AI Act 2026: Europe Pushed Almost Everything to 2027. Except the Rules That Hit in August

Cesare Tinaglia
European Parliament

Everyone is tearing their hair out over the AI Act. Then the update package of 16 June 2026 lands, and you discover that most of the toughest obligations have slipped to 2027. The panic, for the most part, was noise. But there is one real deadline, and it is right around the corner: 2 August 2026. And it affects anyone running a chatbot, a content generator or a deepfake on their site.

In 2024 the European Union approved the world's first legislation on artificial intelligence, yet it is still very much under discussion, especially after the major update package, the so-called Digital Omnibus, approved by the European Parliament on 16 June.

What Is the AI Act?

The AI Act (Artificial Intelligence Act) is legislation that regulates the development, market placement and use of AI systems within the European Union, applying rules proportionate to the risk they represent: the more dangerous a system, the stricter the obligations it is subject to.

What Rules Apply to the AI Industry?

The legislation takes a risk-based approach, introducing a pyramidal classification of four levels that calibrates the strictness of the rules in direct proportion to the severity of the potential social, economic and individual harms each application can generate.

Unacceptable Risk

At the top sit systems of unacceptable risk, for which there is an absolute ban on commercialisation and use. This category includes mass surveillance technologies, real-time remote biometric recognition in public spaces, indiscriminate image scraping and systems of psychological and behavioural manipulation, with minimal exceptions reserved exclusively for law enforcement subject to prior judicial authorisation.

The Digital Omnibus itself widened this list with a heavy new ban: AI systems designed to generate non-consensual sexually explicit material or child sexual abuse material (such as so-called "undressing apps") are now banned outright. A clear signal: Europe is easing the timelines on bureaucracy, but not on its red lines.

High Risk

High-risk systems, used in sensitive sectors such as critical infrastructure, healthcare, justice, education, border control and personnel management, are permitted but subject to strict compliance requirements. Providers must implement continuous risk management, ensure rigorous data governance to eliminate discriminatory bias, maintain up-to-date technical documentation and guarantee effective human oversight.

The Digital Omnibus, approved on 16 June, postponed the deadlines for this category: obligations for standalone systems slip from 2 August 2026 to 2 December 2027, while those for systems integrated into already-regulated products, such as medical devices or industrial machinery, move to 2 August 2028.

Limited Risk: The Deadline That Did NOT Slip

For limited-risk systems, such as chatbots and deepfake generators, the AI Act imposes specific transparency obligations: users have the right to know that they are interacting with an AI system or that the content they are viewing has been manipulated.

On this front, unlike high-risk systems, the Digital Omnibus granted no postponement. From 2 August 2026, all AI-generated content intended for the public must be labelled with a machine-readable marking, deepfakes must carry a visible label, and chatbots must explicitly declare their artificial nature.

Translated for anyone running a website or an application: if you have a virtual assistant, AI-generated images or automatically produced text aimed at the public, you have a few weeks to get compliant. This is the only genuinely imminent deadline, and it does not concern only the tech giants.

Finally, the vast majority of software currently in use falls into the minimal or no-risk category, remaining exempt from additional regulatory constraints.

General Purpose Models (GPAI)

A specific regime is also dedicated to general-purpose AI models (GPAI), subject to copyright transparency requirements and to the publication of summaries of their training data, with reinforced controls for models with high computational power.

Why It Benefits GDPR and Data Security

Contrary to what one might think, the GDPR and the AI Act are not in competition: they operate on different planes and complement each other. The GDPR, in force since 2018, protects privacy and personal data. The AI Act goes further: it regulates the systems that process that data, addressing risks the GDPR alone was not equipped to handle.

The clearest case is that of algorithmic bias. The AI Act allows the processing of special categories of data, such as sensitive data, to the extent necessary to detect and correct distortions in high-risk AI systems, provided precise measures are adopted: pseudonymisation, access control and deletion of the data as soon as the bias has been corrected. It is a concrete step forward in the fight against algorithmic discrimination, an area where the GDPR had no tools.

