
AI Act 2026: What Already Applies Despite the Delay

The EU has postponed high-risk AI obligations to December 2027. But many rules have been in effect since February 2025 — and they apply to every company using AI. A clear overview of what you need to do now.

The Delay That Is Not an All-Clear

As part of the Digital Omnibus, the EU has postponed obligations for high-risk AI systems from August 2026 to December 2027. 44 CEOs of major European corporations — including Airbus, Philips, and SAP — had even demanded a full moratorium. The EU refused.

The delay only affects part of the regulation. The general obligations — transparency, AI literacy, prohibited practices — have been in effect since 2 February 2025. If you think "we still have time," you are mistaken.

According to a Bitkom survey, 69% of German companies need help implementing the AI Act. Only 24% have engaged with it at all. That is a risky gap — serious violations carry fines of up to EUR 35 million or 7% of global annual turnover.

What Applies When? The Timeline at a Glance

Feb 2025  ██████████  NOW IN EFFECT
│ ✓ Art. 5: Prohibited AI practices
│ ✓ Art. 4: AI literacy requirement for ALL companies
│ ✓ Art. 7: Basic transparency obligations
│
Aug 2025  ██████████  IN A FEW MONTHS
│ ✓ Obligations for General Purpose AI (GPAI)
│ ✓ Governance structures must be in place
│
Aug 2026  ██████████  POSTPONED → Dec 2027
│ ✗ High-risk AI: Conformity assessment, CE marking
│ ✗ Detailed documentation requirements
│ ✗ Full market surveillance
│
Dec 2027  ██████████  NEW DEADLINE
  → All high-risk obligations take effect

The delay gives you more time for technical documentation and conformity assessments of high-risk systems. It does not give you extra time for the basics that already apply.

What Already Applies — and What It Means in Practice

1. Prohibited AI Practices (Art. 5) — since February 2025

Certain AI applications are completely banned in the EU:

  • Social scoring by authorities or companies
  • Emotion recognition in workplaces and educational institutions
  • Real-time remote biometric identification in public spaces (with narrowly defined exceptions for law enforcement)
  • Manipulative AI systems that subliminally influence people's behaviour
  • Exploitation of vulnerabilities of specific groups (age, disability, social situation)

For most mid-sized companies, these bans are not directly relevant. But if you use AI in HR — for example, application screening or employee monitoring — you should carefully check whether your systems fall into a prohibited category.

2. AI Literacy Requirement (Art. 4) — since February 2025

This is the obligation that affects everyone. Art. 4 of the AI Act requires: All companies that deploy or provide AI systems must ensure their employees have sufficient AI literacy.

There are no exemptions based on company size. There is no transition period. This obligation applies now.

In practice, this means:

  • Employees working with AI systems must understand what those systems do and where their limitations lie
  • The level of competence must be proportionate to the risk — someone using AI for hiring decisions needs more training than someone using ChatGPT for email drafts
  • Training must be documented

3. Transparency Obligations (Art. 50) — since February 2025

Users must know when they are interacting with an AI. Companies must disclose:

  • That an AI system is being used
  • What type of AI is deployed
  • What data is being processed

The AI Act Implementation Law: Germany Gets Concrete

On 11 February 2026, the German federal cabinet approved the AI Act Implementation Law. This transposes the European AI Act into German law.

The key points:

  • The Federal Network Agency (Bundesnetzagentur) becomes the AI supervisory authority — it will oversee AI Act compliance in Germany
  • Data protection authorities are setting audit priorities — particularly AI in HR and marketing
  • Fine framework follows the EU maximum: up to EUR 35 million or 7% of global annual turnover for serious violations

This means: there is now a German authority that will enforce violations. Implementation is no longer a theoretical scenario.

SME Relief: What Mid-Sized Companies Need to Know

The EU has recognised that the AI Act could disproportionately burden small and medium-sized enterprises. That is why there are targeted accommodations:

  • Simplified documentation: SMEs do not need to create full technical dossiers if they only deploy (not develop) AI systems
  • AI sandboxes: Member states are establishing regulatory sandboxes where companies can test AI systems before full compliance requirements apply
  • Expanded small-mid-cap category: Companies with up to 750 employees fall into a category with reduced requirements

This does not mean SMEs are exempt from all obligations. The AI literacy requirement and transparency rules apply without restriction. But the administrative burden for high-risk systems is significantly reduced.

Checklist: What Your Company Should Do Now

Regardless of the high-risk postponement — you should take these steps now:

Immediately (already in effect):

  • Create an AI inventory: Which AI systems do you use? Which vendors? What data is processed?
  • Ensure AI literacy: Training for all employees who work with AI — documented
  • Check for prohibited practices: Do any of your systems fall under Art. 5? Look closely at HR and marketing in particular
  • Establish transparency: Inform users and employees where AI is being used

Within the next 6 months:

  • Conduct a risk assessment: Which of your AI systems could be classified as high-risk?
  • Audit your vendors: Do your AI providers supply the necessary documentation? Are they GDPR compliant?
  • Clarify responsibilities: Who in your company is responsible for AI compliance?
  • Leverage GDPR synergies: Many AI Act requirements overlap with existing GDPR obligations

By December 2027:

  • Complete conformity assessments for high-risk systems
  • Create technical documentation
  • Implement a quality management system for AI

What to Look for in AI Vendors

It is not just your own company that must be compliant — the AI systems you use must be, too. Ask your vendors:

  1. Where is data processed? EU hosting is not a guarantee of compliance, but an important building block
  2. Is the system transparent? Can you understand how results are generated?
  3. Is personal data processed? If so: is there a GDPR-compliant legal basis?
  4. Is technical documentation available? Serious vendors provide this
  5. How deterministic is the system? Does it deliver the same result for the same input — or does it guess?

How oneAgent Is Compliant by Design

When building oneAgent, we did not bolt on compliance as an afterthought. We designed it in from the start:

  • Deterministic: oneAgent translates your questions into precise database queries. There are no hallucinations because no generative models are let loose on your business data. An automatic verification layer checks every answer against your actual data.
  • Transparent: You can see at any time which data sources were queried and how the result was generated.
  • No personal data analysis: oneAgent analyses business metrics — revenue, inventory levels, conversion rates. No employee monitoring, no scoring, no biometric data.
  • GDPR compliant: Hosted in Frankfurt, data never leaves your network. No training on your data.
  • On-premise option: For companies with particularly strict requirements, oneAgent can run entirely within your own infrastructure.

This does not mean every AI system must be built this way. But it shows that AI data analytics and full compliance do not have to be contradictions.

Conclusion: The Delay Is No Reason to Wait

The AI Act is coming — the only question is how well prepared you are. The basic obligations have been in effect since February 2025. The Federal Network Agency is ready as the supervisory authority. And data protection authorities are already setting audit priorities.

Companies that start implementing now have a clear advantage: they avoid last-minute panic, build internal AI literacy, and can choose AI systems more deliberately.

If you are looking for an AI solution for your data analytics that is built from the ground up for compliance, transparency, and data security — try oneAgent free for 14 days. No credit card required, no hidden costs.
