2026 AI监管风暴:欧盟AI法案倒计时91天 + Omnibus谈判破裂 | 合规指南
2026 AI Regulation Storm: EU AI Act 91-Day Countdown + Omnibus Collapse | Compliance Guide
> 📌 TL;DR
> 欧盟 AI 法案原定 2026 年 8 月 2 日全面生效,但 5 月 7 日欧盟已达成协议将高风险 AI 系统合规截止日推迟至 2027 年 12 月 2 日。透明度义务推迟至 2026 年 12 月。与此同时,美国白宫于 3 月发布了联邦 AI 政策框架,试图以「联邦优先」取代各州各自为政的监管碎片。纽约州的 RAISE 法案则为前沿模型开发者设置了新的安全门槛。无论你是 AI 开发者还是使用 AI 工具的企业,这场监管风暴都与你直接相关。
一、截止日已延期(原倒计时 90 天):欧盟 AI 法案到底要求什么?
2024 年 8 月 1 日,欧盟《人工智能法案》(EU AI Act,Regulation 2024/1689)正式生效。两年过渡期后,原定 2026 年 8 月 2 日 为高风险 AI 系统完整合规义务的执法起点。但经 2026 年 5 月 7 日的 Digital Omnibus 协议,高风险义务已正式推迟至 2027 年 12 月 2 日(详见下文「延期已确认」一节);部分透明度义务仍自 2026 年 8 月 2 日起适用,AI 生成内容的水印义务则推迟至 2026 年 12 月 2 日。
这不只是一部针对 AI 开发者的法律。它更像是一套覆盖整个 AI 生态的「行业许可证」制度:只要你的 AI 系统在欧盟市场运行,或者输出被欧盟用户使用,你就在监管范围内——无论你的公司总部在硅谷、深圳还是东京。
四级风险分类体系
欧盟 AI 法案采用「风险分级」的监管思路,将所有 AI 系统分为四档:
| 风险等级 | 典型案例 | 监管要求 | 生效时间 |
|---------|---------|---------|---------|
| 🚫 不可接受风险 | 社会信用评分、操纵性 AI、无差别生物识别监控 | 完全禁止 | 2025 年 2 月已生效 |
| ⚠️ 高风险 | AI 招聘筛选、信用评估、医疗诊断辅助、关键基础设施 | 全套合规义务(风险管理、技术文档、人工监督、合格评估) | ~~2026 年 8 月 2 日~~ 2027 年 12 月 2 日(经 5/7 Omnibus 延期) |
| 📋 有限风险 | 聊天机器人、情绪识别、深度伪造内容 | 透明度义务(必须告知用户正在与 AI 交互) | 2026 年 8 月 2 日(AI 生成内容水印推迟至 2026 年 12 月 2 日) |
| ✅ 最低风险 | 垃圾邮件过滤、推荐算法 | 基本无强制要求,但需要 AI 素养培训 | 2025 年 2 月已生效 |
8 月 2 日当天「激活」的核心义务
1. 高风险 AI 系统——全套合规框架
涉及生物识别、关键基础设施、教育、就业、执法、移民、司法和民主进程的 AI 系统,必须在 8 月 2 日前完成:
- 质量管理体系和风险管理框架
- 完整的技术文档和合格评估
- 欧盟数据库注册
- 人工监督机制(human-in-the-loop / human-on-the-loop / human-in-command,三选一)
2. 透明度义务全面执法
第 50 条要求:AI 聊天机器人必须披露其人工性质,情绪识别系统须通知用户,深度伪造内容必须携带机器可读水印。
3. AI 素养要求
第 4 条规定,所有在范围内的企业必须确保员工具备「足够的 AI 素养」。这不是建议——是强制要求。实操上,你需要一份 AI 素养政策和培训记录。
罚款:GDPR 级别的「天价账单」
| 违规类型 | 最高罚款 | 全球营收占比 |
|---------|---------|------------|
| 使用被禁止的 AI | 3500 万欧元 | 7% |
| 高风险系统不合规 | 1500 万欧元 | 3% |
| 提供虚假信息 | 750 万欧元 | 1.5% |
罚款按全球营收计算,不只是欧盟业务收入。一家年营收 10 亿美元的美国公司,如果在欧盟部署了被禁止的 AI 实践,最高可面临 7000 万美元罚款。
⚠️ 重大更新:延期已确认!
