What you need to know

  • The Act is live, not delayed. The EU AI Act entered into force on 1 August 2024, and the bulk of its obligations apply from 2 August 2026. That date is not moving.
  • Only high-risk slipped. The Digital Omnibus — a provisional political agreement reached on 7 May 2026 — pushes stand-alone high-risk Annex III systems to 2 December 2027 and product-embedded Annex I AI to 2 August 2028. That is roughly 16 extra months for high-risk Annex III work.
  • GPAI and bans are untouched. Prohibited practices have bitten since 2 February 2025; general-purpose AI (GPAI) model rules since 2 August 2025. The Omnibus does not change them. Articles 50 to 55 continue on schedule.
  • It reaches you in India and the UK. If your AI product is placed on or used in the EU market, you are in scope — having EU customers is enough.
  • The deferral is provisional. It takes legal effect only once published in the EU Official Journal, expected before 2 August 2026. Until then, plan as if high-risk still landed in August.
Watch out

The Digital Omnibus is a political agreement, not yet law. Its deferral of the high-risk deadlines becomes binding only on formal adoption and publication in the EU Official Journal — expected before 2 August 2026, but not guaranteed. Treat 2 December 2027 as a target you are working towards, not a holiday you can take. If you stop your conformity-assessment prep now and the Omnibus stalls, you will be exposed on the original timeline.

What is actually enforceable on 2 August 2026

Strip away the headlines about delay and three sets of obligations are plainly enforceable from 2 August 2026. None of them was touched by the Omnibus, and all three reach builders in Bengaluru, Mumbai, London and Manchester the moment their product touches an EU user.

Prohibited practices. These have been enforceable since 2 February 2025 and remain the hardest line in the Act. Social scoring, untargeted facial-recognition scraping, manipulative or exploitative systems, and certain biometric categorisation are simply banned. If any of these describe a feature you ship into the EU, there is no compliance plan — there is a redesign.

GPAI transparency and documentation. If you train, fine-tune materially, or place a general-purpose model on the EU market, the GPAI rules that began on 2 August 2025 apply. In practice that means maintaining up-to-date technical documentation, publishing a sufficiently detailed summary of training data, and putting a copyright policy in place that respects the EU text-and-data-mining opt-out. A team in Pune fine-tuning an open-weight base into a product sold to EU customers is squarely in this conversation.

Article 50 transparency duties. This is the one most product teams underestimate. From 2 August 2026 you must tell users when they are interacting with an AI system unless it is obvious, label AI-generated or manipulated audio, image, video and text in a machine-readable way, and disclose deepfakes and synthetic media. A UK SaaS firm running a customer-support chatbot, or an Indian startup generating marketing imagery, both need a labelling and disclosure layer in place by August — not a paper policy, a shipped feature.

Pro tip

Article 50 is the cheapest part of the Act to get right and the easiest to forget. Add an "you are chatting with an AI assistant" line to every conversational surface, and embed C2PA-style provenance metadata on anything you generate. Both are small engineering jobs that close your biggest near-term exposure. Do them this quarter, regardless of where your high-risk work stands.

The five risk tiers, with an example you will recognise

The Act sorts every system into a tier, and your obligations follow from the tier — so classification is the first job, not the last. Here is the ladder with a concrete example an Indian or UK builder would actually meet.

Tier What it means Recognisable example Your duty
Prohibited Banned outright since 2 Feb 2025 Social-scoring or untargeted face-scraping feature Do not build or ship it into the EU
High-risk (Annex III) Stand-alone systems in sensitive domains CV-screening or credit-scoring model used by an EU employer or lender Full conformity assessment — now due 2 Dec 2027
Limited-risk Transparency duties only (Article 50) Customer-support chatbot or AI image generator Disclose AI use; label generated content (2 Aug 2026)
Minimal-risk No specific AI Act obligations AI spam filter or in-game pathing Voluntary codes only
GPAI General-purpose models, separate regime An open-weight LLM you fine-tune and sell into the EU Documentation, training-data summary, copyright policy (live since 2 Aug 2025)

The two tiers that catch builders by surprise are limited-risk and GPAI. Most teams assume "we are not doing facial recognition, so we are fine". But a recruitment-tech startup in Hyderabad selling a shortlisting model to a German employer is in high-risk Annex III; a London studio shipping a generative-image tool is in limited-risk and owes Article 50 disclosures from August. The example domains the Omnibus explicitly covers under Annex III — recruitment, credit scoring, law enforcement, education and border control — are exactly the verticals a lot of Indian and UK product teams sell into.

