The EU AI Act's two-clock enforcement: why your vendors are regulated before you are

Bottom line. The mid-2026 consensus that the EU AI Act got watered down is half the story. The European Commission’s framework keeps general-purpose AI model-provider enforcement live on 2 Aug 2026, while the provisionally agreed Digital Omnibus only delays the high-risk obligations that fall on deployers. Your model vendors become directly regulated in August. Your own high-risk clock does not start until December 2027. The gap between those two dates is the part that lands on enterprise IT.

Report. On 2 Aug 2026, the one-year grace period for general-purpose AI model providers ends and the Commission’s supervision and enforcement powers over them take effect. From that date the AI Office can demand documentation, run model evaluations, order risk-mitigation or recall measures, and levy fines of up to 3% of global annual turnover or €15 million, whichever is higher, for GPAI breaches. Models placed on the market before 2 Aug 2025 have until 2 Aug 2027 to reach full compliance.

Running on a separate track is the Digital Omnibus on AI, tabled on 19 Nov 2025 and provisionally agreed on 7 May 2026, then approved by the Parliament’s IMCO and LIBE committees on 2 Jun 2026. It defers the high-risk obligations: stand-alone Annex III systems move to 2 Dec 2027, and AI embedded in regulated products under Annex I moves to 2 Aug 2028. As of mid-June 2026 it remains a provisional agreement awaiting a final plenary vote, so the deferral is the likely outcome rather than a settled one.

The European data-protection regulators have flagged the tension in the simplification drive directly:

“Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights.”

That is Anu Talus, Chair of the European Data Protection Board, in the EDPB and EDPS joint opinion of 11 Feb 2026.

Observe. The Act now runs on two clocks, and they are not synchronised. One governs the people who build the models. The other governs the people who deploy them. Only the first stops in August.

The framing most takes get backwards is treating the high-risk delay as a reason for enterprise buyers to relax. The delay applies to the buyer’s own obligations. It does nothing to the upstream providers, who become finable in August and will behave accordingly.

Reflect. For a senior IT leader, the operational read is the vendor-flow-down gap. A general-purpose model provider facing direct enforcement on 2 Aug 2026 will harden its documentation, copyright provenance, and model-evaluation evidence, and it will push the corresponding demands down its contracts: new disclosure clauses, evaluation cooperation requirements, and usage attestations. Those demands arrive on enterprise procurement desks in the second half of 2026.

The enterprise’s own high-risk deployer obligations, meanwhile, have moved out to 2 Dec 2027. So the sequencing for a CIO running procured AI in HR, credit, security or other high-risk territory is the reverse of the relief narrative: the vendor pressure comes first, roughly 16 months before the in-house deadline. Two questions belong in procurement now. Is the model vendor a signatory to the GPAI Code of Practice, which signals how it will evidence conformity. And does the contract already carry the flow-down clauses that an August-enforceable vendor will want, so the renegotiation is not a surprise.

Share thoughts. Treat 2 Aug 2026 as a vendor-management date, not a compliance-team date: the enterprises that get caught out will be the ones that read the high-risk delay as permission to wait, then meet their model vendors’ new contractual demands cold.