Skip to content
RingMod
← Notes
Field note

The EU AI Act deadline moved. Your buyers' questionnaires didn't.

Europe deferred its high-risk deadlines and Colorado repealed its AI act, yet buyer due diligence keeps tightening. Build to the durable bar.

Last updated

Five weeks before the EU AI Act’s high-risk obligations were due to apply, the EU moved the deadline. The Digital Omnibus on AI, adopted by the European Parliament on 16 June and given final approval by the Council on 29 June 2026, defers the stand-alone high-risk obligations from 2 August 2026 to 2 December 2027, and the obligations for AI embedded in regulated products to 2 August 2028. It enters into force once published in the Official Journal, expected this month.

If your company spent the last year building toward August, that’s a strange feeling. If it spent the last year waiting, it feels like vindication. Both readings miss what actually happened.

The whipsaw is the pattern now

The EU deferral is the third major reversal in twelve months. Colorado passed the first comprehensive US state AI law in 2024, delayed it in a 2025 special session, then repealed and replaced it in May 2026 with a narrower transparency law effective January 2027 — the original never took effect at all. A December 2025 executive order directed the US Justice Department to challenge state AI laws and ordered a federal preemption framework drafted, with outcomes still unresolved in the courts.

Meanwhile, quieter rules landed and stayed. Texas’s TRAIGA has applied since 1 January 2026, including patient-disclosure duties for healthcare AI. California’s SB 53 and AB 2013 took effect the same day, and AB 316 closed an argument before anyone seriously made it in court: it is no longer a defense that “the artificial intelligence autonomously caused the harm.”

Planning a multi-year compliance program against that backdrop, at any fixed snapshot of the rules, is planning against a moving target.

What never moves

Strip the dates away and look at what each regime demands, and the whipsaw resolves into something stable. The EU AI Act’s high-risk core is automatic logging (Article 12) and effective human oversight (Article 14), now due later, still due. Colorado’s replacement keeps pre-decision notice and post-decision explanation. Texas wants disclosure. The GPAI obligations that did keep their dates are documentation obligations, and the Commission’s power to enforce them begins 2 August 2026, deferral or no deferral.

Four artifacts keep recurring, in every regime, on every date: a log that can reconstruct what the system did, a human who can oversee and stop it, evidence the system was evaluated and works, and a process for when it doesn’t. Regulators disagree about deadlines. They have not disagreed about the artifacts.

The enforcement that matters has no deadline

For most companies selling AI-touched products, the binding constraint in 2026 was never a regulator. It’s the buyer’s security review. Enterprise procurement teams now routinely ask AI vendors for governance evidence: oversight design, logging, evaluation results, incident history, and increasingly a certification: ISO/IEC 42001 announcements have become a trust signal, with major model and cloud providers among the certified (Anthropic announced its certification in January 2025). In insurance, about half the states have adopted the NAIC’s model bulletin expecting insurers to run written AI governance programs and oversee AI vendors, which turns every insurer’s vendor list into an examination surface.

A questionnaire from your biggest prospect doesn’t get deferred by the Council. It arrives when the deal does, and “the EU moved its deadline” is not an answer to any question on it.

Build to the bar that survives every version

The rational response to regulatory whiplash is to stop tracking versions and build the invariant core once: logging, oversight, evaluation, incident response, with named ownership. That set satisfies the strictest plausible reading of the current rules, answers the procurement questionnaires that are live today, and has the useful property of also being what makes the system operable. It’s the same list as the Observability, Ownership, and Evaluation dimensions of the production-readiness bar, which is the point: compliance-durable and production-ready are mostly the same artifacts.

If your AI feature needs to survive both a buyer’s diligence and whichever version of the rules is in force when you ship, that’s what the AI production readiness engagement assesses: the artifacts, against the bar, before the questionnaire arrives.

Questions this raises

Straight answers.

What exactly changed with the EU AI Act in June 2026?
The Digital Omnibus on AI, adopted by the European Parliament on 16 June and the Council on 29 June 2026, defers the compliance dates for high-risk AI systems: stand-alone Annex III systems (hiring, credit, essential services, and similar) move from 2 August 2026 to 2 December 2027, and AI embedded in regulated products moves to 2 August 2028. It enters into force shortly after publication in the Official Journal, expected in July 2026. This is a deferral and simplification; the high-risk obligations themselves (logging, human oversight, documentation) survive with later dates.
Did anything still happen on 2 August 2026?
Yes. The European Commission's enforcement powers over general-purpose AI model providers begin on 2 August 2026; the underlying GPAI obligations have applied since August 2025. Separately, California's SB 942 transparency requirements for large generative AI providers take effect the same day after their own delay, a date the legislature chose to align with EU timelines.
Should we pause AI compliance work until the rules settle?
Pausing optimizes for the version of the rules that's cheapest to satisfy and bets your roadmap on it staying that way. Colorado's law was delayed, repealed, and replaced within a year; the EU moved its own flagship deadline five weeks before it hit. The durable move is building the artifacts every regime keeps asking for — decision logs, human oversight, evaluation records, an incident process — because those also answer the security questionnaires your enterprise buyers send now, which have no grace period.
Which US AI rules are actually in force right now?
As of July 2026: Texas's TRAIGA has applied since 1 January 2026, including a duty for healthcare providers to disclose AI use in treatment. California's SB 53 (frontier developer transparency), AB 2013 (training-data disclosure), and AB 316 (a defendant can't argue the AI acted autonomously as a defense) are in force. Colorado's replacement act, SB 26-189, takes effect 1 January 2027. The list moves; verify against the statutes for your sector before relying on it, and treat this as engineering context rather than legal advice.

Production-Readiness Audit

The writeup has a service behind it.

If this is your situation, the production-readiness audit is where it gets fixed — by the person who wrote this.

Request an audit