EU AI Act Phase 1 Implementation Update
Three things are true about EU AI Act enforcement in June 2026: Article 5 prohibitions are live and have been since February 2025; GPAI obligations activated in August 2025; and the high-risk deadline everyone was scrambling toward — August 2, 2026 — just got pushed to December 2, 2027 by a provisional agreement signed on May 7, 2026. Understanding which track you’re on, and what that May 7 agreement actually changes, is the only EU AI Act update that matters right now.
This is not a summary of what other outlets have reported. It’s a structured account of where every compliance obligation stands as of June 9, 2026, built from official EU Council press releases, the AI Office’s published GPAI Code of Practice, and the Gibson Dunn and Travers Smith legal analyses of the Digital Omnibus deal. Where figures conflict across sources, this article reconciles them and explains why.
Table of Contents
The three-track EU AI Act compliance structure (with May 2026 Omnibus changes applied)
The EU AI Act does not have a single deadline. It has three parallel compliance tracks, each covering different AI system types, each with distinct obligations and a different enforcement timetable. Most companies are affected by at least two of them.
BitsFromBytes Compliance Track Matrix — June 2026
| Track | Regulatory basis | What it covers | Enforcement live since | Current deadline | Digital Omnibus change |
|---|---|---|---|---|---|
| Track 1 — Prohibited Practices | Article 5 | 8 banned AI practices (social scoring, subliminal manipulation, real-time biometric ID for law enforcement, etc.) | 2 February 2025 (penalties from 2 August 2025) | Already enforced | New prohibition added: AI-generated CSAM and non-consensual intimate imagery. Compliance deadline for that addition: 2 December 2026 |
| Track 2 — General-Purpose AI (GPAI) | Articles 53–55 | Foundation/frontier models; applies based on training compute (≥10²³ FLOPs for GPAI, ≥10²⁵ FLOPs for systemic-risk tier) | 2 August 2025 | AI Office enforcement of GPAI obligations activates 2 August 2026 | Unaffected. GPAI obligations remain on original schedule |
| Track 3 — High-Risk AI Systems | Articles 9–15, Annex III, Annex I | AI in recruitment, credit scoring, biometrics, law enforcement, education, border management, critical infrastructure, and AI embedded in regulated products | Originally 2 August 2026 | Now 2 December 2027 (Annex III, standalone) / 2 August 2028 (Annex I, product-embedded) | 16-month postponement for Annex III; 12-month postponement for Annex I |
One critical clarification: the May 7 postponement is a provisional political agreement. Formal adoption by the full Council and Parliament is expected before August 2, 2026. Until the amendment is published in the Official Journal of the EU, the original August 2, 2026 deadline remains legally binding. Organizations treating the postponement as already in force are taking a legal risk.
What Article 5 actually prohibits — the 8 live bans (Track 1)
Article 5 has been enforceable since February 2025. Fines of up to €35 million or 7% of global annual turnover apply to violations — the highest penalty tier in the entire regulation, exceeding GDPR’s 4% maximum. As of June 2026, no public enforcement actions have been announced, but investigations are reportedly underway in workplace emotion recognition and predictive policing applications.
The eight banned practices under Article 5 are:
- Subliminal manipulation — AI systems that use techniques beyond a person’s consciousness to distort behavior in a way that causes harm.
- Exploitation of vulnerabilities — targeting people based on age, disability, or social/economic situation to distort their behavior harmfully.
- Social scoring by public authorities — general-purpose scoring of individuals based on behavior or personal characteristics that leads to detrimental or disproportionate treatment.
- Predicting criminality — AI that assesses the risk of a natural person committing a criminal offense solely based on profiling.
- Facial image scraping for recognition databases — untargeted scraping of internet or CCTV images to build or expand biometric databases.
- Emotion recognition in workplaces and education — inferring emotional states of individuals via biometric data in workplace and educational settings. ⚠️ This prohibition is frequently misread: it does not ban emotion detection in safety-critical applications (e.g., detecting drowsiness in transport operators) — it targets employment and academic evaluation contexts.
- Biometric categorization for sensitive characteristics — categorizing individuals by race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation.
- Real-time remote biometric identification (RBI) in public spaces — for law enforcement use, with narrow exceptions for serious crime searches, imminent terrorist threats, and victim location — each requiring prior judicial or independent administrative authorization and Fundamental Rights Impact Assessment.
