The EU AI Act just got delayed. Here is why that is not the free pass most businesses think it is.

Last month, EU lawmakers announced that key deadlines under the EU AI Act would be pushed back significantly.1traverssmith.comEU agrees to delay key AI Act compliance deadlinesTravers Smith, May 2026Visit source → A lot of businesses that had been quietly anxious about the August 2026 compliance date exhaled. I understand the relief. I am not sure it is entirely warranted.

The delay is real. The compliance burden has eased, at least for now. But the architecture of the regulation is intact, the direction of travel is unchanged, and August 2, 2026 remains a live date for certain obligations that have not moved.3isms.onlineThe EU AI Act August 2026 Deadline Has Been Delayed: What it Means for BusinessesISMS.onlineVisit source → If you build with AI, or you integrate it into your products, or you use it in decisions that affect people, the EU AI Act is still your problem.

What the EU AI Act actually is

The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It was published in the Official Journal of the European Union in July 2024 and has been coming into effect in phases since February 2025. The core idea is a risk-based approach: the more potential harm an AI system can cause, the stricter the requirements around building, deploying, and monitoring it.

The regulation applies not just to EU-based organisations, but to any organisation whose AI systems affect people in the EU. That means a UK company, a US company, or any other non-EU business is potentially in scope if its AI output touches EU residents in a meaningful way.5hklaw.comU.S. Companies Face EU AI Act's Possible August 2026 Compliance DeadlineHolland & Knight, April 2026Visit source → The model is explicitly similar to GDPR, which followed the same extraterritorial logic.

The four risk tiers

The Act divides AI systems into four categories based on the risk they present.

Unacceptable risk systems are prohibited outright. This covers AI that manipulates people through subliminal techniques, exploits vulnerabilities in specific groups, enables social scoring by governments, and uses real-time biometric surveillance in public spaces, with narrow exceptions for law enforcement.

High-risk systems face the most significant compliance requirements. These are AI systems used in areas where errors can cause serious harm: medical devices, critical infrastructure, employment decisions, education access, credit scoring, biometric identification, border control, and the administration of justice. Organisations deploying high-risk systems must implement risk management programmes, conduct impact assessments, maintain technical documentation, and ensure human oversight.

Limited risk systems, such as chatbots and AI-generated content, face lighter transparency obligations. Users must be told they are interacting with AI. Deepfakes must be labelled.

Minimal risk systems, which covers the vast majority of AI applications, face no specific obligations under the Act. The regulation is explicitly designed not to burden everyday AI use.

General purpose AI models

The Act also introduces rules for general purpose AI models, meaning large foundation models like GPT, Claude, and Gemini. Providers of these models must publish technical documentation, comply with copyright law, and provide summaries of the training data used. Models that present systemic risk, defined by computing thresholds, face additional requirements including adversarial testing and incident reporting.

What has just changed

On 7 May 2026, EU lawmakers reached political agreement on revisions to the Act through what is being called the Digital Omnibus on AI.2gibsondunn.comEU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key ChangesGibson Dunn, May 2026Visit source → The headline change is significant: the compliance deadline for high-risk AI systems, which had been set for August 2, 2026, has been pushed back by 16 months to December 2, 2027 for most categories, and to August 2, 2028 for AI embedded in regulated products like medical devices.4fisherphillips.comEU Overhauls AI Act Just Before Key Deadline: What Should Businesses Do With The Extra Time?Fisher Phillips, May 2026Visit source →

The rationale given was pragmatic. The regulatory infrastructure needed to make the high-risk obligations fully operational, including the harmonised standards and guidance documents, had not materialised on schedule. Pushing the deadline was an acknowledgment of reality rather than a retreat from ambition.

For smaller businesses, the Omnibus also extended regulatory simplifications, including simplified technical documentation requirements, to a broader category of companies. That is a meaningful concession to the concern that the compliance burden was disproportionate for organisations without dedicated legal and compliance teams.

What has not changed

Here is the part that the relief may be obscuring. August 2, 2026 remains a live compliance date. The transparency obligations under Article 50 of the Act were not moved by the Omnibus. If you deploy a chatbot, an AI content generation tool, or any system that interacts with users without making clear that AI is involved, you are subject to those requirements from August.5hklaw.comU.S. Companies Face EU AI Act's Possible August 2026 Compliance DeadlineHolland & Knight, April 2026Visit source →

There is one narrow piece of relief even here. Generative AI systems already on the market before that date get until December 2, 2026 to meet the machine-readable marking requirement specifically.2gibsondunn.comEU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key ChangesGibson Dunn, May 2026Visit source → But that is a transitional grace on a single sub-obligation, not a reprieve from Article 50, and anything you put live from August is in scope from day one.

The prohibition on unacceptable risk AI systems has also been in effect since February 2025 and is not affected by the delay. If you are doing anything that falls into that category, the delay does not help you.

And critically, the formal adoption of the Omnibus must be completed and published in the Official Journal before the revised deadlines legally bind. Until that happens, the original August 2 date for high-risk systems technically remains on the books. Most legal analysis expects formal adoption before August, but it introduces a period of uncertainty that organisations with complex compliance programmes cannot entirely ignore.4fisherphillips.comEU Overhauls AI Act Just Before Key Deadline: What Should Businesses Do With The Extra Time?Fisher Phillips, May 2026Visit source →

What this means for UK businesses specifically

Brexit did not insulate UK businesses from the EU AI Act. If you process data from EU residents, sell products into EU markets, or provide services to EU customers, the Act applies to you in the same way it applies to a US or Canadian company operating in the EU.5hklaw.comU.S. Companies Face EU AI Act's Possible August 2026 Compliance DeadlineHolland & Knight, April 2026Visit source → The GDPR precedent is instructive: UK companies spent years adapting to GDPR's extraterritorial reach, and the EU AI Act follows the same model.

The UK has its own approach to AI regulation, which at the time of writing remains principles-based and sector-led rather than legislation-based. That may feel like a comparative advantage in the short term. It also means less clarity about where the lines are, which creates its own compliance challenges.

If your business operates in both the UK and EU, the practical reality is that EU AI Act compliance will define your floor. Building to that standard protects you in the EU and almost certainly exceeds whatever the UK eventually requires.

My honest take

I have watched a lot of organisations treat the delay as permission to stop thinking about this for another 18 months. I think that is the wrong response, and not just because the August 2 transparency obligations are still live.6consilium.europa.euArtificial Intelligence: Council and Parliament agree to simplify and streamline rulesCouncil of the EU, 7 May 2026Visit source →

The EU AI Act is not a compliance checkbox. It is a signal about the direction the world is moving on AI governance. The risk management practices it requires for high-risk systems, the documentation, the human oversight, the impact assessments, these are good engineering practices regardless of whether they are legally required. Building AI systems with auditability, safety guardrails, and clear accountability built in from the start is simply how good AI systems get built.

The businesses that use the delay to get those practices in place, rather than to defer the question entirely, will find the eventual compliance deadline significantly less stressful. More importantly, they will have built AI systems they can actually stand behind.