- Not postponed: The transparency obligations (Article 50) apply from 2 August 2026 — chatbot disclosure, labelling of AI-generated content, deepfake labelling. Fine range: up to €15m or 3% of global turnover.
- Postponed (via the “Digital Omnibus”): The Annex III high-risk obligations to 2 December 2027, product-embedded high-risk AI (Annex I) to 2028.
- Long in force and overlooked: The AI literacy obligation (Article 4) has applied since February 2025, as have the prohibitions.
- Most mid-sized companies are deployers, not providers — their duty list is short. It just needs to be worked through before the supervisor asks.
One thing up front: we are AI implementers, not lawyers — this piece is practical orientation, not legal advice. It is based on the regulation text, the official dates and the reporting on the Omnibus agreement, as of 4 July 2026. For a binding assessment of your case, bring a law firm to the table. What we can do here: translate the legal situation into operational language — so you know what to discuss with whom in the first place.
Why everyone is talking past each other right now
The AI Act has been in force since August 2024 and becomes applicable in stages. The original schedule: February 2025 the prohibitions and the AI literacy duty, August 2025 the obligations for providers of large AI models, August 2026 “the rest” — above all the extensive high-risk obligations and the transparency rules.
Then came the deregulation debate. With the “Digital Omnibus”, Council and Parliament agreed in May 2026 to postpone the high-risk obligations; Parliament approved on 16 June 2026, the Council formally adopted on 29 June 2026 — only publication in the Official Journal remains. Since then, half the coverage has run the headline “AI Act postponed” while the other half warns about the August date. Both are right — they are just talking about different parts of the regulation. And one detail gets lost almost everywhere: as of early July 2026 the Omnibus had not yet been published in the EU Official Journal. Until that happens, the old deadlines formally remain in force — the political agreement is very likely the final outcome, but it is not yet applicable law.
The state of the deadlines — one table instead of ten headlines
| Obligation | Date | Status |
|---|---|---|
| Prohibited practices (incl. social scoring, manipulative AI) | 2 February 2025 | already applies |
| AI literacy / training duty (Art. 4) | 2 February 2025 | already applies — often overlooked |
| Obligations for providers of large AI models (GPAI) | 2 August 2025 | already applies (affects model providers) |
| Transparency obligations (Art. 50: chatbots, AI content, deepfakes) | 2 August 2026 | coming — not postponed |
| Machine-readable marking / watermarking | 2 December 2026 | slightly postponed via Omnibus |
| High-risk obligations (Annex III, e.g. AI in HR, credit scoring) | 2 December 2027 | postponed via Omnibus (previously: Aug 2026) |
| High-risk AI in regulated products (Annex I) | August 2028 | postponed via Omnibus |
As of 4 July 2026. Omnibus dates subject to publication in the EU Official Journal — until then the old dates formally apply.
What actually lands on you from 2 August 2026: Article 50
The transparency obligations are the part of the regulation that affects the most companies — precisely because they don’t target exotic high-risk cases but everyday AI use:
- Chatbots and voicebots: Anyone operating an AI assistant in customer contact must make it recognisable that users are interacting with AI — unless it is obvious.
- AI-generated images, audio and video: Synthetic content — deepfakes in particular — must be labelled as artificially generated or manipulated. This also covers AI images in marketing.
- AI texts on matters of public interest: Anyone publishing AI-generated texts of this kind must disclose that — unless there was human editorial control with responsibility.
- Emotion recognition and biometric categorisation: Affected persons must be informed — rarer in the mid-market, but anyone using it should know.
The fine range: up to 15 million euros or 3 percent of global annual turnover. Realistically no supervisory authority starts at the maximum — but “we didn’t know” no longer holds from August. The good news: these duties are satisfiable with manageable effort. A clean notice in the chat window, a labelling process for AI visuals, an editorial sign-off for AI texts — that is process work, not a major project.
Deployer or provider? The switch that decides your obligations
The regulation consistently distinguishes between providers (who develop AI systems or place them on the market under their own name) and deployers (who use them professionally). Almost the entire mid-market is a deployer — and deployer obligations are considerably leaner: use transparently, train staff, follow the provider’s instructions.
