Home/Insights/EU AI Act 2026: What Software Buyers Need to Know
Compliance & Regulation

EU AI Act 2026: What Software Buyers Need to Know

The EU just finalised major amendments to the AI Act — deferring high-risk obligations to December 2027 while holding firm on chatbot transparency from August 2026. Here is what software buyers need to know about risk classification, vendor due diligence, and contracting for compliance.

N
NetConsulate Engineering Team
šŸ“… 6 July 2026ā± 8 min read

EU AI Act 2026: What Software Buyers Need to Know

If your organisation buys, builds, or deploys AI-powered software that touches the EU market, the regulatory ground has just shifted under your feet — mostly in your favour. In late June 2026, the EU formally approved the "Digital Omnibus on AI," a package of amendments that pushed back the AI Act's most demanding compliance deadlines while tightening rules in a few specific areas.

This guide explains what the EU AI Act means for software buyers in practical terms: which obligations apply now, which are coming, what changed in the 2026 amendments, and what questions to ask any AI vendor before you sign.


Why Software Buyers Should Care — Even Outside the EU

The AI Act has extraterritorial reach, similar to GDPR. It applies to providers placing AI systems on the EU market regardless of where the provider is established, and to organisations whose AI system output is used within the EU.

In practice this means:

  • A US company selling AI-powered recruitment software to a German customer falls under the Act
  • An Indian software firm building a credit-scoring model for a French bank falls under the Act
  • An Australian retailer using an AI chatbot that serves EU visitors falls under the Act
If any part of your software supply chain touches the EU, the Act is relevant to your procurement decisions — and non-compliance carries penalties of up to €35 million or 7% of global annual turnover for the most serious violations.

The Risk-Based Framework in Two Minutes

The AI Act does not regulate "AI" as a single category. It classifies AI systems by risk level, with obligations scaling accordingly:

Risk levelExamplesWhat applies
ProhibitedSocial scoring, manipulative techniques exploiting vulnerabilities, most real-time biometric surveillanceBanned outright since February 2025
High-riskRecruitment and HR tools, credit scoring, educational assessment, critical infrastructure, medical AIStrict obligations — risk management, data governance, human oversight, documentation, registration
Limited riskChatbots, AI-generated contentTransparency obligations — users must know they are interacting with AI
Minimal riskSpam filters, recommendation engines, most business softwareNo new obligations
The vast majority of AI systems in everyday business use fall into the minimal-risk category and face no new requirements. The compliance burden concentrates on high-risk systems — and knowing whether the software you are buying falls into that category is the single most important question in AI procurement today.

The 2026 Timeline — What Just Changed

The original timeline required high-risk AI systems to comply by 2 August 2026. Implementation ran into serious delays — harmonised technical standards were not ready, and many member states had not designated their national enforcement authorities. In response, the EU institutions negotiated the Digital Omnibus on AI, which received political agreement in May 2026 and completed formal adoption at the end of June 2026.

Here is the current state of the timeline:

Already in force:
  • February 2025 — Prohibited AI practices banned; AI literacy obligations began
  • August 2025 — Obligations for general-purpose AI model providers (the companies building foundation models) took effect
Applying from 2 August 2026:
  • Transparency obligations (Article 50) — chatbots and AI systems interacting with humans must disclose that they are AI. This deadline was NOT deferred and takes effect as planned
  • Most of the Act's remaining general provisions and enforcement machinery
Deferred by the 2026 Omnibus:
  • High-risk systems (Annex III) — recruitment tools, credit scoring, education, law enforcement applications — deferred from August 2026 to 2 December 2027
  • High-risk AI embedded in regulated products (Annex I) — medical devices, machinery, vehicles — deferred to 2 August 2028
  • Watermarking of AI-generated content — for generative AI systems already on the market before August 2026, a grace period applies until 2 December 2026
New additions:
  • A new prohibition on AI systems that generate non-consensual intimate imagery or child sexual abuse material takes effect on 2 December 2026

What the Omnibus Changed Beyond Dates

The 2026 amendments made several substantive changes that affect procurement decisions:

SME simplifications extended to mid-caps. The simplified compliance framework — reduced documentation requirements, proportionate penalties, regulatory sandbox access — now covers companies with up to 750 employees and €150 million annual revenue, not just small enterprises. If you buy from mid-sized AI vendors, their compliance path just became more manageable, which reduces vendor risk. Industrial AI carveout. AI used in industrial applications already regulated under the EU Machinery Regulation is exempted from direct AI Act application, with AI safety measures instead handled through that sectoral framework. This significantly simplifies compliance for manufacturing AI — predictive maintenance, quality control vision systems, and production optimisation tools. Narrower "safety component" definition. AI features in regulated products that merely assist users or optimise performance — without creating health or safety risks on failure — will not automatically trigger high-risk obligations. Bias detection provisions. The rules clarify when special-category personal data (health information, biometric data) can be used to detect and correct bias in AI models, subject to a strict necessity test.

