI, marking AI-generated content so machines can detect it, labeling synthetic media that depicts real people, and documenting the human editorial control that exempts AI-assisted copy. Alongside it, the Commission’s GPAI enforcement powers give the rules that have applied since August 2025 their teeth — with fines reaching €15 million or 3% of global turnover.

The practical read is simple. If you shelved AI Act work when the delay headlines hit, un-shelve the transparency tier this week — it is disclosure copy, pipeline checks, and documentation, all achievable before the date. And spend the reclaimed high-risk months doing that work properly against the standards that are actually arriving, so December 2027 is a formality rather than a second scramble.

Get compliant before August 2

The transparency tier is a two-sprint project — if you start now.

Our team runs Article 50 transparency audits, AI-content pipeline reviews, and high-risk compliance re-baselining for agencies and in-house teams serving EU customers — delivered in days, not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

AI Act readiness engagements

  • Article 50 chatbot-disclosure and labeling audits
  • AI-content marking pipeline verification
  • Editorial-control documentation for the 50(4) exemption
  • High-risk roadmap re-baselining to Dec 2027 / Aug 2028
  • Provider due diligence for GPAI enforcement exposure
FAQ · EU AI Act August 2026

The questions we get every week.

Two things. First, the Article 50 transparency obligations become applicable: users must be told when they are interacting with an AI system, providers of generative AI must mark outputs in a machine-readable format, and deployers must disclose deepfakes and certain AI-generated public-interest text. Second, the European Commission's active enforcement powers over general-purpose AI models — information requests, model access, and recall powers — are widely documented across Commission guidance and legal trackers to activate the same day, one year after the GPAI obligations themselves took effect in August 2025. The high-risk obligations that were originally due on August 2, 2026 were moved to December 2, 2027 by the June 16, 2026 amendments, so they are no longer part of this date.
Related dispatches

Continue exploring AI compliance.