EU AI Act enforcement readiness: what to do before August 2

The Omnibus deal extended HRAIS deadlines but shortened watermarking to 3 months. December 2, 2026 is the watermarking cliff. Article 99 penalties are still 7% of global turnover. Here's the practical compliance map.

What the Omnibus actually changed

The political agreement reached on May 7 moved three deadlines and held one. Specifically:

• HRAIS (high-risk AI systems): extended. Compliance deadlines for the heaviest provisions get more time. Concrete date depends on transposition but the practical effect is industry-friendly.
• Regulatory sandboxes: postponed to August 2, 2027. A year of additional runway for member-state sandbox stand-up.
• Watermarking grace period: shortened from 6 months to 3 months. New cliff is December 2, 2026. This is the timeline that moved against industry.
• Article 99 penalties: unchanged. €35M or 7% of global turnover for prohibited practices. €15M or 3% for high-risk violations. €7.5M or 1% for misinformation.

The August 2 grandfathering rule

Generative AI placed on market before August 2, 2026 only needs to comply with watermarking from December 2, 2026 onwards. Systems shipped after August 2 must comply at ship time.

This is the under-noticed clause and the highest-leverage one. Practically:

• Any genAI product you have in EU production today gets six months to add watermarking after the rule activates.
• Any genAI product you launch after August 2, 2026 must ship with watermarking from day one.
• The intent is to avoid breaking running apps; the effect is to accelerate any 2026 launch plan you have to before August 2.

Watermarking: what's actually required

The Act doesn't mandate a specific technology. It mandates that AI-generated content be "detectable as such" by appropriate means. In practice, conforming approaches are:

• Cryptographic provenance metadata (C2PA-style content credentials) attached to outputs.
• Statistical watermarks embedded in token distributions for text outputs.
• Perceptual watermarks for image/audio/video outputs.
• Disclosure UI — a clear "this content was AI-generated" label visible to end users.

For most enterprises the lowest-friction conforming approach is disclosure UI plus C2PA metadata. Statistical watermarking is harder to retrofit and easier for adversaries to strip.

The compliance checklist for enterprises with EU users

Five concrete actions, in priority order:

1. Inventory your AI systems by EU exposure. Which systems have EU end-users? Which are classified as high-risk under Annex III? Which generate content that needs watermarking? You can't comply with what you can't enumerate.
2. Pick your watermarking approach by December 2 ship date. If you have a generative product, your December 2 deadline is real. Lead time for C2PA integration is 8-12 weeks in most engineering orgs. That math doesn't permit further delay.
3. Map your data flows for Article 10 compliance. Training data lineage and bias-testing requirements for HRAIS need documented evidence, not assertions. Article 10 is one of the most-cited enforcement targets.
4. Stand up the conformity assessment process. For HRAIS, you need a documented conformity assessment — either self-conducted with proof, or by a notified body. Either path has lead time.
5. Designate your in-EU representative. Non-EU providers need an authorized EU representative under Article 25. This is administrative but it has a 4-week lead time and it gates everything else.

The penalties matter

€35M or 7% of global turnover is not a parking-ticket-class penalty. For a company at $1B in global revenue, that ceiling is $70M. The penalty is also not theoretical — the Act explicitly authorizes member-state authorities to issue fines, and member states have strong incentive to demonstrate enforcement to constituents.

What we've seen in equivalent contexts (GDPR, DMA) is that the first 18 months of any new EU regime produce a wave of enforcement actions against well-known non-compliant actors specifically to demonstrate teeth. Expect the same pattern with the AI Act starting in Q1 2027.

The strategic question

For most enterprises with EU operations, the question is not whether to comply. It's how to design the compliance work so it doesn't bleed into the product roadmap.

One pattern that's working: bundle the watermarking, conformity assessment, and EU-rep work into a single Q3 2026 compliance sprint, time-boxed to end no later than August 2. That way the engineering work is done, the documentation is filed, and the December 2 watermarking cliff is a no-op rather than a fire.

The honest read

The Omnibus deal is a mixed signal. It bought enterprises time on the heaviest provisions and removed time from the most-customer-facing one. The penalties are real, the deadlines are now firmer than they were in March, and the lead times for compliance work are long enough that "we'll handle it in Q4" is no longer a strategy. Companies that treat this as a Q3 sprint land it. Companies that don't will be writing fine checks in Q1 2027.