EU AI Act 2026: What Software Buyers Need to Know
If your organisation buys, builds, or deploys AI-powered software that touches the EU market, the regulatory ground has just shifted under your feet ā mostly in your favour. In late June 2026, the EU formally approved the "Digital Omnibus on AI," a package of amendments that pushed back the AI Act's most demanding compliance deadlines while tightening rules in a few specific areas.
This guide explains what the EU AI Act means for software buyers in practical terms: which obligations apply now, which are coming, what changed in the 2026 amendments, and what questions to ask any AI vendor before you sign.
Why Software Buyers Should Care ā Even Outside the EU
The AI Act has extraterritorial reach, similar to GDPR. It applies to providers placing AI systems on the EU market regardless of where the provider is established, and to organisations whose AI system output is used within the EU.
In practice this means:
- A US company selling AI-powered recruitment software to a German customer falls under the Act
- An Indian software firm building a credit-scoring model for a French bank falls under the Act
- An Australian retailer using an AI chatbot that serves EU visitors falls under the Act
The Risk-Based Framework in Two Minutes
The AI Act does not regulate "AI" as a single category. It classifies AI systems by risk level, with obligations scaling accordingly:
| Risk level | Examples | What applies |
| Prohibited | Social scoring, manipulative techniques exploiting vulnerabilities, most real-time biometric surveillance | Banned outright since February 2025 |
| High-risk | Recruitment and HR tools, credit scoring, educational assessment, critical infrastructure, medical AI | Strict obligations ā risk management, data governance, human oversight, documentation, registration |
| Limited risk | Chatbots, AI-generated content | Transparency obligations ā users must know they are interacting with AI |
| Minimal risk | Spam filters, recommendation engines, most business software | No new obligations |
The 2026 Timeline ā What Just Changed
The original timeline required high-risk AI systems to comply by 2 August 2026. Implementation ran into serious delays ā harmonised technical standards were not ready, and many member states had not designated their national enforcement authorities. In response, the EU institutions negotiated the Digital Omnibus on AI, which received political agreement in May 2026 and completed formal adoption at the end of June 2026.
Here is the current state of the timeline:
Already in force:- February 2025 ā Prohibited AI practices banned; AI literacy obligations began
- August 2025 ā Obligations for general-purpose AI model providers (the companies building foundation models) took effect
- Transparency obligations (Article 50) ā chatbots and AI systems interacting with humans must disclose that they are AI. This deadline was NOT deferred and takes effect as planned
- Most of the Act's remaining general provisions and enforcement machinery
- High-risk systems (Annex III) ā recruitment tools, credit scoring, education, law enforcement applications ā deferred from August 2026 to 2 December 2027
- High-risk AI embedded in regulated products (Annex I) ā medical devices, machinery, vehicles ā deferred to 2 August 2028
- Watermarking of AI-generated content ā for generative AI systems already on the market before August 2026, a grace period applies until 2 December 2026
- A new prohibition on AI systems that generate non-consensual intimate imagery or child sexual abuse material takes effect on 2 December 2026
What the Omnibus Changed Beyond Dates
The 2026 amendments made several substantive changes that affect procurement decisions:
SME simplifications extended to mid-caps. The simplified compliance framework ā reduced documentation requirements, proportionate penalties, regulatory sandbox access ā now covers companies with up to 750 employees and ā¬150 million annual revenue, not just small enterprises. If you buy from mid-sized AI vendors, their compliance path just became more manageable, which reduces vendor risk. Industrial AI carveout. AI used in industrial applications already regulated under the EU Machinery Regulation is exempted from direct AI Act application, with AI safety measures instead handled through that sectoral framework. This significantly simplifies compliance for manufacturing AI ā predictive maintenance, quality control vision systems, and production optimisation tools. Narrower "safety component" definition. AI features in regulated products that merely assist users or optimise performance ā without creating health or safety risks on failure ā will not automatically trigger high-risk obligations. Bias detection provisions. The rules clarify when special-category personal data (health information, biometric data) can be used to detect and correct bias in AI models, subject to a strict necessity test.What This Means for Your Procurement Process
1. Ask vendors for their AI Act risk classification ā in writingAny credible AI vendor selling into the EU should be able to tell you which risk category their system falls into and why. A vendor who cannot answer this question clearly has not done their compliance homework. For high-risk systems, ask for their conformity assessment plans and timeline to the December 2027 deadline.
2. Chatbot transparency applies from August 2026 ā check your customer-facing AI nowIf your organisation deploys chatbots or AI assistants that interact with EU users, the disclosure obligation applies from 2 August 2026 ā weeks away, not deferred. Users must be informed they are interacting with an AI system. This is a simple fix ā a clear disclosure in the interface ā but it carries real penalty exposure if ignored.
3. The deferral is preparation time, not a reprieveThe high-risk deadline moved to December 2027 precisely because compliance infrastructure was not ready ā not because obligations were softened. The substantive requirements remain: risk management systems, data governance, technical documentation, human oversight, accuracy and robustness standards, and registration in the EU database. Organisations that treat the deferral as 18 months of extra preparation will be ready; those that treat it as a cancellation will face the same scramble in late 2027.
4. Contract for complianceAI procurement contracts should now include: warranties that the system complies with applicable AI Act obligations, allocation of responsibility between provider and deployer duties (the Act assigns different obligations to each role), commitments to maintain conformity as standards are finalised, and indemnities for regulatory penalties arising from vendor non-compliance.
5. Document your own deployer obligationsBuyers are not passive in the AI Act's framework. Deployers of high-risk systems have their own duties ā using systems per the provider's instructions, ensuring human oversight, monitoring operation, and keeping logs. Your governance framework should assign clear internal ownership for these duties before deployment, not after.
Penalties ā What Non-Compliance Actually Costs
The AI Act's penalty structure exceeds GDPR's:
| Violation | Maximum penalty |
| Prohibited AI practices | ā¬35 million or 7% of global annual turnover |
| High-risk system non-compliance | ā¬15 million or 3% of global annual turnover |
| Supplying incorrect information to authorities | ā¬7.5 million or 1% of global annual turnover |
A Practical Compliance Checklist for Software Buyers
Between now and December 2027:
- Inventory ā catalogue every AI system in use or under procurement, including AI features embedded in larger software packages
- Classify ā determine each system's risk category, prioritising anything touching recruitment, credit, education, or safety
- Verify transparency compliance ā confirm customer-facing chatbots disclose AI interaction before 2 August 2026
- Engage vendors ā request risk classifications, conformity plans, and contractual compliance commitments
- Assign ownership ā designate internal responsibility for deployer obligations and AI governance
- Monitor standards ā harmonised technical standards are still being finalised; compliance details will sharpen through 2026ā2027
Conclusion
The EU AI Act's 2026 amendments bought the market time on the hardest requirements while holding firm on transparency. For software buyers, the picture is now clearer than it has been since the Act passed: minimal-risk AI faces no new burden, chatbot transparency arrives in August 2026, and high-risk obligations arrive in December 2027 with a more workable compliance framework than originally drafted.
The organisations that will navigate this well are those that treat AI compliance as a procurement criterion today ā asking the right questions of vendors, contracting for compliance, and building internal governance ā rather than a legal problem to solve when enforcement begins.
If your organisation is buying or building AI systems and needs help assessing where they fall under the EU AI Act ā or building compliance-ready AI from the start ā NetConsulate embeds regulatory compliance into every AI project from the first line of code.
Planning an AI project that needs to meet EU AI Act requirements? Submit a proposal request and our team will respond with a compliance-aware approach within 2 business days.