2026 年 5 月 7 日,欧盟理事会和欧洲议会就 Digital Omnibus on AI 达成政治协议,正式将高风险 AI 系统(Annex III)的合规截止日从 2026 年 8 月 2 日推迟到 2027 年 12 月 2 日。透明度义务(如深度伪造水印)的延期较短,推迟至 2026 年 12 月 2 日。国家 AI 监管沙盒的建立期限推迟到 2027 年 8 月 2 日。
此前 4 月 28 日的三方会谈在 11 小时辩论后破裂,主要分歧在于受现有安全法规管辖的嵌入式 AI 是否应豁免。5 月 7 日的协议解决了这一僵局——受机械法规管辖的嵌入式 AI 将被移出 AI 法案的直接适用范围。
但请注意:这只是政治协议,尚需理事会和议会正式批准,随后进入法律/语言审核流程。不过通常政治协议通过后,正式批准只是程序性步骤。
建议:虽然截止日延后,但合规准备不应停下。 在延期窗口内完成的合规工作不会白费——义务迟早会到来,提前准备意味着到时候不慌不忙。
---
二、大西洋对岸:美国选择了完全不同的路
与欧盟的「严格监管」路线形成鲜明对比,美国正在走一条「联邦优先 + 促创新」的道路。
白宫联邦 AI 政策框架(2026 年 3 月 20 日发布)
这是一份四页的政策建议文件,虽然不具法律约束力,但它定义了美国 AI 立法的方向。核心信号非常明确:联邦政府要统一 AI 监管,防止各州各自为政。
七大优先方向:
1. 儿童安全 — 要求 AI 服务的隐私保护和年龄验证
2. 社区保障 — AI 基础设施不得增加居民能源成本;打击 AI 诈骗
3. 知识产权 — 认为 AI 训练使用版权材料不违法,但建议探索许可框架
4. 言论自由 — 禁止联邦政府强迫 AI 提供商基于政治立场审查内容
5. 促进创新 — 建立监管沙盒;反对设立新的 AI 监管机构
6. 劳动力发展 — 投资 AI 教育和技能培训
7. 联邦优先 — 取消州级 AI 法律中「施加不当负担」的条款
最具争议的是第 7 点:白宫主张联邦法律应优先于州级 AI 法律。这意味着科罗拉多州 AI 法案(要求高风险 AI 的影响评估)和加州消费者隐私法的 AI 条款,都可能被联邦立法覆盖。
支持者认为这避免了「五十个州五十套规则」的合规噩梦;反对者担心联邦标准会成为最低公约数,削弱对消费者的保护。
纽约 RAISE 法案:州级监管的「先锋」
就在白宫推联邦优先的同时,纽约州已经在前沿模型层面走在前面。
RAISE 法案(Responsible AI Safety and Education Act)于 2025 年 12 月签署,2026 年 3 月 27 日通过修正案,2027 年 1 月 1 日正式生效。关键要求:
- 适用对象:训练超过 10²⁶ FLOPs 算力的「前沿模型」开发者
- 大型开发者(年收入 ≥ 5 亿美元)需发布安全协议、72 小时内报告安全事件
- 灾难性风险定义:可能导致 50 人以上死亡/严重伤害,或 10 亿美元以上损失的风险
- 违规罚款:首次最高 100 万美元,再犯最高 300 万美元
对比加州的 TFAIA(15 天报告期限),纽约的 72 小时窗口更为紧迫,信号明确:美国各州不会等联邦立法落地。
---
三、全球「拼图」:一张不完整的地图
【2026 年 4 月】全球 AI 监管态势:
| 地区/国家 | 监管状态 | 关键法律/框架 | 风格 |
|----------|---------|-------------|------|
| 🇪🇺 欧盟 | 全面执法倒计时 | AI Act(2024/1689) | 严格、风险分级、域外适用 |
| 🇺🇸 联邦 | 框架阶段 | 白宫 AI 政策框架(2026.3) | 促创新、联邦优先 |
| 🇺🇸 纽约 | 已立法 | RAISE Act(2027.1 生效) | 前沿模型安全 |
| 🇺🇸 科罗拉多 | 已立法但延期 | Colorado AI Act(2026.6 生效) | 高风险影响评估 |
| 🇨🇳 中国 | 多部专项法规 | 生成式 AI 管理办法、深度合成规定等 | 分领域监管 |
| 🇨🇦 加拿大 | 行业协商 | 加拿大央行 AI 金融安全评估 | 风险导向 |
一个明显的趋势:没有任何国家选择「完全不管」。 分歧只在于管多严、怎么管、谁来管。
---
四、实操指南:你现在应该做什么?
