(+351) 21 24 10006  ·  info@bconcepts.pt
Carnaxide, Lisbon
The AI Act Was Delayed to 2027. Here Is What to Do With the 17 Months You Just Gained
Inteligência Artificial

The AI Act Was Delayed to 2027. Here Is What to Do With the 17 Months You Just Gained

Equipa bConcepts 14/07/2026 9 min

For months, 2 August 2026 was circled in red on the calendar of every European company using artificial intelligence to make decisions that affect people. It was the date on which obligations for high-risk AI systems became enforceable. In June, Brussels moved the date — and a lot of people exhaled for the wrong reasons.

On 16 June, the European Parliament approved the AI Act simplification package; on 29 June, the Council gave it the final green light. Stand-alone high-risk systems — the Annex III ones, covering recruitment, credit, insurance, education and access to essential services — now only have to comply from 2 December 2027. Systems embedded as safety components in products already governed by sectoral legislation (Annex I) get until 2 August 2028. Seventeen extra months in the first case. Close to two years in the second.

The easy reading is that the problem has been pushed to the next budget, the next committee, the next someone. The useful reading is different: Europe has just handed companies the rarest thing in any data programme — time. And the question left on the table is both mundane and decisive: what are you going to do with it?

A delay is not an amnesty

It is worth separating what changed from what did not. What changed, above all, are the deadlines for high-risk systems, plus some administrative simplification: less overlap with sectoral rules, relief for mid-cap companies, and one meaningful clarification — it is now possible to process the personal data strictly necessary to detect and correct bias, with safeguards. Anyone who has tried to audit a scoring model without being allowed to look at the very sensitive attributes they were trying to protect knows exactly how tight that knot was.

The AI Act Was Delayed to 2027. Here Is What to Do With the 17 Months You Just Gained

Everything else is unchanged. The bans on unacceptable practices and the AI literacy duty have applied since February 2025. The rules for general-purpose models have applied since August 2025. And there are obligations arriving imminently: the window for labelling artificially generated content was shortened — the grace period went from six months to three, landing on 2 December 2026 — and new prohibitions take effect at the same time, including the generation of non-consensual intimate content.

In other words: the simplification package is not a general retreat. It is a redistribution of deadlines. Some things slipped to 2027 and 2028; others arrive this year.

The deadline that matters is not the one from Brussels

Here is the point that rarely makes it into a legal memo. Look at what the party responsible for a high-risk system will have to demonstrate: a documented risk management system, robust data governance, detailed technical documentation, automatic event logging, effective human oversight, and guarantees of accuracy, robustness and cybersecurity. Then conformity assessment, an EU declaration, CE marking and registration in the European database.

Strip away the regulatory vocabulary and what remains is a list of data engineering best practices. Data governance means knowing which data feeds the model, where it comes from, who touches it and in what condition it arrives. Automatic logging is observability. Accuracy and robustness over time is drift monitoring. Technical documentation is the lineage nobody ever wrote down because it lived in two people's heads.

None of these can be bought in November 2027. All of them are built — slowly, with discipline, on top of systems that many companies still do not have.

The regulator gave you more time. It did not give you better data. That part is still our job.

The question almost nobody can answer

Before any compliance plan, there is a disarming question: how many AI systems is your company running right now?

In most organisations, the first answer is a number. The second, after a proper look, is a different one — usually three to five times larger. Not because anyone hid anything, but because AI stopped being a project and became a feature. It arrives embedded in the recruitment software, in the customer support tool, in the e-commerce recommendation engine, in the ERP anomaly detection module, in the assistant the marketing team signed up for on a departmental card. None of it went through the architecture committee. And a lot of it makes decisions about people.

The regulation does not distinguish between the model you trained and the model that shipped inside the SaaS you bought. If the system is used to screen job applications, it is high-risk — whether it was built by you, by a vendor, or by an intern enthusiastic about an API.

An inventory is worth more than a committee

The first deliverable of a serious programme is not a twelve-page AI policy with three signatures. It is an inventory: a living list of every AI system in use or in development and, for each one, four columns almost nobody can fill in on the first attempt.

  • Purpose and decision affected — what does this system decide, suggest or classify, and about whom?
  • Input data — which sources feed it, how often, and who is accountable for the quality of those sources?
  • Business owner — not the data scientist: the person who signs off on the decision when the model gets it wrong.
  • Risk classification — based on actual use, not on the vendor's brochure.

