The Digital Omnibus on AI moved the deadlines that made headlines and left alone the one that will actually affect your build. High-risk obligations slipped by more than a year. Article 50 transparency did not slip. It applies from 2 August 2026, which is roughly three weeks out, and it is the provision that catches ordinary teams doing ordinary things: generating text, images, or audio with a model and putting the output in front of a person.

The relief was real, and I understand why teams read the coverage and relaxed. It was just relief for a different problem than most of us have. If you are running a summarizer, a support assistant, or a content pipeline on Amazon Bedrock, almost nothing that got deferred was ever going to bind you. The thing that binds you is the thing that stayed.

What actually happened

The European Parliament approved the Digital Omnibus on AI on 16 June 2026, and the Council formally adopted it on 29 June 2026, closing the legislative procedure. It enters into force this month on publication in the Official Journal. So this is settled law, not a proposal to track.

What it changed:

  • Annex III high-risk systems (stand-alone) move from 2 August 2026 to 2 December 2027.
  • Annex I high-risk systems (embedded in regulated products) move from 2 August 2027 to 2 August 2028.
  • A new prohibition on systems generating non-consensual intimate imagery and CSAM, or lacking reasonable safeguards against it, applies from 2 December 2026.

What it did not change: Article 50 transparency obligations still apply from 2 August 2026.

The conflation to avoid

Two separate August 2 dates are doing a lot of damage in internal discussions right now, so be precise about which one anyone means.

2 August 2025 was the GPAI date. Obligations on providers of general-purpose AI models, Articles 51 to 56, have been in force for nearly a year. Those land on whoever provides the model. If you call Anthropic or Meta or Mistral weights through Bedrock, you are not the GPAI provider, and that date was never yours.

2 August 2026 is the transparency date, and it lands on providers and deployers of AI systems. That is you. Building a feature on someone else's model makes you a provider of the system you built, and running it makes you a deployer. Neither of those roles was deferred.

I have sat in more than one meeting where "the AI Act stuff already happened last August" and "the AI Act got pushed to 2027" were said twenty minutes apart, and both speakers were partly right, which is the worst kind of disagreement to have.

What Article 50 asks for

Four obligations, and they are narrower and more mechanical than the discourse suggests.

50(1): tell people they are talking to a machine

If a system interacts directly with people, they must be informed they are interacting with an AI system, unless it is obvious from context to a reasonably observant person. A chat widget labelled "AI assistant" is done. An assistant given a human first name, dropped into a support queue, and never disclosed is not.

50(2): mark synthetic output machine-readably

This is the one with engineering in it. Providers of systems generating synthetic audio, image, video, or text must mark outputs in a machine-readable format, detectable as artificially generated or manipulated. Not a visible label for humans: a marking that a machine can detect, which in practice means provenance metadata such as C2PA for images, watermarking where it applies, and a documented approach for text, where the state of the art is honestly weaker than the drafting implies. Article 50(2) asks that marking solutions be, in its own words, effective, interoperable, robust and reliable as far as this is technically feasible, and that last clause is carrying real weight for text.

There is one transitional detail worth knowing, and it is the only place the Omnibus touched Article 50 at all: systems that generate synthetic content and were already placed on the market before 2 August 2026 get until 2 December 2026 for the machine-readable marking obligation. A four-month grace, for existing systems only. Anything you ship after 2 August is in scope on day one. If you are reading this as a reprieve, note that it buys four months for the systems you have already shipped and nothing for the roadmap.

50(3): emotion recognition and biometric categorisation

Deployers must inform the people exposed to it. If this applies to you, you already know, and you have larger obligations elsewhere in the Act.

50(4): deepfakes and public-interest text

Deployers must disclose deepfake content as artificially generated. And deployers publishing AI-generated or AI-manipulated text to inform the public on matters of public interest must disclose that too, unless a human reviewed it and someone holds editorial responsibility. That exemption is the design hint: human review with named accountability is a real path, not a loophole.

What this means if you build on Bedrock

Bedrock does not mark output for you. There is no flag on Converse that makes your synthetic content compliant, and there should not be, because marking is a property of the artifact you produce and the pipeline that produces it. AWS gives you the inference. The obligation attaches to the system you built around it.

Practically, four things:

  • Inventory what you generate and where it lands. Most teams cannot answer this in one meeting. Every model call that produces content shown to a person outside the company, plus what modality, plus whether a human reviews it before publication. The inventory is the work; the classification is usually easy once you have it.
  • Attach provenance at generation, not at publication. If an image is produced by a model, mark it in the pipeline step that produced it. Marking later means finding it later, and you will not find all of it.
  • Write down your text approach and why. Text marking is genuinely unsettled. A documented, defensible position, with the human-review-and-editorial-responsibility path used where it fits, beats an undocumented gamble. "Technically feasible" is a standard you can meet with evidence, not with silence.
  • Check the disclosure you already ship. The 50(1) work is often already done and just needs confirming. This is the cheapest row in the table.

Why the deferral does not help you

Annex III is credit scoring, hiring, education access, essential services, law enforcement, migration. Real, but a specific list. If your product is not on it, the 2 December 2027 date is trivia. The mental model that fails is treating "the AI Act" as one deadline with one date. It is a set of obligations attached to roles, each with its own clock, and the Omnibus adjusted some clocks and not others. Yours may not have moved at all.

From 2 August 2026 the AI Office and national authorities can fine breaches of provider and deployer obligations, including Article 50, up to EUR 15 million or 3 percent of worldwide annual turnover, whichever is higher. Enforcement capacity in the first months will be limited and nobody sensible expects a wave of August fines. That is a reason to be calm, not a reason to be unprepared, because the inventory step is the slow part and it does not go faster under pressure.

The takeaway

The Digital Omnibus deferred high-risk obligations to December 2027 and August 2028 and left Article 50 transparency on 2 August 2026. GPAI obligations have applied since August 2025 and were always someone else's, not yours. If you generate content with a model and show it to people in the EU, your deadline is three weeks away, with a four-month marking grace only for systems already on the market. Inventory what you generate, mark it where you make it, document your reasoning for text, and disclose the bot. That is a smaller project than the headlines suggest, and it is due considerably sooner.

Read this next

The data-residency and account-boundary side of EU compliance work lives in the field notes at ercan.cloud. The hub is at ercanermis.com.