Amit Kothari CEO of Tallyfy · Workflow AI Expert

The EU AI Act just moved its deadlines - do not waste the extension

In brief

On May 7, 2026, EU negotiators pushed high-risk AI obligations to December 2, 2027. Transparency duties still land August 2, 2026, and Annex IV's nine documentation sections did not shrink. Here is the process work the extension is for, before a customer asks to see it.

Summary

  • High-risk obligations moved, the homework didn’t - EU negotiators agreed on May 7, 2026 to push standalone high-risk AI duties (Annex III) to December 2, 2027 and product-embedded ones (Annex I) to August 2, 2028. Annex IV still demands the same nine sections of technical documentation.
  • What still lands on August 2, 2026? The Act’s remaining provisions, including transparency duties: people must be told they’re talking to AI, and from December 2, 2026 generated content needs machine-readable marking.
  • Your buyer enforces faster than Brussels - one founder’s February 2026 observation: AI SaaS teams ignore the Act until an EU customer asks for documentation mid-deal, then discover the gap is technical, not legal.
  • The extension is for process work - inventory your AI, classify it against Annex III’s 8 areas, assign oversight owners, and keep logs at least six months. See how Tallyfy holds that documentation: book a demo.

August 2, 2026 spent the better part of two years as the scariest date in European AI. It was the day the EU AI Act’s high-risk obligations were supposed to bite - the technical documentation, the conformity assessments, the human oversight requirements the regulation had been building toward since it entered into force in August 2024.

Last Thursday, Brussels moved it.

On May 7, 2026, Council and Parliament negotiators reached a provisional agreement on the Digital Omnibus on AI, and the practical upshot for anyone running AI inside business processes is this: standalone high-risk obligations now start December 2, 2027, product-embedded ones August 2, 2028, and the transparency rules still arrive this August as scheduled. The documentation the Act demands didn’t get shorter. The runway got longer. So the question worth answering isn’t “did we dodge it?” - you didn’t - but what a process owner should do with sixteen extra months, and why the operational reality of AI regulation means starting now anyway. That’s this post.

What exactly moved on May 7?

Three dates changed and several didn’t, so it’s worth being precise, because half the commentary I’ve read collapses the whole thing into “the AI Act is delayed,” which is wrong in both directions.

The moved part: obligations for high-risk AI systems. Under the provisional agreement, as summarized by CMS, high-risk rules for standalone systems begin December 2, 2027, and high-risk rules for AI built into regulated products begin August 2, 2028. The same write-up notes Parliament is expected to vote on the final text by July 7, 2026 - so formally, until that vote lands, August 2, 2026 is still the date on the books. Nobody serious expects the vote to fail. Plan against December 2027, watch July’s vote anyway.

Worth a sentence on how we got here, since “provisional” confuses people. The Commission proposed this omnibus back on November 19, 2025 as part of its simplification push; negotiators for the Council and Parliament settled the key points last week; the final text now goes to a vote, then publication. Provisional means the handshake happened and the paperwork hasn’t. Treat the new dates as near-certain rather than legally final.

The unmoved part matters more for this year. Prohibited practices - social scoring and the rest of the banned list - have applied since February 2, 2025, and general-purpose AI governance since August 2, 2025, per the European Commission’s own framework page. The Act’s remaining provisions still become applicable on August 2, 2026, which includes the transparency duties: telling people they’re interacting with an AI system and disclosing AI-generated content. The marking requirement got its own near-term date - from December 2, 2026, systems generating audio, images, video, or text must label outputs as AI-generated in machine-readable form.

EU AI Act dates: February 2025 bans, August 2026 transparency, December 2026 marking, December 2027 high-risk start

One more addition from the May agreement: two new prohibited practices, covering the use of AI to generate or manipulate non-consensual intimate imagery and child sexual abuse material. Brussels softened deadlines and hardened bans in the same negotiation, which tells you the direction of travel - simplification, not retreat.

