The Digital Omnibus proposal, currently in trilogue, would defer Annex III high-risk obligations from 2 August 2026 to 2 December 2027. We publish this desk to track what shifts and what does not. Four obligations remain mandatory regardless of Omnibus adoption: Article 5 prohibitions (already in force since 2 February 2025), Article 50 transparency duties for new systems, GPAI obligations under Chapter V, and the Product Liability Directive 2024/2853 transposition deadline of 9 December 2026. Our editorial firewall: every claim is anchored to a specific article, recital, or official institution text. No speculation is presented as settled law.
The Digital Omnibus proposal bifurcates the timeline. Some obligations remain fixed regardless of its adoption. Others shift by sixteen months if it passes. This section maps both scenarios, with each entry marked by status.
The European Parliament, Council, and Commission are scheduled to meet in trilogue on the Digital Omnibus package. The package includes a proposal to defer Annex III high-risk obligations from 2 August 2026 to 2 December 2027 for most deployers. No formal adoption is expected at this session; a political agreement, if reached, would still require formal votes in Parliament and Council before publication in the Official Journal.
Three obligation clusters apply on this date regardless of Omnibus adoption. Article 5 prohibition on unacceptable-risk AI practices (social scoring, real-time biometric surveillance in public spaces, subliminal manipulation) entered force 2 February 2025 but supervisory enforcement begins 2 August 2026. Article 50 transparency requirements for chatbot disclosure, synthetic content marking, emotion recognition disclosure, and deepfake labelling apply to systems first deployed after 2 August 2026. GPAI model obligations under Chapter V also begin. If Omnibus is not adopted, Annex III high-risk obligations under Article 26 also apply from this date.
Directive 2024/2853 is not part of the AI Act and is not affected by the Digital Omnibus. All 27 Member States must transpose it into national law by 9 December 2026. Once transposed, AI software becomes a product subject to strict liability, the rebuttable presumption of defect under Article 10 applies, and claimants gain the right to access evidence under Article 9. Cross-border deployers face this deadline in every jurisdiction where they operate.
SB 24-205, signed May 2024, applies to any developer or deployer of high-risk AI systems that interact with Colorado residents, regardless of where the entity is incorporated. The definition of high-risk substantially overlaps with EU AI Act Annex III categories. European companies with US users or US subsidiaries face a parallel obligation architecture from this date. No Omnibus equivalent exists; this deadline is fixed.
If the Digital Omnibus is adopted and published in the Official Journal before 2 August 2026, Annex III high-risk deployer obligations including Article 26 duties, the FRIA requirement under Article 27, and Article 9 risk management systems would apply from 2 December 2027 instead of 2 August 2026. A further carve-out in the Omnibus proposal would push Annex I embedded-system high-risk obligations to 2 August 2028. If the Omnibus is not adopted in time, the original 2 August 2026 deadline remains legally binding. Compliance preparation should proceed on the basis of the confirmed deadline.
The EU Omnibus proposes moving Annex III high-risk obligations from 2 August 2026 to 2 December 2027. Trilogue negotiations opened in April 2026. No political agreement yet. Our provision-by-provision tracker tells you exactly where each deadline stands today.
Open the Omnibus Tracker →Long form pieces on Article 26, the Revised Product Liability Directive, and the documentation operators need to hold on file when the provisions enter application.
Article 6 has two tracks: safety components in Annex I products and systems in Annex III use cases. This guide reads both tracks in sequence, explains the Article 6(3) exception, and maps the practical classification steps deployers must complete before August 2026.
Annex IV specifies ten documentation categories that providers must maintain for every high-risk AI system. Deployers who procure high-risk AI without understanding Article 11 cannot perform the checks Article 26 requires. This analysis covers Annex IV clause by clause, maps deployer verification obligations, and examines the insurance evidence connection.
Article 5 prohibitions are the only AI Act provisions that applied before the August 2026 high-risk deadline. This analysis covers all eight, identifies the commercial deployments most at risk, and maps the EUR 35 million penalty exposure for breach.
GPAI obligations under Articles 51 to 56 took effect August 2025. The Omnibus delay does not affect them. This analysis maps when a deployer transitions to GPAI provider under Article 25, what Articles 52 and 53 require, and what the GPAI Code of Practice means in practice.
Eight duty-categories, eight documents, one enforcement clock. This reference reads Article 26 provision by provision and maps each obligation to the practical step a deployer must complete before the enforcement deadline.
Article 9 is the foundation of all high-risk AI obligations. This analysis reads it in sequence and maps the continuous, iterative risk management system requirement to what deployers must understand, verify, and document before the enforcement deadline.
Trilogue is scheduled 28 April 2026. COM(2025) 836 proposes deferring Annex III high-risk obligations to 2 December 2027 and Annex I obligations to 2 August 2028. Until the Omnibus is formally adopted and published in the Official Journal, the original 2 August 2026 deadline remains legally binding. This reference maps every provision in table form, names what is not delayed (Article 5, GPAI, Article 50 for new systems, Product Liability Directive 2024/2853), addresses the civil society critique, the insurance market bifurcation, and provides a week-by-week 90-day Omnibus Watch calendar from 25 April to 25 July 2026. 27 verified citations. 12-question FAQ with FAQPage schema. 5,600 words.
