June 8, 2026

EU AI Act high-risk obligations: the 2026 timeline

If you sell an AI-enabled product into the EU, the deadline you have been planning against has shifted. The 2 August 2026 date for EU AI Act high-risk obligations is being deferred under the EU's Digital Omnibus, and the new dates are not yet settled. That leaves product and compliance leaders in an awkward position: the work has not gone away, but the clock you set it against is no longer fixed. The sensible response is to plan against a moving date, and to use the extra runway to get the governance groundwork in place.

Where the EU AI Act high-risk timeline actually stands in June 2026

The original phasing under Regulation (EU) 2024/1689 set high-risk obligations under Annex III to apply from 2 August 2026. That date is being moved.

On 19 November 2025 the European Commission published its Digital Omnibus on AI, a package intended to reschedule and simplify parts of the Act's application. A provisional trilogue agreement reached on 7 May 2026 (European Parliament press release 20260427IPR42011) would push stand-alone Annex III high-risk systems to December 2027, and product safety-component systems under Annex I to August 2028.

As of June 2026 this is provisional. It is not formally adopted, not in the Official Journal, and not in force. The Council's Committee of Permanent Representatives endorsed the agreement on 13 May 2026, but the European Parliament plenary vote and final Council adoption are still pending, with the institutions intending to conclude before the original 2 August 2026 trigger. The EP Legislative Train Schedule entry "Digital Omnibus on AI" tracks the live status.

The practical reading: do not write the December 2027 or August 2028 dates into a board paper as fixed law. Treat them as the likely direction, confirm at the point of decision, and plan the underlying work now.

What the Digital Omnibus changes, and what it does not

The Digital Omnibus reschedules application dates for high-risk systems and simplifies some obligations. It does not repeal the Act, and it does not pause the parts already in effect.

Two sets of duties are unaffected. Prohibited AI practices have applied since 2 February 2025. Rules for general-purpose AI models and the Act's governance provisions have applied since 2 August 2025. Neither is touched by the Omnibus.

The Act is being rescheduled in one part rather than rolled back. For anyone building or deploying a system that will fall into the high-risk category, the obligations are still coming, and the change buys time to prepare rather than grounds to stop.

Who the EU AI Act high-risk rules catch: providers, deployers and UK companies

The Act draws a line between two roles, and the obligations differ for each.

A provider develops an AI system and places it on the EU market, or puts it into service under its own name. A deployer uses an AI system under its own authority in the course of its activity. The same organisation can be a provider of one system and a deployer of another. Most of the heavy high-risk obligations fall on providers; deployers carry their own duties, including using the system in line with the instructions for use and maintaining human oversight.

For UK companies, the reach matters. The Act applies to providers that place AI systems on the EU market regardless of where they are established, and to providers or deployers whose system output is used in the EU. A British software company selling an AI-enabled product to EU customers, or whose model outputs are consumed in the EU, can be in scope even with no EU office.

One point to keep clean. A non-EU provider of a high-risk system must appoint an authorised representative in the EU under Article 22 of the AI Act. This is a distinct role from the representative a non-EU controller appoints under Article 27 of the UK or EU GDPR. They serve different regimes and should not be treated as the same appointment.

The EU AI Act high-risk obligations, and where your existing evidence already reaches

High-risk systems carry a defined set of obligations under Articles 9 to 17 of the AI Act: a risk-management system, data governance, technical documentation, logging, transparency to deployers, human oversight, accuracy and cybersecurity, and an overarching quality-management system.