May 7 addition: The Digital Omnibus provisional agreement adds a ninth prohibition: AI systems that generate child sexual abuse material (CSAM) or non-consensual intimate imagery. The compliance deadline for this new ban is December 2, 2026 — after formal adoption of the Omnibus amendment.
The European Commission’s guidelines on prohibited AI practices, published February 4, 2025, are non-binding but break down each prohibition into cumulative conditions with practical examples. The Bundesnetzagentur (Germany’s Federal Network Agency, designated as the country’s market surveillance authority) has published its own enforcement-oriented analysis of Article 5 that is among the most operationally specific guidance documents currently available.
Who is NOT in scope for Article 5’s biometric bans (important exception): National security applications are entirely excluded from the AI Act’s scope under Article 2(3). Member state law enforcement may deploy real-time RBI under the narrow Article 5(1)(h) exceptions. These are not loopholes in enforcement — they are explicit statutory exclusions confirmed in the official EU AI Act text at artificialintelligenceact.eu.
The GPAI Code of Practice: who signed, who didn’t, and what it means (Track 2)
General-Purpose AI obligations under Articles 53–55 activated August 2, 2025. The mechanism the AI Office created to implement them is the GPAI Code of Practice, published July 10, 2025 and formally endorsed by the European Commission in August 2025. Signing is voluntary — but the incentive structure makes non-participation costly.
What signing gets you: Signatories receive a “presumption of conformity” with the AI Act’s GPAI obligations. The AI Office has signaled a collaborative, light-touch enforcement approach for signatories during the first year (August 2025 to August 2026), while non-signatories face more frequent information requests and must demonstrate compliance through alternative means with higher documentation burden.
The Code has three chapters:
- Chapter 1 — Transparency: Applies to all GPAI model providers under Article 53(1)(a) and (b). Covers technical documentation requirements and model card obligations.
- Chapter 2 — Copyright: Applies to all GPAI providers. Covers training data policies, copyright reservation compliance, and rights-holder summaries.
- Chapter 3 — Safety and Security: Applies only to “GPAI with Systemic Risk” — models above the 10²⁵ FLOP training threshold. Currently a small group of 5–15 organizations worldwide.
Signatory status as of June 2026:
The Code has approximately 24 confirmed signatories. Based on data from the GLACIS EU AI Act compliance guide (last updated June 2026) and the AI Office’s official signatory list:
| Company | Signed full Code | Notable exceptions/conditions |
|---|---|---|
| Anthropic | ✅ Full signatory | Claude models (including Claude 4 Opus, flagged as systemic-risk tier in the Code’s worked examples) covered under all three chapters |
| Google (DeepMind) | ✅ Full signatory | Gemini 2.5 Pro cited in Code documentation as systemic-risk tier example |
| Microsoft | ✅ Full signatory | |
| OpenAI | ✅ Full signatory | GPT-4o / o3 models cited as systemic-risk tier examples |
| Amazon | ✅ Full signatory | |
| IBM | ✅ Full signatory | |
| Mistral AI | ✅ Full signatory | |
| Cohere | ✅ Full signatory | |
| Aleph Alpha | ✅ Full signatory | |
| Black Forest Labs | ✅ Full signatory | |
| ServiceNow | ✅ Full signatory | |
| WRITER | ✅ Full signatory | |
| Meta | ❌ Did not sign | Publicly declined. No alternative compliance path announced. |
| xAI (Elon Musk) | ⚠️ Partial | Signed Safety and Security chapter only. Elects “alternative adequate means” for Transparency and Copyright obligations. |
Meta’s refusal to sign is the most commercially significant absence. The company has not publicly explained its position or disclosed an alternative compliance mechanism, which means the AI Office will need to apply more intensive scrutiny to its EU-deployed models.
The official GPAI Code of Practice document is available at code-of-practice.ai, maintained by the AI Office working groups. The three-chapter structure and all signatory commitments are published there in full.
The 10²⁵ FLOP systemic-risk threshold in practice: The Code defines “GPAI with Systemic Risk” as models trained on greater than or equal to 10²⁵ floating point operations. Confirmed to be in scope: OpenAI’s o3, Anthropic’s Claude 4 Opus, Google’s Gemini 2.5 Pro. The Commission may also designate models below the compute threshold if their capabilities or market impact warrant it.
