Regulatory timelines, insurance market signals, and the context you need to make informed decisions about AI governance certification.
The EU AI Act is the world's first comprehensive AI regulation. On June 29, 2026, the Council of the EU gave final green light to the Digital Omnibus on AI, formally postponing high-risk AI system obligations to fixed extended deadlines. The amended timeline is now law.
| Date | Milestone | Status |
|---|---|---|
| Aug 1, 2024 | EU AI Act entered into force | In force |
| Feb 2, 2025 | Prohibited AI practices ban effective | In force |
| Aug 2, 2025 | GPAI model obligations and governance provisions effective | In force |
| Jun 29, 2026 | Digital Omnibus on AI formally adopted by the Council of the EU | Enacted |
| Dec 2, 2026 | Watermarking / synthetic content transparency (Art. 50(2)) applies to legacy systems; new Art. 5 prohibition on non-consensual intimate-image AI and CSAM generators | Effective |
| Aug 2, 2027 | Member States must stand up at least one national AI regulatory sandbox | Upcoming |
| Dec 2, 2027 | High-risk AI obligations — standalone systems (Annex III) | Upcoming |
| Aug 2, 2028 | High-risk AI obligations — AI embedded in regulated products (Annex I) | Upcoming |
The delay is now law.
The Digital Omnibus on AI was formally adopted on June 29, 2026, following the European Parliament's first-reading approval on June 16, 2026. Standalone high-risk AI obligations (Annex III) now apply from December 2, 2027; AI embedded in regulated products (Annex I) from August 2, 2028. Penalties remain unchanged at up to €35 million or 7% of global annual turnover. The extended runway is time to certify and remediate before enforcement — not a reason to pause. Article 50 transparency obligations and the new Article 5 prohibitions still take effect on the December 2026 timeline. Organizations that certify now will be positioned ahead of competitors when the December 2027 deadline arrives.
Major insurers are actively excluding AI from liability coverage. This isn't a future risk — it's happening now. Independent certification is the governance signal insurers need to move from blanket exclusion to risk-tiered pricing.
Introduced an "absolute" AI exclusion from professional liability and D&O coverage — no exceptions, no carve-outs.
Excluded generative AI from professional liability coverage, specifically targeting AI-generated outputs and decisions.
Released standardized AI exclusionary forms in January 2026, providing template language for the entire insurance industry to exclude AI risk.
Carriers following suit with AI-specific exclusions across multiple lines including D&O, E&O, and fiduciary liability.
Warned about "silent AI" risk — existing policies inadvertently covering AI losses without proper assessment or pricing.
Without independent AI governance certification, organizations face uncovered exposure across Directors & Officers, Errors & Omissions, and Fiduciary Liability policies.
The world's first comprehensive AI regulation. Classifies AI systems by risk level and imposes requirements for high-risk systems including risk management, data governance, transparency, human oversight, and conformity assessment. Penalties up to €35M or 7% of global revenue.
Voluntary U.S. federal framework for managing AI risk across the lifecycle. Four core functions: Govern, Map, Measure, Manage. Increasingly referenced in U.S. government procurement and state-level AI legislation.
International standard for AI management systems. Establishes organizational-level requirements for responsible development, provision, and use of AI. The first ISO standard specifically for AI governance.
General Data Protection Regulation. Governs the processing of personal data across the EU. AI systems that process personal data must comply with GDPR requirements for data minimization, purpose limitation, and individual rights. Penalties up to €20M or 4% of global turnover.
Global ethical framework adopted by 193 member states. Establishes principles for fairness, transparency, accountability, privacy, safety, and human oversight in AI development and deployment.
The Clause 5 Framework also addresses requirements from ISO 23894 (AI Risk Management), ISO 22989 (AI Concepts), IEEE P7000 series, OECD AI Principles, and emerging U.S. state-level AI regulations including Colorado, Illinois, and Connecticut.