TechReaderDaily.com
TechReaderDaily
Live
Policy · EU Tech Regulation

EU AI Act Implementing-Act Calendar Reset After Council Approval

With the Council's final green light on 2 July, the AI Act's compliance timeline has been rewritten, with Article 50 transparency obligations still hitting in August but the high-risk regime now a 2027 concern.

A wide banner image showing the official EU AI Act cover page with the European Union flag and regulatory text layout. artificialintelligenceact.eu

On 2 July 2026 the Council of the European Union gave its final approval to a targeted package of amendments to Regulation (EU) 2024/1689, the EU AI Act, closing a legislative scramble that began in earnest when a marathon trilogue collapsed in the early hours of 30 April. The Council's sign-off, reported by JD Supra as the decisive procedural endpoint, arrives exactly one month before the Act's Article 50 transparency obligations become enforceable on 2 August and seven weeks after the Parliament and Council struck their provisional compromise on 7 May. The calendar has shifted, but the compliance obligations have not vanished; they have been redistributed across a longer runway, and the runway now has distinct lanes.

The amendments, which originated in the Commission's omnibus simplification initiative earlier this spring, accomplish three things simultaneously. They push the compliance deadline for high-risk AI systems in Annex III, the category that captures hiring algorithms, healthcare triage tools, and educational assessment platforms, from August 2026 to December 2027, a 16-month extension. They write into the legislative text an outright prohibition on so-called nudification applications, the AI tools that generate non-consensual intimate imagery, with effect from December 2026. And they lighten documentation requirements for small and medium-sized enterprises, a concession to member states that had argued the original text would throttle Europe's AI startup ecosystem before it could mature.

The path to the 7 May provisional agreement was anything but smooth. Two trilogue sessions failed before the breakthrough. The first collapse, on 29 April, ran for twelve hours without resolution, as The Next Web reported, exposing a fault line between the Parliament's left-leaning rapporteur teams, who wanted to preserve the original Act's rigorous protections, and the Council's member-state delegations, who had been instructed by their capitals to secure as much flexibility as possible. The central sticking point was whether high-risk AI systems embedded in consumer products, a diagnostic feature inside a smartwatch, a real-time translation layer in a messaging app, should receive the same treatment as standalone high-risk applications. The Parliament held that they should; several large member states disagreed.

What broke the deadlock, according to the Commission's readout of the 7 May compromise, was a tiered approach. High-risk systems that are integrated into consumer hardware will benefit from a lighter conformity-assessment pathway, provided the AI component is not the product's primary function, while standalone high-risk applications face the full regime. The distinction will be policed by the Commission's forthcoming implementing act on high-risk classification, a document that has been circulating in draft since late May and that the Commission's Artificial Intelligence Board was expected to debate at its 18 June plenary. That implementing act, once adopted, will carry the binding force of the regulation itself.

The procedural calendar matters because the AI Act is not a single compliance event. It is a staggered architecture, and the amendments have reshuffled the stagger. Article 50, which requires any business deploying a chatbot, a deepfake generator, or an AI system that produces or manipulates text, audio, or visual content to disclose that fact to users, comes into force on 2 August 2026 regardless of the omnibus amendments. The Commission published a voluntary Code of Practice on AI-generated content labelling in mid-June, and the signatory window for that code closes on 22 July, as Tech Times reported. The Code of Practice is not legally binding in itself, but signing it creates a presumption of conformity that national data protection authorities, who are the designated market surveillance bodies under the Act, will weigh heavily when enforcement begins.

The tension between the voluntary Code and the mandatory Article 50 obligations is the first real test of the Commission's enforcement philosophy under the AI Act. The Code of Practice was drafted by the AI Office inside DG CONNECT, working with a stakeholder working group that included industry representatives, civil-society organisations, and standardisation bodies. It specifies technical standards for watermarking AI-generated images using the C2PA provenance protocol, requires real-time disclosure when a user is interacting with a chatbot rather than a human, and mandates clear labelling on any synthetic audio or video content distributed within the Union. Companies that sign the Code by 22 July receive a grace period during which national authorities will prioritise guidance over penalties. Companies that do not sign will face the full enforcement apparatus from 2 August onward, with no transitional leniency.

The national data protection authorities, the DPAs, are the wildcard in this equation. Under the AI Act's governance architecture, each member state designates at least one national competent authority to oversee market surveillance, and most have chosen their existing DPA. That means the regulators who spent the last eight years building enforcement muscle under the General Data Protection Regulation will now add AI Act Article 50 to their remit. The Irish Data Protection Commission, which regulates the European headquarters of most large US technology platforms, has already published guidance on its website indicating that it will treat the 2 August deadline as a hard enforcement date and that it expects all entities within its jurisdiction to have disclosure mechanisms fully operational by that date. Other DPAs have been less forthcoming, and the unevenness of national preparation remains a significant source of anxiety for in-house counsel.

The implementing acts, the detailed technical rules that give the regulation its operational teeth, are the second act of this story, and they are only beginning to take shape. The Commission is required to adopt implementing acts covering, among other topics, the classification of high-risk AI systems under Annex III, the conformity assessment procedures for general-purpose AI models, the technical documentation requirements for providers, and the format of the public database of high-risk systems. The draft guidelines on high-risk classification, published by the Commission in draft form in early June, run to 47 pages and include a decision-tree methodology for determining whether a given AI application falls within the high-risk bucket. The draft is a consultation document, not a final text, and the consultation period closes in September.

