Home Ghost Watch July 10, 2026

Who the EU AI Act Actually Applies To, and When Each Deadline Hits

The EU AI Act is not one deadline. It is a staircase of them, and in June the EU moved several of the steps. If you build, deploy, or even just buy AI that touches someone in the EU, some part of this already applies to you, wherever your company sits. Here is the plain-English version: who is covered, what the four risk tiers mean, and the dates that matter now that the AI Omnibus is adopted.

The 30-second check

Does the EU AI Act apply to you?

Three questions, one likely tier. Orientation only; the full answer lives on whichrule.ai.

1. Your role with the AI system
2. Does its output reach people in the EU?
3. What does the system do?

Answer all three questions to see where you likely land.

Timeline

EU AI Act: key deadlines

The AI Omnibus was adopted by the Council on 29 June 2026, following Parliament’s approval on 16 June. The revised deadlines take legal effect three days after publication in the EU Official Journal, which was pending as of early July 2026. This is the AI Omnibus (the AI Act amendments) and is distinct from the wider Digital Omnibus package (GDPR, NIS2, Data Act), which remains in progress.

  1. 1 Aug 2024
    Act enters into force
    Published in the Official Journal
  2. 2 Feb 2025
    Prohibited AI practices ban
    Chapter II prohibitions apply
  3. 2 Aug 2025
    GPAI model rules apply
    General-purpose AI obligations
  4. 2 Aug 2026
    Transparency + enforcement
    Article 50 applies (not delayed)
  5. 2 Dec 2026
    Deepfake/CSAM ban + watermark grace
    Ban universal; watermarking grace = legacy systems only*
  6. 2 Dec 2027
    High-risk Annex III deadline
    Standalone high-risk: credit scoring, insurance pricing, hiring
    Moved from 2 Aug 2026
  7. 2 Aug 2028
    High-risk Annex I deadline
    High-risk AI embedded in regulated products
    Moved from 2 Aug 2027

* The deepfake/CSAM ban is a hard prohibition on 2 December 2026 with no transition window. The watermarking grace period applies only to generative systems already on the market before 2 August 2026; for new systems, Article 50 watermarking applies from 2 August 2026.

Five things that matter

  1. The Act reaches you based on where your AI’s output is used, not where your company is registered.
  2. Obligations follow your role. A provider builds the system; a deployer uses it. Most financial firms are both.
  3. Credit scoring and insurance pricing sit expressly in the high-risk tier, which carries the heaviest obligations.
  4. Article 50 transparency was not delayed. It applies from 2 August 2026, and enforcement powers switch on the same day.
  5. The high-risk deadlines moved: Annex III to 2 December 2027 and Annex I to 2 August 2028, pending Official Journal publication.

The most common mistake companies make about the EU AI Act is treating it as a single event with a single date. It is not. It is a sequence of obligations that switch on at different times for different kinds of AI, and the EU changed several of those times in June 2026. This is a plain-language guide to who is covered, how the Act sorts AI by risk, and which deadlines are live now.

Start with the part people get wrong: it applies outside the EU. The Act reaches you based on where your AI has an effect, not where your company is registered. If you build, deploy, distribute, import, or use an AI system whose output is used by people in the EU, you are likely in scope, even with no EU office. A US bank serving EU customers, a vendor selling an AI tool into Europe, and a company using an EU-facing AI hiring tool are all potentially covered. The practical takeaway is simple: “we’re not an EU company” is not, by itself, a reason you are exempt. If you want to test your own situation, the scope question is set out in Article 2 of the Act.

Know which role you play, because your obligations follow the role. The Act uses a few defined roles, and the two that matter most are provider and deployer. A provider builds or substantially modifies an AI system and puts it on the market. A deployer uses one under its own authority. The heavier obligations fall on providers, but deployers carry real duties too, especially around human oversight and using a system as intended. Most financial firms are deployers of AI they buy and, increasingly, providers of AI they build in-house. Many are both, in different products. The first step in any compliance effort is deciding, system by system, which hat you are wearing.

The Act sorts every AI system into one of four risk tiers

This is the core mechanic, and it is easier than it sounds. The full breakdown by tier is laid out here, but in short:

Unacceptable-risk systems are banned outright. These are a short list of prohibited practices, such as social scoring and certain manipulative or exploitative uses, and they have been prohibited since February 2025. A new ban on tools that generate non-consensual intimate imagery and child sexual abuse material was added in June 2026 and applies from December 2, 2026.