The national authority readiness gap — the enforcement variable most analyses ignore
The most consequential variable in EU AI Act Phase 1 implementation is not the legislation itself — it’s the structural gap between what the Act requires at the national level and what member states have actually built.
Article 70 required every EU member state to designate national competent authorities (market surveillance + notifying authority) by August 2, 2025. The actual outcome, based on the AI Act National Implementation Plans tracker at artificialintelligenceact.eu and the March 2026 analysis by aiacto.eu:
- Only 8 of 27 member states had formally designated their single point of contact to the European Commission by the August 2025 deadline.
- 12 member states missed the competent authority appointment deadline entirely.
- 3 member states had designated both notifying and market surveillance authorities as of the tracker’s last update.
The three countries with the most operationally advanced frameworks as of June 2026:
Germany: Designated the Bundesnetzagentur as market surveillance authority and Deutsche Akkreditierungsstelle as notifying authority. Adopted the KI-MIG draft law in federal cabinet in February 2026 — the first national transposition framework in any EU member state.
Spain: Created a dedicated AI supervisory agency — AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) — operating in coordination with AEPD (data protection), the Bank of Spain, and CNMV.
Ireland: Designated 15 competent authorities and 9 fundamental rights authorities, coordinated by the National AI Office operational since September 2025. Ireland’s decentralized model reflects the country’s hosting of most major US tech companies’ EU operations.
What the authority gap means for operators: The absence of designated authorities in 19 of 27 member states does not suspend operator obligations. The AI Act applies directly to providers, deployers, importers, and distributors regardless of national authority readiness. What it does create is enforcement fragmentation: the intensity of scrutiny you face depends heavily on which member state you’re primarily active in. A company deploying high-risk AI primarily in Germany faces a structured, active enforcement environment. The same company operating only in a member state without designated authorities faces theoretical compliance liability with no active regulator to coordinate with — until those authorities are designated and ramp up.
The Digital Omnibus on AI: what changed on May 7, 2026, and what didn’t
The Digital Omnibus on AI (COM(2025) 836) is the most significant development in EU AI Act implementation since the regulation entered into force. Understanding it requires separating what actually changed from what is still pending.
What the Omnibus is
The European Commission tabled the Digital Omnibus on November 19, 2025, as a package of targeted amendments to the AI Act. The stated goal: reduce compliance burden by 25% overall and 35% for SMEs by 2029, while acknowledging that the infrastructure needed for high-risk compliance — harmonized technical standards, designated notified bodies, finalised conformity assessment procedures — would not be ready by August 2026.
On May 7, 2026, the Council of the EU and the European Parliament reached a provisional political agreement on the Omnibus terms. This is the agreement that matters. The Council had adopted its negotiating position on March 13, 2026; the Parliament’s IMCO/LIBE committees adopted their joint report March 18, 2026; trilogue negotiations, which nearly broke down in late April, concluded with the May 7 deal.
What the May 7 agreement actually changes
Change 1 — High-risk AI deadlines postponed (the headline change):
- Annex III high-risk AI systems (standalone use-case-based systems including recruitment, credit scoring, biometrics, law enforcement, education, border management): deadline moved from August 2, 2026 to December 2, 2027 — a 16-month postponement.
- Annex I high-risk AI systems (AI embedded in regulated products covered by existing EU product safety law, including medical devices, radio equipment, machinery): deadline moved from August 2, 2027 to August 2, 2028 — a 12-month postponement.
Change 2 — Article 50 transparency obligations largely unaffected: The transparency obligations for AI-generated content (watermarking, synthetic media labeling) remain on the original August 2026 schedule with one modification: the grace period for providers with AI-generated content systems already on the market is reduced from 6 months to 3 months. Those providers must comply by December 2, 2026.
Change 3 — New Article 5 prohibition added: AI systems that generate CSAM or non-consensual intimate imagery are banned. Compliance deadline for this new prohibition: December 2, 2026.
Change 4 — Regulatory sandboxes deadline extended: Member states’ deadline to establish AI regulatory sandboxes is pushed from August 2, 2026 to August 2, 2027.
Change 5 — SME and small-mid-cap enterprise simplification: The Omnibus introduces “small mid-cap enterprise” (SMC) as a new category for proportionate penalty application. The Commission gains new powers to issue implementing acts that disapply overlapping AI Act requirements where sectoral regulation already covers the same ground.
