
The EU AI Act in 2026: what's now in force and what it actually changes for AI tools

By Jake Snider
Lead AI Reviewer · 2026-06-17 · 11 min read

The EU AI Act has spent two years as the most-discussed and least-understood law in tech. Most coverage of the EU AI Act is either breathless ("Europe bans AI!") or dismissive ("it's all theater") — and neither is right. As of June 2026 the EU AI Act, formally Regulation (EU) 2024/1689, is partly in force on a staggered schedule, and the most important development of the past year is counterintuitive: the scariest part got delayed, while a narrower set of rules quietly became the thing that actually affects the AI tools most people build and use.

This is a practical map for AI-tool builders and buyers: what's live right now, what just slipped, what actually bites, and what's still theater. One caveat up front, because it matters: a major 2026 amendment package — the "Digital Omnibus" — was politically agreed but, as of mid-June 2026, not yet finally adopted. We flag every date that depends on it.

What's actually in force right now

The Act entered into force on 1 August 2024, but its obligations switch on in phases. The later milestones are dates of application, not "entry into force":

| Date | What applies | Status (June 2026) |
|---|---|---|
| 1 Aug 2024 | Act enters into force | Done |
| 2 Feb 2025 | Article 5 prohibited practices + AI-literacy duty | In force |
| 2 Aug 2025 | GPAI (general-purpose AI model) obligations | In force |
| 2 Aug 2026 | Article 50 transparency duties; GPAI enforcement powers switch on | Imminent |
| 2 Dec 2026 | New bans on AI-generated NCII & CSAM; synthetic-content marking grace ends | Agreed (Omnibus, provisional) |
| 2 Dec 2027 | High-risk systems (Annex III, standalone) — delayed from Aug 2026 | Agreed (Omnibus, provisional) |
| 2 Aug 2028 | High-risk AI in regulated products (Annex I) — delayed from Aug 2027 | Agreed (Omnibus, provisional) |

The headline: the heaviest, most expensive part of the Act — the high-risk regime, with its conformity assessments and documentation — has been pushed back by roughly a year to 16 months, and is not a 2026 problem for anyone.

The 2026 plot twist: the Digital Omnibus

The reason the timeline above looks lighter than you would expect is the Digital Omnibus on AI, a simplification package that reached a provisional political agreement around 7 May 2026 (confirmed by member states in Council roughly a week later). Under competitiveness pressure — the familiar "Europe is regulating itself out of the AI race" argument that also runs through the debate over Google's AI Overviews and the open web — Brussels blinked on timing.

It does three things that matter here:

  1. Delays high-risk obligations. Standalone high-risk systems (Annex III) move from August 2026 to 2 December 2027; high-risk AI embedded in regulated products (Annex I) moves from August 2027 to 2 August 2028.
  2. Adds a short grace period for synthetic-content marking (more below).
  3. Adds new prohibitions on AI-generated intimate-image abuse (more below).

Two honest caveats. First, this is provisional — it still needs formal Parliament and Council adoption and publication in the Official Journal, targeted before the August 2026 deadline. Treat the December 2026 / 2027 / 2028 dates as "agreed and expected," not "enacted." Second, the delay has critics: policy researchers have argued it lets high-risk systems dodge oversight for another year-plus. Both things are true — relief for builders, and a real softening of the Act's teeth.

The rule that actually touches AI tools: Article 50

If you build or list consumer-facing AI tools, Article 50 is the part to care about. It is a set of transparency duties that becomes applicable 2 August 2026, and unlike the high-risk regime, it applies to ordinary chatbots, generators, and assistants. There are four core duties, split between providers (who build the system) and deployers (who use it):

  • Chatbots must say they are AI. Providers of systems that interact directly with people must ensure users know they are talking to an AI — unless it is obvious. The Commission's draft guidance is strict about how: the disclosure has to happen at the moment of contact, not buried in terms and conditions or a settings menu, and it extends to "agentic" systems that act on a user's behalf. (For what that word actually means, see our piece on what 'agentic' actually means.)
  • Generated content must be machine-readable as AI. Providers of generative AI must mark synthetic audio, images, video, and text in a machine-readable, detectable format — "effective, interoperable, robust and reliable as far as technically feasible." In practice that points toward content-credential standards like C2PA or watermarking approaches like SynthID, though the Act names no specific standard.
  • Emotion-recognition and biometric-categorisation systems must notify the people exposed to them (a deployer duty).
  • Deepfakes must be disclosed. Deployers publishing AI-generated or manipulated images, audio, or video must disclose that it is artificial — with a lighter touch for evidently artistic, satirical, or fictional work, which need only disclose "in an appropriate manner."