不管你是 AI 开发者还是使用 AI 工具的企业,以下是一份「按优先级排序」的行动清单:
第一步:盘点你的 AI 资产(本周就做)
列出公司内所有使用 AI 的系统——不只是自建的模型,还包括第三方 SaaS 中嵌入的 AI 功能。很多企业不知道自己的 ATS(招聘系统)、CRM 或客服工具里已经有 AI 在做决策。
根据 PwC 的调查【2026 年 4 月】,只有 24% 在 HR 流程中使用 AI 的企业已开始正式的合规准备——这意味着 76% 还在裸奔。
第二步:风险分类
对每个 AI 系统进行四级分类:禁止、高风险、有限风险、最低风险。重点关注 Annex III 列出的八大领域——如果你的 AI 涉及招聘、信用、教育或关键基础设施,大概率是高风险。
第三步:建立治理架构
成立跨部门的 AI 治理委员会(法务 + 技术 + 合规 + 产品)。欧盟 AI 法案将 AI 治理提升到了董事会层面——董事如果「故意忽视重大监管风险」,可能面临个人责任。
第四步:准备技术文档
高风险系统需要完整的技术文档,包括设计决策、数据溯源、测试方法论。如果你一直在用敏捷开发、文档极简的模式,现在补文档会非常痛苦——但必须做。
第五步:实施人工监督
为高风险 AI 决策建立人工监督机制。Article 14 要求三种模式之一:人在回路中(每个决策需人批准)、人在循环上(人可干预)、人在指挥中(人可覆盖/关闭系统)。
第六步:如果你已有 GDPR 合规体系——整合它
AI 法案的风险管理体系和 GDPR 的数据保护影响评估有大量重叠。聪明的做法是整合到一个工作流中,避免重复劳动。
---
五、一些直觉判断
1. 欧盟 AI 法案会成为「全球标准」吗?
大概率会,就像 GDPR 一样。当欧盟设立了最严标准,跨国企业为了避免维护多套合规体系,往往会选择按最高标准来做。这就是所谓的「布鲁塞尔效应」。
2. 美国联邦法案什么时候落地?
短期内不太可能。白宫的框架只是建议,国会要把它变成法律还要经历漫长的立法过程。加上今年是中期选举年,两党在联邦优先权问题上分歧严重。更务实的判断:2027 年前看不到联邦 AI 法。
3. 中小企业怎么办?
好消息是,欧盟 AI 法案对中小企业有比例性保障——罚款金额和合规要求会考虑企业规模。但这不意味着可以忽略。AI 素养培训(Article 4)是对所有范围内企业的硬性要求,无论大小。
4. 最容易踩的坑是什么?
