Good News, Bad News: What the EU AI Act Delay Actually Delayed
There's a comforting story doing the rounds in in-house legal circles at the moment. It goes something like: "The EU AI Act got delayed, we can all exhale." I've had three founders say a version of this to me in the last fortnight, each sporting the wonderfully relaxed posture of someone who has successfully rescheduled a root canal.
They're half right. Which, in regulation, is the most dangerous amount of right there is.
The 60 second version, for anyone reading this between meetings:
The EU's Digital Omnibus on AI is now law, not a proposal. It genuinely did push the heavy "high risk AI system" obligations back to December 2027 and August 2028. That part of the panic can stand down. But the transparency rules under Article 50, the ones that apply the moment your business uses a chatbot, generates marketing content with AI, or produces synthetic audio or video, are untouched. They land on 2 August 2026. That's a matter of weeks, not years.
If you only read one more paragraph, make it this: the deadline didn't move for most businesses. It moved for a narrower category of business than the headlines implied.
None of that required a general counsel to work out. It required someone asking four simple questions.
What actually got delayed
To give credit where it's due, the relief is real. The standalone high-risk systems under Annex III, think recruitment tools, credit scoring, education access, get until 2 December 2027. Systems embedded in already-regulated products (medical devices, machinery, toys) get until 2 August 2028. If your AI use case falls into one of those categories, you have genuinely been handed 16 to 24 months of breathing room, and I'd encourage you to use it properly rather than filing it under "future me's problem."
What didn't get delayed, and this is the part getting lost in the collective sigh of relief, is Article 50. That's the transparency layer. It covers four things: telling people they're talking to a bot, labelling AI-generated deepfakes, disclosing emotion recognition and biometric tools, and marking synthetic content so machines can detect it. None of that moved. All of it is enforceable from 2 August 2026, with the EU AI Office's fining powers switching on the same day.
The cliff edge nobody's talking about
Here's the genuinely useful, slightly annoying detail. The watermarking rule (machine-readable marking of AI-generated content) got a partial reprieve, but only for tools already on the market.
If you're planning to launch a new AI-powered content tool this summer, quietly pushing the release to late August doesn't buy you anything. It does the opposite. Launch before 2 August and you inherit someone else's grace period. Launch after and you're compliant from the first day or you're not compliant at all.
The four things with zero grace period, full stop
Unlike watermarking, these have never had a delay attached to them, Omnibus or otherwise. From 2 August 2026:
Bot disclosure. If a customer is talking to an AI system and it isn't obvious from context, you tell them.
Deepfake labelling. Publish AI-generated or altered images, audio, or video that could pass as real, and you must clearly say so.
Biometric and emotion recognition disclosure. Using tools that categorise people or detect emotion means telling the people it's used on.
AI-generated text on matters of public interest. If you publish AI-assisted text informing the public on something in the public interest, health, consumer protection, economic or political developments, that sort of territory, you must disclose it's AI-generated, unless it's had genuine human review and someone holds editorial responsibility for it. A quick skim before hitting publish doesn't count. Both conditions have to be met, not one or the other.
If your business runs a customer-facing chatbot, produces AI-assisted marketing content, or publishes commentary and thought leadership (worth pausing on, given what you're reading right now is exactly that kind of content, human-reviewed and mine, which is precisely the carve-out that keeps it on the right side of this), this list is not theoretical.
Your contracts are still exposed, regardless of the delay
Standard "comply with applicable law" boilerplate in your MSAs and vendor agreements was written before any of this existed. It doesn't allocate the risk, it just gestures vaguely in its direction. Five things worth checking before you renew anything this quarter:
None of this is dramatic drafting. It's five clauses that didn't need to exist 18 months ago and now do.
The fine print on fines
You'll see "€35 million or 7% of global turnover" quoted as if it's a single, universal number. It isn't, and getting this wrong in a board paper is the kind of thing that gets noticed.
Article 50 breaches (the transparency rules above): up to €15 million or 3% of global turnover. Live from 2 August 2026.
Article 5 prohibited practices: up to €35 million or 7%. This is also where a new prohibition now sits, AI systems that generate non-consensual intimate imagery or CSAM, enforceable from 2 December 2026. If you build or host any kind of image or video generation tool, that date deserves a place on your compliance calendar too.
Three things to actually do this month
Map your AI tools by launch date. Before 2 August or after. That single distinction now determines your watermarking deadline.
Look at the Code of Practice. The European Commission published the final version on 10 June 2026. It's voluntary, but signing up is the closest thing to a safe harbour currently on offer. Two details worth knowing if you're briefing a developer or agency: free-form text under 200 tokens is exempt from watermarking, anything longer needs it, and audio, image and video marking generally needs at least two layers (metadata plus a technical watermark), one alone won't satisfy the Code. The Commission's separate implementation Guidelines are still in draft, so the Code is your most solid reference point right now.
Don't renew anything without the five clauses above. Not the whole MSA rewritten from scratch, just those five gaps closed.
Don't let a pre-Omnibus contract template be the reason your business is exposed on 2 August. If you'd like your active vendor and agency agreements reviewed against the current framework before your next renewal, get in touch, ideally before you sign anything.
Frequently asked, so let’s answer them properly
-
Yes, if your AI system reaches the EU market or its outputs (marketing content, chat responses, code) are used by EU-based customers, the extraterritorial reach catches you.
-
August 2026 is transparency: disclosure, labelling, watermarking. December 2027 is high risk systems: formal conformity assessments and technical documentation for tools like recruitment and credit scoring software. Different obligations, different businesses, often confused as the same deadline.
-
If you provide the generative tool, yes, the output needs machine-readable marking. If you're simply using someone else's tool to write blog posts or generate images, your obligation is to label anything that could pass as authentic, not to build the watermarking technology yourself.
-
Yes. If their contract doesn't address Article 50 compliance and their tool can't produce compliant output, the regulatory risk sits with you as the deployer, not with them.
-
Only if it's published to inform the public on a matter of public interest and hasn't had genuine human review with someone taking editorial responsibility for it. Most commercial marketing content won't meet that "public interest" bar, but commentary on regulation, policy, health, or similar topics might. If in doubt, make sure a named human has actually reviewed and stands behind the piece, and keep a record that they did.
Rory O'Keeffe is a solicitor regulated by the Solicitors Regulation Authority and founder of RMOK Legal, a fractional general counsel practice for tech and AI-driven businesses. He is an SCL-accredited Leading IT Lawyer, a member of the SCL AI Committee, and a contributor to the bestselling AI Advantage (2025).
This article is general commentary for businesses navigating the EU AI Act and does not constitute legal advice on your specific circumstances.
Get in touch for advice tailored to your business.

