    Resource·23 June 2026·9 min read

    EU AI Act Compliance for AI Agents: What European Enterprises Must Do Before August 2026

    By Sergio Llorens

    Publication date: June 2026

    Author: Sergio Llorens, CEO of LEXIC.AI

    Category: Regulation · EU AI Act · AI Agent Governance


    > Direct answer: The EU AI Act's Digital Omnibus agreement — reached May 6, 2026 and confirmed May 13 — delays high-risk AI obligations (Annex III) to December 2, 2027 for most regulated systems, and to August 2028 for systems embedded in regulated products. But European enterprises with chatbots and AI agents already in production cannot afford to wait: absolute prohibitions are already enforceable, transparency obligations have been in force since August 2025, and enterprise customers are already asking for AI Act compliance documentation before signing contracts.


    What Changes on August 2, 2026

    The EU AI Act entered into force on August 1, 2024. Its obligations roll out in phases. August 2, 2026 was originally the compliance deadline for high-risk AI systems under Annex III — the category that includes conversational agents in financial services, insurance, healthcare, and education.

    The Digital Omnibus political agreement, now awaiting formal publication in the Official Journal of the EU (expected before August 2), extends those deadlines significantly:

    | Obligation | Original Date | Updated Date (Digital Omnibus) |
    |---|---|---|
    | Absolute prohibitions (Art. 5) | February 2, 2025 | No change — already enforceable |
    | High-risk systems — Annex III | August 2, 2026 | December 2, 2027 |
    | High-risk systems — Annex I (regulated products) | August 2, 2027 | August 2, 2028 |
    | General-Purpose AI models (GPAI) | August 2, 2025 | No change — already enforceable |

    Spain has moved fastest among EU member states: the Consejo de Ministros approved the Ley Orgánica de gobernanza de IA on May 26, 2026, transposing the EU AI Act into Spanish national law. AESIA (the Spanish AI supervisory authority, based in A Coruña) has published 16 practical compliance guides in Spanish and operates the EU's first regulatory sandbox.


    Why the Deadline Extension Is Not a Compliance Holiday

    Three market pressures make the Digital Omnibus delay operationally irrelevant for most enterprises:

    Absolute prohibitions are already law. Article 5 of the EU AI Act prohibits AI systems that manipulate users through subliminal techniques, exploit the vulnerabilities of specific groups, or enable social scoring by public authorities. These prohibitions have been enforceable since February 2025 — no extension applies. Enterprises with systems that could be construed as falling into these categories face enforcement exposure today.

    Transparency obligations are already in force. Under Article 50 (in effect since August 2025), any chatbot or voice AI system that a user might reasonably mistake for a human must clearly identify itself as AI at the first point of contact. This is not a fine-print disclaimer obligation — it requires active, clear disclosure before or at the start of interaction. Non-compliance with Article 50 is auditable now.

    Enterprise procurement is already requiring compliance documentation. Across banking, insurance, and telecommunications, enterprise legal and procurement teams have been including EU AI Act compliance in vendor questionnaires since early 2026. An enterprise vendor that cannot produce an AI system inventory, risk classification, and transparency protocol loses contracts — regardless of where the regulatory calendar stands.


    How to Classify Your AI Systems Under the EU AI Act

    Before building a compliance roadmap, every organization needs to know what it has in production:

    Step 1 — Build your AI system inventory. Include all chatbots, voice assistants, recommendation systems, scoring tools, HR screening tools, and any system that makes or assists in decisions affecting people. Most organizations are surprised by how many systems they find.

    Step 2 — Screen for absolute prohibitions (Art. 5). Regardless of Annex, any system that uses subliminal manipulation, exploits vulnerability, or enables biometric categorization based on protected characteristics is banned outright. Flag these immediately.

    Step 3 — Check for Annex III (directly high-risk). The most affected sectors: banking and insurance (credit scoring, claims management), healthcare (diagnostic support, triage), education (student evaluation), and employment (candidate screening and evaluation). If your system operates in these sectors and influences decisions about individuals, Annex III likely applies.

    Step 4 — Verify Article 50 compliance for all interactive systems. Every chatbot and voice agent in production must identify itself as AI. If any user could reasonably mistake the system for a human, the system is non-compliant today — not in 2027.

    Step 5 — Document the inventory. The GDPR Record of Processing Activities is the foundation, but the EU AI Act requires additional documentation: the intended purpose of the system, data provenance, performance benchmarks, and human oversight protocols.


    Four Obligations Enterprises Must Address Now

    Even with Annex III deadlines extended, four obligations apply to AI agents in production before December 2027:

    Obligation 1 — Active transparency (Art. 50, already in force)

    Chatbots and voice AI systems must identify as AI at the outset of every interaction — clearly, not buried in terms and conditions. If your customer service agent could be mistaken for a human in the first 30 seconds, you have an Article 50 compliance gap. Audit your disclosure practices across all touchpoints.

    Obligation 2 — Behavioral auditability

    The EU AI Act doesn't just require that systems be deployed correctly — it requires organizations to document how systems behave in production. That means knowing what every agent does, how it handles uncertainty, and how it escalates to human agents. Organizations that sample 1-3% of interactions cannot credibly document AI system behavior.

    According to LEXIC.AI deployment data (2025), enterprises that implemented 100% interaction auditing identified systematic behavioral failures that 1% sampling had entirely missed. Full auditability is the only technically credible basis for EU AI Act compliance documentation.

    Obligation 3 — Human oversight protocol

    Article 14 of the EU AI Act requires that high-risk AI systems be designed to allow effective human oversight. In practice: define which interaction types trigger human escalation, who receives the escalation, within what timeframe, and how the human decision is documented. This protocol must be operational — not theoretical — before the system's compliance deadline.

