The May 2026 Omnibus political agreement extends most high-risk obligations to late 2027 and 2028, pending formal adoption. Conformity assessment still takes 6–12 months. Purogaly provides the runtime enforcement, traceability, and audit evidence the Act requires for high-risk AI systems, regardless of which deadline applies to yours.
On May 7, 2026, EU lawmakers reached political agreement on the AI Act Omnibus, which extends many high-risk system deadlines from August 2026 to late 2027 and August 2028. The agreement is still subject to formal adoption. Some provisions of the Act remain on the original August 2, 2026 timeline. Different high-risk categories now have different deadlines. The picture is genuinely mid-flight.
What hasn’t changed: the technical requirements themselves, the penalty framework, and the time it takes to actually become compliant.
On May 7, 2026, after a difficult negotiation, EU lawmakers reached a political agreement to revise the AI Act’s implementation timeline. The agreement is part of the broader Digital Omnibus package aimed at simplifying overlapping digital regulation. It is subject to formal adoption by the European Parliament and Council, which is expected later in 2026 but not yet final.
The headline change: most high-risk AI system obligations under Annex III move from the original August 2, 2026 deadline to two new fixed deadlines, allowing regulatory guidance and technical standards to be finalized first. A 16-month postponement covers new or substantially modified high-risk systems. A 12-month postponement covers AI systems that are products or safety components of regulated products such as medical devices.
What did not change: the prohibited practices list (in force since February 2, 2025), the underlying technical requirements for high-risk systems, the penalty structure, the extraterritorial scope, and the practical time it takes an enterprise to build the technical and organizational measures the Act requires. The deadlines are now further out. The work is the same.
Until the Omnibus is formally adopted, the original deadlines remain the operative ones in law. Several analysts (including the Cloud Security Alliance) continue to advise organizations to treat August 2, 2026 as the planning deadline. Once adopted, the new dates become enforceable. Most enterprises now plan to a range: prepare for the original deadline, expect the revised one, design infrastructure that works for either.
The Omnibus extension does not touch the parts of the Act that are already enforceable. Three categories of obligations apply now, not in 2027 or 2028.
Social scoring, untargeted facial scraping, workplace emotion recognition, real-time biometric identification in public spaces (with limited exceptions), and other practices defined as unacceptable risk. Penalties up to €35M or 7% of global turnover.
Providers and deployers must take measures to ensure their staff and other people operating AI systems have a sufficient level of AI literacy. Applies across the AI lifecycle.
Providers of general-purpose AI models must meet transparency and documentation requirements. Models placed on the market before this date have a longer compliance window but are still in scope.
Whether the deadline is August 2026, December 2027, or August 2028 for your specific use case, the technical requirements for high-risk AI systems are the same. Five of them have direct implementation implications. A runtime governance platform either delivers them or it does not.
“High-risk AI systems shall be designed so that they can be effectively overseen by natural persons during the period in which they are in use.”
How Purogaly delivers it: Purogaly’s human-in-the-loop approval workflows pause high-risk agent actions until a human decision is made. The decision and the human reviewer are captured in the audit chain. Configurable per policy, per agent, per action.
“High-risk AI systems shall technically allow for the automatic recording of events (logs) over their lifetime.”
How Purogaly delivers it: Every action attempted by every agent generates a log record. Records include action details, matched policy, version, decision, and evidence. The hash-chained log is independently verifiable.
“High-risk AI systems shall be designed so that their operation is sufficiently transparent to enable users to interpret a system’s output and use it appropriately.”
How Purogaly delivers it: Every denial includes a "why gated" explanation. Every approval is traceable to a specific policy version. Deployers and operators see exactly what happened and why, not just that something happened.
“High-risk AI systems shall achieve appropriate levels of accuracy, robustness and cybersecurity and perform consistently throughout their lifecycle.”
How Purogaly delivers it: Network-boundary enforcement means the governance layer cannot be bypassed by a compromised agent. Risk scoring evaluates six signals per action. Policy updates take effect on the next request, not the next deployment.
“A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.”
How Purogaly delivers it: Purogaly’s policy framework operationalizes the risk management system. Risk levels are encoded as policies. Mitigations are encoded as approval workflows. Evidence of risk handling is automatic.
The Act applies to providers placing AI systems on the EU market and to providers and deployers whose system output is used in the EU, regardless of where the provider is located. A US fintech with European customers, a US healthtech serving EU hospitals, a US SaaS company shipping AI features that touch EU users: all in scope.
High-risk systems are defined in Annex III and include AI used in critical infrastructure, education, employment, essential services (including credit scoring), law enforcement, migration, and justice administration. The list is broad. Most enterprise AI agents deployed in regulated industries will fall within at least one category.
The practical extent of EU enforcement against US companies depends on circumstances, much as with the GDPR. The risk is real but uneven. Most enterprises with significant European exposure are choosing to build for compliance regardless.
The deadlines moved. The conformity assessment timeline did not. Organizations that start now will be ready for whichever date applies to them.
List every AI agent in production. For each, document what actions it can take, what systems it touches, and what data it processes. Without this inventory, you cannot scope compliance work or demonstrate it to an auditor — regardless of which deadline applies.
Determine which agents fall into the high-risk category, and which Annex III category applies. The Omnibus deadlines differ by category, so classification has real consequences. Most enterprise agents handling employment, credit, customer decisions, or sensitive data will be in scope.
The prohibited practices list (in force since February 2025), the AI literacy obligations, and GPAI requirements are not delayed. These apply today. The Omnibus does not change them.
Policy documents are necessary but not sufficient. The Act requires technical measures: human oversight, traceability, accuracy, risk management. These are runtime properties, not document properties. A runtime governance layer is the operational answer to Articles 9, 12, 13, 14, and 15.
The Act requires automatic recording of events with technical reliability sufficient for external audit. A vendor-attested log is weaker than a cryptographically chained log. Build the audit infrastructure on evidence that can be verified independently.
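What independent verification of a hash-chained log involves, as an added example that is not Purogaly's code or record format: the record field names, the `GENESIS` value and the canonical-JSON encoding are assumptions. It also shows why the head hash has to be anchored outside the logging system.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def record_hash(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so every verifier hashes the same bytes.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append(log, body):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "body": body, "hash": record_hash(prev, body)})
    return log[-1]["hash"]  # head hash: store it where the log operator cannot rewrite it

def verify(log, anchored_head):
    """Recompute every link from the record bodies; trust no hash stored in the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return False, f"record {i}: broken link"
        if record_hash(prev, entry["body"]) != entry["hash"]:
            return False, f"record {i}: content altered"
        prev = entry["hash"]
    if prev != anchored_head:
        return False, "head mismatch: chain truncated, extended or rewritten"
    return True, "ok"

def demo():
    # Constructed sample records (hypothetical field names and values).
    log = []
    append(log, {"agent": "agent-1", "action": "read_record", "policy": "pii-access",
                 "policy_version": 3, "decision": "allow", "evidence": "ref-A"})
    append(log, {"agent": "agent-2", "action": "send_payment", "policy": "payments",
                 "policy_version": 7, "decision": "deny", "evidence": "ref-B"})
    head = append(log, {"agent": "agent-2", "action": "send_payment", "policy": "payments",
                        "policy_version": 7, "decision": "approved_by_human",
                        "evidence": "ref-C"})
    results = {"intact": verify(log, head)}
    edited = copy.deepcopy(log)
    edited[1]["body"]["decision"] = "allow"        # in-place edit of one record
    results["edited"] = verify(edited, head)
    results["truncated"] = verify(log[:2], head)   # last record dropped
    rewritten = []                                  # edit, then recompute the whole chain
    for entry in edited:
        append(rewritten, entry["body"])
    results["rewritten"] = verify(rewritten, head)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The rewritten chain is internally consistent, so only the externally anchored head hash exposes it; a chain whose head is held by the same party that writes the log is still vendor-attested.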
Conformity assessment takes 6–12 months. Whether your deadline is August 2026 (original), December 2027, or August 2028 (Omnibus), starting at least 12 months before puts the process inside the window. Organizations that wait for full Omnibus clarity will compress their timeline.
The EU AI Act entered into force on August 1, 2024 and has applied in phases. The prohibited practices list and AI literacy obligations have applied since February 2, 2025. GPAI model obligations applied from August 2, 2025. The high-risk system obligations were originally scheduled for August 2, 2026, but the May 7, 2026 Omnibus political agreement extends most of them to late 2027 and August 2028, pending formal adoption. Until adoption, the original deadlines remain operative.
The Omnibus splits high-risk obligations into two timelines: a 16-month postponement for new or substantially modified high-risk systems, and a 12-month postponement for high-risk systems that are products or safety components of regulated products such as medical devices. It also clarifies the definition of "safety component," empowers the Commission to disapply overlapping requirements where sectoral rules cover the same ground, and adjusts some transparency deadlines.
Not yet. The May 7, 2026 political agreement is subject to formal adoption by the European Parliament and Council. Adoption is expected later in 2026 but is not guaranteed in scope or timing. Until formal adoption, the original deadlines remain enforceable in law. Analysts including the Cloud Security Alliance recommend treating August 2, 2026 as the planning date for high-risk obligations until the Omnibus is finalized.
For prohibited AI practices: up to €35 million or 7% of global annual turnover, whichever is higher. For breaches of high-risk system requirements: up to €15 million or 3% of global turnover. For supplying incorrect information to authorities: up to €7.5 million or 1% of global turnover. Member states can impose additional administrative measures.
Yes, if the AI system is placed on the EU market or if the output of the system is used in the EU. A US company serving European customers, processing European data, or making decisions that affect European users is subject to the Act. The extent of practical enforcement against US companies depends on circumstances, much as with the GDPR, but the legal obligation applies regardless of where the company is headquartered.
High-risk systems are defined in Annex III and include AI used in critical infrastructure, education, employment, essential services (including credit scoring and insurance), law enforcement, migration and border control, justice administration, and democratic processes. Most enterprise AI agents deployed in regulated industries will fall within at least one category.
Conformity assessment for high-risk AI systems typically takes 6 to 12 months depending on system complexity, the assessment route chosen, and notified body availability. This timeline did not change with the Omnibus. Organizations beginning conformity assessment late in their applicable compliance window will compress their preparation time.
Yes. Purogaly delivers runtime enforcement, tamper-evident audit logging, human-in-the-loop approval workflows, and traceability features that map directly to the Act’s high-risk system requirements. The platform produces the technical evidence that conformity assessment and post-enforcement audits require — regardless of whether your specific deadline is the original August 2026, the Omnibus December 2027, or August 2028.