Read in Spanish MaboaSoft Engineering Team

EU AI Act on 2 August 2026: What Actually Applies to Your Mobile App (and What Got Postponed)

The Digital Omnibus moved the EU AI Act's high-risk deadlines to December 2027, but chatbot disclosure and AI-content transparency duties still start on 2 August 2026. Here is what mobile app owners and product teams must do now, what can wait, and where fines actually apply — plus a free self-assessment checker with a PDF report.

EU AI Act on 2 August 2026: What Actually Applies to Your Mobile App (and What Got Postponed)

If you build or run a mobile app in Europe, you have probably seen two kinds of headlines about the EU AI Act. One says everything changes on 2 August 2026. The other says Brussels just postponed the whole thing. Both are wrong, and the gap between them is exactly where product teams make expensive mistakes.

Here is the state of the law as of July 2026, after the Digital Omnibus — and what it means in practice for the apps we design, build, and modernize every week.

Legal state as of: July 2026. The Digital Omnibus on AI received political agreement on 7 May 2026 and was formally endorsed by the European Parliament (16 June) and the Council (29 June); publication in the Official Journal is expected in July 2026. This article is an engineering-team explainer, not legal advice.

What got postponed (does NOT apply from August 2026)

The Omnibus is a sequencing correction, not a retreat. The technical standards needed for high-risk conformity assessment simply were not ready, so the deadlines moved:

  • High-risk systems under Annex III — recruitment and HR decision tools, credit scoring, biometric identification, education scoring, access to essential services: postponed from 2 August 2026 to 2 December 2027.
  • High-risk AI embedded in regulated products (Annex I — medical devices, machinery, vehicles): postponed from 2027 to 2 August 2028.
  • Machine-readable marking of AI-generated content (Article 50(2)) for systems already on the market before 2 August 2026: a grace period until 2 December 2026. New systems launched after 2 August 2026 must comply from day one.
  • National AI regulatory sandboxes: member-state deadline moved to 2 August 2027.

If your roadmap panic was built around “high-risk compliance by August 2026,” you just got sixteen months back. Use them — a real compliance framework takes that long to build properly.

What DOES apply from 2 August 2026

This is the part the “everything is postponed” headlines miss. Three things activate on that date:

  • Article 50 transparency duties. If your app contains a chatbot or conversational AI assistant, users must be clearly informed they are interacting with a machine, unless it is obvious to a reasonable user. If your app generates or manipulates images, audio, video, or text, that output must be identifiable as AI-generated (with the December 2026 grace period only for systems already on the market).
  • Full penalty powers for general-purpose AI model providers. This targets foundation-model companies, not app builders — but it matters if you fine-tune or redistribute models.
  • Full market surveillance powers for national authorities. Enforcement stops being theoretical.

Violations of transparency duties carry fines of up to €15 million or 3% of worldwide turnover.

What is already in force (since earlier)

  • Prohibited practices (since 2 February 2025): social scoring, manipulative techniques causing harm, exploitation of vulnerable groups, emotion recognition in workplaces and schools, untargeted scraping of facial images. Fines here reach €35 million or 7% of turnover.
  • AI literacy (Article 4, since 2 February 2025): providers and deployers must ensure staff working with AI systems understand them. This applies to almost everyone and almost nobody has noticed.
  • GPAI model obligations (since 2 August 2025) for foundation-model providers.
  • New from 2 December 2026: a prohibition on AI systems for generating non-consensual intimate imagery (“nudifiers”) and CSAM — relevant to anyone shipping image-generation features, because the ban extends to systems where such misuse is a foreseeable outcome without adequate safeguards.

Who is exposed to fines and bans

The AI Act works like GDPR in one crucial way: it follows the user, not your company registration. It applies to providers placing AI systems on the EU market, to deployers located in the EU, and to providers or deployers anywhere in the world whose system output is used in the EU.

The penalty ladder:

ViolationMaximum fine
Prohibited practices€35M or 7% of worldwide turnover
High-risk and transparency (Art. 50) violations€15M or 3%
Incorrect information to authorities€7.5M or 1%

Two pieces of good news for smaller teams. For SMEs and startups, the fine is capped at the lower of the fixed amount or the percentage. And the Omnibus extended the simplified SME regime — reduced fines, standardized documentation templates, sandbox access — to companies with up to 750 employees and €150 million in annual revenue. If you are reading this as a founder, you are almost certainly in that bracket.

Where mobile apps actually stand: four real-world scenarios

Regulation only becomes useful when you map it to a codebase. These are the situations we see most often in mobile design, development, and legacy modernization work.

1. The booking chatbot in a services app

A salon, clinic, or trades-business app adds an AI assistant that answers questions and books appointments. This is a limited-risk system. From 2 August 2026 the app must disclose, clearly and at the start of the interaction, that the user is talking to an AI. In practice that is a design task, not a legal one: a persistent “AI assistant” label, a first-message disclosure, and an honest bot avatar. You are in violation if, after that date, your bot presents itself ambiguously as a human agent.

