How to Be Compliant and Ready for the EU AI Act: A Practical 2026 Guide

In May 2026 the EU did something many teams had quietly hoped for. It pushed the toughest AI Act deadlines back. The high-risk obligations everyone was racing to meet by August are no longer due this summer.

The change comes from the Digital Omnibus on AI, proposed by the European Commission in November 2025 as a targeted set of amendments to the AI Act. After the April trilogue stalled, the Council and Parliament reached a provisional agreement on 7 May 2026, confirmed by member states in the Council shortly after. The headline dates:

• Annex III high-risk systems (use-based: recruitment and HR, biometrics, critical infrastructure, education, access to essential services, law enforcement) move from 2 August 2026 to 2 December 2027, a sixteen-month deferral.
• Annex I high-risk systems (AI embedded in regulated products such as medical devices and machinery) move to 2 August 2028.
• Transparency for AI-generated content (watermarking under Article 50(2)) slips only three months, to 2 December 2026.
• A new Article 5 prohibition targets AI used to generate non-consensual intimate imagery and child sexual abuse material, applying from 2 December 2026.

Two things did not move. Transparency obligations for deployers still apply from 2 August 2026, including disclosing when people interact with AI and labelling AI-generated or manipulated content. Obligations for general-purpose AI models have applied since August 2025, and the prohibited practices in Article 5 since February 2025. The Omnibus rolled none of those back.

It is also not law yet. The amendments take effect only once they are formally adopted and published in the Official Journal, expected before August 2026. Until then, the original timeline is the legal baseline. Build for the new dates, but treat them as firm rather than locked. For the full breakdown, see our guide to what the AI Omnibus changed, or the glossary entries on the EU AI Act and the AI Omnibus.

The relief only goes so far. The systems that gained the most time are the ones that need the most preparation, and that preparation has to happen either way. The AI Act takes a risk-based approach: obligations depend on what a system does and how much risk it carries. Everything starts with knowing what you have. These five steps build on each other.

You cannot govern, classify, or document what you cannot see. The first task, and the one most teams underestimate, is building a complete, living inventory of every AI system in the organization: what it does, what business purpose it serves, what data it relies on, and who owns it.

This inventory feeds the technical documentation the Act expects under Article 11 and Annex IV, and every step that follows depends on it. In practice, AI use cases scatter across teams, vendors, and shadow projects, which is why a one-time spreadsheet falls out of date the moment a new system ships.

With Dawiso: a centralized list of AI systems gives you one consistent view of every model and use case, including its purpose, the data it draws on, and the validation it has been through. Each entry sits next to the data assets it touches, so the inventory stays current as your landscape changes instead of going stale in a static file.

Once you can see your systems, you classify them. Which fall under the prohibited practices in Article 5? Which are high-risk under Annex III or Annex I? Which carry only transparency obligations? This classification decides which rules apply to you, and it leans on judgment more than on tooling.

Getting it wrong is expensive in both directions. Over-classify and you load light systems with paperwork they never needed. Under-classify and you miss obligations that carry administrative fines of up to €35 million or 7% of global annual turnover under Article 99. The point is to make the call once, record the reasoning, and be able to defend it.

With Dawiso: risk assessment lets you evaluate each use case from several angles using predefined, expert-designed assessment logic aligned to frameworks like the AI Act and ISO 42001. Classification becomes structured and repeatable rather than a debate every time, and the verdict stays attached to the system it describes.

AI systems are only as trustworthy as the data behind them. The Act's data-governance expectations, Article 10 for high-risk providers and the Article 26 duty on deployers to ensure input data is relevant and representative, come back to one question: can you show where your data came from and how it flows?

For most teams that question turns into a manual investigation every time an auditor or a regulator asks. Tracing a model's training set back through a chain of transformations and source systems by hand takes days, and the answer is out of date as soon as a pipeline changes.

With Dawiso: data provenance and interactive lineage let you trace every data flow, watch how it changes, and assess the sensitivity of the data feeding your AI models. That turns "we think the data is fine" into something you can demonstrate, and it doubles as the evidence base for overlapping regimes like GDPR.

Compliance and oversight both depend on people reading AI systems and their data the same way. When "customer," "revenue," or "active user" means three different things across three teams, the documentation and human oversight that Article 14 requires turn into guesswork.

A risk officer signing off on a high-risk system needs to know that the "approval rate" on the model card means what the data team thinks it means. Without a shared definition, the human in the loop is reviewing a system they only half understand.

With Dawiso: a semantic layer and business glossary translate complex data structures into business-friendly terms and standardize definitions across the organization. Data engineers and risk officers read the same system the same way, because the definition lives next to the asset rather than in someone's head. Ask what a term means and Dawiso returns the one governed definition, with the sources behind it.

The biggest mistake is treating AI Act readiness as a project with an end date. Systems change, new models ship, data sources shift. Documentation written once and filed away is out of date within a quarter. Readiness is a state you maintain, not a box you tick.

This is exactly where the extra sixteen months change the game. A team that builds governance into how AI ships, rather than bolting it on before a deadline, reaches December 2027 with an inventory that is already accurate and classifications that are already defensible.

With Dawiso: governance workflows keep the inventory, classifications, and documentation accurate over time, with clear ownership and human-in-the-loop review. You stay ready instead of re-preparing before every deadline.

There is a larger payoff hiding in all of this. The inventory, the lineage, and the shared definitions are not only a compliance cost. They are the same metadata foundation that makes enterprise AI actually work.

Most AI initiatives disappoint because of missing context, not regulation. An agent that does not know what your data means, where it came from, or which definition is the right one produces answers no one can trust. The catalog, lineage, and glossary you build to satisfy the AI Act are what an AI context layer needs to ground agents in governed, trustworthy knowledge.

Through Dawiso's Context Layer and Model Context Protocol (MCP) support, that governed context feeds directly into your AI, with the access controls and traceability compliance expects. The same record serves both your AI Act evidence and your AI strategy.

Every obligation the AI Act keeps comes back to the same question: can you show, with evidence, what your AI uses and where that data came from? That is a metadata and governance problem, and it is the one Dawiso is built to solve.

The Data Catalog holds the living inventory of data assets and the systems that consume them. Interactive Data Lineage traces data end to end, so technical documentation stops being manual archaeology. The AI Governance solution ties classification, ownership, and policy to the assets themselves rather than to a spreadsheet that drifts out of date. For a wider view of the obligations beyond classification, our guide to governing AI safely walks through GDPR, copyright, and internal policy alongside the Act.

The Omnibus bought you time. The teams that use it to build a governed, AI-ready foundation will meet the 2027 and 2028 deadlines without a fire drill, and they will have a better data platform to show for it.