There is one piece of timing relief here too: for generative systems already on the market before 2 August 2026, the machine-readable marking duty is pushed to 2 December 2026 — a four-month grace period. But note the limit: new products launched on or after 2 August 2026 get no grace and must comply from day one. (As of mid-June 2026 the Commission's Article 50 implementation guidelines are still in draft — published 8 May 2026, consultation closed 3 June — so the fine print could shift.)

For the tools a directory like ours lists, that nets out to something refreshingly concrete: an AI chatbot needs an "I'm an AI" disclosure; an image, video, or voice generator needs to mark its outputs; and anyone publishing deepfakes needs to label them. That is a feature-and-copy change, not a compliance department.

The new bans that hit our messiest category

The Digital Omnibus also amends Article 5 — the list of outright-prohibited practices — to add two bans expected to take effect 2 December 2026: AI systems that generate or manipulate non-consensual intimate imagery (without the person's "freely given, specific, informed, unambiguous, and explicit consent"), and AI that generates child sexual abuse material.

This is the most consequential change for the consumer AI-tool market, because it takes direct aim at the "nudify" / undress category that has quietly become one of the most-trafficked corners of generative AI. The EU is moving from "this is a privacy and IP problem" to "this is a prohibited practice" — the same tier as social scoring and manipulative subliminal AI, carrying the Act's top penalty band. The deployer-side scope is narrower (it bites where a deployer uses such a system for the purpose of generating prohibited material; accidental generation is excluded), but for providers of nudify-style tools, the agreed direction is a ban, not a disclosure.

If you build, invest in, or list AI tools, that is a strategic signal worth taking seriously: the regulatory floor under non-consensual-image generation is about to rise sharply, while the adjacent, consent-based categories — companion chat, fictional character art, creative generators — stay legal under the same Act. (Provisional, again: these prohibitions ride on the not-yet-final Omnibus.)

GPAI: real, but probably not your problem

A lot of AI Act anxiety is misplaced onto the wrong party. The general-purpose AI (GPAI) model obligations — technical documentation, a training-data summary, a copyright policy — have applied since 2 August 2025, but they fall on the people who make foundation models, not on the much larger population of teams building products on top of them. If you are wrapping someone else's model, you are almost certainly a deployer or downstream provider, and your near-term duty is Article 50, not the GPAI rulebook.

The model makers got a soft-law on-ramp: the voluntary GPAI Code of Practice, published 10 July 2025 with three chapters (Transparency, Copyright, and Safety & Security). Signing earns a rebuttable presumption of conformity and a lighter administrative load. Around two dozen organisations signed — OpenAI, Anthropic, Google, Microsoft, Amazon, IBM, Mistral, Cohere, and Aleph Alpha among them. The notable holdout is Meta, which refused; xAI signed only the Safety & Security chapter, leaving it to prove transparency and copyright compliance by other means. Several major non-EU labs sat it out too. The Commission's own enforcement powers over GPAI providers do not switch on until 2 August 2026, so this first year has been compliance-on-paper, not penalties.

What the penalties actually are

The fine tiers (set in Article 99, and untouched by the Omnibus) are real and large:

  • Prohibited practices (Article 5): up to €35 million or 7% of global annual turnover, whichever is higher.
  • Most provider and deployer duties — including Article 50 transparency: up to €15 million or 3% of global turnover.
  • Supplying misleading information to regulators: up to €7.5 million or 1%.

Two qualifiers worth keeping. For SMEs and start-ups the rule flips: they face the lower of the fixed sum or the percentage, not the higher. And — importantly for calibrating the panic — there are no actual enforcement actions, formal investigations, or binding fines on record as of mid-2026. The prohibitions have been live since February 2025, but the regime is still effectively pre-enforcement. The numbers are a ceiling, not yet a track record.

