NACH
·Tarek Nachnouchi

The AI Act delay to 2027 changes nothing about the urgency of governing your data

The European Parliament voted to delay high-risk AI obligations to December 2027. What actually changes for French SMBs and mid-sized companies, and what does not.

On June 16, 2026, the European Parliament voted to delay the heaviest obligations of the AI Act, those covering high-risk systems under Annex III (recruitment, credit, biometrics, education), from August 2, 2026 to December 2, 2027. The news travelled fast among the business owners I work with, and the reaction was the same every time: "we have an extra year and a half, we can ease off."

That is exactly the wrong conclusion. During a recent engagement, a business owner asked me whether we could pause the data mapping work we had just started. His reading of the delay was understandable, but wrong on substance.

What changes with this vote: the deadline for full technical documentation, formalized risk management systems, and structured human oversight of high-risk AI. What does not change: certain prohibited practices, in force since February 2025. Obligations for general-purpose models, in force since August 2025. And above all, GDPR, which never had a moratorium and applies to any personal data processed by an AI system, AI Act or not.

The CNIL restates this in its 2026 guidance: any AI system processing personal data needs a clearly identified legal basis, and a data protection impact assessment is mandatory for high-risk uses in HR, healthcare, or customer scoring. That requirement has not moved and will not move because of the Digital Omnibus.

The real risk is not short-term regulatory exposure, it is organizational. An SMB that discovers in 2027, under pressure, that it runs eight uncatalogued AI tools, three of which process sensitive HR data, ends up in the same rush it would have faced under the original timeline. The delay does not remove the work, it just moves the date when its absence becomes visible.

This is precisely what the first two steps of the IMPACT method address in my client work: Inventory, to map every real AI usage across the company, declared or not, and Mission, to build a realistic compliance roadmap instead of a last-minute scramble. Companies that treat this extra time as preparation time gain a structural head start over those that treat it as a reprieve.

The AI Act delay changes a date. It changes nothing about the need to know what your teams actually do with AI, or about the GDPR obligation that has always applied. The companies that understand this are already moving forward, while those waiting for 2027 will pick up the work two years behind instead of one year ahead. A 5-day diagnostic shows you exactly where you stand.

Let's take action

Ready to structure your AI transformation?

Free 30-minute diagnostic to identify your top priorities and estimate concrete ROI for your organization.

Book my free diagnostic →

Related articles