EU AI Act: a report that hides imminent obligations
A report that only concerns part of the obligations
May 7, 2026, marked a turning point for European companies involved in the development and use of artificial intelligence. On that day, the European Council and Parliament reached a provisional agreement on the Digital Omnibus on AI, postponing certain obligations from Annex III of the AI Act. Initially scheduled for August 2, 2026, these obligations will only be fully applicable on December 2, 2027. However, this extension only pertains to a portion of the regulatory requirements, leading to costly misunderstandings among AI officials.
While the press has described this decision as a reprieve, it is, in fact, a partial postponement. The obligations that remain in effect starting August 2, 2026, cover a wide range of technologies used daily, such as chatbots, AI agents, co-pilots, generative AI tools, and biometric systems. Companies must therefore be prepared to comply with these imminent requirements.
The obligations that are actually postponed
The trilogue agreement, pending formal adoption and publication in the EU Official Journal, includes two main postponements. First, the full application of obligations for AI systems classified as high-risk under Annex III is postponed from August 2, 2026, to December 2, 2027. Additionally, high-risk systems integrated into products covered by sectoral legislation in Annex I will see their deadline shift from August 2, 2027, to August 2, 2028.
Secondly, the obligations for labeling and detecting synthetic content outlined in Article 50(2) of the AI Act are also affected. Although the general application date remains August 2, 2026, providers of generative AI systems already in operation before this date will benefit from a transitional period of four months, until December 2, 2026, to comply. This timeframe is shorter than the six months initially proposed by the Commission and the Council, and well below the twelve months requested by the industry.
What remains unchanged
Despite the partial postponement, a significant portion of the obligations of the AI Act remains unchanged and takes effect on August 2, 2026. The prohibited practices defined in Article 5 have been in effect since February 2, 2025. These practices include subliminal manipulation, social scoring, and untargeted biometric scraping. Sanctions for non-compliance can reach up to 35 million euros or 7% of global revenue.
Furthermore, the transparency obligations of Article 50(1), (3), and (4) remain applicable without postponement. Chatbots and AI agents must declare themselves as such, and emotion recognition and biometric categorization systems must inform the individuals concerned. Deployers of deepfakes and AI-generated content on public interest topics must also label this content. The Guidelines from the Commission, published on July 29, 2025, are clear on these points, with sanctions reaching up to 15 million euros or 3% of global revenue.
Finally, the GDPR obligations of Article 35 regarding prior impact assessments for high-risk AI processing have been in effect since 2018. The CNIL has announced that it is preparing to become the supervisory authority for the AI Act, in addition to its GDPR role, with cross-checks planned for this year.
Managerial pitfalls to avoid
In light of the Omnibus, three misconceptions are circulating among French AI committees, two of which represent major strategic errors.
The first pitfall is the perception of a "reprieve." Many believe they have an additional 18 months and are postponing actions until the end of 2026. However, this interpretation only concerns Annex III, which represents only a fraction of the obligations. Chatbots, AI agents, GenAI tools, and biometric systems fall under Article 50 and are not subject to the postponement.
The second pitfall is inaction, where companies wait for the official publication in the Official Journal to confirm the postponement before taking action. While legally understandable, this approach is risky. The trilogue text still needs to be reviewed, translated, formally adopted, and published, which could take several months. In the meantime, the initial timeline remains applicable, and an organization checked on August 3, 2026, will not be able to invoke an unpublished political agreement.
The third pitfall is entrusting compliance to the CTO without an AI committee. This is common in scale-ups and mid-sized enterprises, where the CTO ends up alone managing a complex dossier that intertwines technical, legal, GDPR, data governance, and civil liability aspects. The AI Act explicitly requires integrated internal governance, and a technical decision isolated from the DPO could lead to GDPR non-compliance detected by the CNIL during a cross-check.
Three crucial decisions to make before August 2026
To avoid these pitfalls, French AI committees should make three structuring decisions in the next twelve weeks.
First, they must formally compose a multidisciplinary AI committee, including the DPO, CISO, legal counsel, a management representative, and possibly a Chief AI Officer. This committee should meet at least quarterly and have a written mandate, in line with the explicit expectations of the AI Act.
Second, it is crucial to finalize the inventory of AI systems outside Annex III but under Article 50. Customer support chatbots, commercial co-pilots, GenAI marketing tools, meeting transcribers, and internal agents must be inventoried for proper classification. Without an inventory, no disclosure strategy is possible, exposing the company to checks starting August 2.
Third, companies must publish a corporate AI policy aligned with Article 4 of the regulation. This policy, which is also a control under the ISO 42001 standard, must formalize the permitted and prohibited uses, roles, and training plan. Without this written framework, defense in the event of a check is impossible. It is therefore essential that this policy be published, dated, and signed by management.
A shift, not a suspension
The most common mistake among French AI committees is to view the postponement as an opportunity to buy time. In reality, the timeline offers a chance to calmly structure compliance. Organizations that have formally composed their AI committee, finalized their inventory, and published their AI policy by August 2, 2026, will be better prepared for the future. Those that ignore these steps will find their compliance stack collapsing during the first cross-check by the CNIL.
The Digital Omnibus of May 7 never meant "you can wait," but rather "focus your compliance on what is applicable now." It is a shift in priorities, not a suspension of obligations.
In twelve weeks, the scope of Articles 50, 4, 5, as well as the entire cross-cutting GDPR framework, will come fully into effect. The question is no longer whether you will be checked, but whether your AI committee will have been constituted and what documents it will be able to present on the morning of August 3.