    Obligation 4 — Risk assessment (for Annex III systems)

    Article 9 requires a risk management system covering the full lifecycle of high-risk AI systems. The right time to build this risk assessment is now — when there is enough time to remediate findings. An organization that starts this in November 2027 will not have time to fix what it finds.


    The Governance Gap Most Enterprises Are Ignoring

    On June 11, 2026, the OWASP GenAI Security Project released State of Agentic AI Security and Governance v2.01. The most-cited finding: "Most organizations are deploying agents faster than they can govern them. Governance is still operating at the maturity levels designed for AI copilots while teams are shipping and running custom and multi-agent systems."

    The numbers behind the finding: prompt injection attacks increased 340% in 2026. Every threat that was classified as theoretical in the July 2025 edition of the report now has a documented CVE or a real-world incident on record.

    The structural problem OWASP identifies is exactly what the EU AI Act is designed to address: AI systems are being deployed without adequate governance. The Digital Omnibus extension gives organizations time to close that gap. Not time to ignore it.

    The Microsoft Work Trend Index 2026 found that 97% of enterprises report having AI agents in production — but only 23% report seeing measurable ROI. The gap between deployment and measurable value is, in most cases, a governance gap: organizations cannot tell what the agents are actually doing in production.


    Key Questions to Ask About Your AI Agents Today

    The following questions reveal where compliance gaps are most likely to exist:

    On transparency: Does every AI agent clearly identify itself as AI before interacting with customers or employees? Is the disclosure visible in the first interaction, not in linked documentation?

    On behavioral auditability: What percentage of agent interactions is reviewed — 1%, 10%, 100%? Is the review manual or automated? Can you produce a behavioral report for a specific agent for any given week in the last 12 months?

    On human oversight: When should an agent escalate to a human? Does escalation actually happen, or does the agent continue beyond its competence boundary? Is human escalation logged?

    On risk documentation: Does your organization have a written risk classification for each AI system in production? When was it last updated? Does it reflect how the system is actually being used, or how it was originally designed to be used?


    Lexic Compass: AI Act Readiness Assessment for Conversational Agents

    LEXIC.AI's Lexic Compass service delivers a complete audit of conversational AI agents — text chatbots and voice agents — covering EU AI Act requirements for high-risk systems and the Article 50 transparency obligations already in force.

    The assessment includes:

    • Risk classification of each system under the EU AI Act
    • Behavioral evaluation of the agent in production (based on 100% of audited interactions)
    • Identification of transparency failures, anomalous behaviors, and escalation gaps
    • Prioritized remediation plan with regulatory timeline mapping

    Organizations including Bankinter, Repsol, and Cellnex have used LEXIC.AI's Active Listening Engine to gain full visibility over 100% of their AI system interactions with customers.


    Frequently Asked Questions — EU AI Act and Chatbots

    Which chatbots are affected by the EU AI Act?

    All AI systems that interact with users have at minimum the transparency obligation under Article 50, which has been in effect since August 2025. Systems deployed in regulated sectors (banking, insurance, healthcare) may qualify as high-risk under Annex III, with additional compliance obligations from December 2027.

    Does the Digital Omnibus cancel EU AI Act obligations?

    No. It extends the compliance deadline for Annex III and Annex I systems. The absolute prohibitions under Article 5 and the transparency obligations under Article 50 remain on their original timeline and are currently enforceable.

    What documentation do we need for our AI agents before 2027?

    At minimum: a system inventory, risk classification, documentation of training data provenance, a human oversight protocol, an incident register, and (for Annex III systems) a risk management system document.

    How do we know if our chatbot complies with Article 50 today?

    The system must clearly identify itself as AI before or at the start of interaction, in a manner that is explicit and comprehensible. If a user could reasonably believe they are speaking with a human without the system making this disclosure, there is an Article 50 violation.

    What are the penalties for EU AI Act non-compliance?

    Infringements of high-risk AI obligations can result in fines of up to 3% of global annual turnover. Violations of the absolute prohibitions can reach 6% of global annual turnover. In Spain, AESIA is the competent authority.

    When should we start preparing, given the 2027 deadline?

    Immediately. Risk assessments for complex AI systems take 3-6 months. Behavioral governance systems — the capability to audit 100% of agent interactions — take additional time to deploy and validate. Organizations that start in Q4 2026 will be well-positioned; those that start in 2027 will not.


    Key Takeaways

    • The Digital Omnibus delays Annex III to December 2, 2027 — but absolute prohibitions and Article 50 transparency obligations are enforceable now.
    • Spain is the most advanced EU member state in AI Act implementation: AESIA operational, 16 guides published, national law passed May 26.
    • Enterprise procurement teams are already requiring EU AI Act compliance documentation in vendor questionnaires.
    • 97% of enterprises have AI agents in production; only 23% can demonstrate measurable ROI — the gap is a governance gap.
    • Auditing 100% of agent interactions is the only credible foundation for EU AI Act behavioral documentation.
    • The Digital Omnibus extension is a window to build — not to defer.

    Sergio Llorens is CEO of LEXIC.AI (Predictify Solutions S.L.), a Total Customer Intelligence platform with a Dual Helix architecture: Active Listening Engine for 100% interaction auditing, and Digital Workforce Platform for intelligent automation. LEXIC.AI operates in Spain, Europe, and LATAM with clients including Bankinter, Repsol, and Cellnex.



    If your organization is operating AI agents in the EU and needs an EU AI Act readiness assessment, contact info@lexic.ai about the Lexic Compass diagnostic.