Those who cross the line need to pay attention: anyone who substantially modifies an AI system or gives an AI solution to customers under their own brand can legally become a provider — with the full programme of obligations. Doing this classification properly once is perhaps the most important half hour of the entire compliance exercise. We unpack the user-vs-provider logic in more detail in the build-vs-buy guide (in German); how data residency and EU operation interact is covered in the local LLM guide (in German).
What almost everyone overlooks: the training duty has applied since February 2025
While everyone stares at August 2026, Article 4 has long been applicable: since 2 February 2025 companies must ensure sufficient AI literacy among everyone working with AI systems. No certificate mandate, no prescribed course format — but the expectation that staff can assess the systems they use: what can the tool do, what can’t it, which data may go in, when must a human check?
A documented, role-based training concept is the usual route — and simply good management besides: the DIHK and Bitkom figures have shown for years that mid-market AI projects rarely fail on technology, but on nobody being able to work with it properly.
Your to-do list until August — five items, no mega-project
1. Build an AI inventory. Which AI systems are in use — official and unofficial (shadow AI)? No list, no compliance.
2. Clarify your role. For each system: are we a deployer or (accidentally) a provider? When in doubt, have it checked legally.
3. Implement transparency. Chatbot notice, labelling of AI images/videos, sign-off process for AI texts — by 2 August 2026.
4. Set up the training record. Document a role-based AI literacy concept — the duty has applied since February 2025.
5. Schedule the high-risk check, don’t dramatise it. If you use AI in HR decisions, credit scoring or similar: the obligations are coming (expected December 2027) — time for clean preparation instead of panic, but not for denial.
And a sixth item that needs no regulation: if you buy AI solutions from service providers, build the compliance questions into your provider selection — the five screening questions for any AI agency already cover data residency and responsibilities.
Sources and context
This piece is practical orientation, not legal advice. It is based on the AI Act (EU) 2024/1689 with its staged application schedule, the Article 50 transparency obligations including the fine range (up to €15m / 3% of global turnover), and public reporting on the “Digital Omnibus” agreement (agreement May 2026, European Parliament approval on 16 June 2026, formal Council adoption on 29 June 2026; postponement of the Annex III high-risk obligations to 2 December 2027, Annex I to 2028, machine-readable marking to December 2026). All information as of 4 July 2026 — at that time the Omnibus changes had not yet been published in the EU Official Journal; until publication the original deadlines formally apply. Assessments and prioritisation are Digital Maker’s view.
FAQ: the EU AI Act in the mid-market
What applies from 2 August 2026 under the EU AI Act?
From 2 August 2026 the transparency obligations under Article 50 apply: anyone operating a chatbot must inform users they are interacting with AI; AI-generated or manipulated images, audio and video (deepfakes) must be labelled; the same goes for published AI texts on matters of public interest. The big high-risk obligations (Annex III) were originally due on the same date but have been postponed to December 2027 via the “Digital Omnibus”.
Has the EU AI Act been postponed?
Partially — and that is exactly what causes the confusion. The “Digital Omnibus” (agreement May 2026, European Parliament approval on 16 June 2026, formal Council adoption on 29 June 2026) postpones the obligations for standalone high-risk systems (Annex III) to 2 December 2027 and for product-embedded high-risk AI (Annex I) to August 2028. NOT postponed are the transparency obligations under Article 50 — they apply from 2 August 2026. Also, as of early July 2026 the Omnibus had not yet been published in the EU Official Journal; until then the old deadlines formally remain in force.
Does the EU AI Act also apply to small and medium-sized companies?
Yes. There is no general SME exemption — only individual reliefs. The good news: most mid-sized companies are “deployers” (users) of AI, not “providers” — and deployer obligations are considerably leaner. However, anyone who substantially modifies an AI system or offers one under their own name can slip into the stricter provider obligations. This classification should be done properly once.
What is the AI literacy obligation under Article 4?
Article 4 has obliged companies since 2 February 2025 to ensure sufficient AI literacy among all staff working with AI systems. So this duty has long applied — it just gets overlooked because everyone is staring at August 2026. A documented, role-based training concept is the usual way to meet it.
What penalties apply for breaching the transparency obligations?
Breaches of the Article 50 transparency obligations can be fined up to 15 million euros or 3 percent of global annual turnover — whichever is higher. The prohibited practices carry even higher ranges. Realistically no supervisory authority starts at the maximum — but “we didn’t know” is no longer a defence from August 2026.