Change 6 — Machinery regulation carve-out: AI embedded in machinery covered by the Machinery Regulation is removed from the AI Act’s direct application. AI-related safety measures for machinery will instead be introduced by delegated acts under the Machinery Regulation.
What the Omnibus does NOT change
- Article 5 prohibited practices: Already enforced since February 2025. Fully unaffected.
- GPAI obligations (Articles 53–55): Fully unaffected. The August 2025 activation and August 2026 AI Office enforcement ramp stand unchanged.
- The AI Office’s structure and mandate: Unchanged.
- Maximum fines: Unchanged. €35M or 7% of global turnover for prohibited practices; €15M or 3% for high-risk non-compliance; €7.5M or 1% for providing incorrect information to authorities.
The critical caveat: still provisional
The May 7 agreement is a political deal, not a published law. Formal adoption by the full Council and European Parliament is expected before August 2, 2026 — but that formal adoption must still happen. Until the amendment is published in the Official Journal of the EU, the text of Regulation (EU) 2024/1689 as originally adopted remains the applicable law. Legal teams treating the postponement as final before publication are operating on unconfirmed ground.
According to Gibson Dunn’s analysis of the agreement (May 2026): “2 August 2026 remains an active compliance date. The Article 50 transparency obligations for AI systems largely remain on the original schedule. Businesses who are subject to those obligations must stay ready for that date regardless of the Omnibus.”
What the EU AI Act Phase 1 actually requires organizations to do right now
The abstract language of “risk classification” and “conformity assessment” obscures what EU AI Act Phase 1 obligations translate to in practical operational terms. This section breaks it down by company role.
BitsFromBytes EU AI Act Obligation Matrix — by role and track (June 2026)
| Your role | Track 1 (Article 5) | Track 2 (GPAI — if applicable) | Track 3 (High-Risk) |
|---|---|---|---|
| AI Provider (builds/trains the model) | Do not build or deploy any Article 5-prohibited system. Screen use cases before launch. | If ≥10²³ FLOPs: maintain technical documentation, publish summary of training data, implement copyright reservation policy. If ≥10²⁵ FLOPs: additionally comply with systemic-risk Chapter 3 of CoP (adversarial testing, model evaluations, incident reporting, cybersecurity framework). | If Annex III system: risk management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11), logging (Art. 12), human oversight (Art. 14), accuracy and robustness (Art. 15), CE marking, EU database registration. Deadline now Dec 2, 2027. |
| AI Deployer (puts model into service for end users) | Same Article 5 obligation. You are responsible for the deployed application’s compliance, not just the underlying model. | Limited direct GPAI obligations. You must comply with provider’s usage policies that implement GPAI requirements. | If deploying Annex III system: fundamental rights impact assessment (Art. 27), maintain logs, report serious incidents to national authority, inform and support users. |
| AI Importer | Article 5 applies to systems you import into the EU market. | Must verify provider compliance before placing GPAI model on EU market. | Must verify provider compliance documentation before importing. Cannot import high-risk systems without CE marking after Dec 2, 2027. |
| AI Distributor | Cannot distribute prohibited systems after learning of non-compliance. | Same verification obligation as importer, proportionate to role. | Must inform provider/importer of discovered non-compliance. Cannot continue distribution without remediation. |
The AI literacy obligation — the most overlooked live requirement
Article 4 is in force since February 2, 2025. It requires providers and deployers to ensure their staff have sufficient AI literacy to operate, oversee, and interpret AI systems they work with. This is not a documentation checkbox — it is an ongoing training obligation. There is no specific curriculum mandated, but it must be appropriate to the person’s role and the AI system’s risk tier.
Most EU AI Act compliance checklists ignore Article 4 because it carries no specific penalty tier. That is a mistake: Article 4 compliance is one of the first things a market surveillance authority will assess when investigating any higher-level violation, because it establishes whether an organization had the organizational competence to understand the compliance obligations it failed to meet.
Harmonized standards: the missing infrastructure that forced the Omnibus
The core reason high-risk AI obligations needed postponing is that the technical standards organizations need to run conformity assessments do not yet exist.
CEN-CENELEC (the European standardization bodies) are developing harmonized standards for the AI Act across five working groups with over 1,000 European experts. The original delivery deadline was April 2025. That slipped to August 2025. Current projections put the first published standards at Q4 2026 — after the original August 2026 enforcement date.
