Is the AI watermarking requirement cancelled?

No — the machine-readable marking duty for AI-generated content (Article 50(2)) moved from 2 August 2026 to 2 December 2026, with a shorter grace period. Plan for it now; four months is one release cycle.

EU AI Act: what actually applies from 2 August 2026 (and what just moved)

Q: We only call models like Claude or Mistral via an API — are we a provider?

Usually you are a deployer or integrator: GPAI obligations sit with the model vendor, while transparency duties and GDPR obligations attach to the product you build. A short classification exercise settles your role per use case.

Q: Does the AI Act replace or change the GDPR?

No. The GDPR (AVG) keeps applying in full to any personal data in your AI features — the AI Act stacks on top of it, it does not replace it.

If you sell AI work to clients, you've probably had the email: "Are we ready for the AI Act in August?" The honest answer got more interesting on 7 May 2026, when the Council and Parliament reached a provisional agreement on the Digital Omnibus — a package that delays the Act's high-risk obligations while leaving the rest of the August date intact. Formal adoption is expected before the deadline; treat the new dates as your planning baseline.

The timeline, as it stands

Already in force

Since 2 February 2025 — the prohibitions (social scoring, manipulative systems, and now also generators of non-consensual intimate imagery, added by the omnibus) and the AI-literacy duty for organisations using AI.
Since 2 August 2025 — obligations for GPAI model providers. These sit with the model vendors, not with the products you build on top.

What still lands on 2 August 2026

Transparency duties — users must be told they're interacting with AI, and deepfakes / AI-generated media must be disclosed by the deployer.
Enforcement machinery — national supervisory authorities and the penalty framework become fully applicable.
The Act's general applicability date arrives — everything not explicitly postponed, applies.

What the omnibus moved

Machine-readable watermarking of AI-generated content (Article 50(2)): 2 August 2026 → 2 December 2026.
National regulatory sandboxes: 2 August 2026 → 2 August 2027.
High-risk obligations for Annex III systems: 2 August 2026 → 2 December 2027.
High-risk AI embedded in regulated products (Annex I): 2 August 2027 → 2 August 2028.

Compliance isn't a PDF you write at the end. It's an architecture decision you make at the start.

What this means if you sell AI to clients

Most client projects — copilots, document automation, support assistants, content tooling — are not high-risk under Annex III. For those, the August 2026 reality is refreshingly concrete: disclose the AI, label generated media, keep your PII handling in order under the GDPR, and be able to show how the system works.

The delay on high-risk systems is breathing room, not a holiday. If your client's use case touches hiring, credit, education or essential services, December 2027 sounds far away — until you remember that logging, human-oversight points and documentation are 10× cheaper to design in than to retrofit. We build to that bar by default, because the second-cheapest moment to do it is now.

The checklist we run on every AI build

Classify the use case. Prohibited, high-risk, limited-risk or minimal — plus your role: provider, deployer or integrator. One page, settled before any code.
Pick the hosting before the first prompt. EU-hosted models — Mistral AI, AWS Bedrock in EU regions — or open weights on the client's own infrastructure when data can't leave.
Design the disclosure UX. "You're talking to AI" is a product decision; bolted-on banners convert worse than honest design.
Log decisions, build in oversight. Prompt and decision logging plus human checkpoints where the impact warrants them.
Hand over the paper trail. Model inventory, evaluation results and DPIA input, so your client's DPO gets answers instead of homework.

The longer version of this lives on our EU Ready page.

FAQ

Is the watermarking requirement cancelled?

No — the machine-readable marking duty for AI-generated content (Article 50(2)) moved to 2 December 2026, with a shorter grace period than originally planned. Four months is one release cycle: plan for it now.

Our client's system is high-risk (Annex III). Can we relax until December 2027?

Build to the high-risk bar now anyway. Retrofitting logging, oversight and documentation into a live system costs multiples of building it in — and the GDPR applies in full today regardless of the AI Act timeline.

Do fines start in August 2026?

The penalty framework and national enforcement structures apply from 2 August 2026 — and the prohibitions have been enforceable since February 2025. Betting on slow regulators is not a compliance strategy.

We only call models like Claude or Mistral via an API — are we a "provider"?

Usually you're a deployer or integrator: the GPAI obligations sit with the model vendor, while transparency duties and GDPR obligations attach to the product you build. A short classification exercise settles your role per use case.

Does the AI Act replace the GDPR/AVG?

No. The GDPR keeps applying in full to any personal data in your AI features — the AI Act stacks on top of it, it doesn't replace it.

Sources: Council of the EU, press release on the AI omnibus agreement (7 May 2026) · Gibson Dunn, EU AI Act Omnibus Agreement analysis · VerifyWise, what changed on 7 May 2026. We're engineers, not your legal counsel — for legal sign-off, loop in your client's DPO and lawyers.

A client asking AI Act questions you'd rather not answer alone? Plan a call — bring us into the conversation, white-label.