EU AI Act High-Risk Deadline Delayed to 2027: What It Means for You

by Tilal Husain
-
7 minutes read
-
July 1, 2026
Compliance and governance controls for high-risk AI systems under the EU AI Act

The deadline moved, but only by sixteen months

For most of the last two years, teams building AI features aimed at a single date: August 2, 2026, when the EU AI Act’s obligations for high-risk AI systems were due to take effect. That date has now moved.

Following the EU’s Digital Omnibus simplification package, the European Parliament gave its formal approval on June 16, 2026, and the Council of the EU gave final sign-off on June 29, 2026. The new application dates are December 2, 2027 for stand-alone high-risk AI systems and August 2, 2028 for high-risk AI embedded in regulated products. A separate obligation, watermarking AI-generated content, was pushed to December 2, 2026. The act still enters into force once published in the EU’s official journal, but the direction is settled: this is a real delay, not a rumor.

What did not change

It is worth being precise here, because “the AI Act got delayed” is an easy headline to over-read.

The ban on prohibited AI practices — things like social scoring and manipulative or exploitative systems — has applied since February 2025 and is unaffected. Transparency obligations for general-purpose AI models have applied since August 2025 and are also unaffected. What moved is the structural compliance regime for high-risk systems: conformity assessments, risk management, data governance, logging, and human oversight for AI used in things like hiring, credit decisions, biometric identification, education access, and critical infrastructure. That regime now has a longer runway, not a cancelled one.

Why the extra time is easy to waste

Sixteen months feels generous when a deadline is fresh. It rarely feels generous eighteen months later, once other priorities have filled the calendar and December 2027 is suddenly next quarter.

The teams that end up compliant on time are the ones that treat this as a scheduling win, not a scope change. If your product already touches hiring decisions, lending, insurance pricing, biometric verification, or safety-relevant recommendations, the honest read is that you were going to need this work eventually — the delay just moved it off the critical path for a year, which is exactly the kind of runway that is easy to spend on everything except the thing it was meant for.

What counts as high-risk, in practice

The AI Act’s high-risk category is broader than most teams assume. It is not limited to obviously sensitive domains — it covers AI used to make or materially influence decisions about people, including:
  • Recruitment, hiring, and employee performance evaluation
  • Creditworthiness and insurance risk scoring
  • Biometric identification and categorization
  • Access to education, public benefits, or essential services
  • Safety components in regulated products (machinery, medical devices, vehicles)
Products that score credit risk or underwrite insurance sit squarely in this category — we covered the model-risk side of that in our piece on AI for credit risk. If any part of your roadmap touches these areas, the classification question is worth answering now, while there is time to design around the answer rather than react to it.

How Innvente can help

Innvente builds AI features for regulated and people-facing decisions — credit, hiring, and operational risk among them — with the governance, logging, and human-oversight controls this regime expects, whether the deadline is next quarter or 2027.

Explore our AI and intelligent systems work, read how we approach securing AI features without data sprawl, or book a free software project audit to get a plain-language read on whether your AI features are high-risk under the Act and what a realistic compliance timeline looks like.

AI Act readiness checklist

  • Inventory every AI feature and score it against the high-risk categories above.
  • Map your role — provider or deployer — for each AI system and vendor you use.
  • Review vendor contracts for unclear or missing compliance commitments.
  • Confirm prohibited-practice and GPAI transparency obligations are already met — those dates already passed.
  • Start risk management, data governance, and logging now, even for a 2027 deadline.
  • Set an internal milestone well before December 2027 — do not plan to the regulatory date itself.

Written By
Tilal Husain

Share on :

7 minutes read - July 1, 2026