误分类。很多企业没有意识到自己的 AI 系统属于「高风险」,因为他们认为「我们只是用了一个第三方 API」。但如果那个 API 在你的业务中做的是高风险决策(比如筛选简历),你作为部署者也有合规义务。
> ✨ 核心观点
> 2026 年是 AI 从「自由生长」走向「持证上岗」的转折年。欧盟 8 月执法、美国联邦框架出台、各州纷纷立法——监管不是要不要来的问题,而是你准不准备好的问题。现在开始盘点、分类、建制度,比 8 月 1 日晚上通宵补材料要强一万倍。
---
> ⚠️ 2026-05-01 更新:Omnibus 三方谈判破裂,8 月 2 日合规期限悬而未决
> 4 月 28 日,欧洲议会、欧盟理事会和欧委会就「Digital Omnibus」修正案进行了长达 12 小时的第二轮政治三方谈判(trilogue),最终未能达成协议。核心分歧在于嵌入产品中的高风险 AI 系统(如医疗设备、玩具)的分类标准。下一轮谈判定于 5 月 13 日。如果 5-6 月内仍无法达成协议,原定 8 月 2 日的高风险 AI 合规期限将照常生效——届时许多依赖延期预期的企业将措手不及。建议:按 8 月 2 日原定期限做好合规准备,不要赌延期。
最后更新:2026-05-01
> ⚠️ 2026-05-06 更新:下一轮 Omnibus 三方谈判定于 5 月 13 日
> 4 月 28 日谈判破裂后,各方已确认 5 月 13 日举行新一轮 trilogue。若在 8 月 2 日前仍无法达成协议并完成立法程序,原定的高风险 AI 系统合规期限将按现行法律如期生效。企业应以 8 月 2 日为基准做合规准备,而非押注延期。
最后更新:2026-05-06
---
最后更新:2026-05-15 — 新增 5 月 7 日 Digital Omnibus 协议确认延期的重大更新
> 🔄 2026-05-25 更新
>
> Omnibus 协议细节补充:5 月 7 日的 Digital Omnibus 协议采用两级延期结构:
> - Annex III(独立高风险 AI 系统:招聘、信用评估、生物识别等):从 2026 年 8 月 2 日推迟至 2027 年 12 月 2 日(延期 16 个月)
> - Annex I(嵌入产品的高风险 AI:医疗器械、机械、玩具等):从 2027 年 8 月 2 日推迟至 2028 年 8 月 2 日(延期 12 个月)
>
> 新增禁止性 AI 实践:协议新增禁止用 AI 生成儿童性虐待材料(CSAM)或未经同意描绘可识别人物隐私部位的内容,预计 2026 年 12 月 2 日起适用。
>
> CIT 驳回政府中止动议(5 月 20 日):Section 122 案中,CIT 驳回了政府单独的中止执行动议,认为政府未能证明不可弥补的损害、胜诉可能性或公共利益。但 CAFC 的行政中止令仍然有效,10% 关税继续征收中。
>
> 最后更新:2026-05-25
---
> 🔄 最后更新:2026-05-31 — 时效性巡检
> 经多源核实,2026 年 5 月 7 日的 Digital Omnibus 协议已确认生效,当前权威时间表如下:
> - 高风险 AI(Annex III,独立系统):合规义务推迟至 2027 年 12 月 2 日
> - 嵌入式高风险 AI(Annex I,如医疗器械、机械、玩具):推迟至 2028 年 8 月 2 日
> - AI 生成内容水印(透明度):推迟至 2026 年 12 月 2 日
> - 其余透明度义务:仍自 2026 年 8 月 2 日 起适用;禁止性 AI 实践自 2025 年 2 月起已生效,维持不变
>
> 注:本文上方「2026-05-01」「2026-05-06」两条「按 8 月 2 日准备、勿赌延期」的提示,已被 5 月 7 日的协议取代,请以本节为准。
> 📌 TL;DR
> The EU AI Act was originally set for full enforcement on August 2, 2026, but on May 7 the EU agreed to delay the high-risk AI systems deadline to December 2, 2027. Transparency obligations are delayed to December 2026. Meanwhile, the US White House released a federal AI policy framework in March pushing for federal preemption of state laws, and New York's RAISE Act sets new safety requirements for frontier model developers. Whether you build AI or simply use AI tools in your business, this regulatory storm directly concerns you.
I. Deadline Delayed (Originally 97 Days): What Does the EU AI Act Actually Require?
On August 1, 2024, the EU AI Act (Regulation 2024/1689) entered into force. After a two-year transition period, August 2, 2026 was originally the enforcement milestone for full high-risk AI compliance. However, under the Digital Omnibus agreement of May 7, 2026, high-risk obligations have been formally postponed to December 2, 2027 (see "Delay Confirmed" below); some transparency obligations still apply from August 2, 2026, while watermarking of AI-generated content is pushed to December 2, 2026.
