The Digital Omnibus proposal, currently in trilogue, would defer Annex III high-risk obligations from 2 August 2026 to 2 December 2027. We publish this desk to track what shifts and what does not. Four obligations remain mandatory regardless of Omnibus adoption: Article 5 prohibitions (already in force since 2 February 2025), Article 50 transparency duties for new systems, GPAI obligations under Chapter V, and the Product Liability Directive 2024/2853 transposition deadline of 9 December 2026. Our editorial firewall: every claim is anchored to a specific article, recital, or official institution text. No speculation is presented as settled law.
The Digital Omnibus proposal bifurcates the timeline. Some obligations remain fixed regardless of its adoption. Others shift by sixteen months if it passes. This section maps both scenarios, with each entry marked by status.
The European Parliament, Council, and Commission are scheduled to meet in trilogue on the Digital Omnibus package. The package includes a proposal to defer Annex III high-risk obligations from 2 August 2026 to 2 December 2027 for most deployers. No formal adoption is expected at this session; a political agreement, if reached, would still require formal votes in Parliament and Council before publication in the Official Journal.
Three obligation clusters apply on this date regardless of Omnibus adoption. Article 5 prohibition on unacceptable-risk AI practices (social scoring, real-time biometric surveillance in public spaces, subliminal manipulation) entered force 2 February 2025 but supervisory enforcement begins 2 August 2026. Article 50 transparency requirements for chatbot disclosure, synthetic content marking, emotion recognition disclosure, and deepfake labelling apply to systems first deployed after 2 August 2026. GPAI model obligations under Chapter V also begin. If Omnibus is not adopted, Annex III high-risk obligations under Article 26 also apply from this date.
Directive 2024/2853 is not part of the AI Act and is not affected by the Digital Omnibus. All 27 Member States must transpose it into national law by 9 December 2026. Once transposed, AI software becomes a product subject to strict liability, the rebuttable presumption of defect under Article 10 applies, and claimants gain the right to access evidence under Article 9. Cross-border deployers face this deadline in every jurisdiction where they operate.
SB 24-205, signed May 2024, applies to any developer or deployer of high-risk AI systems that interact with Colorado residents, regardless of where the entity is incorporated. The definition of high-risk substantially overlaps with EU AI Act Annex III categories. European companies with US users or US subsidiaries face a parallel obligation architecture from this date. No Omnibus equivalent exists; this deadline is fixed.
If the Digital Omnibus is adopted and published in the Official Journal before 2 August 2026, Annex III high-risk deployer obligations including Article 26 duties, the FRIA requirement under Article 27, and Article 9 risk management systems would apply from 2 December 2027 instead of 2 August 2026. A further carve-out in the Omnibus proposal would push Annex I embedded-system high-risk obligations to 2 August 2028. If the Omnibus is not adopted in time, the original 2 August 2026 deadline remains legally binding. Compliance preparation should proceed on the basis of the confirmed deadline.
The EU Omnibus proposes moving Annex III high-risk obligations from 2 August 2026 to 2 December 2027. Trilogue negotiations opened in April 2026. No political agreement yet. Our provision-by-provision tracker tells you exactly where each deadline stands today.
Open the Omnibus Tracker →Long form pieces on Article 26, the Revised Product Liability Directive, and the documentation operators need to hold on file when the provisions enter application.
EU AI Act Article 3 definitions explained: provider, deployer, operator, GPAI model, systemic risk. Which category you fall into determines every obligation you carry.
Most professional indemnity, E&O, and cyber policies do not clearly cover AI mistakes, and exclusions are being added at 2026 renewals. What to check in your policy, plus the affirmative AI coverage trend (Counterpart, Coalition).
Article 25 of Regulation (EU) 2024/1689 explains when a deployer or distributor becomes a provider. Covers substantial modification, rebranding, contractual duties, and liability allocation across the AI value chain.
Article 4 of Regulation (EU) 2024/1689 requires deployers to ensure AI literacy for all staff using AI. Already in force since February 2025. A complete guide to what the obligation requires.
