EU AI Act 2026: New Deadlines, New Obligations — What SMEs Need to Know Now

The Clock Is Ticking Differently Than Expected

August 2, 2026 was supposed to be the day obligations for high-risk AI systems under Annex III would take effect: risk management, technical documentation, conformity assessment, CE marking, and registration in the EU database. August 2, 2026 is less than two months away.

But on May 7, 2026, negotiators from the Council, Parliament, and Commission reached agreement on the Digital Omnibus on AI, the first amendment package to the AI Act since its adoption in June 2024. The core message for SMEs: the deadlines have been extended, the obligations remain.

This buys time, but should not be mistaken for an all-clear. Anyone deploying or developing AI systems needs to understand the new timeline and prioritize preparations now.

The New Deadlines at a Glance

The postponements follow a two-tiered model:

Annex III high-risk AI systems — use-based systems in sensitive areas such as HR management, creditworthiness assessment, or critical infrastructure: obligations are postponed from August 2, 2026 to December 2, 2027, a 16-month extension.

Annex I high-risk AI systems — product-regulated systems in machinery, lifts, and medical devices: instead of August 2027, now August 2028, an additional year.

Transparency obligations under Article 50(2), the labeling of AI-generated content: for systems placed on the market before August 2, 2026, the obligation is deferred to December 2, 2026. Systems placed on the market after that date must be labeled from day one.

National AI regulatory sandboxes: member states now have until August 2027 instead of August 2026.

The delays reflect the practical challenges of operationalization. Standards bodies such as CEN-CENELEC need more time for standards, conformity assessment bodies must be established, and companies simply lack the resources.

New Prohibitions from December 2026

Beyond the deadline extensions, the Digital Omnibus introduces two new prohibitions supplementing Article 5 of the AI Act: the generation of non-consensual intimate imagery and child sexual abuse material using AI. These prohibitions take effect on December 2, 2026.

Relevant for companies is the differentiation: providers are liable if generating such content is the intended purpose or a reasonably foreseeable and reproducible outcome without effective safety measures. Deployers are only liable if they use systems specifically for these purposes, including circumventing safety measures.

What the AI Act Concretely Means for SMEs

Most mid-sized companies are neither providers of GPAI models nor operators of high-risk AI in critical infrastructure. Nevertheless, the AI Act affects them, often indirectly:

Transparency obligation: anyone publishing AI-generated content — texts, images, audio — must label it as artificially generated or manipulated. This affects marketing departments, content teams, and external communications.

Deployer obligations: anyone using an AI system falling under the AI Act must operate it in accordance with the provider's instructions, provide trained personnel for human oversight, and report incidents. Few companies today have a process for AI incident reporting.

Documentation: the AI Act demands traceability. Companies must document which AI systems they use, for what purpose, and with what data — a requirement currently unmet in most SMEs.

AI literacy: Article 4 requires that staff operating AI systems possess sufficient AI literacy. This is not a technical but an organizational obligation with documentation requirements.

Human-in-the-Loop as a Compliance Strategy

A central principle of the AI Act is human oversight of high-risk AI systems, Article 14. The natural person must have the ability to monitor, interpret, override, or shut down the system.

This aligns with the Human-in-the-Loop principle that centerbit has championed since its founding: AI agents operate within defined boundaries; critical decisions remain with humans. What is a new regulatory requirement for many companies is already an architectural principle for HITL-based systems.

The question is not whether companies use AI. It is whether they can demonstrate that a human makes the final decision where it matters legally or ethically.

Three Steps for the Next 12 Months

First: inventory. Which AI systems are currently in use in the company, internally and externally? Who operates them, with what data, for what purpose? Most companies do not fully know this, and that is precisely where the risk lies.

Second: establish AI governance. A central unit or person that documents AI use, conducts risk assessments, and serves as the point of contact for supervisory authorities. This does not have to be a full-time job, but there must be clear accountability.

Third: implement HITL structures. For every AI system, define where the boundary lies between automation and human decision-making. This is not only required by regulation but also makes business sense — no one wants an unchecked AI creating legally binding documents or making customer decisions.

Conclusion

The Digital Omnibus of May 2026 is a breather, not a repeal. The deadlines have been extended, the obligations refined. Companies that begin inventory and governance now will reach the new deadlines without haste. Those waiting until the supervisory authority asks for documentation are acting negligently.