A lot of noise has built up around the AI Act, and manufacturers get contradictory signals: one day "everything kicks in August 2026," the next "the deadlines got pushed anyway." Both are partly true – which is exactly why it's worth separating what actually applies now from what's still ahead. This piece sorts that out and gives you a concrete list of questions for your AI vendor.
A caveat up front: this isn't legal advice. It's a map that makes it easier to talk to a lawyer and a vendor – it doesn't replace either.
The AI Act doesn't arrive "all at once" – it phases in
The AI Act entered into force on 1 August 2024, but its provisions apply in stages. That's the key: the question isn't "are we AI Act compliant," but "are we compliant with the obligations that apply today – and are we on track for the ones still to come."
What already applies by mid-2026:
- Prohibited practices – since February 2025. Systems deemed "unacceptable risk" (social scoring, subliminal manipulation, and others) are banned.
- Obligations for general-purpose AI models (GPAI) – since August 2025. They fall on providers of large models: technical documentation, transparency, systemic-risk management.
- National supervisory authorities – designated and operational; enforcement has already begun.
The nearest real threshold: 2 August 2026 – when most of the remaining provisions apply, including the Article 50 transparency obligations and the penalty rules.
Digital Omnibus: high-risk deadlines pushed back – but not law yet
This is the freshest and most important change. In May 2026 the EU institutions agreed the Digital Omnibus on AI – a package of amendments that, among other things, postpones the deadlines for high-risk systems. The European Parliament voted the text through on 16 June 2026. One step remains: formal adoption by the Council and publication in the Official Journal.
And here's the nuance you can't miss: until the Omnibus is published in the Official Journal, the new dates aren't binding, and the original 2 August 2026 threshold formally still stands. Formal adoption is expected before August 2026 – a well-founded expectation, but not a certainty.
What the agreed text provides, if it enters into force:
- Annex III high-risk (recruitment, scoring, critical infrastructure, and more) – compliance deadline moved from August 2026 to 2 December 2027;
- High-risk embedded in regulated products (Annex I), e.g. machinery, medical devices – moved to 2 August 2028;
- A new prohibition on AI generating non-consensual intimate material and CSAM – effective 2 December 2026;
- Watermarking of AI-generated content (Article 50(2)) for systems already on the market – postponed to 2 December 2026; the broader Article 50 transparency duties stay on August 2026.
The practical takeaway for a manufacturer: don't demobilise your preparations on the strength of a postponement that hasn't taken legal effect yet. Treat the new dates as a likely scenario, not a fact.
What this means for a typical manufacturer
Most manufacturers don't build their own models – they buy or deploy AI solutions. In practice your role is usually deployer, less often provider. That distinction decides which obligations fall on you and which on the vendor.
The second question is risk classification. Not every AI use in a factory is "high-risk." An assistant that helps search documentation or draft an offer usually isn't. But AI wired into a process that affects product safety or decisions about workers may fall under stricter requirements. Classification is the first step – and don't do it by gut feel.
A third thing, often overlooked: the AI Act isn't the only regulation in play. For entities under NIS2, the security and supplier-oversight requirements overlap with AI Act obligations. If you're preparing for a NIS2 audit, treat AI as part of the same landscape, not a separate island.
What to ask your AI vendor before you sign
However the Omnibus lands, these questions are resistant to date changes. If a vendor can't answer them concretely, that's a signal.
- Where is our data processed? On your infrastructure, in a dedicated instance, or in a shared public model? This is the data-sovereignty question – and what you'll tell an auditor.
- Who is provider and who is deployer in this relationship? The vendor should state clearly which AI Act obligations it takes on and which stay on your side.
- How do you classify the risk of our use case? A good vendor walks you through classification rather than waving it off with "it's not high-risk."
- Is there an auditable trail? Can you see which sources an answer was grounded in? Without it, demonstrating compliance and passing an audit is hard.
- How do you keep up with legal change? The AI Act is being amended (the Omnibus proves it). Ask how the vendor updates the solution against shifting dates and requirements.
These five questions don't require you to be a lawyer. They only require the vendor to treat compliance as part of the product, not as your problem to solve after deployment.
The practical bottom line
The AI Act in 2026 is a picture of "partly in force, partly coming, partly being moved right now." The worst strategy is either extreme: panic ("everything from August") or demobilisation ("they'll push it anyway"). The sensible path is to know your current obligation, prepare for the nearest threshold, and pick a vendor that understands this volatility and shoulders part of it.
Want to sort out which AI Act and NIS2 obligations actually apply to your plant? We've put together a cheat sheet mapping the AI Act to NIS2 – book a 30-minute call with the founder and we'll walk it through on your case.