High-risk systems are permitted but heavily regulated. This is the tier that matters most for financial services, because it expressly includes AI used to evaluate creditworthiness and credit scoring, and AI used for risk assessment and pricing in life and health insurance. High-risk systems carry the demanding obligations: risk management, data governance and bias checks, technical documentation, logging, human oversight, and conformity assessment before going to market. AI used purely to detect financial fraud is specifically carved out of the high-risk list. If you operate in this sector, the financial-services view maps these obligations to the specific use cases.

Limited-risk systems carry transparency duties. If you run a chatbot or generate synthetic media, you generally have to make clear that people are dealing with AI or that content is AI-generated. These transparency rules sit under Article 50, and the disclosures guide breaks down exactly what has to be told to whom.

Minimal-risk systems, which is most AI in everyday use, carry no specific obligations under the Act.

The dates, as they stand now that the AI Omnibus is adopted

In June 2026 the EU finalized a set of amendments, the AI Omnibus, that pushed back the heaviest high-risk deadlines while leaving others untouched. The Council gave final adoption on June 29, 2026, so these are settled, not proposed. Here is the current picture:

  • February 2, 2025: bans on prohibited practices took effect, along with AI literacy duties.
  • August 2, 2025: obligations for providers of general-purpose AI models took effect.
  • August 2, 2026: Article 50 transparency obligations become enforceable, and national market-surveillance authorities gain their enforcement powers. This date was not delayed.
  • December 2, 2026: the new ban on non-consensual intimate imagery and CSAM applies, and a grace period ends for watermarking obligations on synthetic-media systems already on the market before August 2026.
  • December 2, 2027: obligations for standalone high-risk systems under Annex III apply. This is the big move. It was originally August 2, 2026, and now sits sixteen months later. Credit scoring and insurance pricing live here.
  • August 2, 2028: obligations for high-risk AI embedded in already-regulated products under Annex I apply.

The trap in that delay, said plainly

The sixteen-month extension on high-risk systems reads like breathing room. It is better understood as a planning window that is already open. The hard part of AI Act compliance was never filling in a documentation template. It is finding every AI system you run, deciding which tier and which deadline each one falls under, and keeping that inventory current as new systems ship. None of that gets easier by waiting, and a conformity assessment with notified-body involvement does not happen in the final quarter before a deadline. Firms that bank the extension and revisit this in mid-2027 will be in the same scramble they would have faced in 2026, just later.

How to actually approach compliance

The work breaks into a handful of steps, in order. None of them require a large team to begin.

Inventory every AI system first. Map everything you develop, deploy, or procure, including third-party tools, APIs, and AI embedded inside larger platforms you already license. For each one, note its purpose, what data it uses, what decisions it influences, and whether its outputs reach the EU. Everything else depends on this list being complete, and the systems most likely to be missed are the ones that shipped quietly inside a vendor product.

Classify each system by risk tier, and from that, by deadline. Once you know what you run, sort each system into unacceptable, high, limited, or minimal, then attach the date that applies. Getting the tier right is where the real judgment sits, and misclassification is where penalties start, so document the reasoning behind each call. If you are unsure, this is the point to bring in legal or technical help rather than guess.

Assign clear ownership. AI compliance fails when it belongs to everyone and no one. Name an accountable owner, and build a small cross-functional group across legal, security, IT, and the business lines that actually deploy the systems, so that risk management, transparency, and human-oversight duties have a home.

Do the high-risk work with rigor. For anything in the high-risk tier, the obligations are substantive: conformity assessment, documented training data and performance, human-oversight mechanisms, logging, and clear explanations of how decisions are made. Treat these as engineering and governance deliverables with lead times, not paperwork to assemble at the end.

Keep documentation and monitoring live. The Act expects detailed technical documentation for high-risk systems and ongoing monitoring once they are deployed, including incident logs and a defined response path when a system behaves unexpectedly. Build the logging and review cadence in from the start, because reconstructing it after an incident is far harder.

Treat this as continuous, not a one-off. Your AI estate changes as new models ship and old ones are retired, and the rules themselves just changed in June. Bake periodic re-inventory and re-classification into your normal development cycle so your compliance picture stays current instead of drifting out of date between audits.

Where this connects to what we’re building

Keeping track of which rule applies to which system, on which date, across a framework that just changed in June, is exactly the problem we built whichrule.ai to solve. It is a plain-language navigator for the EU AI Act, built for founders and builders rather than for people who bill by the hour, and it maps the Act’s articles to the risk tiers, disclosures, and deadlines that actually apply to a given system. The Act’s staged, role-dependent, recently-amended structure is precisely the kind of thing that is easy to get wrong by hand and easy to keep current with the right tooling. The point of this guide stands on its own, though: the Act already applies to more organizations than realize it, and the work that matters most, knowing what you run and which rule it falls under, is work you can start today.