Last week, the European Parliament backed a delay to certain EU AI Act obligations. If you caught the headlines, you may have read something like “Europe pushes AI law to 2027” and breathed a quiet sigh of relief.
That relief might be misplaced.
What Parliament actually approved is a delay to specific high-risk AI obligations, primarily because the technical standards, guidance documents, and implementation infrastructure needed to support those rules are not yet ready. The EU AI Act as a whole is intact. Several obligations are already in force. Others arrive in August 2026.
For product teams, this is less about politics and more about sequencing.
What actually happened and the updated EU AI Act timeline
In November 2025, the European Commission proposed targeted amendments to the EU AI Act as part of what it called the Digital Omnibus package. The rationale was practical rather than political. The technical standards and implementation tools that businesses would need to demonstrate compliance with the most demanding rules, namely the Annex III high-risk AI system obligations, were running behind schedule. Enforcing rules before the infrastructure existed to support them would have created legal uncertainty for both businesses and regulators.
In March and April 2026, the European Parliament adopted its position on those amendments, proposing fixed long-stop dates to give businesses a reliable planning horizon:
- 2 December 2027: proposed application date for high-risk AI systems listed in Annex III, covering use cases such as hiring tools, credit scoring systems, education access platforms, healthcare triage, and biometric identification
- 2 August 2028: proposed application date for AI systems embedded in regulated products covered by EU product safety and market surveillance legislation, including medical devices, industrial machinery, and autonomous vehicles
| Important: at the time of publication, these dates reflect Parliament’s adopted position. They are proposed dates, not confirmed law. Final deadlines are subject to trilogue negotiations between the European Parliament, the European Commission, and the Council of the EU. Product teams should treat 2 December 2027 as the working planning target while monitoring for a confirmed final date. |
What was not changed by the delay, and what is already in force for any app serving EU users:
| Date | Obligation | Status | Confirmed or proposed |
| 1 August 2024 | AI Act entered into force | In force | Confirmed |
| 2 Feb 2025 | Prohibited practices + AI literacy obligations | Live now | Confirmed |
| 2 August 2025 | GPAI model obligations + governance rules | Live now | Confirmed |
| 2 August 2026 | General application + Article 50 transparency rules | 4 months | Confirmed |
| 2 Dec 2027 | Annex III high-risk AI systems | Extended | Proposed |
| 2 August 2028 | AI embedded in regulated products | Extended | Proposed |
The most common mistake app development teams make is treating the EU AI Act as a single deadline event. The Act applies in layers. Three of those layers are already live. A fourth, covering transparency obligations for AI-generated content and chatbot disclosure, applies in August 2026. Understanding the order of these obligations is the difference between teams that prepare intelligently and teams that scramble.
The story is not that the EU AI Act is gone. The story is that the hardest compliance layer is being pushed back because the ecosystem was not ready.
Which apps are affected by the EU AI Act delay and which are not
The EU AI Act does not classify AI systems by how sophisticated or technically complex they are. The regulation classifies AI systems by what they are used for, who they affect, and whether the output of the AI influences a sensitive decision or outcome. A simple rules-based system used in hiring is regulated more strictly than a complex neural network used to recommend films.
Apps most affected by the December 2027 extended deadline
These Annex III high-risk AI use cases gained more implementation time. If your app operates in any of the following categories, 2 December 2027 is your new compliance target for those features:
- Hiring and recruitment: CV screening, candidate ranking, automated shortlisting, and interview scoring systems used by employers in the EU
- Employment management: AI that allocates tasks, monitors worker performance, evaluates conduct, or influences promotion and dismissal decisions
- Credit and financial access: loan eligibility assessment, creditworthiness scoring, insurance risk profiling, and AI that determines access to financial products
- Education and training: AI that determines access to educational programmes, evaluates learning outcomes, or monitors behaviour during assessments
- Healthcare: clinical decision support tools, AI-assisted triage systems, and diagnostic aids that influence patient care pathways
- Essential services: AI determining eligibility for public benefits, social services, or utility access
- Law enforcement and justice: recidivism risk tools, case prioritisation systems, and sentencing support applications
- Biometric identification and categorisation: AI used to identify individuals or infer characteristics such as emotional state, ethnicity, or political opinion from biometric data
Apps unaffected by the delay
The extended deadline does not apply to apps whose AI features are genuinely low-risk or general-purpose. Common examples include AI-powered content summarisation tools, internal productivity assistants, search enhancement features, and customer support copilots that do not make or materially shape decisions about individuals. These types of AI use cases were not in Annex III scope in the first place.