This is not a minor procedural delay. Under the AI Act, conformity assessment for Annex III high-risk AI systems typically requires reference to harmonized standards to establish technical compliance. Without those standards, both providers trying to prepare documentation and conformity assessment bodies trying to certify systems are working against an incomplete framework. The AI Office acknowledged this in its own communications to the Commission as a driver of the Omnibus proposal.
The EU AI Act implementation timeline maintained by Future of Life Institute at artificialintelligenceact.eu tracks standardization deliverables alongside the legislative calendar and is the most consistently updated public reference for deadline changes.
Who should NOT treat the Omnibus delay as permission to pause
The 16-month delay on Annex III high-risk deadlines is not a pause button. Three categories of organization face real urgency regardless of the postponement:
1. Organizations using AI in employment decisions: Recruitment systems, performance evaluation tools, promotion/demotion AI, and worker monitoring applications all fall under Annex III. The compliance documentation these require — risk management systems, data governance frameworks, human oversight protocols — takes 12–18 months to build properly. Starting in late 2026 targeting a December 2, 2027 deadline leaves no margin for the audit, iteration, and conformity assessment process.
2. Law enforcement and public sector deployers: Article 5 biometric and social scoring prohibitions apply to public authorities now. The extension doesn’t move those obligations. Additionally, real-time remote biometric identification systems used in public spaces require Fundamental Rights Impact Assessments and EU database registration before each use — obligations with no postponement.
3. Organizations in Germany, France, Spain, and Ireland: These four member states have operational enforcement frameworks and active market surveillance authorities. The regulatory environment in these countries is not hypothetical. A company using AI for credit scoring or recruitment in Germany faces a Bundesnetzagentur that has the designation, legal mandate, and technical capacity to investigate and impose penalties today.
The compliance cost reality for different organization sizes
EU AI Act compliance is not uniformly expensive. The cost structure varies dramatically by organization size and the risk tier of the AI systems deployed.
Large enterprises (revenue above €150M): Compliance costs for full Annex III high-risk AI obligations range from $8–15 million in initial investment, with $2–5 million in ongoing annual costs for monitoring, auditing, and documentation maintenance. Third-party conformity assessment certification costs $50,000 or more per AI system. These figures come from the Responsible AI Labs compliance countdown analysis and the RAIL Score knowledge base.
Mid-size companies: Initial compliance investment typically runs $2–5 million with $500K–2M in ongoing annual costs.
SMEs: Initial costs range from $500K–2M. SME-specific protections in the AI Act apply the lower of the fixed penalty amount or the percentage-of-turnover figure. The Digital Omnibus amplifies SME relief by introducing the SMC category and reducing documentation overlap with GDPR.
The irony is that most organizations aren’t yet spending these amounts. According to Vision Compliance data cited by RAIL Score (April 2026): 78% of organizations have not taken meaningful compliance steps. Over 50% lack even a basic AI inventory — the most foundational prerequisite for any risk classification exercise.
The gap between what compliance costs and what organizations have invested is the principal risk factor for the August 2026 window, even with the high-risk deadline now moved to December 2027. Article 50 transparency obligations and GPAI enforcement activation still hit in 2026.
Where this leaves you: a decision framework by AI system type
The EU AI Act Phase 1 implementation update comes down to a single question for any organization: which track are you on?
If your AI system is in any of the 8 Article 5 banned categories: You were required to shut it down or restructure it before February 2, 2025. There is no compliant path to continue operating it. If you are still running it, you are in active violation with potential €35M penalties. The only question is whether a national authority has yet investigated you.
If you develop or operate a GPAI model (≥10²³ FLOPs): Obligations are live. Signing the Code of Practice is the fastest path to presumption of conformity. If you haven’t signed, you need an alternative documented compliance approach ready for AI Office inspection. Full enforcement powers activate August 2, 2026. The GPAI track has not been postponed.
If you build or deploy high-risk AI under Annex III: The December 2, 2027 deadline gives you breathing room — but only if the Omnibus is formally adopted before August 2, 2026 as expected. Use the extension to build documentation frameworks, complete risk classifications, and prepare for conformity assessments properly rather than rushing an audit in 2025. Companies that begin this process in mid-2026 will be well-positioned. Companies that begin it in late 2027 will not.