It is a tedious exercise to run and a transformative one to have. It is what reveals where the real exposure sits, where investment pays off, and — almost always — where three tools are doing the same job badly.

A short case: 31 models and a spreadsheet

Picture a mid-sized insurer with 900 employees. When the board asked the data team for the list of AI systems in production, the initial answer was four: pricing, fraud, churn and a chatbot.

Six weeks of fieldwork later — interviews by department, a review of software contracts, an analysis of API connections — the list closed at 31. Nineteen were embedded in vendor tools. Seven had started life as proofs of concept and had never been formally promoted to production, despite running every single day. Three fed underwriting decisions — high-risk, with no argument to be had. And two, the most uncomfortable of all, were screening job applications using a model nobody in the building could explain.

The exercise cost roughly 25 person-days. What it avoided is harder to quantify and easy to imagine: the day a rejected candidate asks for an explanation and nobody can give one. The company did not become compliant that week — it got a map, which is a different thing and the thing that was missing. With the map in hand, it switched 6 systems off and consolidated 4. The licence savings paid for the exercise before compliance even entered the calculation.

The next twelve months, in order

If December 2027 is the horizon, then 2026 is the year to build foundations — not to write policies. A sequence that works:

  1. Inventory (1 to 2 months). Every system, vendor ones included. No judgement: whoever admits what they signed up for cannot be punished for it, or the inventory dies at birth.
  2. Classify (1 month). Risk by actual use. Most will land in minimal risk — and that is good news, because it concentrates effort on the few that genuinely matter.
  3. Instrument (3 to 4 months). Lineage, data catalogue and event logging for the high-risk systems. This is where the heavy lifting lives, and this is where almost every compliance programme derails, upon discovering that lineage simply does not exist.
  4. Monitor (ongoing). Accuracy, drift and bias, with thresholds and alerts. A model without monitoring is not an asset: it is a liability with a good reputation.
  5. Document (ongoing). If technical documentation is a project at the end, it will be fiction. If it is a by-product of the pipeline, it will be true.
  6. Rehearse human oversight (2 months). Writing that there is a human in the loop is not enough. You have to test whether that human has the information, the time and the authority to overrule the model — and what happens when they do.

Why this pays off even with no regulator at the door

It is worth saying what you rarely hear at a compliance conference: almost none of this list is wasted work if the regulator never knocks.

An inventory of AI systems is also an inventory of costs and redundancies. Lineage and a catalogue are what let you answer a business question in two hours instead of two weeks. Drift monitoring is what stops a pricing model spending six months being quietly wrong. Technical documentation is what turns an engineer's departure from a risk event into an ordinary Tuesday. And data governance is, at bottom, what you already ask of a semantic layer: one definition, one source, one answer.

Compliance, done well, is a by-product of doing data engineering properly. Done badly, it is a folder of PDFs nobody reads and a cost nobody recovers.

In summary

  • The AI Act has not been repealed: the high-risk deadlines moved to 2 December 2027 (stand-alone) and 2 August 2028 (embedded in products).
  • Obligations are arriving this year — notably the labelling of AI-generated content, landing in December 2026.
  • The regulation's technical requirements — data governance, logging, monitoring, documentation — are, in practice, data engineering. They cannot be bought in a hurry.
  • The first step is not a policy: it is an inventory of the AI systems actually in use, including those embedded in third-party software.
  • Done well, this work pays for itself in cost, speed of response and reliability — even if the regulator never shows up.

Slack is an advantage — for those who use it

Two companies are living through exactly the same delay. One will reopen the file in mid-2027, discover it has no lineage, no event logs and no reliable count of the models it runs, and will buy compliance by the kilo: fast, badly and expensively. The other will spend 2026 building the foundations it should already have had, and will arrive at December 2027 doing what it does every day.

The difference between them is not budget. It is having understood, in time, that the deadline that changed was not the deadline that mattered.

If someone asked you today for the complete list of AI systems your company uses — and the name of the person accountable for each one — how long would it take you to hand it over?

← Back to insights
Let's talk?

Ready to transform your data?

Book a free 30-minute meeting and find out how we can help your team make better decisions.

Book a Free Meeting
bConcepts