On 29 June 2026, the Council of the European Union gave final approval to the Digital Omnibus on AI, postponing the EU AI Act's high-risk obligations from 2 August 2026 to 2 December 2027 for standalone systems and to 2 August 2028 for AI embedded in regulated products. The vote landed five weeks before the original cliff edge, after two failed trilogues in April and May 2026 that left compliance teams building toward a deadline that might or might not survive.

The delay is not a retreat from enforcement. In the same stretch of 2026, the European Commission fined Temu 200 million euros under the Digital Services Act, the Irish High Court upheld a 530 million euro GDPR fine against TikTok, and national supervisors moved from "observation mode" to active DORA inspections across the banking and insurance sectors. Europe's AI, data and platform rulebook is being rewritten and enforced at the same time, on different clocks that rarely move together.

For AI governance leads, DPOs and digital compliance officers covering the EU, UK and Switzerland, that combination, moving deadlines plus live fines, is the actual operating environment for the rest of 2026.

Is the EU AI Act's high-risk deadline still 2 August 2026?

Not once the Digital Omnibus on AI enters into force, which happens three days after its publication in the Official Journal, expected in July 2026. Regulation (EU) 2024/1689 originally set 2 August 2026 for Annex III high-risk systems, covering recruitment, credit scoring, biometric identification, education, migration and law enforcement use cases, and 2 August 2027 for Annex I product-embedded systems. The European Parliament approved the Omnibus text on 16 June 2026 with 423 votes in favour, and the Council's 29 June 2026 sign-off fixed the new dates at 2 December 2027 and 2 August 2028 respectively.

Two obligations move in the opposite direction. The grace period for watermarking and labelling AI-generated content under Article 50 was cut from six months to three, bringing forward a new deadline of 2 December 2026 for systems already on the market, and the Omnibus adds an outright ban on generating non-consensual sexual or intimate content and AI-generated child sexual abuse material, a provision with no delay attached. Until the text clears the Official Journal, the original 2 August 2026 date remains legally binding, so organizations classifying systems under Annex III cannot simply stand down.

How aggressively is the European Commission enforcing the Digital Services Act?

Aggressively enough to have issued two nine-figure fines within six months. On 5 December 2025, the Commission fined X 120 million euros, its first DSA non-compliance decision, for the deceptive design of the blue checkmark verification badge, an advertising repository that fell short of Article 39 disclosure rules, and researcher access barriers that breached Article 40(12). X was given 60 working days to fix the checkmark issue and 90 to submit a full remediation plan, and appealed the decision to the General Court of the European Union in February 2026, making it the first judicial test of DSA enforcement.

On 28 May 2026, the Commission fined Temu 200 million euros, 0.38% of its 53 billion euro global turnover, for failing to run an adequate risk assessment capable of identifying illegal and dangerous products on its marketplace. Temu has until 28 August 2026 to submit a corrective action plan, and the Commission's broader investigation into Temu's recommendation systems and content moderation remains open. Both cases were built on Article 34 and 35 systemic risk obligations, the same provisions that keep every very large online platform and search engine under continuous Commission scrutiny, an area where per-platform regulatory monitoring catches a new investigation the day it opens rather than the day it makes headlines.

Which regulator actually decides a GDPR case when data crosses borders?

Under the one-stop-shop mechanism, it is the data protection authority where the company has its main EU establishment, and for most global platforms that means Ireland. The Irish Data Protection Commission's 2 May 2025 decision fined TikTok 530 million euros, 45 million for failing to properly inform users under Article 13(1)(f) and 485 million for unlawful transfers of EEA user data to China under Article 46(1), after finding TikTok could not verify that its Standard Contractual Clauses gave EEA data protection essentially equivalent to what GDPR requires. On 3 June 2026, the Irish High Court upheld both the liability finding and the fine amount, though it sent the order suspending future transfers back to the regulator for reconsideration, leaving TikTok able to keep moving European data to China while that specific point is revisited.

The Irish DPC's cumulative fines now total 4.04 billion euros since 2018, still led by the 1.2 billion euro Meta decision from 2023. Across all EU supervisory authorities, DLA Piper's January 2026 survey puts 2025 enforcement at approximately 1.2 billion euros, matching 2024 and pushing the bloc-wide total since GDPR's 2018 entry into force to 7.1 billion euros. For a compliance officer, the practical lesson is that lead-authority selection is not administrative housekeeping; it determines which regulator's enforcement posture, timeline and appetite for cross-border fines actually governs the file.

Is GDPR itself being rewritten alongside the AI Act?

