If you're building SaaS products with EU customers, or deploying any kind of ML model that touches hiring, credit, health, or infrastructure — the EU AI Act is your problem. Even if you're based in the US. Even if you've never set foot in Europe.
Here's the current state of play, because it changed significantly on May 7, 2026.
What was supposed to happen on August 2, 2026
The EU AI Act's Annex III high-risk obligations were set to go live on August 2, 2026. That means any AI system used in employment decisions, credit scoring, education access, critical infrastructure, law enforcement, or migration processing would need to comply with a full set of requirements:
- Technical documentation (Annex IV)
- Conformity assessment
- EU database registration
- Human oversight mechanisms
- Post-market monitoring
Non-compliance fines: up to €15M or 3% of global annual turnover. For prohibited AI systems (social scoring, real-time biometric surveillance): €35M or 7% of global turnover. These are calculated on worldwide revenue — not just EU revenue.
What changed on May 7, 2026
The EU reached a provisional agreement under the Digital Omnibus package. The headline: Annex III high-risk AI obligations pushed from August 2, 2026 → December 2, 2027. AI in regulated products (medical devices, vehicles): pushed to August 2, 2028.
What did NOT move:
| Obligation | Status |
|---|---|
| Prohibited AI bans (Feb 2025) | Already enforced ✅ |
| GPAI/LLM transparency (Aug 2025) | Already enforced ✅ |
| High-risk Annex III obligations | Provisionally → Dec 2027 |
| Agreement finalization | NOT yet law ⚠️ |
That last row matters. It's a political agreement, not enacted legislation. If the trialogue process stalls before August 2, the original date stands.
Does this apply to your product?
The EU AI Act has extraterritorial scope — identical in design to GDPR. If any of these are true, you're in scope:
Top comments (0)