The EU AI Act's Big Deadline Just Moved to 2027 — What US Founders and In-House Counsel Should Actually Do Now

If you run AI products that touch EU users, you have probably seen the headlines: the EU AI Act's high-risk deadline has slipped to 2027. That is broadly true, but the way it is true matters for how you plan the next eighteen months.

The headline deadline moved — but read the fine print

On 6 May 2026, EU institutions reached a provisional political agreement on the Digital Omnibus on AI, the first amendment to the AI Act since its adoption. Member State representatives in the Council confirmed that agreement on 13 May 2026, following the Commission's tabling of the proposal on 19 November 2025. This is the package that produced the deadline shift everyone is talking about.

What actually moved is specific. The stand-alone high-risk obligations under Annex III — the use cases that make a system high-risk on its own, like AI in hiring or credit decisions — were postponed from 2 August 2026 to 2 December 2027. The Annex I obligations, which cover high-risk AI embedded in regulated products, moved from 2 August 2027 to 2 August 2028. So this is not a blanket pause on the whole Act. It is a targeted delay on two defined buckets of high-risk obligations.

Here is the part that should govern your planning. The relief is legally contingent. The amendments take effect only on the third day following publication in the EU Official Journal, and as of mid-June 2026 that publication had not yet happened. Until it does, the original 2 August 2026 date technically still stands.

What did NOT move: obligations still live in 2025 and on 2 August 2026

The deferral is real, but it is narrow. The same institutions that pushed the high-risk deadlines into 2027 deliberately left the AI Act's foundational obligations untouched — one analysis notes that the EU institutions "refrained from modifying many of the core, foundational obligations in the AI Act." So before you tell your team the pressure is off, map what is already in force and what still lands next August.

Several obligations have applied for more than a year. Under the Act's staggered application schedule, the Article 5 prohibited-practices ban has been in force since 2 February 2025, the Article 4 AI-literacy duty has applied since the same date (retained, though modestly softened), and the obligations on general-purpose AI models took effect on 2 August 2025. None of these moved.

The date to watch is 2 August 2026. The Article 50 transparency obligations — disclosing to people that they are interacting with an AI system, and labeling synthetic or deepfake content — remain on schedule for that day and were not delayed; 2 August 2026 remains an active compliance date. There is one narrow concession: the Article 50(2) machine-readable watermarking requirement for systems placed on the market before 2 August 2026 slips four months to 2 December 2026. That is a small operational grace, not the broad high-risk deferral.

The Omnibus is also stricter where it counts. A new Article 5 prohibition targeting AI "nudifiers" — tools generating non-consensual intimate imagery — and child sexual abuse material takes effect on 2 December 2026.

Why a US company is in scope at all

The most common reaction US founders have to the EU AI Act is that it's a European problem for European companies. The new 2027 timeline doesn't change that, and the assumption doesn't hold up anyway. The Act's reach is defined by Article 2, and it was built to follow AI systems and their outputs into the EU market no matter where the company behind them sits.

The core hook is the provider rule. Article 2 applies to "providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the Union, irrespective of whether those providers are established or located within the Union or in a third country." If your product ships an AI feature to EU end users, you are placing that system on the EU market — and your Delaware incorporation does nothing to take you out of scope.

Two further triggers catch companies that assume they've avoided the EU entirely. Under Article 2(1)(b), the Act reaches "deployers of AI systems that have their place of establishment or are located within the Union" — so a US company's EU subsidiary running a US-built internal tool is an in-scope deployer. And under Article 2(1)(c), it reaches "providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union." That last clause is the one founders miss: no EU sales, no EU entity, but if the output is consumed in the Union, you're in.

• Shipping an AI feature to EU end users — you're a provider placing a system on the EU market (Article 2).
• Your EU subsidiary using a US-built internal tool — that subsidiary is a deployer located in the Union (Article 2(1)(b)).
• EU users consuming your AI's output, even with no EU sales — output used in the Union pulls you in (Article 2(1)(c)).

The deadline move bought time to comply. It did not narrow who has to.

Are you even building a "high-risk" system?

Being in scope and being high-risk are two different questions. The Act reserves its heaviest obligations for a defined set of use cases, and most consumer and B2B SaaS does not land there. Before you budget for conformity assessments and technical documentation, work out whether your system actually falls into the high-risk tier at all.