This isn't just a law targeting AI developers. Think of it as a comprehensive "operating license" system for the entire AI ecosystem: if your AI system operates in the EU market, or its output is used by EU residents, you're in scope — regardless of whether your headquarters is in Silicon Valley, Shenzhen, or Tokyo.
The Four-Tier Risk Classification
The EU AI Act takes a risk-based approach, classifying all AI systems into four tiers:
| Risk Level | Examples | Requirements | Effective Date |
|-----------|---------|-------------|----------------|
| 🚫 Unacceptable | Social scoring, manipulative AI, untargeted biometric surveillance | Completely banned | Feb 2025 (already active) |
| ⚠️ High Risk | AI hiring tools, credit scoring, medical diagnostics, critical infrastructure | Full compliance (risk management, documentation, human oversight, conformity assessment) | ~~Aug 2, 2026~~ Dec 2, 2027 (delayed by the May 7 Omnibus) |
| 📋 Limited Risk | Chatbots, emotion recognition, deepfakes | Transparency obligations (must disclose AI interaction) | Aug 2, 2026 (watermarking of AI-generated content delayed to Dec 2, 2026) |
| ✅ Minimal Risk | Spam filters, recommendation engines | Largely unregulated, but AI literacy training required | Feb 2025 (already active) |
What "Activates" on August 2
1. High-Risk AI Systems — Full Compliance Framework
AI systems in biometrics, critical infrastructure, education, employment, law enforcement, migration, justice, and democratic processes must have completed:
- Quality management systems and risk management frameworks
- Comprehensive technical documentation and conformity assessments
- EU database registration
- Human oversight mechanisms (human-in-the-loop, human-on-the-loop, or human-in-command)
2. Transparency Obligations Go Live
Article 50 requirements become enforceable: AI chatbots must disclose their artificial nature, emotion recognition systems must notify users, and deepfake content must carry machine-readable watermarks.
3. AI Literacy Requirements
Article 4 mandates that all in-scope businesses ensure their staff have "adequate AI literacy." In practice, this means you need an AI literacy policy and training documentation.
Penalties: GDPR-Scale "Mega Fines"
| Violation Type | Maximum Fine | % of Global Turnover |
|---------------|-------------|---------------------|
| Prohibited AI practices | EUR 35 million | 7% |
| High-risk non-compliance | EUR 15 million | 3% |
| False/misleading information | EUR 7.5 million | 1.5% |
Fines are calculated on global revenue, not just EU operations. A US company with $1 billion in worldwide revenue deploying a banned AI practice in the EU could face up to $70 million in penalties.
Possible Delay? Don't Bank on It
The European Commission proposed a "Digital Omnibus" package in late 2025 that could push high-risk obligations for Annex III systems to December 2027. As of May 2026, the second political trilogue on April 28 failed to reach agreement after 11 hours of deliberation (the main sticking point being whether AI embedded in products already governed by existing EU safety legislation should be exempt). The next trilogue is scheduled for May 13.
But here's the thing: this is a proposal, not a done deal. If you build your compliance plan on the assumption of a delay, you're gambling. The prudent approach is to prepare for August 2.
---
II. Across the Atlantic: America Chose a Radically Different Path
In stark contrast to the EU's "regulate first" approach, the US is pursuing an "innovation first, federal preemption" strategy.
The White House Federal AI Policy Framework (Released March 20, 2026)
This four-page policy recommendation document, while not legally binding, defines the direction of US AI legislation. The core message is unmistakable: the federal government wants to unify AI regulation and prevent a patchwork of state laws.
Seven priority areas:
1. Child Safety — Privacy protections and age verification for AI services
2. Community Protection — AI infrastructure must not increase residents' energy costs; combat AI-enabled fraud
3. Intellectual Property — Asserts AI training on copyrighted material doesn't violate copyright, but suggests exploring licensing frameworks
4. Free Speech — Prohibits the federal government from coercing AI providers to censor based on political agendas
5. Enabling Innovation — Regulatory sandboxes; explicitly recommends against creating a new AI regulatory body
6. Workforce Development — Investment in AI education and skills training
7. Federal Preemption — Preempt state AI laws that impose "undue burdens"
Point 7 is the most controversial: the White House argues that federal law should override state-level AI laws. This means Colorado's AI Act (requiring impact assessments for high-risk AI) and California's CCPA AI provisions could be superseded by federal legislation.