The compliance checklist for IN and UK builders

This is the practical core. Work down it in order. The deferral changes your timeline for one row only — it does not let you skip the others.

Step What to do When
1. Classify Map each system you place on or use in the EU to a tier (prohibited / high-risk / limited / minimal / GPAI). Write it down. Now
2. GPAI documentation If you train or materially fine-tune a model: prepare technical documentation, a training-data summary, and a copyright policy. Already live (2 Aug 2025)
3. Transparency disclosures Add Article 50 notices: "you are interacting with AI", plus machine-readable labels on generated audio, image, video and text. By 2 Aug 2026
4. High-risk plan If high-risk: start your conformity-assessment plan, risk-management system, data governance and logging design now — even though the deadline moved. Start now, due 2 Dec 2027
5. EU contact If you have no EU establishment, appoint an authorised representative in the EU before you place the product on the market. Before EU launch
Watch out

The deferral is not a reason to ignore the Act. GPAI, prohibited and transparency duties bite now, and high-risk preparation is a multi-month exercise — conformity assessment, a risk-management system, data governance, technical documentation and post-market monitoring do not appear overnight. Sixteen extra months sounds generous until you cost the work. Teams that start their high-risk programme in mid-2026 will be comfortable by December 2027; teams that wait until 2027 will not.

Every article here is written by a Verified Builder. Want your name on the next one?

AI Tech Connect lists AI engineers, founders and researchers across India and the UK — and the people hiring browse it to find them. Adding your profile is free.

Become a Verified Builder →

Why the UK route looks nothing like this

UK-based builders should not assume the EU framework mirrors their domestic position — it does not. Britain rejected a single comprehensive AI act and instead extended the remits of existing regulators in a deliberately "pro-innovation" approach. A dedicated UK AI bill has not materialised and looks unlikely to land in 2026. That means a UK firm faces no general horizontal AI law at home, but the moment it sells into the EU it inherits the full weight of the AI Act anyway.

This divergence is widening, not narrowing, and it mirrors the transatlantic split we covered in our piece on the US executive order and EU divergence. For a UK team, the practical upshot is that "we are not regulated here" is a trap: your compliance posture is set by your largest market, and for most ambitious British AI startups that market includes the EU. The funding side of that story — UK teams raising and hiring hard through 2026 — is in our H1 VC round-up, and the appetite for an EU-native model option is exactly why Mistral Large 3 is being positioned as the EU choice.

For Indian builders the calculus is similar but the framing differs. India's own DPDP regime governs personal data, but it is not an AI-specific horizontal law in the EU mould. So an Indian product team selling into the EU is, in effect, complying with two regimes at once: DPDP at home and the AI Act abroad. The good news is that much of the documentation discipline overlaps — data governance, logging and a clear record of what your model was trained on serve both masters.

What to do this week

If you ship anything that an EU user might touch, three actions are worth taking before the August date regardless of your tier. First, run the classification exercise and write down, per product, which tier each system sits in — most teams discover at least one surface they had not thought about. Second, ship your Article 50 disclosures: the chatbot notice and the generated-content labels are small jobs that close your biggest immediate gap. Third, if you are anywhere near high-risk Annex III, open the conformity-assessment plan now and treat December 2027 as a working deadline, not a distant one.

The Digital Omnibus is real relief for high-risk teams — sixteen months is meaningful when the work is this heavy. But the relief is narrow, it is provisional until it hits the Official Journal, and it leaves the parts of the Act that touch most builders fully in force. The teams that come out of this well are the ones that read "delay" as "more runway to do it properly", not "permission to do nothing".

Primary references: the consolidated text and timeline at artificialintelligenceact.eu, and the European Commission's AI Act Service Desk at ai-act-service-desk.ec.europa.eu. Law-firm guidance on the Omnibus and its deferrals has been published by Gibson Dunn, DLA Piper and Osborne Clarke.