Start with Annex III, which lists eight high-risk use-case categories: biometrics; critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services and benefits; law enforcement; migration, asylum, and border control; and the administration of justice and democratic processes. If your system does not touch any of these domains, the high-risk regime largely does not apply to you. If it does touch one, you are not finished — you have a second question to answer.

An Annex III system is not automatically high-risk. Article 6(3) carves out systems that do not pose a significant risk of harm: those performing a narrow procedural task, improving the result of a previously completed human activity, detecting decision-making patterns or deviations without replacing human assessment, or performing a preparatory task. There is one hard limit you cannot draft around — a system that profiles natural persons is always high-risk, regardless of how narrow you think its function is.

The Omnibus also tightened the "safety component" definition. AI used solely for non-safety functions — user assistance, performance optimization, efficiency, automation, convenience, or quality control — does not become high-risk merely by being embedded in a regulated product, unless its failure would endanger health or safety.

None of this is a free pass. Because Article 50 transparency duties and the GPAI rules sit outside the high-risk regime, they apply regardless of high-risk classification. Escaping high-risk does not mean escaping the Act — it means you face a lighter, but still real, set of duties.

The trap: treating the delay as a reprieve

It is tempting to read a 2027 deadline as a green light to shelve the project until 2026 is nearly over. That reading misjudges why the date moved. The Commission tabled the Digital Omnibus on AI because implementation was visibly off track — harmonized standards and the compliance tooling that high-risk providers will lean on simply were not ready. The substantive bar did not soften. The scaffolding around it slipped, and the clock moved to match.

You can see the same pattern in the supporting infrastructure. The Omnibus also pushes the deadline for Member States to stand up national AI regulatory sandboxes to 2 August 2027 — a full year later than originally scheduled. When the testing environments, the standards, and the enforcement runway all slide together, that is a system admitting it is not yet ready to receive compliant products, not a regulator relaxing what compliance means.

Meanwhile, the work that actually consumes your calendar is unchanged. High-risk providers still have to complete conformity assessment before placing a system on the market, and that is a long-lead exercise measured in quarters, not weeks. The value-chain analysis under Article 25 is just as demanding. That provision can pull a deployer, distributor, importer, or other third party into the full set of provider obligations through three triggers: putting your name or trademark on a high-risk system already on the market, making a substantial modification while it stays high-risk, or changing the intended purpose of a system — including a general-purpose AI system — so that it becomes high-risk under Article 6.

Read those triggers carefully, because they describe ordinary commercial behavior. Re-brand a vendor's model as your own, fine-tune it past its original scope, or point a GPAI tool at a regulated use case, and you may become the provider. The reprieve runs against the clock, not against the requirements — and the mapping to find out where you sit in the chain is exactly the kind of work the extra time is for.

Actionable Next Steps

The 2027 dates give you room to plan, but the work that earns that head start starts now. Translate the obligations covered above into a short, sequenced program your team can begin this quarter. Most of it is inventory and documentation — unglamorous, but it is what conformity assessment and contract negotiation will demand of you later.

1. Build an AI use-case registry and classify each system. Map every model and AI-enabled feature against the Annex III high-risk categories and the Article 6(3) carve-outs so you know which systems are in scope and which fall outside it.
2. Map and meet the Article 50 transparency obligations. These go live on 2 August 2026, with the watermarking grace period running to 2 December 2026, and they were not part of the delay — they apply regardless of high-risk status.
3. Run a GPAI provider check. Confirm whether your team triggers general-purpose AI provider obligations, which have applied since August 2025 and were not pushed back.
4. Audit your vendor contracts for value-chain flow-down. Under Article 25, re-branding, substantially modifying, or repurposing a third-party or GPAI system can convert you into a provider — so the obligations need to be allocated in writing.
5. Watch the EU Official Journal. The deadline relief is not legally effective until publication, so do not unwind compliance work in reliance on a provisional agreement.
6. Document a defensible governance posture now. A registry, a classification record, and a written allocation of responsibilities are the artifacts that turn the 2027 runway into a genuine advantage.

Treat the extra time as engineering and contracting lead time, not a reason to pause — the teams that are ready in 2027 are the ones building the paper trail in 2026.