EU AI Act 2026: Are You Actually Concerned, and What Applies Now?
The Digital Omnibus has shifted the AI Act timeline. What actually applies in 2026, what has been postponed, and how to tell if your SaaS is in scope.
Since the start of the year, the question I hear most about the AI Act is not "how do I become compliant." It is "am I even concerned." That is the right question to ask, because the honest answer is neither "no, this is someone else's problem" nor "yes, your entire product needs an audit by tomorrow."
The picture became more confusing in May 2026, when the EU co-legislators agreed to push back part of the timeline. As a result, most online guides now show dates that are already out of step with reality. So here is a practical reset for a founder or an executive: how to tell whether your SaaS falls within the scope of Regulation (EU) 2024/1689, and what genuinely applies today as opposed to what has been deferred to 2027 or 2028.
On 7 May 2026, the Council, the Parliament and the Commission announced a provisional political agreement on the Digital Omnibus on AI, a simplification package that amends the AI Act on several points. The part that matters to you is the timing.
Under the original text, the bulk of the obligations for high-risk systems were due to apply from 2 August 2026. With the May agreement, those deadlines move: stand-alone high-risk systems (Annex III) shift to 2 December 2027, and high-risk AI embedded in already-regulated products (Annex I) to 2 August 2028. The transparency obligations under Article 50 are pushed back more modestly, from 2 August to 2 December 2026.
Worth flagging. This agreement is political and provisional. It has not yet been formally adopted by the Parliament and the Council. Until the final vote, the original timeline remains the legal reference. Put plainly: if the text were not adopted before 2 August 2026, the initial deadlines would apply again. I work with clients on the assumption that the deferral happens, but I do not treat it as settled. (Analysis as of 2 June 2026.)
Before any talk of risk, the AI Act asks you to identify your role. That is the first thing to settle, and it is where founders most often get it wrong.
The Regulation draws a key line between the provider (the operator that develops an AI system and places it on the market under its own name) and the deployer (the operator using that system in the course of its activity). These definitions are set out in Article 3.
Take the most common case. You run a B2B SaaS and you plug in the API of a large language model — GPT, Claude, Mistral, it does not matter which. In relation to that model, you are a deployer. But if you build a feature on top of it and sell it under your own brand, you become, for that feature, the provider of an AI system. You can be both at once, at different layers of the chain. The model vendor, meanwhile, is a provider of a general-purpose AI model (GPAI), with its own distinct set of obligations.
Why does this matter so much? Because the obligations do not fall on everyone in the same way, and a provider who has not allocated roles in its contracts risks being held to account for failures that actually stem from how its customer uses the system. That is exactly what I cover in the article on the AI Act and SaaS agreements.
The AI Act is built on a risk-based approach with four tiers. Here is what they look like once mapped onto an actual product.
Unacceptable risk (prohibited, Article 5). Social scoring, subliminal behavioural manipulation, certain forms of biometric recognition. These have been banned since 2 February 2025. In practice, the vast majority of B2B SaaS products go nowhere near them.
High-risk (Article 6 and Annex III). AI used in sensitive areas: recruitment and HR, access to credit or insurance, education, critical infrastructure, justice. If your product screens job applications or informs a lending decision, you are probably here — under a demanding regime (documentation, risk management, human oversight). This is the regime that has just been deferred to late 2027.
Limited risk (Article 50). Systems that interact with people or generate content: chatbots, assistants, text or image generation. The obligation is short: tell the user they are dealing with AI, and make AI-generated or manipulated content identifiable.
Minimal risk. Everything else — spam filters, recommendation engines, translation, anomaly detection. No specific obligation under the AI Act.
In practice. Most AI features I see in B2B SaaS products fall under limited or minimal risk. In other words, you are often less exposed than the headlines suggest. The trap is not the imagined "high-risk" label; it is missing the two or three obligations that already apply to you.
People tend to treat the AI Act as a future event. Part of it is already in force.
The prohibitions in Article 5 have applied since 2 February 2025. The same date brought the AI literacy obligation (Article 4): you must ensure that the people who design or use your AI systems have a sufficient level of understanding. This is not a document to file; it is an internal training reflex — simple to put in place, often forgotten.
Since 2 August 2025, the obligations for general-purpose AI models (GPAI) have been live: technical documentation, information for integrators, a copyright-compliance policy, a summary of training data (Articles 53 and following). Good news for most startups: you are not training a foundation model, you sit downstream. These obligations fall first on model vendors, not on you — but they shape what you can and should demand from those vendors by contract.
Finally, the transparency obligation in Article 50 is close: December 2026 under the May agreement. If your product includes a chatbot or generates content, that is the deadline to put on the roadmap now.
Deferring the high-risk regime to late 2027 or 2028 buys time. It does not justify standing still, for a simple reason: product compliance is not the only pressure you will face.
Your enterprise customers are not waiting for the regulatory calendar. Already this year, I see vendor due diligence and security questionnaires asking very specific AI Act questions before signature. A clear answer on your classification and your roles becomes a commercial asset. A vague answer slows the deal down, or kills it. Contractual readiness, then, is prepared now — well ahead of the product deadline.
If you want a useful, proportionate starting point, here is the sequence I recommend to founder clients:
One last reflex, because the AI Act does not live alone: it interacts with the GDPR, which applies the moment your systems process personal data. A good part of your GDPR work is, in fact, reusable for the AI Act.
AI Act compliance looks less like a wall than a staircase whose steps have just been moved. The right move is not to do everything at once; it is to know precisely which step you are standing on. If you want to clarify where you stand and secure your AI contracts, let's talk.
Invested in GDPR compliance? Part of it carries over to the AI Act. What your work already covers, what it does not, and how to run both tracks together.
SaaS, IT, hosting, integration: an overview of how to terminate an IT contract under French law, and the right reflexes to have
Let's build together to grow your business
I have been supporting software and SaaS companies for over 10 years, helping them structure their business, protect their intellectual property and strengthen their contracts.