Article 99 of Regulation (EU) 2024/1689 explained for deployers: three fine tiers, how amounts are set, SME proportionality under Art 99(6), and the link to Art 101 GPAI fines.
The complete operator guide to EU AI Act deployer obligations. Art 4 literacy, Art 5 prohibitions, Art 6 classification, Art 9-15 high-risk requirements, Art 26 duties, Art 27 FRIA, Art 50 transparency, enforcement and penalties.
When an AI agent makes a mistake, liability falls on the business that deployed it, not the model provider. The EU liability chain under the AI Act and the revised Product Liability Directive, real cases, and the evidence that reduces exposure.
Article 86 of the EU AI Act gives affected persons a right to obtain explanations of decisions made on the basis of high-risk AI. What deployers must explain, when the right applies, and how it relates to GDPR Article 22.
South Africa AI regulation 2026 for operators. POPIA enforcement, the national AI policy framework, SARB AI guidance, and how South African obligations compare to the EU AI Act.
Article 72 of the EU AI Act requires post-market monitoring systems for high-risk AI. What deployers must implement, what providers must maintain, and how the two obligations interact.
How Germany's BaFin, the Netherlands' AFM and DNB, and France's ACPR are building EU AI Act enforcement capacity in 2026. Practical obligations for financial services deployers across the EU.
What EU AI Act Article 73 requires of deployers when a high-risk AI system causes a serious incident. Who reports, to which authority, within what timeframe, and what documentation is required.
Article 15 of Regulation (EU) 2024/1689 requires high-risk AI systems to meet accuracy, robustness, and cybersecurity standards. A deployer-focused reading of every obligation.
Article 43 of Regulation (EU) 2024/1689 governs conformity assessment for high-risk AI. This guide explains both tracks, notified body requirements, and deployer verification duties.
Two free browser-based tools for deployers working toward the 2 August 2026 deadline. No account required. No data transmitted.
Enter your AI deployment details across seven form sections and generate a structured draft Fundamental Rights Impact Assessment covering all mandatory elements of Article 27(1)(a)-(g). Print or save as PDF in under 15 minutes.
Twenty-five questions across five operator obligation categories. Each question scored 0, 1, or 2 points. Receive an instant readiness percentage and per-category breakdown showing where your gaps are largest before 2 August 2026.
A free three-question widget that tells your readers whether their AI system is likely high-risk under EU AI Act Annex III. One iframe snippet. No account, no API key, no cookies. CC-BY 4.0. Every embed carries an attribution link back to agentliability.eu.
The deployer of a high risk AI system shall take appropriate technical and organisational measures to ensure that they use such systems in accordance with the instructions for use.Article 26(1), Regulation (EU) 2024/1689 · The AI Act
The AI Act is often discussed in the language of prohibition and risk classification. Operator liability sits in a quieter register. It is procedural, continuous, and cumulative. It applies from the moment a system is put into service inside the Union, and it does not distinguish between in house deployments and third party agents operating under contract.
Three interpretations have hardened over the past six months. First, the deployer's duty to monitor outputs cannot be delegated to the provider through a terms of service. Second, human oversight under Article 14 is a design requirement, not a run time option. Third, fundamental rights impact assessments under Article 27 are expected for any public body and for any private deployer operating in the sectors listed in Annex III.
This publication tracks those interpretations as they cross from academic commentary into supervisory practice. Each piece is dated, footnoted to the text, and maintained as the Commission and national authorities issue guidance.
When an AI agent causes harm, three parties carry different standards of obligation. The Act binds the deployer to procedural duties; the revised Product Liability Directive binds the provider of a defective product; the affected party receives a rebuttable presumption in their favour.
Designs the AI system and places it on the Union market.
Puts the system into service in the course of a professional activity.
Natural or legal person who experiences harm traceable to the system.
Agent Liability EU sits inside a network of five sister publications covering the regulatory, certification, and insurance dimensions of autonomous AI agent deployment.
A published framework from Future Proof Intelligence for assessing autonomous AI agent deployments. Seven dimensions. Independent. Continuously maintained.
Read the framework