The EU AI Act's New Timeline Doesn't Change What Compliance Teams Have to Do

You've likely heard about the European Union Artificial Intelligence Act (“EU AI Act”), which is the EU's law to regulate AI systems. While it applies to most AI systems built or deployed in the EU, it puts the heaviest obligations on a defined set of “high-risk” AI use cases. The EU AI Act also layers product-safety rules on top of AI embedded in regulated products, and requires enhanced transparency for AI that interacts with natural persons or generates synthetic content.

On May 7, 2026, EU lawmakers reached political agreement on revisions that moved out some of the EU AI Act compliance deadlines.

The Revised Timeline, at a Glance

Annex III covers the use cases many companies deploy: certain biometrics, critical infrastructure, AI in education and vocational training, employment uses (recruitment, selection, performance monitoring, promotion, termination), credit checking, life and health insurance risk and pricing, and a range of public sector functions including benefit eligibility, border and asylum control, law enforcement, justice, and elections.

Annex I covers AI that is a product or safety component of a product already governed by EU product safety rules: medical devices, toys, lifts, radios, and similar. The definition of “safety component” has also been narrowed. AI that just assists users or optimizes performance, without creating health or safety risks, sits outside the high-risk obligations.

Other changes are also worth tracking. The Commission can now switch off overlapping AI Act requirements where sector-specific rules already cover the same ground. Providers claiming exemption from high-risk classification still have to register in the EU database, but with less burdensome information.

In addition, the relaxed requirements for small businesses (for example simplified documentation, proportionate penalties, lighter quality management systems) now extend to small mid-cap companies, defined as companies with fewer than 750 employees and either turnover up to €150 million or balance sheet total up to €129 million.

Two key pieces are still pending that will shape how the new deadlines land in practice: the European Commission has to draft the regulations that operationalize the sectoral overlap rules, and CEN-CENELEC, the EU's joint standards bodies for general and electrotechnical standards, is still developing the harmonized European standards that high-risk providers will use for conformity assessment. Delays on either track will push more of the compliance burden onto the documentation that companies receive from their suppliers.

Start with AI Supplier Screening

The changes required for the EU AI Act are significant, and with this delay, the EU gave compliance teams enough time to actually do the work. Mapping every AI system in your environment, tracing it back to its model provider and any downstream fine-tuning vendors, and documenting a defensible basis for using each one is not a one-quarter project. Here's how we're approaching that work at Sayari:

• Build an AI supplier inventory. Behind every in-scope AI system there is a chain of suppliers: a model provider, sometimes a fine-tuning vendor or a data labeling shop, and almost always an AI-embedded SaaS layer between you and the underlying model. Build a single inventory with the baseline information you would collect for any high-risk third party (legal entity, jurisdiction, ultimate ownership, key subcontractors, and exactly which AI components they touch). If you can't pull that list today, that is where to start.
• Screen AI suppliers for ownership, jurisdiction, and sanctions exposure. Model providers and AI vendors are often early-stage companies with non-obvious ownership. Apply the same screening discipline you already use for manufacturers, distributors, and data vendors: trace ultimate beneficial ownership, check for sanctioned or blocked parties up the chain, and re-screen on a regular cadence. Article 26 puts ongoing oversight obligations on deployers of high-risk AI. The screening record is your evidence that the oversight is real.
• Renegotiate AI contracts before vendors are doing it. Article 11 (technical documentation) and Article 13 (transparency to deployers) put the documentation burden on providers, but as a deployer you only get what your contracts force them to give you. Get clear commitments on technical documentation, conformity assessment artifacts, risk management evidence, and timely notice of substantial modifications. The narrower “safety component” definition under Annex I will create gray areas; ask suppliers to classify and document their components against the final text once it is published.
• Map your sectoral overlaps. If you operate in medical devices, financial services, machinery, or another regulated space, the Commission's new authority to disapply overlapping AI Act requirements should reduce your compliance burden, but only if you know which of your AI components sit under which regime. Map each AI supplier and component against your existing sectoral compliance stack now, so when the implementing acts arrive you can claim the disapplication cleanly instead of starting that analysis from scratch.

The Takeaway

Compliance teams that start the work in 2026 will have time to put their AI suppliers through a few screening and contracting cycles before the key deadlines arrive. Teams that wait will spend the back half of 2027 playing catch up.

This blog is for informational purposes and isn't intended to be legal advice.