What This Means for Your Procurement Process

1. Ask vendors for their AI Act risk classification — in writing

Any credible AI vendor selling into the EU should be able to tell you which risk category their system falls into and why. A vendor who cannot answer this question clearly has not done their compliance homework. For high-risk systems, ask for their conformity assessment plans and timeline to the December 2027 deadline.

2. Chatbot transparency applies from August 2026 — check your customer-facing AI now

If your organisation deploys chatbots or AI assistants that interact with EU users, the disclosure obligation applies from 2 August 2026 — weeks away, not deferred. Users must be informed they are interacting with an AI system. This is a simple fix — a clear disclosure in the interface — but it carries real penalty exposure if ignored.

3. The deferral is preparation time, not a reprieve

The high-risk deadline moved to December 2027 precisely because compliance infrastructure was not ready — not because obligations were softened. The substantive requirements remain: risk management systems, data governance, technical documentation, human oversight, accuracy and robustness standards, and registration in the EU database. Organisations that treat the deferral as 18 months of extra preparation will be ready; those that treat it as a cancellation will face the same scramble in late 2027.

4. Contract for compliance

AI procurement contracts should now include: warranties that the system complies with applicable AI Act obligations, allocation of responsibility between provider and deployer duties (the Act assigns different obligations to each role), commitments to maintain conformity as standards are finalised, and indemnities for regulatory penalties arising from vendor non-compliance.

5. Document your own deployer obligations

Buyers are not passive in the AI Act's framework. Deployers of high-risk systems have their own duties — using systems per the provider's instructions, ensuring human oversight, monitoring operation, and keeping logs. Your governance framework should assign clear internal ownership for these duties before deployment, not after.


Penalties — What Non-Compliance Actually Costs

The AI Act's penalty structure exceeds GDPR's:

ViolationMaximum penalty
Prohibited AI practices€35 million or 7% of global annual turnover
High-risk system non-compliance€15 million or 3% of global annual turnover
Supplying incorrect information to authorities€7.5 million or 1% of global annual turnover
Penalties apply per infringement, and EU data protection authorities are already enforcing GDPR aggressively in AI contexts — meaning AI systems face regulatory exposure on two fronts simultaneously.

A Practical Compliance Checklist for Software Buyers

Between now and December 2027:

  • Inventory — catalogue every AI system in use or under procurement, including AI features embedded in larger software packages
  • Classify — determine each system's risk category, prioritising anything touching recruitment, credit, education, or safety
  • Verify transparency compliance — confirm customer-facing chatbots disclose AI interaction before 2 August 2026
  • Engage vendors — request risk classifications, conformity plans, and contractual compliance commitments
  • Assign ownership — designate internal responsibility for deployer obligations and AI governance
  • Monitor standards — harmonised technical standards are still being finalised; compliance details will sharpen through 2026–2027

Conclusion

The EU AI Act's 2026 amendments bought the market time on the hardest requirements while holding firm on transparency. For software buyers, the picture is now clearer than it has been since the Act passed: minimal-risk AI faces no new burden, chatbot transparency arrives in August 2026, and high-risk obligations arrive in December 2027 with a more workable compliance framework than originally drafted.

The organisations that will navigate this well are those that treat AI compliance as a procurement criterion today — asking the right questions of vendors, contracting for compliance, and building internal governance — rather than a legal problem to solve when enforcement begins.

If your organisation is buying or building AI systems and needs help assessing where they fall under the EU AI Act — or building compliance-ready AI from the start — NetConsulate embeds regulatory compliance into every AI project from the first line of code.


Planning an AI project that needs to meet EU AI Act requirements? Submit a proposal request and our team will respond with a compliance-aware approach within 2 business days.
Related NetConsulate service
šŸ”’
Responsible AI & compliance

We embed fairness testing, explainability (XAI), bias auditing, and regulatory compliance (EU AI Act, GDPR) into your AI systems from day one — not as an afterthought.

Get a proposal for this service