Short answer: On 2 August 2026, the EU AI Act becomes generally applicable. From this deadline, the transparency obligations under Art. 50 kick in — chatbots must identify themselves as AI, and deepfakes and certain AI-generated texts must be labelled. Violations can trigger fines of up to EUR 15 million or 3% of annual turnover. Only the high-risk obligations were postponed: to December 2027 (Annex III) and August 2028 (Annex I). The bans (Art. 5) and the AI literacy requirement (Art. 4) have applied since February 2025 anyway.
2 August 2026 Is the Real Deadline
Recent AI Act headlines have focused almost entirely on the postponement: the EU is moving the high-risk obligations to December 2027 via the Digital Omnibus. What stuck with many executives is: "The AI Act is coming later." That is only true for part of the regulation. On 2 August 2026, the AI Act becomes generally applicable — which means the deadline affects practically every company that uses AI.
The gap between the legal situation and actual preparation is documented in the Bitkom AI Adoption Study 2026: 69% of German companies need help implementing the AI Act, and only 24% have engaged with it at all. Until now, that was mainly an organisational problem. From the deadline onwards, it can get expensive: violations of the transparency obligations can trigger fines of up to EUR 15 million or 3% of global annual turnover, prohibited practices up to EUR 35 million or 7%.
What Applies When? The Timeline at a Glance
| Date | What | Status |
|---|---|---|
| 2 February 2025 | Prohibited AI practices (Art. 5), AI literacy requirement for all companies (Art. 4) | Already in effect |
| 2 August 2025 | Obligations for providers of General Purpose AI (GPAI) | Already in effect |
| 2 August 2026 | Transparency obligations (Art. 50): chatbots, deepfakes, AI texts. Enforceable fines. AI regulatory sandboxes in every member state | Becomes binding on 2 August 2026 |
| 2 December 2026 | Watermarking obligation for providers of generative AI (Art. 50(2)) | Postponed — originally 2 August 2026 (Digital Omnibus) |
| 2 December 2027 | High-risk AI under Annex III: conformity assessment, documentation | Postponed — originally 2 August 2026 (Digital Omnibus) |
| 2 August 2028 | High-risk AI embedded in regulated products (Annex I) | Postponed — originally 2 August 2027 (Digital Omnibus) |
In short: The postponement gives you more time for high-risk documentation — but no extra time for transparency, AI literacy, and the bans.
What Becomes Binding on 2 August 2026
Transparency Obligations (Art. 50): Label What Is AI
The most important block in practice — and the one most often confused with the postponed high-risk rules. From 2 August 2026, the following becomes binding (a good overview is the practical guide to Article 50 by the AI Act Explorer):
- Chatbot disclosure (para. 1): Companies operating a chatbot or voicebot must clearly inform their users at the latest at first interaction that they are communicating with an AI — unless it is obvious from the context. The EU guidelines interpret this exception narrowly.
- Deepfake labelling (para. 4): AI-generated or AI-manipulated images, audio, and video content must be labelled as artificially created.
- AI texts on matters of public interest (para. 4): Published AI-generated texts on topics such as health, safety, or consumer protection require labelling — unless a human has editorially reviewed them and visibly holds responsibility.
- Emotion recognition and biometric categorisation (para. 3): Affected persons must be informed about the use of such systems.
Important for context: these obligations cover not only developers but explicitly also deployers — precisely the companies that use AI tools. The chatbot on your website, the AI-generated product video, the automatically written advice article: all cases for Art. 50.
One sub-obligation was postponed: the machine-readable watermarking obligation for providers of generative AI (para. 2) only takes effect on 2 December 2026. It concerns the model providers, not the users.
Fines: Tiered, but Real
With general applicability, the sanction regime also takes effect. The frequently cited maximum of EUR 35 million or 7% of global annual turnover only covers prohibited practices under Art. 5. For violations of most other obligations — including the transparency rules of Art. 50 — Art. 99 provides for up to EUR 15 million or 3%, whichever is higher. That is less, but hardly pocket change. And unlike before, from the deadline onwards, authorities are in place to enforce these rules.
Supervision and AI Sandboxes
By 2 August 2026, every EU member state must have established at least one regulatory AI sandbox where companies can test AI systems under supervision. In addition, the EU Commission can impose fines on providers of General Purpose AI models from the deadline onwards — their obligations have existed since August 2025, and now they become enforceable.
In short: From 2 August 2026, every AI that interacts with people or generates content must be recognisable as AI — and violations can be penalised.
What Remains Postponed: The High-Risk Obligations
The Digital Omnibus postpones the obligations for high-risk AI systems: conformity assessment, CE marking, and detailed technical documentation for stand-alone high-risk systems under Annex III only take effect on 2 December 2027. For high-risk AI embedded in regulated products — such as medical devices or vehicles (Annex I) — the relevant date is 2 August 2028.
On the procedural status (July 2026): Council and Parliament reached agreement on the Omnibus on 7 May 2026, Parliament approved it on 16 June, the Council on 29 June. Formally, only publication in the EU Official Journal remains, expected before 2 August — the postponement only takes legal effect with that publication.
One more piece of context: 44 CEOs of major European corporations — including Airbus, Philips, and SAP — had demanded a full moratorium in 2025. The EU refused: the obligations are postponed, not cancelled.
In short: Only the high-risk obligations are postponed — to December 2027 (Annex III) and August 2028 (Annex I). The rest of the timeline stands.
