The AI Act delay to 2027 changes nothing about the urgency of governing your data
The European Parliament voted to delay high-risk AI obligations to December 2027. What actually changes for French SMBs and mid-sized companies, and what does not.
On June 16, 2026, the European Parliament voted to delay the heaviest obligations of the AI Act, those covering high-risk systems under Annex III (recruitment, credit, biometrics, education), from August 2, 2026 to December 2, 2027. The news travelled fast among the business owners I work with, and the reaction was the same every time: "we have an extra year and a half, we can ease off."
That is exactly the wrong conclusion. During a recent engagement, a business owner asked me whether we could pause the data mapping work we had just started. His reading of the delay was understandable, but wrong on substance.
What changes with this vote: the deadline for full technical documentation, formalized risk management systems, and structured human oversight of high-risk AI. What does not change: certain prohibited practices, in force since February 2025. Obligations for general-purpose models, in force since August 2025. And above all, GDPR, which never had a moratorium and applies to any personal data processed by an AI system, AI Act or not.
The CNIL restates this in its 2026 guidance: any AI system processing personal data needs a clearly identified legal basis, and a data protection impact assessment is mandatory for high-risk uses in HR, healthcare, or customer scoring. That requirement has not moved and will not move because of the Digital Omnibus.
The real risk is not short-term regulatory exposure, it is organizational. An SMB that discovers in 2027, under pressure, that it runs eight uncatalogued AI tools, three of which process sensitive HR data, ends up in the same rush it would have faced under the original timeline. The delay does not remove the work, it just moves the date when its absence becomes visible.
This is precisely what the first two steps of the IMPACT method address in my client work: Inventory, to map every real AI usage across the company, declared or not, and Mission, to build a realistic compliance roadmap instead of a last-minute scramble. Companies that treat this extra time as preparation time gain a structural head start over those that treat it as a reprieve.
The AI Act delay changes a date. It changes nothing about the need to know what your teams actually do with AI, or about the GDPR obligation that has always applied. The companies that understand this are already moving forward, while those waiting for 2027 will pick up the work two years behind instead of one year ahead. A 5-day diagnostic shows you exactly where you stand.
Let's take action
Ready to structure your AI transformation?
Free 30-minute diagnostic to identify your top priorities and estimate concrete ROI for your organization.
Book my free diagnostic →Related articles

ChatGPT vs Claude in 2026: Which AI to Choose for Your SMB?
Operational comparison between ChatGPT 5.5 Instant and Claude Sonnet 4.6 for 5 SMB use cases: copywriting, data analysis, customer service, accounting, content creation. Verdict by sector with objective criteria.

GPT-4o mini Goes Free: What It Concretely Changes for French SMBs
OpenAI makes GPT-4o mini freely accessible up to a monthly threshold. For French SMBs, 5 immediate use cases and the GDPR limits to know before launching.

Generative AI in business: 5 trends SMBs need to know in 2026
Overview of the 5 generative AI trends most impacting SMBs in 2026: autonomous agents, augmented search, low-code automation. A decision framework for prioritizing AI investments.