Yes, through the same Digital Omnibus package, proposed by the Commission on 19 November 2025 as COM(2025) 837. The proposal would redefine personal data so that pseudonymized data is not considered personal for an entity that lacks the means to re-identify the individual, let companies rely on GDPR's legitimate interest basis to train or operate AI models subject to safeguards, move cookie consent rules out of the ePrivacy Directive and into GDPR with one-click consent valid for six months, and create a single reporting point for data breaches and cybersecurity incidents.

The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion in February 2026 backing the administrative simplification pieces while explicitly urging co-legislators not to adopt the personal data redefinition, warning it would narrow the fundamental right to data protection beyond what a technical amendment should do. As of mid-2026 the file remains in the ordinary legislative procedure, with the Industry and Civil Liberties committees jointly responsible in Parliament, meaning the GDPR text a company is complying with today may not be the GDPR text in force by the time an AI training program it is designing now goes live.

What do the Digital Markets Act, Data Act and DORA add on top of AI Act and GDPR?

The Digital Markets Act supplies its own enforcement track against the same gatekeepers. On 22 April 2025, the Commission fined Apple 500 million euros for anti-steering violations under Article 5(4) and Meta 200 million euros for its pay-or-consent advertising model under Article 5(2), the first non-compliance fines issued under the DMA. The Commission's first triennial review, delivered 3 May 2026 as COM(2026) 178, found the regime fit for purpose with no legislative change needed, while specification proceedings opened against Google Play and Google Search in January 2026 remain active.

The Data Act became applicable on 12 September 2025, giving users of connected products and services the right to access data those products generate and, where feasible, to have it shared with third parties in real time. Design obligations requiring connected products to make data accessible by default take effect on 12 September 2026, and fair, reasonable and non-discriminatory contract terms apply to all B2B data-sharing agreements signed after September 2025, extending to certain long-duration legacy contracts from September 2027. Where personal data is involved, Data Act penalties track GDPR levels, up to 20 million euros or 4% of global turnover.

For financial entities specifically, DORA's grace period ended with 2025. Since Q1 2026, the ECB, BaFin, the AMF, the CSSF and other national competent authorities have moved from readiness reviews to formal supervisory assessments of ICT risk management, third-party contracts and incident reporting, backed by fines of up to 2% of worldwide turnover for institutions and up to 1 million euros personally for management body members who fail to act on ICT risk reports.

| Instrument | Status (July 2026) | Key date to track |
| --- | --- | --- |
| AI Act, Annex III high-risk | Omnibus adopted, pending Official Journal publication | 2 December 2027 (was 2 August 2026) |
| AI Act, Article 50 transparency | Grace period shortened by Omnibus | 2 December 2026 |
| DSA systemic risk enforcement | Active, two fines issued, one under appeal | 28 August 2026 (Temu remedial plan) |
| GDPR (TikTok transfer case) | Liability and fine upheld, remedy reopened | Irish DPC reconsideration pending |
| GDPR reform (Digital Omnibus) | In ordinary legislative procedure | No adoption date set |
| DMA gatekeeper obligations | Two fines issued, review complete, no changes | Google specification proceedings ongoing |
| Data Act design obligations | Core rules applicable since Sept 2025 | 12 September 2026 |
| DORA supervisory enforcement | Grace period over, active assessments | Ongoing, per national competent authority |

Eight instruments, eight timelines, and at least three of them changed materially in the first half of 2026 alone. A compliance function tracking this by spreadsheet is one missed Council press release away from building a program around a deadline that no longer applies, which is exactly the gap Obsidian's AI companion is built to close: not a substitute for legal judgment, but a verified regulatory companion that flags the moment a delegated act clears scrutiny or a fine becomes final.

What should a compliance team do next?

Start by separating the AI Act's binding text from its pending amendments: continue Annex III classification work on the assumption that 2 August 2026 could still apply, while tracking the Omnibus toward Official Journal publication so the new 2 December 2027 date is confirmed rather than assumed. In parallel, treat DSA and DMA enforcement as evidence of what regulators actually prioritize, systemic risk assessments and steering restrictions, rather than relying on the text of the regulations alone.

For teams managing GDPR exposure across several EU establishments, confirm which supervisory authority holds lead status for each processing activity and monitor the Digital Omnibus negotiations for changes to the personal data definition that could affect AI training programs already in flight. Obsidian's MCP for AI assistants lets that tracking run inside the tools compliance teams already use, and current plans show how per-jurisdiction monitoring keeps pace with a rulebook that changed three times in the first half of 2026.