What changed
The original AI Act timeline set 2 August 2026 as the compliance date for stand-alone high-risk AI systems under Annex III. The European Commission proposed the Digital Omnibus on 19 November 2025. The Council and Parliament reached provisional agreement on 7 May 2026. Parliament endorsed on 16 June 2026. The Council gave final approval on 29 June 2026. The new dates are fixed: 2 December 2027 for stand-alone Annex III systems, and 2 August 2028 for high-risk AI embedded in regulated products under Annex I.
What did not move
Three things survived the delay intact. The Article 50 transparency obligations apply from 2 August 2026 as originally scheduled: users must be informed when they interact with an AI system and when content is AI-generated. A new Article 5 prohibition on AI-generated non-consensual intimate imagery and CSAM applies from 2 December 2026. And the GPAI obligations in force since August 2025 are untouched. An organization that read the headlines as “the AI Act is delayed” and paused everything has a compliance gap opening in three weeks.
What Article 14 still requires
The substance is unchanged. High-risk AI systems must be designed so natural persons can effectively oversee them: understand the system’s limits, monitor operation, interpret outputs, override or reverse a decision, and stop the system safely. For certain remote biometric identification systems, an identification must be separately verified by at least two qualified persons before any action is taken.
Sixteen months is not a pause
The market’s current answers to Article 14 are process answers: trained overseers, escalation procedures, halt buttons, audit logs. Process describes what should happen. The question an auditor will ask in December 2027 is architectural: can you prove that a specific authorized human oversaw this specific action, at the moment it happened, with evidence that survives adversarial review? A database row your own server wrote does not answer that question.
And the AI Act is not the only clock. DORA is in force now. PCI-DSS v4.0.1 is in force now. PSD2 already forced payments to bind amount and payee into the authorization itself. The evidence requirement is arriving from every direction. The date that moved bought time to build the layer properly, not permission to wait.
Sources
- Council press release, 7 May 2026
- Gibson Dunn client alert on the Omnibus agreement
- CSA research note on the 29 June final approval
Yuthent builds the evidence layer this question points at: per-action cryptographic proof of who approved, at the moment of execution. The model is public as an IETF Internet-Draft. Read the specification at /psea or the architecture questions security teams ask first at /faq.