On the cybersecurity front, the most significant innovation comes from the Digital Omnibus. A single European entry point has been created for all notifications relating to data processing, vulnerabilities and cyber events, unifying GDPR, NIS, DORA and other sector-specific frameworks into a coherent system. Previously, these reports travelled on separate and often disconnected tracks, making it harder to respond quickly to incidents.

The combination of the GDPR and the AI Act is today the most advanced attempt globally to balance technological innovation with the protection of fundamental rights. They are two regulations born at different moments that together shape a uniquely European model.

What Changes for Italian Professionals?

The AI Act does not concern only large tech companies: it also reaches professional practices. On 10 June 2026, the Italian Council of Ministers gave preliminary approval to two draft legislative decrees implementing the AI Act in Italy, in execution of the delegation contained in Law 132/2025, introducing the obligation to include specific modules dedicated to artificial intelligence in initial and continuing training programmes.

The required content is structured on two levels. On the practical level, professionals must acquire knowledge of how AI systems work in their sector, of model-querying techniques and of the limits of the available tools. On the theoretical level, the training must cover European and national AI legislation, the professional's responsibilities in using these tools, disclosure obligations toward clients and employees, and the principle of the primacy of human critical thinking over AI-generated output.

In practice, AI training will become part of each member's mandatory credit requirement. National professional bodies will have six months from the decree's entry into force to define the content, methods and frequency of these programmes, adapting their internal regulations accordingly.

The Risks of the AI Act

An ambitious piece of legislation like the AI Act inevitably introduces a series of challenges and potential drawbacks. The complexity of the rules carries structural tensions between the need to protect rights and the reality of technological development.

The main risk concerns competitiveness and innovation. The heavy compliance burden required for high-risk systems (data governance, detailed documentation, prior certifications) could translate into a serious competitive disadvantage for European companies compared to American or Chinese ones, which operate in more flexible regulatory environments. Although the act provides safeguards for startups and SMEs, the legal and operational costs of compliance risk discouraging research or pushing talent and capital out of the European Union.

There is also the risk of uneven application: the differing technical capabilities, financial resources and political sensitivities of the various member states could lead to divergent interpretations and controls within the same European market. The extraterritorial effect of the rules, on the other hand, is a double-edged sword: anyone wanting to sell in Europe will have to comply, but this could also push some operators to exclude themselves from the EU market rather than bear the cost of compliance.

The artificial intelligence landscape evolves at exponential speed. The AI Act, however remarkable as a regulatory effort, is still an imperfect instrument, like almost all laws that try to govern rapidly evolving phenomena. But it raises a question that goes well beyond the appetite for technological progress: who decides how artificial intelligence develops, and according to which values?

The European answer is clear: the fundamental rights of people come before technological efficiency. It is a legitimate position, and in many ways a courageous one. The AI Act is necessary today, but the real test is not writing the law; it is keeping it in step with an industry that changes every day.

In Short: What You Need to Do Now

Cutting through the noise, the picture for anyone running a website or an application is simple:

  • 2 August 2026 (imminent): chatbots, deepfakes and AI-generated content aimed at the public must be labelled and declared. This deadline has not slipped.
  • 2 December 2027: obligations kick in for standalone high-risk systems.
  • 2 August 2028: obligations for high-risk systems integrated into already-regulated products.

The postponement is not permission to wait. Software built well from the start, with traceable data, security by design and a clean separation between frontend and backend, arrives ready for these deadlines without having to apply costly patches at the last minute. Badly built software, or software running on a generic template, finds itself exposed.

Running a chatbot, AI-generated content or an application that handles sensitive data?

From 2 August the rules change. At M's Works we don't wait for the deadline to scramble: we build software that is compliant by design, with modern architectures that separate data, reduce the attack surface and are aligned with GDPR and the AI Act from day one. No patches applied afterwards, no recurring dependencies.