Supporters say this prevents the nightmare of "50 states, 50 rule sets"; critics fear a federal standard will become the lowest common denominator, weakening consumer protections.
New York's RAISE Act: The State-Level Vanguard
Even as Washington pushes federal preemption, New York is already moving ahead on frontier model regulation.
The RAISE Act (Responsible AI Safety and Education Act), signed in December 2025 and amended March 27, 2026, takes effect January 1, 2027. Key requirements:
- Scope: Developers training models exceeding 10²⁶ FLOPs
- Large developers (revenue ≥ $500M) must publish safety protocols and report safety incidents within 72 hours
- Catastrophic risk defined as: foreseeable risk contributing to 50+ deaths/serious injuries or $1B+ in damages
- Penalties: Up to $1M first violation, $3M for subsequent violations
Compared to California's TFAIA (15-day reporting window), New York's 72-hour requirement is significantly more aggressive, sending a clear signal: states won't wait for federal legislation.
---
III. The Global Puzzle: An Incomplete Map
AI Regulatory Landscape as of April 2026:
| Region | Status | Key Legislation | Approach |
|--------|--------|----------------|----------|
| 🇪🇺 EU | Enforcement countdown | AI Act (2024/1689) | Strict, risk-based, extraterritorial |
| 🇺🇸 Federal | Framework stage | White House AI Policy Framework (Mar 2026) | Pro-innovation, federal preemption |
| 🇺🇸 New York | Enacted | RAISE Act (eff. Jan 2027) | Frontier model safety |
| 🇺🇸 Colorado | Enacted, delayed | Colorado AI Act (eff. Jun 2026) | High-risk impact assessments |
| 🇨🇳 China | Multiple sector-specific regulations | Generative AI Measures, Deep Synthesis Rules, etc. | Sector-by-sector |
| 🇨🇦 Canada | Industry consultation | Bank of Canada AI financial security assessment | Risk-oriented |
One clear trend: no major economy is choosing to not regulate AI at all. The debates are about how strict, which approach, and who enforces.
---
IV. Practical Playbook: What You Should Do Right Now
Whether you develop AI or simply use AI tools in your business, here's a priority-ordered action checklist:
Step 1: Inventory Your AI Assets (Do This Week)
List every AI system in your organization — not just models you've built, but also AI features embedded in third-party SaaS tools. Many businesses don't realize their ATS, CRM, or customer service platforms already have AI making decisions.
According to PwC's survey [April 2026], only 24% of enterprises using AI in HR processes have begun formal EU AI Act compliance preparation — that's 76% still unprotected.
Step 2: Risk Classification
Classify each AI system into the four-tier framework: prohibited, high-risk, limited risk, minimal risk. Pay special attention to Annex III's eight domains — if your AI involves hiring, credit, education, or critical infrastructure, it's likely high-risk.
Step 3: Build Governance Structures
Establish a cross-functional AI Governance Committee (legal + engineering + compliance + product). The EU AI Act elevates AI governance to board-level responsibility — directors who "consciously disregard significant regulatory risks" may face personal liability.
Step 4: Prepare Technical Documentation
High-risk systems require comprehensive technical documentation: design decisions, data lineage, testing methodologies. If you've been running agile with minimal documentation, backfilling will be painful — but it's mandatory.
Step 5: Implement Human Oversight
Establish human oversight mechanisms for high-risk AI decisions. Article 14 requires one of three modes: human-in-the-loop (human approves each decision), human-on-the-loop (human can intervene), or human-in-command (human can override/disable).
Step 6: If You Have a GDPR Framework — Integrate It
The AI Act's risk management system significantly overlaps with GDPR's data protection impact assessments. The smart approach is to integrate both into a single workflow to avoid duplication.
---
V. Honest Takes
1. Will the EU AI Act become the "global standard"?
Most likely, just as GDPR did. When the EU sets the strictest standard, multinational companies — to avoid maintaining multiple compliance regimes — tend to adopt the highest bar globally. This is the "Brussels Effect" in action.