If you already run a certified ISO 27001 information security management system and keep clean UK or EU GDPR records, you are not starting from zero. A good deal of the governance scaffolding those obligations expect is the same scaffolding a mature ISMS and a well-kept record of processing already produce. The table below maps where the overlap sits, and is honest about the gaps an ISMS does not close.

| AI Act high-risk obligation | What an ISO 27001 ISMS / GDPR records already partially evidence | AI-specific gap not covered |
|---|---|---|
| Risk management (Art 9) | ISO 27001 risk assessment, treatment methodology and risk register | Risks to health, safety and fundamental rights across the AI lifecycle |
| Data governance (Art 10) | GDPR records of processing, lawful basis, data-quality and minimisation controls | Training, validation and testing dataset governance, bias examination |
| Technical documentation (Art 11) | ISO 27001 Statement of Applicability, asset and control documentation | The Annex IV technical file specific to the AI system |
| Record-keeping (Art 12) | ISO 27001 logging and monitoring controls | Automatic event logging over the system's lifetime for traceability |
| Transparency to deployers (Art 13) | Existing data-protection transparency notices | Instructions for use that let the deployer meet its own duties |
| Human oversight (Art 14) | Access control and segregation-of-duties patterns | Oversight measures designed into the AI system itself |
| Accuracy and cybersecurity (Art 15) | ISO 27001 Annex A technical controls, vulnerability management | Model accuracy and robustness metrics, resilience to adversarial attack |
| Quality management (Art 17) | ISO 27001 or ISO 9001 management-system structure | An AI-specific QMS spanning the obligations above |

The point is reusability. The evidence you collect for ISO 27001 and GDPR is not single-use; it carries into the AI governance conversation. The AI-specific work (dataset governance, model robustness testing, the Annex IV technical file) sits on top of that base and still has to be done.

Why an ISO 27001 ISMS and clean GDPR records are the right groundwork

A moving deadline is a planning advantage if you use it. The lowest-regret move is to get the framework-level governance in order first, because it pays off whatever the final AI Act dates turn out to be and whatever else lands on the regulatory agenda.

For the person on the other side of an enterprise procurement, this is what good looks like in practice. Their security team asks for your ISO 27001 certificate and your records of processing. You hand over current, evidenced documentation rather than scrambling to reconstruct it. When the AI-specific questions come, you build on a clean base instead of starting the whole governance story from scratch under time pressure. That is the difference between the moving deadline being runway and it being a problem deferred.

How a single compliance platform helps with the groundwork

This is where it is worth being precise about scope. The Naq platform automates ISO 27001, UK and EU GDPR, and Cyber Essentials from a single dashboard. Controls are mapped across those frameworks, so one piece of evidence satisfies requirements in more than one place at once, rather than being collected several times over.

That is the substrate, not AI Act compliance. Naq does not offer an EU AI Act module or an ISO 42001 module. What it does is keep the ISO 27001 and GDPR evidence base current and reusable, which is the part of the high-risk groundwork that already exists today and does not have to wait for the Omnibus to settle.

Where you need named expert sign-off on the data-protection side, Naq's virtual DPOs sit alongside the platform. Naq also operates a Netherlands entity that can act as a GDPR Article 27 representative, which is a separate matter from the AI Act Article 22 representative role described above.

To see how your ISO 27001 and GDPR evidence maps across your existing tooling and frameworks, book a 15-minute demo.

For the related cross-sector duty taking effect this month, see our piece on the new data protection complaints process. For procurement-driven security work, see our guide to ISO 27001 for suppliers.

Frequently asked questions

When do EU AI Act high-risk obligations apply?

Originally 2 August 2026. Under the Digital Omnibus, a provisional agreement reached in May 2026 would move stand-alone high-risk systems to December 2027 and product safety-component systems to August 2028. As of June 2026 the change is provisional and not yet adopted, so plan against a moving date and confirm the status at the point of decision.

Does the EU AI Act apply to UK companies?

It can. Providers that place AI systems on the EU market, and providers or deployers whose system output is used in the EU, are caught regardless of where they are established. A UK company selling AI-enabled products into the EU can be in scope with no EU office.

Does Naq offer an EU AI Act module?

No. Naq does not cover the EU AI Act or ISO 42001. An ISO 27001 information security management system and clean UK or EU GDPR records evidence part of the governance ground that high-risk AI work builds on, and Naq automates those frameworks from one dashboard.

Has the EU AI Act been paused?

No. Prohibited practices have applied since February 2025 and general-purpose AI rules since August 2025. The Digital Omnibus reschedules high-risk application dates and simplifies some obligations; it does not pause or repeal the Act.

Written by
The Naq Team