The 2 August 2026 milestone in the EU Artificial Intelligence Act has, for most of 2025 and early 2026, been treated by the trade press as a single hard deadline. The reality in mid-2026 is more nuanced, and the nuance matters for any company building or outsourcing AI features. Two facts to anchor the rest of this article:
This is not legal advice. Final legal application depends on the published Official Journal text, on implementing acts and on member-state guidance. The intent of this article is to give an engineering and procurement leader a factual reading of what applies on 2 August 2026 and what does not, and a practical operating checklist for the year ahead.
We discuss the operational and political adjacency of this work — including the resilient nearshore delivery model that supports it — in our companion piece on the <a href="/en/blog/us-call-center-reshoring-bills-nearshore-morocco-alternative-2026">US call-center reshoring bills and the nearshore middle path</a>.
On the basis of the European Commission Digital Strategy pages and the Gibson Dunn Digital Omnibus analysis, the operative items on 2 August 2026 for a company building or deploying AI in the EU are the following.
Per the **Gibson Dunn** analysis of the 7 May 2026 provisional agreement and tracking by **artificialintelligenceact.eu**, the principal deferral concerns **high-risk AI systems listed in Annex III**. Annex III covers, among other categories, AI systems used in employment and worker management, in education and vocational training, in essential private and public services (including credit-scoring and access to public benefits), in law enforcement, in migration and border control, and in the administration of justice and democratic processes.
Under the provisional agreement, the obligations applicable to providers and deployers of Annex III high-risk systems — including the risk-management system, the data-governance requirements, the technical documentation, the record-keeping, the transparency obligations to deployers, the human oversight measures, the accuracy, robustness and cybersecurity requirements, and the post-market monitoring — would apply from **2 December 2027** instead of 2 August 2026.
Two important qualifications. First, the agreement is provisional as of late June 2026; the final text, the formal trilogue conclusion and the Official Journal publication remain pending. Second, the deferral does not affect the GPAI obligations, the prohibitions on the practices listed in Article 5 (already in force since February 2025), or the AI Office's enforcement powers, all of which proceed on the original calendar.
The practical operating consequence: a mid-market company that is building or deploying an AI agent that is *not* an Annex III high-risk system has, on 2 August 2026, *fewer* applicable obligations than the press cycle in 2025 suggested. A company that *is* building or deploying an Annex III high-risk system has roughly sixteen extra months to operationalize the controls — but should treat that calendar as an implementation budget, not as a reason to defer the work.
This checklist is engineering-and-procurement oriented. It is not legal advice. It is the operating program a competent in-house technical lead, working with external counsel, would put in place in the second half of 2026 for a company that is building, deploying or outsourcing AI features in the EU.
For a buyer that is outsourcing the build of an AI agent, an LLM-based product feature or an internal copilot, the operating model that holds up under the AI Act in mid-2026 has six characteristics. Each is verifiable in procurement.
A buyer who can ask a development supplier these six questions and receive concrete answers — with examples — has a partner whose operating model already absorbs the Act. A buyer who receives a deck instead has a marketing response.
Our practical role for mid-market buyers in the second half of 2026 is twofold. On the build side, our <a href="/en/services/software-development">software development</a> and <a href="/en/services/ai-automation">AI automation</a> pods integrate the technical documentation, training-data summary, provenance labelling and DevSecOps controls into the standard delivery shape, on the same loaded rate. On the assurance side, our <a href="/en/services/cybersecurity">cybersecurity</a> practice handles the accuracy, robustness, secrets management and KEV monitoring requirements the Act folds into high-risk system obligations.
Delivered nearshore from Casablanca and Rabat on Central European Time, two hours by flight from Frankfurt, with native English and French and growing Spanish, German and Arabic coverage, the cost basis lets a mid-market buyer afford the compliance overhead the Act requires without the documentation work becoming the dominant line item. The economic and geographic context for buyers comparing options is documented in <a href="/en/why-morocco">Why Morocco</a>.
On 2 August 2026, the AI Office's enforcement powers on GPAI providers become fully operable and the transparency obligations apply. The high-risk Annex III obligations are, under the provisional Digital Omnibus agreement of 7 May 2026, deferred to 2 December 2027. A company building or outsourcing AI features in the EU should treat 2 August 2026 as a real milestone that materially reduces ambiguity about GPAI obligations, and should treat the Annex III deferral as an implementation budget rather than a reason to wait. The buyers who write the compliance posture into the procurement contract — documentation produced during build, provenance end to end, dataset registry, downstream-deployer information pack, DevSecOps baseline — will, in 2027, find out they are not exposed. The buyers who do not, will find out the other way.
This article is informational and is not legal advice. Confirm the application of the AI Act to your specific system with qualified counsel in your jurisdiction.
${CTA_AI_ACT}
**Sources:** European Commission, Digital Strategy pages on the AI Act (digital-strategy.ec.europa.eu/policies/ai-act); Gibson Dunn, "EU AI Act Omnibus Agreement" (7 May 2026); artificialintelligenceact.eu (independent tracker of the AI Act). This article describes the AI Act and the provisional Digital Omnibus agreement as published as of late June 2026 and is not legal advice.
Per the European Commission's Digital Strategy pages on the AI Act, on 2 August 2026 the AI Office's enforcement powers over general-purpose AI (GPAI) providers become fully operable, the transparency obligations on GPAI providers apply (including the training-data summary using the AI Office template and the EU copyright compliance policy), and the labelling obligations on AI-generated content apply. Member-state governance milestones also land. This article is not legal advice.
Per Gibson Dunn's "EU AI Act Omnibus Agreement" analysis (7 May 2026) and artificialintelligenceact.eu tracking, the provisional political agreement defers the application of obligations for high-risk AI systems listed in Annex III from 2 August 2026 to 2 December 2027. The agreement is provisional pending the final text, formal conclusion and Official Journal publication.
No. The Article 5 prohibitions remain in force from their original February 2025 date. The GPAI obligations and the AI Office's enforcement powers proceed on the original 2 August 2026 calendar. Only the Annex III high-risk obligations are deferred under the provisional Digital Omnibus agreement.
Per the published text, administrative fines for the most serious breaches are capped at the higher of thirty-five million euros or seven percent of global annual turnover. Lower thresholds apply for other categories of breach. The AI Office becomes the operative enforcer for GPAI providers on 2 August 2026.
Build a documented inventory of AI systems with preliminary classifications; produce technical documentation per model including the AI Office training-data summary template; publish the EU copyright compliance policy; implement provenance-based labelling on AI-generated content; flow obligations to and from third-party providers under contract; and treat the Annex III deferral to December 2027 as an implementation budget rather than a reason to wait. This is an engineering-and-procurement program, not a one-off compliance project.
Because the AI Act's technical documentation, provenance labelling, dataset registry, copyright policy and downstream-deployer information pack cannot be retrofitted at delivery without rework. The supplier has to operate the controls during build. A buyer who can ask a partner for the per-feature documentation, the provenance metadata, the dataset registry and the DevSecOps baseline and receive concrete answers has a partner whose operating model already absorbs the Act.
CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777