2. When will a US federal AI law actually land?
Not soon. The White House framework is merely a recommendation; turning it into law requires a lengthy legislative process. With midterm elections this year and deep partisan divides on federal preemption, a realistic assessment: no federal AI law before 2027.
3. What about SMEs?
Good news: the EU AI Act includes proportionality safeguards for SMEs — penalty amounts and compliance expectations consider company size. But this doesn't mean you can ignore it. AI literacy training (Article 4) is mandatory for all in-scope businesses, regardless of size.
4. What's the most common trap?
Misclassification. Many businesses don't realize their AI systems qualify as "high-risk" because they think "we're just using a third-party API." But if that API makes high-risk decisions in your business context (like screening resumes), you as the deployer also have compliance obligations.
> ✨ Bottom Line
> 2026 is the year AI moves from "free growth" to "licensed operation." EU enforcement in August, a US federal framework emerging, states racing ahead with their own laws — the question isn't whether regulation is coming, but whether you're ready. Starting your inventory, classification, and governance framework now beats pulling an all-nighter on August 1st by a factor of ten thousand.
---
> ⚠️ Updated 2026-04-28: Digital Omnibus May Delay High-Risk System Enforcement
> The European Parliament and Council are negotiating an "AI Omnibus" amendment that could postpone core obligations for high-risk AI systems to December 2027 or even August 2028. The move aims to give companies and regulators more preparation time, but critics argue it risks weakening the law's impact. For the delay to take effect before the original August 2, 2026 deadline, a political agreement must be reached by June 2026. Stay tuned for negotiation updates.
Last updated: 2026-04-28
> ⚠️ 2026-05-01 Update: Omnibus Trilogue Collapses — August 2 Deadline Hangs in the Balance
> On April 28, the trilogue on the Digital Omnibus failed to reach agreement after 12 hours. Next trilogue: May 13. If no deal by June, the August 2, 2026 deadline stands.
Last updated: 2026-05-01
> ⚠️ 2026-05-06 Update: Next Omnibus Trilogue Scheduled for May 13
> Following the April 28 breakdown, a new trilogue session has been confirmed for May 13. If no agreement is reached and formally adopted before August 2, the original high-risk AI system compliance deadline will take effect as written in current law. Organizations should plan for August 2 compliance, not bet on a delay.
Last updated: 2026-05-06
---
Last updated: 2026-05-15 — Added major update on the May 7 Digital Omnibus agreement confirming deadline delay
> 🔄 2026-05-25 Update
>
> Omnibus agreement details: The May 7 Digital Omnibus agreement uses a two-tiered deferral structure:
> - Annex III (standalone high-risk AI: employment, credit, biometrics, etc.): Deferred from August 2, 2026 to December 2, 2027 (16-month delay)
> - Annex I (product-embedded high-risk AI: medical devices, machinery, toys, etc.): Deferred from August 2, 2027 to August 2, 2028 (12-month delay)
>
> New prohibited AI practice: The agreement adds a ban on AI systems that generate child sexual abuse material (CSAM) or depict intimate parts of identifiable persons without consent. Expected to apply from December 2, 2026.
>
> CIT denied government's stay motion (May 20): In the Section 122 case, the CIT denied the government's separate motion to stay enforcement, finding the government failed to demonstrate irreparable harm, likelihood of success on the merits, or public interest. However, the CAFC's administrative stay remains in effect, and the 10% tariff continues to be collected.
>
> Last updated: 2026-05-25
---
> 🔄 Last updated: 2026-05-31 — Freshness Check
> Verified across multiple sources: the Digital Omnibus agreement of May 7, 2026 is confirmed. The current authoritative timeline:
> - High-risk AI (Annex III, standalone systems): compliance deferred to December 2, 2027
> - Product-embedded high-risk AI (Annex I, e.g. medical devices, machinery, toys): deferred to August 2, 2028
> - Watermarking of AI-generated content (transparency): deferred to December 2, 2026
> - Other transparency obligations: still apply from August 2, 2026; prohibited AI practices have been in force since February 2025 and are unchanged
>
> Note: the earlier "2026-05-01" and "2026-05-06" notes above (advising sellers to prepare for an Aug 2 deadline and not bet on a delay) have been superseded by the May 7 agreement — rely on this section.