Article 70 required designation of national supervisory authorities by 2 August 2025. Nine months on, only Cyprus, Ireland, Italy, Lithuania, Malta, Finland, and Hungary have completed or substantially completed formal designation. France, Germany, and the Netherlands remain undesignated. This tracker maps every Member State, identifies the most likely enforcement authority, and explains what cross-border deployers must do before 2 August 2026.
ISO CG 40 47 entered the market in January 2026. W.R. Berkley's absolute exclusion PC 51380 followed. This cornerstone reference decodes every major AI exclusion endorsement, names the carriers who have moved, and provides a structured reading guide for every renewal from CGL to D&O.
Today is 24 April 2026. There are exactly 100 days until the operator provisions of the EU AI Act enter application. This is the week-by-week checklist from now to the deadline: the five duties that cannot be delegated, the minimum operator file, the penalty architecture, the insurance dimension, and the supervisory authority in each major Member State.
Article 50 of Regulation (EU) 2024/1689 imposes four distinct disclosure duties that apply far beyond the high-risk classification: chatbot AI-notification, machine-readable marking of generated content via C2PA and watermarking, emotion recognition disclosure, and deepfake and public-interest text labelling. This cornerstone reads each paragraph in statutory order and sets out the minimum transparency file.
Two EU instruments activate within months of each other. The AI Act governs deployment behaviour. The revised Product Liability Directive governs harm caused by defective AI products. This analysis maps how they interact at the article level, including the Article 10 defectiveness presumption triggered by AI Act non-compliance.
101 days remain before the 2 August 2026 deadline. This is the operational deliverable: a week-by-week checklist from today to 22 July, a neutral template structure mapped to Art. 27(1)(a)-(g), a DPIA alignment table, and a plain account of the supervisor notification duty that determines whether deployment on 2 August is lawful.
Article 27 requires public bodies, providers of public services, and deployers of creditworthiness or insurance risk systems to complete a seven-element FRIA before first deployment. This guide sets out who must comply, what the document must contain, and how it relates to the GDPR DPIA obligation.
Which authority will conduct deployer enforcement inquiries, how the penalty tiers under Article 99 are calculated, and what triggers a supervisory investigation from August 2026.
What Article 14 requires providers to build and deployers to staff. The five functional capabilities, the competence and authority requirements of Article 26(2), and the minimum documentation set.
A reading of EIOPA's AI governance opinion and how its supervisory expectations map onto the operator obligations in the EU AI Act, with implications for insurers and deployers.
A close reading of Article 13 and the transparency obligations it places on providers of high-risk AI systems, with a guide to the information operators must pass through the deployment chain.
Directive 2024/2853 makes AI software a product subject to strict liability. A guide to the rebuttable presumptions, the expanded damage types, and what operators must do before December 2026.
When an AI agent causes harm, at least three parties may have contributed. A structured reading of how the EU AI Act and Product Liability Directive allocate responsibility across the chain.
A practical breakdown of the Chapter III duties, the human oversight standard, and the documentation an operator must hold on file when the provisions enter application on 2 August.
Two free browser-based tools for deployers working toward the 2 August 2026 deadline. No account required. No data transmitted.
Enter your AI deployment details across seven form sections and generate a structured draft Fundamental Rights Impact Assessment covering all mandatory elements of Article 27(1)(a)-(g). Print or save as PDF in under 15 minutes.
Twenty-five questions across five operator obligation categories. Each question scored 0, 1, or 2 points. Receive an instant readiness percentage and per-category breakdown showing where your gaps are largest before 2 August 2026.
A free three-question widget that tells your readers whether their AI system is likely high-risk under EU AI Act Annex III. One iframe snippet. No account, no API key, no cookies. CC-BY 4.0. Every embed carries an attribution link back to agentliability.eu.
The deployer of a high risk AI system shall take appropriate technical and organisational measures to ensure that they use such systems in accordance with the instructions for use.Article 26(1), Regulation (EU) 2024/1689 · The AI Act
The AI Act is often discussed in the language of prohibition and risk classification. Operator liability sits in a quieter register. It is procedural, continuous, and cumulative. It applies from the moment a system is put into service inside the Union, and it does not distinguish between in house deployments and third party agents operating under contract.
Three interpretations have hardened over the past six months. First, the deployer's duty to monitor outputs cannot be delegated to the provider through a terms of service. Second, human oversight under Article 14 is a design requirement, not a run time option. Third, fundamental rights impact assessments under Article 27 are expected for any public body and for any private deployer operating in the sectors listed in Annex III.
This publication tracks those interpretations as they cross from academic commentary into supervisory practice. Each piece is dated, footnoted to the text, and maintained as the Commission and national authorities issue guidance.
When an AI agent causes harm, three parties carry different standards of obligation. The Act binds the deployer to procedural duties; the revised Product Liability Directive binds the provider of a defective product; the affected party receives a rebuttable presumption in their favour.
Designs the AI system and places it on the Union market.
Puts the system into service in the course of a professional activity.
Natural or legal person who experiences harm traceable to the system.
Agent Liability EU sits inside a network of five sister publications covering the regulatory, certification, and insurance dimensions of autonomous AI agent deployment.
A published framework from Future Proof Intelligence for assessing autonomous AI agent deployments. Seven dimensions. Independent. Continuously maintained.
Read the framework