If your AI system is minimal-risk (roughly 85% of deployed AI systems): No mandatory obligations beyond the AI literacy requirement of Article 4. Voluntary codes of conduct are encouraged but not required. The compliance burden is managerial, not technical.
If you are a US or non-EU company: The EU AI Act has full extraterritorial reach under Article 2. If you place an AI system on the EU market or put one into service in the EU — regardless of where your company is established — all three compliance tracks apply to you. The 6 in 10 EU and UK tech startups that report delayed access to frontier AI models, and the nearly 60% of EU developers experiencing launch delays reported in the ACT | The App Association survey (February 2026), reflect the real operational friction the Act is already creating for non-EU companies serving EU markets.
FAQ: EU AI Act Phase 1 implementation
What is “Phase 1” of the EU AI Act?
Phase 1 refers to the first enforcement tier of the AI Act, which includes the Article 5 prohibited practices (enforceable since February 2025), the GPAI obligations (active since August 2025), and the Article 50 AI-generated content transparency obligations (targeting August 2026). It does not include the Annex III and Annex I high-risk AI obligations, which are now deferred to December 2027 and August 2028 respectively following the Digital Omnibus provisional agreement.
Has the EU AI Act been delayed?
Partially. The high-risk AI obligations (Annex III and Annex I) were postponed by the Digital Omnibus provisional agreement reached May 7, 2026 — 16 months for standalone high-risk systems, 12 months for product-embedded high-risk AI. The prohibited practices (Article 5), GPAI obligations (Articles 53–55), and AI-generated content transparency (Article 50) were not delayed.
What are the EU AI Act Phase 1 fines?
Violations of Article 5 prohibited practices: up to €35 million or 7% of worldwide annual turnover, whichever is higher. High-risk system non-compliance: up to €15 million or 3% of global turnover. Incorrect information provided to authorities: up to €7.5 million or 1% of turnover. SMEs and startups face the lower of the fixed amount or percentage. GPAI-specific fines are applied within the broader penalty structure based on the nature of the infringement.
What is the GPAI Code of Practice and is it mandatory?
The General-Purpose AI Code of Practice, published July 10, 2025 and endorsed by the European Commission in August 2025, is a voluntary compliance mechanism for GPAI model providers. Signing it grants “presumption of conformity” with Articles 53–55 and reduces administrative burden. It is not legally mandatory — providers can demonstrate compliance through alternative adequate means — but non-signatories face heavier scrutiny from the AI Office. As of June 2026, approximately 24 organizations have signed, including Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI, and OpenAI. Meta declined to sign.
Does the EU AI Act apply to my US company?
Yes, if you place an AI system on the EU market or put one into service in the EU. Article 2 applies the regulation to providers regardless of where they are established. The only exemptions are national security applications (Article 2(3)) and certain purely personal, non-professional uses.
What is the systemic risk threshold for GPAI?
The current compute threshold for “GPAI with Systemic Risk” is training computation equal to or exceeding 10²⁵ floating point operations (FLOPs). This tier carries additional obligations under the Safety and Security chapter of the GPAI Code of Practice, including adversarial testing, incident reporting to the AI Office, and cybersecurity frameworks. The Commission confirmed that OpenAI’s o3, Anthropic’s Claude 4 Opus, and Google’s Gemini 2.5 Pro are examples of models in scope.
Is emotion recognition AI banned under the EU AI Act?
Partially. Emotion recognition using biometric data (facial expressions, voice tone, physiological signals) is prohibited in workplace and educational settings under Article 5(1)(f). It is not banned in safety-critical transport applications (drowsiness detection) or medical diagnostic contexts. Each case requires assessment against the full set of cumulative conditions specified in the Commission’s February 2025 guidelines.
When must AI-generated content be labeled?
Article 50 transparency obligations, including requirements to mark AI-generated synthetic media, remain on the August 2026 schedule (unaffected by the Omnibus). Providers of AI systems already on the market get a 3-month grace period to implement labeling solutions, with compliance required by December 2, 2026.
Harper Ellis covers artificial intelligence regulation, model releases, and AI policy for BitsFromBytes. Related reading: EU AI Act Compliance Tools for SMEs, GPAI Models Ranked by Capability 2026, What Is the EU AI Act? A Plain-English Explainer, AI Regulation vs. Innovation: The Industry Response.