However, apps in the low-risk category are not obligation-free. Article 50 transparency rules apply from August 2026, requiring disclosure when users interact with AI and labelling of AI-generated content. GPAI-related obligations for apps using foundation models have been live since August 2025. Classification must be documented.
What the EU AI Act delay does not remove or reduce
The most significant compliance risk following this delay is not panic. It is false reassurance. The following obligations remain fully in force, unaffected by the extended Annex III deadline.
- Prohibited AI practices are banned and are not delayed. AI systems that deploy subliminal manipulation techniques, enable social scoring by public or private entities, or perform predictive policing based solely on profiling have been prohibited since 2 February 2025. No extension applies to these bans.
- GPAI model obligations are live and not delayed. Any app that integrates a general-purpose AI model, including large language models, image generation models, or multimodal foundation models, has been subject to GPAI transparency and documentation obligations since 2 August 2025. These obligations apply to the downstream deployer as well as the model provider.
- Article 50 transparency rules arrive in August 2026 and are not delayed. From 2 August 2026, any app deploying a chatbot or virtual assistant must disclose to users that they are interacting with an AI system. AI-generated images, audio, and video content must be labelled as such. These transparency obligations are four months away at the time of publication.
- AI literacy obligations are in force now. The EU AI Act requires that any organisation deploying or developing AI systems ensures sufficient AI literacy among the staff who operate or oversee those systems. This obligation started applying on 2 February 2025 and has not been extended.
- Sector regulation runs in parallel and is not delayed. Fintech apps operating in the EU are subject to DORA, which is already in force. Health apps are subject to MDR. Any app handling personal data is subject to GDPR Compliance. These frameworks apply independently of the EU AI Act timeline.
- Contractual liability follows product behaviour, not regulatory deadlines. A B2B contract does not contain a December 2027 liability carve-out. If an AI system causes harm, discriminates unfairly, or fails a governance audit conducted by an enterprise buyer, legal exposure is live regardless of when enforcement formally begins.
How the delay affects three common app archetypes
App teams can identify their position using three archetypes based on what the AI in their product actually does. Each archetype carries a different set of obligations and a different immediate action.
Archetype 1: Apps with low-risk AI features
Low-risk AI features include content summarisation, search assistance, internal productivity agents, smart autocomplete, and support copilots that do not make or influence decisions about individuals. These features were outside Annex III scope before the delay and remain so after it.
The EU AI Act delay does not change the obligation profile for low-risk AI features in any material way. What does apply: Article 50 transparency obligations from August 2026, GPAI-related due diligence if the feature relies on a foundation model, and standard data handling requirements under GDPR.
| Action for low-risk app teams: Document the classification of each AI feature in writing before August 2026. A written classification record demonstrating that the feature falls outside Annex III scope is the primary form of compliance protection for this category. Without documentation, the classification cannot be defended. |
Archetype 2: Apps with customer-facing generative AI features
Customer-facing generative AI features include chatbots, AI-powered content generation tools, image and video synthesis interfaces, and decision support dashboards that surface AI-generated recommendations to end users.
The Article 50 transparency obligations that apply to these features from August 2026 have not been extended. Apps using chatbots must disclose the AI nature of the interaction. Apps generating synthetic content must label it. Opt-out mechanisms must be in place where required. August 2026 is four months away and these changes typically require legal review, design iteration, and engineering work across multiple surfaces.
| Action for generative feature teams: Audit every user-facing surface where AI generates or shapes content before the end of June 2026. Identify which surfaces require disclosure language, synthetic content labelling, or opt-out flows. Treat August 2026 as the hard deadline for these changes. |
Archetype 3: Apps with decision-shaping AI workflows
Decision-shaping AI workflows are systems where AI output materially influences an outcome for an individual. This category includes automated hiring screening, credit eligibility tools, healthcare triage features, insurance underwriting AI, and any AI that prioritises, ranks, or filters people in contexts related to access, employment, finance, or health.