February’s panic was the useful kind

Rewind three months and you can watch the pressure building in real time, in public, on Hacker News.

In late February, a developer with the handle gibs-dev posted an Ask HN about AI Act compliance that read like a checklist of every team’s anxieties: are you taking it seriously yet, is this more red tape, how do you operationalize “113 articles, 13 annexes,” and is anyone actually reading EUR-Lex or just “outsourcing to lawyers and hoping for the best?” One reply in that thread, from a commenter called alexgarden, ended with a line I haven’t stopped thinking about: “157 days isn’t a lot of runway.” Posted February 26 - exactly 157 days before August 2. That was the mood. People were counting.

The sharper signal came two weeks earlier. A founder with the handle rishe_s posted a short observation titled “Early signals that EU AI Act compliance is becoming a sales blocker for AI SaaS,” and the opening pattern deserves quoting in full: “AI SaaS teams don’t think about the EU AI Act until an EU customer or partner asks for documentation. At that point, teams realize compliance isn’t just legal review, but requires technical documentation they don’t have ready.”

Read that again with the delay in mind.

The deadline that actually hits AI vendors first isn’t the one Brussels just moved - it’s the moment an enterprise buyer’s procurement checklist asks for your AI documentation, and that moment doesn’t care about the Digital Omnibus. Mind you, the same dynamic predates this regulation entirely: SOC 2 became table stakes for B2B software years before most buyers could explain what it audits. Compliance regimes move markets through procurement long before they move them through enforcement. A sixteen-month regulatory extension is real, but your next big EU deal might be next quarter, and “we’ll have that documentation in 2027” is a painful sentence to say on a sales call.

So February’s panic, a bit overheated as panics are, pointed at the right gap. The teams that used it to start their documentation are ahead today. The delay didn’t change what they need to produce. It changed who asks for it first.

Annex IV is a process documentation exercise

Strip away the legal framing and the high-risk documentation requirement is asking a familiar question: can you show, in writing, how this system actually works inside your business?

Annex IV runs nine numbered sections. In the official text, a provider of a high-risk system must document, among other things, the system’s general description including “its intended purpose, the name of the provider and the version of the system reflecting its relation to previous versions,” then “the methods and steps performed for the development of the AI system,” an “assessment of the human oversight measures needed in accordance with Article 14,” a “detailed description of the risk management system in accordance with Article 9,” and “detailed information about the monitoring, functioning and control of the AI system,” through to the post-market monitoring plan. Versions, methods, oversight, risks, monitoring. Anyone who has written a serious operations manual recognizes every one of those headings - it’s process documentation with a regulatory citation format.

The HN compliance thread had a comment, from guillermollopis, that nailed where teams stall: “Most teams can figure out whether they’re high-risk (Annex III has 8 clear categories), but then they stare at Annex IV’s 9 sections of required documentation and don’t know where to start.” The same commenter called the output “roughly equivalent to producing a detailed design document for a regulatory audience.”

A detailed design document for a regulatory audience. That’s the work.

Now, the classification step that comes first is narrower than the panic suggests, and worth doing calmly rather than fearfully. Annex III’s 8 areas cover things like biometrics, critical infrastructure, education, essential services, and law enforcement. Most internal back-office AI lands nowhere near them. An invoice-matching model is not high-risk. A chatbot that drafts support replies is not high-risk, though it does pick up the August transparency duties. The trap area for ordinary companies is employment: the official text sweeps in AI used “for the recruitment or selection of natural persons,” including filtering applications and evaluating candidates, plus systems making promotion and termination decisions or monitoring worker performance. If your hiring stack scores resumes with AI, the high-risk question stops being theoretical, and the December 2027 date is yours to plan against.

