Regulatory timelines, insurance market signals, and the context you need to make informed decisions about AI governance certification.
The EU AI Act is the world's first comprehensive AI regulation. The European Parliament and Council have aligned on the Digital Omnibus extension, pushing high-risk AI system obligations to fixed future dates. Trilogue negotiations are expected to conclude in May 2026, after which the extended timeline becomes law.

| Date | Milestone | Status |
|---|---|---|
| Aug 1, 2024 | EU AI Act entered into force | Passed |
| Feb 2, 2025 | Prohibited AI practices ban effective | Passed |
| Aug 2, 2025 | GPAI model obligations effective; governance provisions apply | Passed |
| Nov 2, 2026 | Watermarking / content origin rules (proposed) | Proposed |
| Dec 2, 2027 | High-risk AI systems obligations — standalone systems (Digital Omnibus) | Agreed |
| Aug 2, 2028 | High-risk AI systems — embedded in regulated products (Digital Omnibus) | Agreed |

Where the delay stands right now.
The Council of the EU adopted its position on the Digital Omnibus on March 13, 2026. The European Parliament adopted its position on March 26, 2026. Both co-legislators have aligned on the fixed extended deadlines — December 2, 2027 and August 2, 2028. Trilogue negotiations with the Commission are expected to conclude in May 2026, at which point the amended text will be formally enacted. Until formal adoption, the original August 2, 2026 deadline remains legally binding. Penalties remain unchanged at up to €35 million or 7% of global annual turnover. Organizations that certify now have time to remediate before enforcement — and will be positioned ahead of competitors when the final text is adopted.
Major insurers are actively excluding AI from liability coverage. This isn't a future risk — it's happening now. Independent certification is the governance signal insurers need to move from blanket exclusion to risk-tiered pricing.
Introduced an "absolute" AI exclusion from professional liability and D&O coverage — no exceptions, no carve-outs.
Excluded generative AI from professional liability coverage, specifically targeting AI-generated outputs and decisions.
Released standardized AI exclusionary forms in January 2026, providing template language for the entire insurance industry to exclude AI risk.
Carriers following suit with AI-specific exclusions across multiple lines including D&O, E&O, and fiduciary liability.
Warned about "silent AI" risk — existing policies inadvertently covering AI losses without proper assessment or pricing.
Without independent AI governance certification, organizations face uncovered exposure across Directors & Officers, Errors & Omissions, and Fiduciary Liability policies.
The world's first comprehensive AI regulation. Classifies AI systems by risk level and imposes requirements for high-risk systems including risk management, data governance, transparency, human oversight, and conformity assessment. Penalties up to €35M or 7% of global revenue.
Voluntary U.S. federal framework for managing AI risk across the lifecycle. Four core functions: Govern, Map, Measure, Manage. Increasingly referenced in U.S. government procurement and state-level AI legislation.
International standard for AI management systems. Establishes organizational-level requirements for responsible development, provision, and use of AI. The first ISO standard specifically for AI governance.
General Data Protection Regulation. Governs the processing of personal data across the EU. AI systems that process personal data must comply with GDPR requirements for data minimization, purpose limitation, and individual rights. Penalties up to €20M or 4% of global turnover.
Global ethical framework adopted by 193 member states. Establishes principles for fairness, transparency, accountability, privacy, safety, and human oversight in AI development and deployment.
The Clause 5 Framework also addresses requirements from ISO 23894 (AI Risk Management), ISO 22989 (AI Concepts), IEEE P7000 series, OECD AI Principles, and emerging U.S. state-level AI regulations including Colorado, Illinois, and Connecticut.