For decision-shaping AI workflows, the Annex III compliance deadline has moved to December 2027. That extension sounds like breathing room. For architecture decisions, it is not. The system built in 2026 is the system that will be submitted for conformity assessment in 2027. Retrofitting compliance controls, logging infrastructure, human oversight checkpoints, and technical documentation into a production workflow that was not designed to accommodate them is significantly more expensive and disruptive than building those controls in from the start
What app builders should do before December 2027
The period between now and December 2027 is a build window. Teams that treat it as a wait window will arrive at the enforcement date with the same gaps they have today, plus the cost of fixing them under pressure.
Step 1: Classify every AI feature by its use case and risk profile
Map every AI feature in the product to one of the four EU AI Act risk tiers: prohibited, high-risk (Annex III), limited risk, or minimal risk. The classification is not based on the sophistication of the underlying model. It is based on the intended use case and whether the output influences sensitive decisions or outcomes. Separate features that are genuinely assistive from features that are materially decision-shaping. Document the classification rationale for each feature before August 2026.
Step 2: Build governance into the product architecture, not around it
For apps with Annex III or GPAI-related obligations, governance controls belong in the product architecture from the start. Logging and audit trails for AI operations. Model and prompt versioning. Human oversight checkpoints where AI output influences a significant decision. Incident escalation flows. Explainability standards appropriate to the use case. Dataset traceability where training data is in scope. These are architecture decisions with long lead times. Teams that defer them will retrofit them, and retrofitting is expensive.
Step 3: Audit your vendor and model stack
Apps that integrate third-party AI models or APIs may be operating as deployers under the EU AI Act, which carries its own set of obligations separate from those of the model provider. Deployers of high-risk AI systems must use those systems in accordance with the provider’s instructions, assign human oversight, maintain logs, and in some cases conduct a fundamental rights impact assessment. Understanding whether your product is operating as a provider, a deployer, or both determines which obligations apply. Ailoitte’s provider vs deployer guide at ailoitte.com/insights/eu-ai-act-provider-vs-deployer covers this distinction in detail for app development teams.
Step 4: Train the teams building and operating AI features
AI literacy obligations have been in force since February 2025. Any organisation that develops or deploys AI systems must ensure that the people involved in building and operating those systems have a sufficient working understanding of AI risk, the applicable obligations, and how to recognise and handle risk in the product workflow. This applies to engineering teams, product managers, QA teams, and operations staff. It is a legal obligation that is already active.
EU AI Act compliance is a product design problem, not a legal one
The strongest AI-enabled products treat regulatory compliance as infrastructure. Not something bolted on before a procurement questionnaire arrives, but something that shapes architecture decisions, workflow controls, and release governance from the first sprint.
Logging systems, oversight checkpoints, human escalation paths, and model versioning are not compliance tasks to be managed by a legal team in the final quarter before an enforcement deadline. They are product infrastructure decisions with the same lead times as any other significant architectural choice. Teams that classify them as legal work defer them. Teams that classify them as product work build them correctly.
Teams that build AI governance into the product from 2026 onward will find enterprise procurement faster, security reviews cleaner, and regulated market entry more straightforward. Teams that treat December 2027 as the start date for compliance work will arrive at that deadline with expensive retrofitting ahead of them.
The delay gives builders more room. It does not give them permission to stay unprepared.
FAQs
Did the European Parliament cancel or suspend the EU AI Act?
No. The EU AI Act has not been cancelled, suspended, or significantly weakened. The European Parliament adopted a position in early 2026 backing a delay to specific Annex III high-risk AI system obligations, extending the proposed compliance deadline from August 2026 to December 2027. Prohibited AI practices remain banned. GPAI model obligations remain active. Article 50 transparency rules arrive unchanged in August 2026. The Act as a whole is fully intact. The delay affects one specific compliance layer, not the regulation itself.
