The EU AI Act deadline just moved. The real risk for UK founders didn't.

On 7 May 2026 the EU pushed the riskiest parts of the AI Act back by 16 months. Most of the coverage hasn’t caught up.

For UK founders, that’s a real reprieve. If you’ve been told you’ve got 10 weeks to get ready for sweeping high-risk obligations, you’ve been told something that was true two months ago and isn’t anymore.

The deadline didn’t disappear. Some real obligations still land on 2 August 2026. But the part most likely to apply to your business has moved.

The risk that didn’t move is procurement, and it’s bigger than the fine ever was.

What changed on 7 May

The EU Council and Parliament reached political agreement on a “Digital Omnibus” simplification package covering several digital files, including the AI Act. The headline shifts:

• Stand-alone high-risk AI systems under Annex III (employment screening, education, credit scoring, biometrics, critical infrastructure, law enforcement, justice, migration): pushed from 2 August 2026 to 2 December 2027.
• AI embedded in regulated products under Annex I: pushed to 2 August 2028.

The Commission was honest about why. The technical standards and guidance documents companies need to actually implement the rules aren’t ready yet. Rather than penalise businesses for failing to meet standards that don’t exist, they delayed the obligations to match.

For most founders I speak to, that’s the obligation set they were most likely to be in scope for. Hiring tools that rank candidates, scoring systems that affect customers, monitoring of staff. Annex III.

What’s still landing on 2 August 2026

The deadline isn’t empty. Three things still kick in.

Commission enforcement of GPAI provider rules. The provider obligations themselves applied from 2 August 2025; the enforcement powers come online a year later. If you’re a deployer using OpenAI, Anthropic, Google, Mistral and similar, this sits with them, not you.

AI Office governance. The body responsible for overseeing the Act becomes fully operational.

Transparency obligations. Telling users they’re interacting with AI when it’s not obvious, watermarking synthetic media, disclosing AI-generated content. Light touch, but it applies broadly.

For most founders building on AI but not running an Annex III use case, that’s the actual exposure on 2 August. It’s modest.

Two things have already been in force longer than most realise:

• AI literacy obligations (Article 4) applied from 2 February 2025. Providers and deployers must ensure staff using AI have “a sufficient level of AI literacy.” Easiest one to comply with, most often missed.
• Prohibited practices (Article 5): social scoring, manipulative AI, and certain biometric use cases have been banned since 2 February 2025.

The risk that didn’t move

While the Annex III timeline shifted, the commercial pressure didn’t.

I’ve spoken to UK founders who’ve already come up against this from procurement, especially into big enterprise sales. The buyer doesn’t care about your legal exposure. The buyer cares whether their procurement, risk, and compliance teams can clear you to sign.

It looks like:

• “Confirm your AI systems are AI Act compliant or describe your roadmap to compliance.”
• “List the AI subprocessors and model versions you use.”
• “Provide your AI governance documentation.”
• “Describe your human oversight for AI-assisted decisions affecting our staff or our customers.”

These questionnaires are landing now, well ahead of 2 August 2026. The CISO and procurement teams behind them can’t put a vendor forward without something to wave at the risk committee. “We’ll sort it later” loses you the deal, because the buyer has no defensible answer to give upstairs.

That’s the deadline that actually matters for most SMEs. Not the EU Commission knocking on your door. The deal you don’t close because the questionnaire came back blank.

What to do this week (90 minutes)

Sit down with your CTO or technical co-founder and answer four questions.

1. Where in our product or workflow does AI make a decision that affects a person?
2. Which AI providers and models are we using? Write them down. You’ll be surprised how scattered this gets after 12 months.
3. Is a human reviewing the output before it lands on the customer or end user?
4. For anything that touches an Annex III use case (hiring, credit, monitoring, biometrics, education), are we retaining the system logs?

That’s a basic AI register. It’s also the answer to most enterprise vendor questionnaires. Two hours of work that turns a deal-blocker into a credibility signal.

The Omnibus gave you more time to be perfect. It didn’t give you more time to be ready.

Want help?

If you’d like a second pair of eyes on your AI register and your enterprise sales readiness before the next procurement ask lands, I run an Ops Audit that covers exactly this. From £5,000, one-off, no follow-on commitment. Drop me a line at [email protected] or book a discovery call.

Also worth reading

• The Hidden Cost of Signing Contracts Without Review
• Case Study: The Doers — Commercial Contract Risk
• 5 Signs Your Startup Has Outgrown Ad-Hoc Management
• Fractional COO service (governance and compliance documentation in scope)

Sources

• EU AI Act: Article 4 (AI literacy), Article 26 (deployer obligations) and Article 99 (penalties)
• Council of the EU, “AI: Council and Parliament agree to simplify and streamline rules” (7 May 2026 Digital Omnibus political agreement)
• Travers Smith, “EU agrees to delay key AI Act compliance deadlines”
• European Commission, AI Act overview and implementation timeline
• European Commission, Guidelines for providers of general-purpose AI models

---

This post is general information about EU AI Act compliance for UK businesses. It is not legal advice. If you’re in scope for the Act’s high-risk provisions or you handle EU personal data, get advice from a qualified lawyer for your specific situation.

---