Something Tallyfy learned the hard way early on, well before any AI regulation existed: documentation that lives outside the work goes stale the week after you write it. A wiki page describing your process is a snapshot; the process drifts, the page doesn’t, and two quarters later the document describes a workflow nobody runs. Annex IV punishes that pattern brutally, because it demands documentation of how the system runs and is monitored, not how it was imagined at launch. The only documentation that survives an audit cycle is documentation generated by the work itself - a question of how you document processes, not of how well you write.

Build the deployer file before anyone asks

Most companies reading this will never write an Annex IV file, because they don’t build high-risk AI - they use it. The Act has a quieter section for them, and it’s the one I’d actually start with.

Article 26 sets the obligations for deployers of high-risk systems, and every line of it is process work. Deployers must “take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use.” The oversight duty follows: “assign human oversight to natural persons who have the necessary competence, training and authority” - one named owner per system. Then comes the watching and the keeping: “monitor the operation of the high-risk AI system,” and retain the logs it generates for at least six months. And before switching on a high-risk system at work, the company must “inform workers’ representatives and the affected workers” that it’s coming.

Notice what’s missing from that list: anything you can buy. Mind the shape of those duties - an assigned person, a monitoring habit, a retention rule, a notification step. Who reviews the rejections your resume screener produces each week? Where does an override land when the oversight owner disagrees with the model? What changes in your file when the vendor ships a model update?

All of that is process design, and none of it ships in a product box. You can’t cobble together “assign human oversight” from vendor brochures the week a customer asks. It only exists if your process defines it.

So here’s the four-part file I’d build during the extension, whether or not your systems end up formally high-risk:

  • An AI inventory with classifications. Every place AI touches a business process, including the unofficial ChatGPT habits, mapped against Annex III’s 8 areas. One page per system: what it does, whose data it sees, which area it could fall under.
  • A named oversight owner per system. The Article 26 phrase is “competence, training and authority” - pick the person who has all three, write their name down, and give them an actual gate in the workflow: a human review at design time and at run time, not a name on an org chart.
  • An audit trail that accumulates on its own. Six months of logs is the floor for deployers. If your AI runs inside defined workflow steps, every run, approval, and override gets recorded as a side effect of doing the work - live tracking instead of a quarterly dig through Slack history.
  • Documentation that regenerates. The Annex IV sections that stall teams - oversight measures, monitoring, control - fall out of a defined process automatically. Document the workflow once, keep running it, and the artifact stays current.

That’s the whole file.

The biggest lesson building Tallyfy keeps teaching us about compliance: regulators and auditors rarely reject companies for having the wrong tool. They reject undocumented judgment - decisions nobody can reconstruct, oversight nobody was assigned, logs nobody kept. Fix those three and the tooling argument mostly disappears.

These templates are a concrete starting point - clone, adapt to your systems, and you’ve got the skeleton of all four artifacts:

Document example: Responsible AI Deployment Checklist

A structured checklist to help your team deploy AI systems responsibly. Covers ethical principles, bias testing, data privacy, transparency, human oversight, monitoring, incident response, and review schedules. If you're not sure where to start, follow the steps in order.

Procedure example: AI Risk Assessment and Mitigation Procedure

  1. Inventory all AI systems in use
  2. Classify risk level per system
  3. Assess data privacy exposure
  4. Evaluate model bias potential
  5. Review vendor security practices
  (+5 more steps)

Procedure example: AI Data Governance and Privacy Procedure

  1. Audit data sources used by AI systems
  2. Classify data sensitivity levels
  3. Map data flows through AI pipeline
  4. Review consent and permission records
  5. Implement data minimization practices
  (+5 more steps)

Two honesty notes. First, none of this is legal advice - I run a workflow company, not a law practice, and scoping questions like “is our resume screener Annex III high-risk?” belong with counsel who reads the final adopted text. Second, Tallyfy won’t classify your AI systems or generate your conformity assessment. What it holds is the part regulators and buyers keep asking to see: the documented process, the named oversight owner, the approval gates, and a trail showing who acted, on what, and when - the same discipline behind workflow automation that pays off with or without a regulation attached.