2. The app that generates images or text for users

A real-estate app that generates listing descriptions, or a marketing app that produces social images. Output must be identifiable as AI-generated. If your app was on the market before 2 August 2026, machine-readable marking becomes mandatory on 2 December 2026; if you launch after August, you comply at launch. Architecturally this means watermarking or metadata at the generation layer — far cheaper to design in now than to retrofit under deadline. You are in violation if synthetic content leaves your app unmarked after your applicable date.

3. The legacy app getting AI features during modernization

This is where our Xamarin and Cordova migration work meets the AI Act directly. Teams modernizing an end-of-life codebase to Flutter almost always use the rewrite to add AI features — a support bot, smart search, photo enhancement. The migration moment is the cheapest point in the entire product lifecycle to build compliance in: disclosure UI in the design system, a content-marking layer in the generation pipeline, audit logging in the architecture. Bolting these onto a finished app later costs multiples more. (And if the original team is long gone, run repository discovery first — you cannot classify an AI feature you have not yet found in the code.) If the rewrite ships after 2 August 2026, Article 50 duties apply from your launch day — there is no grace period for new systems.

4. The feature that quietly crosses into high-risk

A staffing app adds AI ranking of job applicants. A fintech feature scores creditworthiness. A gym app adds face-recognition check-in. Each of these lands in Annex III high-risk territory — risk management, data governance, human oversight, technical documentation, conformity assessment, EU database registration. The deadline is now 2 December 2027, which sounds far away and is not: high-risk compliance is a year-plus program. The engineering decision that matters today is scoping — often a small product change (a human makes the final ranking decision; check-in uses a QR code instead of a face) keeps a feature out of the high-risk category entirely. That conversation belongs in design reviews now, not in legal reviews later.

Check your app in five minutes — free, with a PDF report

To make this triage concrete, we built a free self-assessment checker: a short questionnaire (in English and Spanish) that classifies your AI feature into a risk tier, lists your actual obligations with the correct post-Omnibus deadlines, and generates a PDF report you can share with your team or your lawyer.

It is a self-assessment aid, not legal advice — but it turns “should I be worried?” into a concrete checklist in a few minutes.

A practical checklist for mobile teams (July 2026)

  1. Inventory every AI-powered touchpoint in your app — including third-party SDKs.
  2. Classify each one: prohibited / high-risk / limited / minimal. (Our checker does this.)
  3. Chatbots: ship disclosure UI before 2 August 2026.
  4. Generative features: plan content marking — 2 December 2026 for existing systems, launch day for new ones.
  5. Anything touching hiring, credit, biometrics, or essential services: start the high-risk program now for December 2027, or redesign the feature out of the category.
  6. Train the team that works with AI systems — the Article 4 literacy duty already applies.
  7. Date-stamp your compliance assumptions. The Omnibus just proved the law moves.

If you are planning AI features, modernizing a legacy app, or unsure which side of these lines your product falls on, book a 20-minute call — we will walk through your specific case.

FAQ

Does the EU AI Act apply to my app if my company is not based in the EU?

Yes, it can. The AI Act has extraterritorial reach: it applies to providers placing AI systems on the EU market and to providers or deployers outside the EU whose system output is used in the EU. Where your company is registered does not decide the question — where your users are does.

Is a simple booking chatbot in my app high-risk under the AI Act?

Almost never. A booking or FAQ chatbot is a limited-risk system under Article 50. Your main duty from 2 August 2026 is to clearly disclose that the user is talking to an AI system, unless that is already obvious. High-risk categories cover areas like recruitment decisions, credit scoring, and biometric identification — not appointment scheduling.

What changed with the Digital Omnibus in 2026?

The Omnibus, agreed in May 2026 and formally endorsed by the European Parliament and the Council in June 2026, deferred high-risk obligations for Annex III systems from 2 August 2026 to 2 December 2027, and for AI embedded in regulated products from 2027 to 2 August 2028. It also delayed machine-readable marking of AI-generated content for systems already on the market until 2 December 2026, and added a new prohibition on AI tools for non-consensual intimate imagery and CSAM from 2 December 2026. Transparency duties for chatbots still start on 2 August 2026.

What are the fines under the EU AI Act?

Up to €35 million or 7% of worldwide annual turnover for prohibited practices, up to €15 million or 3% for high-risk and transparency violations, and up to €7.5 million or 1% for supplying incorrect information to authorities. For SMEs and startups the fine is capped at the lower of the fixed amount or the percentage, and the simplified SME regime now extends to companies with up to 750 employees and €150 million in revenue.


This article summarizes Regulation (EU) 2024/1689 as amended by the Digital Omnibus on AI, based on official EU communications and major law-firm analyses available in July 2026. It is general information, not legal advice. For decisions about your specific product, consult a qualified lawyer.