The general-purpose AI model provisions, located in Articles 51 through 56 of the Act, present a separate implementing-act challenge. These articles impose obligations on providers of what the Act calls general-purpose AI models, the foundation models that underpin services like ChatGPT, Claude, and Gemini, including transparency requirements, risk management obligations, and a notification duty for models deemed to pose systemic risk. The Commission's AI Office is responsible for drafting the implementing act that will define the thresholds for systemic risk classification, and that draft is expected in the fourth quarter of 2026. Until it appears, the precise scope of the GPAI obligations remains provisional, and the model providers now operating in the European market are effectively building compliance infrastructure against a moving target.

The standards harmonisation process, conducted through the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC), is running in parallel and slightly behind the implementing-act calendar. The standardisation request from the Commission, the formal document instructing the standards bodies what to develop, was adopted in May 2025, and the resulting harmonised standards will provide the technical specifications that, if followed, create a presumption of conformity with the Act's essential requirements. The standards for AI risk management, data quality, and transparency are scheduled for delivery in mid-2027, but that timeline assumes no significant delays in the CEN-CENELEC Joint Technical Committee 21, which has a workload that now encompasses forty-seven distinct work items. Every missed deadline in the standards process pushes more companies into a position where they must demonstrate conformity through alternative means, which is more expensive and less certain.

The nudification-app prohibition, which the 7 May compromise wrote directly into the regulation, is significant less for its practical scope, the market for such applications, while odious, is not large, than for what it signals about the EU's willingness to amend the AI Act in response to public pressure. The ban was pushed by a coalition of MEPs led by the Renew Europe group and supported by consumer-protection NGOs that had been campaigning on the issue since 2024. The fact that an outright prohibition could be inserted into the text during an omnibus amendment process suggests that the Act is not the immovable object its architects originally imagined. Future amendment cycles, which will follow the Commission's scheduled review of the Act in 2028, could see further prohibitions added or scope adjustments made depending on how the technology evolves.

The Commission's Artificial Intelligence Board, established under Article 65 of the Act and composed of representatives from each member state, held its inaugural meeting in January 2026 and has since met monthly. Its role is advisory, but it is the forum in which member-state regulators coordinate their interpretation of the Act, and its minutes, which are published with a six-week lag, have become essential reading for anyone tracking the enforcement landscape. The Board's June meeting included a session on the Article 50 Code of Practice, a discussion of the draft high-risk classification guidelines, and a closed-door briefing from the Commission on its enforcement priorities for the first year. The minutes of that meeting are expected in the second week of August.

For in-house counsel at companies with significant European operations, the amended calendar creates a bifurcated workload. The Article 50 obligations demand immediate attention: chatbot disclosures, deepfake labelling, and AI-content watermarks must be live by 2 August, and the systems that support them must be auditable. The high-risk compliance obligations, by contrast, have been pushed to December 2027, which is simultaneously a generous extension and a dangerous invitation to postpone. The documentation requirements for high-risk systems are substantial, they include a risk management system, data governance documentation, technical documentation, record-keeping infrastructure, transparency provisions, and human oversight mechanisms, and building them takes longer than most organisations estimate. The 16-month extension buys time, but firms that treat it as a holiday will find themselves scrambling in the autumn of 2027.

The implementing act on conformity assessment for GPAI models, still in its pre-draft phase, is the next document the Commission's AI Office is expected to bring forward. Officials in DG CONNECT have indicated, in public presentations and stakeholder workshops, that the conformity assessment framework will borrow heavily from the New Legislative Framework that governs product safety in the single market, with a structure that relies on notified bodies, independent conformity assessment organisations accredited by member states, to verify compliance. The Commission has not yet published a call for notified bodies under the AI Act, and the process of accreditation typically takes twelve to eighteen months from the publication of the call. That means the notified-body ecosystem will not be fully operational until late 2027 at the earliest, which creates an awkward gap: high-risk obligations become enforceable in December 2027, but the bodies that are supposed to assess conformity may not be fully accredited by then.

The interplay between the AI Act and the GDPR remains unresolved in several important respects, and the implementing acts are unlikely to settle all of them. The European Data Protection Board (EDPB) issued an opinion in late 2025 on the relationship between the two frameworks, concluding that compliance with one does not automatically constitute compliance with the other, but the opinion left open the question of how the AI Act's transparency requirements interact with the GDPR's provisions on automated decision-making. A coordinated enforcement action by the DPAs, scheduled for the first quarter of 2027, is expected to test precisely this interface, and the outcomes will shape the compliance strategies of every company that uses AI to make decisions about individuals in the European Union.

The global policy export question, which has shadowed the AI Act since its adoption, is now entering a new phase. Brazil's AI regulatory framework, passed by the Senate in early 2026, borrows the EU's risk-tiered architecture but adopts a lighter touch on general-purpose models; Japan's AI guidelines remain voluntary but are under active legislative review; and the United States, still operating under a patchwork of executive orders and sectoral rules, is watching the EU's enforcement experience closely. The AI Act's implementing acts will function as a regulatory laboratory: other jurisdictions will observe what works, what breaks, and what imposes costs without commensurate benefits, and they will legislate accordingly. The implementing-act calendar is, in this sense, a global export calendar as well.

The next date on the file is 22 July, when the Article 50 Code of Practice closes for signatories. The date after that is 2 August, when Article 50 itself becomes enforceable and the first test of the Commission's enforcement posture begins. The high-risk classification guidelines will close their consultation period in September, and the GPAI implementing act is expected by the end of the year. The nudification-app prohibition enters force in December 2026. The high-risk compliance obligations take effect in December 2027, and the standards harmonisation process is scheduled to deliver its first tranche of harmonised standards in mid-2027. The calendar is longer than it was in April, but it is not empty. It is full, distributed, and approaching.

Read next

Progress 0% ≈ 10 min left
Subscribe Daily Brief

Get the Daily Brief
before your first meeting.

Five stories. Four minutes. Zero hot takes. Sent at 7:00 a.m. local time, every weekday.

No spam. Unsubscribe anytime · Privacy.