The EU AI Act's 'Wait and See' Window Is Closing — Fixed Deadlines Are Here

Why "Wait and See" Is No Longer a Viable Strategy

For the past year, one of the most common compliance strategies among SMEs has been entirely reasonable: hold off, the standards aren't ready yet, and once the Digital Omnibus lands everything will be clearer. That argument is rapidly losing its footing.

A new analysis from Corporate Compliance Insights, published this week, cuts through the complexity to deliver a blunt message: fixed deadlines are replacing regulatory ambiguity.^[1] The Commission originally proposed tying high-risk AI compliance obligations to the publication of harmonised standards. In theory, this meant compliance would kick in once clear technical guidance existed. In practice, it created a defensible wait-and-see posture: no standards, no compliance needed.

That posture is now officially closed. Both the European Parliament and the Council of the EU have independently settled on fixed calendar dates for high-risk obligations to apply — regardless of when (or if) the harmonised standards arrive. The backstop: December 2, 2027 for standalone high-risk AI systems listed in Annex III, and August 2, 2028 for AI embedded in regulated physical products.^[2]

The Dual-Track Reality for SMEs

Here is what makes this genuinely important for small businesses: nothing has been formally adopted yet. The original August 2, 2026 deadline still stands in law until a final amended text clears trilogue and is published in the EU Official Journal.^[1]

If trilogue negotiations run past August 2, 2026 without a deal, the original deadline applies automatically and without recourse. This creates a dual-track reality: politically, a delay is likely; legally, it cannot yet be relied upon. For risk-conscious organisations — which should be every organisation using AI — the only defensible position is to prepare for the earlier timeline while retaining flexibility to adapt if the later dates are confirmed.

Think of it like this: you wouldn't skip doing your taxes because an election promise suggested tax rules might change. The same logic applies here. The August 2 deadline for transparency obligations — chatbot disclosures, AI content labelling — is not part of the Omnibus at all. It is not being delayed. Do it now.

AI Literacy: The Obligation That Didn't Get Softened

One detail from the Lewis Silkin analysis that deserves more attention: the AI literacy obligation under Article 4 of the AI Act.^[4]

The Commission had proposed a significant weakening: instead of AI literacy being a binding obligation on providers and deployers (employers), it would become a framework led by member states and the Commission — essentially a policy aspiration rather than a compliance requirement.

Both Parliament and Council rejected this. The binding obligation on organisations to ensure staff interacting with AI systems have appropriate training remains in place.^[2] Parliament has lowered the standard from ensuring a "sufficient level of AI literacy" to "supporting the improvement of AI literacy" — a meaningful concession — but it is still an obligation, not optional.

For SMEs, this is frequently the compliance step that falls off the priority list. Unlike technical documentation or conformity assessments, it doesn't require specialist legal help. It just requires your people to understand what they are working with. That is often the hardest part to do at scale, and it is the one that got weaker — but not removed — in the Omnibus negotiations.

The Registration Obligation That Came Back

One more detail worth noting: the Commission proposed removing the obligation for AI providers to register their systems in the EU database if they self-assessed those systems as non-high-risk under Article 6(3). Both Parliament and Council reinstated the registration requirement, while agreeing to streamline the information that needs to be provided.^[3]

This matters for SMEs building AI products. If you are putting an AI system on the EU market, you will still need to register it — even if it is not high-risk. The registration burden is being simplified, which is welcome, but the obligation itself survived the Omnibus negotiations intact.

What to Do With This

Three concrete actions for SMEs this week:

• Handle your transparency obligations now. Chatbot disclosures, AI content labelling — August 2, 2026 is the confirmed deadline and it is not part of the Omnibus. There is no legitimate reason to wait.
• Build your AI literacy programme. Even in basic form — a briefing for staff on what AI tools the company uses, how they make decisions, and how to flag concerns — this addresses the Article 4 obligation and costs almost nothing to start.
• Maintain a dual-track compliance plan. Continue preparing for the August 2, 2026 high-risk deadline as your worst-case scenario, while tracking trilogue outcomes. If the December 2027 date is confirmed before summer, you can deprioritise the rush work. If it isn't, you haven't lost time.

The window for "wait and see" is not fully closed — the delay hasn't been formally adopted yet, and the political will to finalise a deal before summer is real. But every week you spend not building your compliance foundation is a week of accumulated risk. Fixed deadlines remove the ambiguity that made waiting feel reasonable. The law may yet change; your risk exposure doesn't wait for it to.

This article is for informational purposes only and does not constitute legal advice.