What Has Applied for Longer
Two blocks of obligations have been applicable since 2 February 2025 — independent of the August deadline:
Prohibited AI Practices (Art. 5)
Certain AI applications are completely banned in the EU:
- Social scoring by authorities or companies
- Emotion recognition in workplaces and educational institutions
- Real-time remote biometric identification in public spaces (with narrowly defined exceptions for law enforcement)
- Manipulative AI systems that subliminally influence people's behaviour
- Exploitation of vulnerabilities of specific groups (age, disability, social situation)
For most mid-sized companies, these bans are not directly relevant. But if you use AI in HR — for example, application screening or employee monitoring — you should carefully check whether your systems fall into a prohibited category.
AI Literacy Requirement (Art. 4)
This is the obligation that affects everyone. Art. 4 of the AI Act requires: all companies that deploy or provide AI systems must ensure their employees have sufficient AI literacy.
There are no exemptions based on company size. There is no transition period. This obligation has existed since February 2025.
In practice, this means:
- Employees working with AI systems must understand what those systems do and where their limitations lie
- The level of competence must be proportionate to the risk — someone using AI for hiring decisions needs more training than someone using ChatGPT for email drafts
- Training must be documented
In short: The bans and the AI literacy requirement have been binding since February 2025 — if you have gaps here, close them before the deadline.
The Implementation Law: Where Germany Stands
Germany took its time settling the question of authority — now the process is complete. On 11 February 2026, the federal cabinet approved the implementation law for the AI Regulation, and in June 2026 the Bundestag passed it. On 10 July 2026, the Bundesrat approved it; a motion to invoke the mediation committee found no majority (as of July 2026).
The key points:
- The Federal Network Agency (Bundesnetzagentur) becomes the central AI supervisory authority — market surveillance, a complaints office for citizens, and a coordination and competence centre bundling AI expertise for other authorities and companies
- Data protection authorities are setting audit priorities — particularly AI in HR and marketing
- The fine framework follows the EU regulation — up to EUR 35 million or 7% for prohibited practices, up to EUR 15 million or 3% for violations of obligations such as the transparency rules
In short: With the Bundesnetzagentur, Germany gets a central AI supervisory authority. Enforcement is no longer a theoretical scenario — by the deadline, the authority is in place.
SME Relief: What Mid-Sized Companies Need to Know
The EU has recognised that the AI Act could disproportionately burden small and medium-sized enterprises. That is why there are targeted accommodations:
- Simplified documentation: SMEs do not need to create full technical dossiers if they only deploy (not develop) AI systems
- AI regulatory sandboxes: By 2 August 2026, every member state must operate at least one regulatory sandbox where companies can test AI systems under supervision
- Expanded small-mid-cap category: Companies with up to 750 employees fall into a category with reduced requirements
In short: SMEs face significantly less documentation for high-risk systems — but they are not exempt from AI literacy and transparency obligations.
Checklist: What to Do Before 2 August 2026
Before the deadline:
- Create an AI inventory: Which AI systems are in use — including the tools that departments use without IT approval? Which vendors, what data?
- Label chatbots and voicebots: Every AI that interacts with customers or users must identify itself as AI
- Review AI-generated content: Deepfakes and AI texts on matters of public interest require labelling — set up marketing processes now
- Document AI literacy: The training requirement under Art. 4 has existed since February 2025 — if you have postponed it, catch up before the deadline
Within the next 6 months:
- Conduct a risk assessment: Which of your AI systems could be classified as high-risk?
- Audit your vendors: Do your AI providers supply the necessary documentation? Are they GDPR compliant?
- Clarify responsibilities: Who in your company is responsible for AI compliance?
- Leverage GDPR synergies: Many AI Act requirements overlap with existing GDPR obligations
By December 2027:
- Complete conformity assessments for high-risk systems
- Create technical documentation
- Implement a quality management system for AI
What to Look for in AI Vendors
It is not just your own company that must be compliant — the AI systems you use must be, too. Ask your vendors:
- Where is data processed? EU hosting is not a guarantee of compliance, but an important building block
- Is the system transparent? Can you understand how results are generated?
- Is personal data processed? If so: is there a GDPR-compliant legal basis?
- Is technical documentation available? Serious vendors provide this
- How deterministic is the system? Does it deliver the same result for the same input — or does it guess?
Transparency and Traceability: The oneAgent Approach
When building oneAgent, we did not bolt on compliance as an afterthought. We designed it in from the start:
- Deterministic: oneAgent translates your questions into precise database queries. There are no hallucinations because no generative models are let loose on your business data. An automatic verification layer checks every answer against your actual data.
- Transparent: For every answer, you can see which data sources were queried and which steps, rules, and filters led to the result — traceable instead of a black box.
- No personal data analysis: oneAgent analyses business metrics — revenue, inventory levels, conversion rates. No employee monitoring, no scoring, no biometric data.
- GDPR compliant: Hosted in Frankfurt, no training on your data. More on our data privacy approach.
- On-premise option: For companies with particularly strict requirements, oneAgent can run entirely within your own infrastructure.
This does not mean every AI system must be built this way. But it shows that AI data analytics and full compliance do not have to be contradictions.
Conclusion: The Deadline Is Predictable — Use That
On 2 August 2026, two things happen at once: the AI Act becomes generally applicable, and the high-risk obligations remain postponed. If you keep these two apart, you can plan calmly — implement transparency and labelling now, document AI literacy, and prepare high-risk documentation by the end of 2027.
Companies that act now not only avoid last-minute scrambling — they also lay the groundwork for safe, sustainable AI adoption.
If you are looking for an AI solution for your data analytics that is built from the ground up for transparency and data security — try oneAgent for free. No credit card required, no hidden costs. If you want to scan the market first, read our comparison of the best AI analytics tools for mid-market companies in 2026.
