Renewed Vigilance is Required in Wake of Recent Amendments to EU Artificial Intelligence Act

On June 16, 2026, with mounting pressure from member states and industry groups, the European Parliament formally endorsed a provisional agreement delaying a significant enforcement milestone in the European Union’s Regulation (EU) 2024/1689 (the “Artificial Intelligence Act” or “AI Act”), with significant consequences for businesses. Completed just under two months before the new enforcement guidelines were to take effect, the agreement extends various enforcement deadlines, eliminates certain duplicative manufacturer requirements, broadens small business exemptions, and adds new prohibitions on certain AI-generated intimate content.

Though the EU’s delay grants organizations additional time to comply with some obligations under the AI Act, delaying implementation of compliance measures could prove costly. Unlike in the early enforcement period of the General Data Protection Regulation (“GDPR”), EU regulators have already signaled their intent to enforce the AI Act from day one. Moreover, the AI Act has extraterritorial reach: any AI system influencing decisions affecting EU residents, regardless of where a company is headquartered, may fall within the scope of the AI Act. The AI Act’s penalties are significant, ranging from €7.5 million or 1% of global annual turnover to €35 million or 7% of global annual turnover. For small companies, even the lower tier penalties represent existential exposure. This is not an abstract compliance exercise; it is a binding legal framework with real penalties, obligations, and exposure that begins the moment enforcement powers fully activate.

Many businesses may unknowingly use, and therefore may be considered deployers of, high-risk AI systems regulated under the AI Act. These systems include:

  • Employment and Workforce Management: AI systems used for recruitment, candidate screening, performance evaluation, work allocation, or monitoring employee behavior.
  • Access to Essential Services: AI systems that evaluate an individual’s eligibility for, or access to, healthcare or wellness services are high-risk. For companies operating employee benefits platforms—including employee assistance programs (“EAPs”)—this category is directly relevant if AI is used to triage, route, or assess employee mental health or wellness needs. The threshold may be lower than you expect.
  • Insurance Risk Assessment: AI systems used in health and life insurance pricing or risk classification. If your platform feeds data into underwriting or coverage determination processes, this category may be implicated.

The delay shifts certain deadlines by creating a rolling deadline format. For example, the compliance deadline for AI systems outlined under Annex III, including High-Risk AI System Requirements (Articles 9–17 and 26), has moved to December 2, 2027 (a 17-month extension). The deadline to comply with the rules for AI systems integrated into products subject to product safety regulations (Annex I) would become August 2, 2028 (a 12-month extension). Even with the extensions, these deadlines can creep up in a hectic business environment. Here are six steps to take now:

Conduct an AI Inventory

Map every AI tool your company uses in connection with its EU operations or EU employees. Be sure to include vendor-provided SaaS tools with AI features, not just bespoke systems. Many companies are surprised by how many systems qualify.

Classify by Risk

For each AI system you identify, work with legal advisors to assess its risk category: prohibited, high-risk, or limited/minimal risk. This requires knowledge of both what the system does and how the AI Act specifically defines its risk categories.

Audit Your Vendor Contracts

Review any agreements with AI vendors for compliance-relevant provisions, including documentation delivery, log access, incident notification, EU representative obligations, and allocation of deployer vs. provider responsibilities. Most off-the-shelf agreements do not yet reflect the AI Act’s requirements. And for deployers of high-risk AI systems, obligations cannot be outsourced to AI vendors even where the vendor bears primary provider responsibilities.

Implement Deployer-Side Controls

For any high-risk AI system, start human oversight procedures, log retention practices, employee or user notification mechanisms, and any applicable Fundamental Rights Impact Assessment (FRIA). Document these in writing: the AI Act requires documentation, and enforcement will look for it.

Review Your AI Literacy Obligations

An often-overlooked requirement—enforced since February 2025—is that organizations must ensure that staff who work with AI have appropriate AI literacy training. This is a minor obligation that can be addressed with modest internal effort. If you have not already implemented an AI literacy training program, now is the time to do so.

Integrate AI Governance Into Your Broader Compliance Program

AI Act compliance is not a one-time project. Instead, it requires ongoing monitoring as your company’s AI tools evolve, guidance is updated, and enforcement develops. Building AI Act compliance into your company’s broader compliance program, alongside GDPR and sector-specific obligations, will serve to minimize risks and costs in the long term.

Companies should begin completing core steps immediately. Organizations waiting until 2027 will be starting from behind, with enforcement already active. We are available to guide you through this process. Whether you need a full EU AI Act readiness assessment, targeted vendor contract review, or specific guidance on high-risk classification for your product or service, we can provide scoped, efficient support designed for your business needs.

 


This article is intended as general client information and does not constitute legal advice. The EU AI Act is a complex and evolving regulation. Please consult with counsel regarding your specific circumstances.

 