December 2027 is a project date, not a horizon

Earlier I called the sixteen months a longer runway. That’s not quite the right frame, and I want to correct it: a runway implies you’re already rolling. Most teams aren’t. For them this is a start date that moved, and the temptation is to move the starting gun with it.

The arithmetic says keep the gun where it was. The February thread’s compliance builders were describing real lead times - alexgarden’s reply argued that the teams handling this well “treat it as an engineering problem from day one” rather than “a quarterly legal review,” and nothing in that sketch is a weekend project. Add the procurement dynamic from rishe_s and the timeline inverts: the regulatory deadline moved out, the commercial one didn’t. An EU enterprise deal in late 2026 will ask the same documentation questions a regulator would ask in 2028.

Which deadline do you plan against?

Worth saying once: this isn’t a European-only concern, either. The EU has a habit of exporting its digital rules - GDPR rewired privacy practices for companies that never set foot in Europe - and AI documentation requirements are already showing up in procurement checklists from buyers nowhere near Brussels.

The good news is that the work compounds. A documented process with assigned oversight and an automatic audit trail isn’t something you stage for one regulation - it’s how you’d want AI running in your business anyway, the argument I made in “AI governance starts with process governance” from the strategy side. This post is the tactical sequel: the dates, the file, the four artifacts. Start with the inventory this quarter. Put names on oversight next quarter. Let the logs accumulate. When the formal date arrives - or when a customer’s procurement form arrives first, which is the way to bet - the file will already exist.

A deadline that moves is a gift exactly once, and only to the teams that keep working.

EU AI Act deadline questions

Did the EU AI Act high-risk deadline really move?
Provisionally, yes. On May 7, 2026, Council and Parliament negotiators agreed to defer high-risk obligations: standalone Annex III systems to December 2, 2027 and AI embedded in regulated products to August 2, 2028. Parliament is expected to vote on the final text by July 7, 2026, so until formal adoption the original August 2, 2026 date technically remains on the books.
What AI Act rules still apply in 2026?
Prohibited practices have applied since February 2, 2025, and general-purpose AI governance since August 2, 2025. The remaining provisions become applicable August 2, 2026, including transparency duties such as telling people they are interacting with AI. From December 2, 2026, AI-generated audio, images, video, and text must carry machine-readable markings.
How do I know whether my AI system counts as high-risk?
Annex III lists 8 areas, including biometrics, critical infrastructure, education, essential services, law enforcement, and employment. The employment area is the common trap for ordinary companies: AI used to filter job applications, evaluate candidates, decide promotions or terminations, or monitor worker performance falls in scope. Most other back-office AI does not. Confirm scoping with counsel.
We only use AI tools - we do not build them. Does the Act apply to us?
Yes, as a deployer. Article 26 requires deployers of high-risk systems to use them per the provider instructions, assign human oversight to named people with competence and authority, monitor operation, keep automatically generated logs for at least six months, and inform workers before workplace deployment. All of it is process design rather than software you can buy.
Where should a process owner start before the new deadlines?
Four artifacts: an inventory of every AI touchpoint classified against Annex III, a named oversight owner with a real review gate per system, an audit trail that accumulates automatically from the workflow, and process documentation that stays current because the process itself generates it. Start the inventory first - every later step depends on it.

About the author

Amit is the CEO of Tallyfy. He has 25+ years of practical experience in technology, entrepreneurship, and operational efficiency. He's been hands-on with AI-first engineering and changing Tallyfy to AI-native workflow automation since Claude Code was first released. He's also an Entrepreneur in Residence at WashU's Skandalaris Center, created the OneDay (Woolf) AI curriculum for their accredited MBA and consults with clients who need help with AI via Blue Sheen. He graduated with a Computer Science degree from the University of Bath. He's originally British and lives in St. Louis, MO.