What bites now vs. what's still theater

For a typical AI-tool team in 2026, here is the honest read:

What actually bites: the Article 5 prohibitions (live since February 2025), the agreed NCII/CSAM bans landing December 2026, and — from 2 August 2026 — the Article 50 disclosures: label your chatbot as AI, mark generated media, disclose deepfakes.

What's deferred or soft: the high-risk regime, the genuinely heavy and expensive part, is pushed to December 2027 / August 2028, and for most consumer-AI startups it never applied anyway. GPAI obligations bite only actual model providers.

What's still uncertain (hedge accordingly): the Digital Omnibus is provisional, so its dates can still move; the Article 50 guidelines are draft; no one has defined the exact technical standard for "machine-readable" marking; and enforcement is unproven.

The takeaway is not "ignore it." It is that the Act in 2026 is a transparency floor plus a few bright-line bans, not the compliance wall the headlines imply — and the floor is cheap to meet if you build it in now.

What to do now

If you build AI tools: add a clear "you're talking to an AI" disclosure at first contact; implement machine-readable marking (C2PA content credentials or a SynthID-style watermark) on any generated media; label deepfakes; and if you operate anywhere near intimate-image generation, build explicit-consent flows — or exit the category — well ahead of December 2026. The open question of whether any of this marking can even be detected reliably is its own rabbit hole; see how AI detectors actually work (and why they're failing).

If you choose AI tools: prefer vendors that already disclose AI interactions and mark their outputs. By August 2026 it is table stakes in the EU, and it is a decent proxy for whether a tool is run by people thinking about the next two years.

Frequently asked questions

Is the EU AI Act in force in 2026? Partly. It entered into force on 1 August 2024 and applies in phases. As of mid-2026, the Article 5 prohibited practices (since February 2025) and the general-purpose AI model obligations (since August 2025) are in force; the Article 50 transparency duties apply from 2 August 2026; and the heaviest high-risk obligations have been delayed to December 2027 and August 2028.

What does the EU AI Act require of AI chatbots? From 2 August 2026, Article 50 requires that people are told when they are interacting with an AI rather than a human. The Commission's draft guidance says this disclosure must come at the moment of contact — not buried in terms and conditions — and it extends to agentic systems that act on a user's behalf.

Do AI image and video generators have to label their output in the EU? Yes. From 2 August 2026, providers of generative AI must mark synthetic audio, images, video, and text in a machine-readable, detectable format. Systems already on the market before that date get a short grace period to 2 December 2026; new products launched after 2 August 2026 get none.

Are AI 'nudify' or deepfake apps banned under the EU AI Act? The agreed Digital Omnibus adds an Article 5 prohibition on AI that generates non-consensual intimate imagery or child sexual abuse material, expected to take effect 2 December 2026. Separately, anyone deploying deepfakes must disclose that the content is artificial. (The new prohibition is provisional until the Omnibus is formally adopted.)

What are the penalties under the EU AI Act? Up to €35 million or 7% of global annual turnover for prohibited practices; up to €15 million or 3% for most provider and deployer duties, including the Article 50 transparency rules; and up to €7.5 million or 1% for supplying misleading information. For SMEs and start-ups, the lower of the two figures applies. No fines have been issued as of mid-2026.

Does the EU AI Act apply to my startup if I only use someone else's AI model? Mostly as a deployer or downstream provider, which means your near-term duties are the Article 50 disclosures, not the general-purpose AI model obligations. Those documentation, training-data, and copyright duties fall on the company that makes the underlying model.

When do the EU AI Act's high-risk rules apply? Later than originally planned. Under the agreed Digital Omnibus, standalone high-risk systems (Annex III) move to 2 December 2027 and high-risk AI embedded in regulated products (Annex I) moves to 2 August 2028 — both deferrals are provisional until formal adoption.

Last updated 16 June 2026. The EU AI Act timeline is moving quickly in 2026; dates tied to the Digital Omnibus are politically agreed but not yet formally adopted as of writing.

— The ToolDirectory.AI editorial team
