The EU just moved its biggest AI Act compliance deadline.
What that delay actually means for your team is more specific than the headlines suggest.
On May 7, 2026, the EU Council and Parliament provisionally agreed to push back the most demanding requirements for stand-alone high-risk AI systems from August 2026 to December 2027. If you've been watching August approach with growing unease, that's real breathing room.
But the delay is specific. Four obligations are still on the August 2026 timeline, one has been in force since February 2025, and agencies using ChatGPT, Claude, or Gemini for client work need to understand what actually applies to them right now.
If your team uses AI for content, research, client communications, or internal operations, here's the breakdown you actually need.
EU AI Act Compliance: What Just Changed and What Didn't
The Act entered into force in August 2024. Different sections have been rolling out on a staggered timeline since then.
Here's where things actually stand after the May 2026 deal:
| When | What applies |
|---|---|
| February 2025 | Prohibited AI practices banned. Subliminal manipulation, social scoring, real-time biometric identification in public spaces. Already in force. |
| August 2025 | Transparency rules for GPAI model providers (OpenAI, Anthropic, Google) already live. |
| August 2026 | AI literacy obligations (Article 4) enforceable. General-purpose AI transparency rules for deployers take effect. |
| December 2027 | High-risk stand-alone AI systems. Employment decisions, credit scoring, biometrics. Delayed from August 2026. |
| August 2028 | High-risk AI embedded in regulated products (medical devices, machinery). |
The delay that made news applies only to the obligations now due in December 2027. The August 2026 obligations did not move.
What "Deployer" Actually Means for Your Team
The Act divides AI responsibility between two roles: providers and deployers.
Providers are the companies building the models. OpenAI, Anthropic, Google. They carry the heaviest technical compliance requirements.
Deployers are any organization using an AI system in their own operations or on behalf of clients. If your team uses ChatGPT, Claude, or Gemini for client work, your agency is a deployer.
That status comes with real obligations. What those obligations look like depends on how you're using the AI, which is where most agency owners get confused.
Where Most Agencies Actually Land
The Act defines four risk levels. Where your usage falls determines what you need to do.
Unacceptable risk (banned since February 2025): Subliminal manipulation, social scoring, real-time biometric identification in public spaces. Almost no agency is near this category.
High risk (December 2027 for most): AI systems making consequential decisions in employment, credit assessment, education, law enforcement, or critical infrastructure. Using ChatGPT to rank job applicants is high risk. Using it to write the job posting is not.
Limited/transparent risk (August 2026): AI-generated content shown to users, chatbots interacting with members of the public. Disclosure requirements apply.
Minimal risk: Content creation, research support, internal summarization, code drafting, brainstorming. No specific compliance burden beyond the baseline literacy requirement.
For most agencies, the honest answer is that the bulk of your AI usage lands in the minimal or limited risk categories. You are not operating employment decision algorithms or credit scoring systems.
"Minimal risk" does not mean zero obligation.

The Four Obligations That Still Apply Before August 2026
Even if your team's AI usage is entirely low-risk content work, four obligations are active on or before August 2026.
1. AI literacy (Article 4), enforceable from August 2026
Every person in your organization using AI needs documented evidence of appropriate training.
This means being able to show that your team understands what the system does, how to recognize errors, and how to verify outputs.
You don't need certifications or university courses. A one-hour internal session with recorded attendance and notes qualifies.
2. Transparency for AI-generated content
Any content your team creates with AI and presents to external audiences needs appropriate disclosure.
Check your client contracts.
Check what you're delivering.
If content is substantially AI-generated, you need a disclosure mechanism in your delivery process.
3. Follow your provider's terms (Article 26)
Deployers (you) must use AI systems in line with the provider's instructions and intended purpose.
OpenAI, Anthropic, and Google all publish acceptable use policies and data governance documentation.
You should review them for each tool your team uses, and record that you did.
4. Vendor verification
You have an obligation to verify that the AI tools you use are themselves compliant with applicable portions of the Act.
Ask each provider:
- Are you registered with the EU AI Office for GPAI?
- What transparency documentation do you publish?
- What data governance applies to enterprise versus free-tier accounts?
For a framework for documenting this kind of AI governance across your team, see AI Governance for Teams: Build a Policy That Actually Works.
What Doesn't Apply to Most Agencies
The heavy compliance burden in the Act, including conformity assessments, technical documentation, EU database registration, and fundamental rights impact assessments, applies to high-risk systems.
If your AI usage is content creation, research, summarization, and client communications, you are almost certainly not operating high-risk systems under the Act's definitions.
The regulations are more context-specific than most coverage suggests. The system's purpose matters more than the tool.
ChatGPT for email drafts is not the same regulatory category as ChatGPT for automated loan decisions.
For a broader view of AI security and exposure risks for teams of your size, AI Security for Teams: The Complete 2026 Guide covers the full picture.
Where to Start
Work through these steps before August 2026.
Step 1: Build your AI system inventory.
List every tool your team uses that has an AI component.
- CRM with lead scoring
- Content generation tools
- Meeting summarizers
- Project management automation
You likely have more than you think.
Step 2: Classify each one.
For each tool, ask: is this being used to make decisions that directly affect individuals? Employment, credit, access to services?
If yes, that tool needs closer attention.
If no, you're almost certainly in the minimal or limited risk range.
Step 3: Document your AI literacy training.
Run a session with your team explaining what your AI tools do, how to recognize errors, and how to verify outputs. You must record who attended and when.
Step 4: Review your provider documentation.
Read the data governance and acceptable use documentation for each AI tool your team uses.
You should keep a record of when you reviewed it and what it covers.
Step 5: Check your client-facing disclosures.
If you're delivering AI-assisted content to clients, confirm that your contracts or delivery notes reflect that appropriately.
Step 6: Add a control at the browser layer.
Article 4 requires your team to understand what goes into AI systems. The practical version of that is preventing accidental data submissions before they happen.
If your team works with client data, confidential information, or personal data subject to GDPR alongside the AI Act, you need a control that works at the point of input.
Sequirly sits between your team and whatever AI tool they have open, catching sensitive data before it reaches an external model. It runs locally in the browser, so Sequirly itself never sees what your team typed.
Run a free audit of your current AI exposure at Sequirly Free AI Audit Tool to see where your team's data is actually going before you need to explain it to a regulator.