What is the new deadline for high-risk AI compliance under the EU AI Act?
The European Parliament has proposed 2 December 2027 as the new application date for high-risk AI systems listed in Annex III of the EU AI Act. These include AI systems used in hiring and recruitment, credit scoring, education access decisions, healthcare triage, law enforcement risk assessment, and biometric identification. A separate proposed date of 2 August 2028 applies to AI systems embedded in regulated products such as medical devices, industrial machinery, and autonomous vehicles. These dates are Parliament’s proposed position and are not yet confirmed as final law. They are subject to trilogue negotiations between Parliament, the Commission, and the Council of the EU. Product teams should treat 2 December 2027 as a planning target while monitoring for the confirmed final date.
Does the EU AI Act delay affect the August 2026 transparency rules?
No. The August 2026 transparency obligations under Article 50 of the EU AI Act have not been extended or delayed. From 2 August 2026, any app or service using a chatbot or virtual assistant must clearly disclose to users that they are interacting with an AI system. AI-generated images, audio, and video content must be labelled as artificially generated. These obligations apply to any provider or deployer serving EU users, regardless of where the company is based. App teams should treat 2 August 2026 as a firm deadline for transparency-related product changes. Four months is not a long implementation window when legal review, design changes, and engineering work across multiple surfaces are required.
Does my app need to comply with the EU AI Act if my company is based outside the EU?
Yes, if your app serves EU users or if the output of your AI system is used within the EU. The EU AI Act has explicit extraterritorial reach under Article 2. It applies to any provider placing an AI system on the EU market, any deployer using an AI system within the EU, and any provider or deployer outside the EU whose system produces outputs used by EU-based individuals or organisations. This territorial scope mirrors the approach taken by the GDPR. A company headquartered in the United States, India, or anywhere else that offers an AI-powered app to EU users is subject to EU AI Act obligations for that app.
Do GPAI obligations apply to apps that use foundation models such as GPT-4, Claude, or Gemini?
Yes. General-purpose AI model obligations under Chapter V of the EU AI Act started applying from 2 August 2025. These obligations fall primarily on the providers of GPAI models, but they also create due diligence requirements for downstream deployers, which is the classification that typically applies to app development companies using foundation model APIs. As a deployer integrating a foundation model into your product, you are responsible for assessing how that model’s capabilities interact with your specific use case, particularly if your use case is or may become high-risk. You must also ensure your product complies with transparency obligations when the foundation model is used to generate content visible to EU users. Understanding whether your product operates as a provider, a deployer, or both for each AI integration is essential. Ailoitte’s provider vs deployer guide at ailoitte.com/insights/eu-ai-act-provider-vs-deployer covers this distinction in practical terms for app teams.
What should an app development company prioritise before August 2026?
Before August 2026, app development companies building AI-enabled products for EU users should focus on three priorities. First, complete AI feature classification. Every AI feature in every product should be mapped to one of the four EU AI Act risk tiers and the classification should be documented. This is the foundation for all subsequent compliance decisions. Second, prepare for Article 50 transparency obligations. Any chatbot, virtual assistant, or AI-generated content surface needs disclosure language, labelling mechanisms, and where applicable opt-out flows, all of which must be in place by 2 August 2026. Third, audit the vendor and model stack. Understand which AI models and APIs the product relies on, what documentation those vendors provide, and whether the product is operating as a provider or a deployer for each integration. GPAI obligations are already live and deployer responsibilities may be wider than teams assume.
Discover how Ailoitte AI keeps you ahead of risk
Sunil Kumar
Sunil Kumar is CEO of Ailoitte, an AI-native engineering company building intelligent applications for startups and enterprises. He created the AI Velocity Pods model, delivering production-ready AI products 5× faster than traditional teams. Sunil writes about agentic AI, GenAI strategy, and outcome-based engineering. Connect on
LinkedIn
Stephan is the sports journalist for the Maple Grove Report.
