Aller au contenu principal
← All articles
Legal & market watch/7 May 2026

EU AI Act and industrial maintenance: 2026-2028 compliance guide

The 7 May 2026 Omnibus agreement, the 2026-2028 timeline and its link with the Machinery Regulation. Decoded for industrial maintenance, without alarmism.

Written by Cédric Jean

Update note, 22 May 2026: article originally published on 6 May 2026 on the basis of the European Parliament vote of 26 March 2026, enriched on 22 May to incorporate the trilogue agreement of 7 May 2026 (Digital Omnibus on AI). Formal adoption by the Parliament and the Council is expected before 2 August 2026. The exact dates and wording may still evolve marginally before final adoption. This article informs on the current state of play, it is not a legal analysis. For a specific case, consult a lawyer specialised in the AI Act.

The 26 March vote in two sentences

On 26 March 2026, the European Parliament voted by 569 votes to 45 to postpone the application of the AI Act to high-risk systems: December 2027 for standalone AI, August 2028 for AI embedded in regulated products (European Parliament, official press release). For industrial maintenance, the timeline slips, the direction stays the same. Platforms such as Mimorian, which model industrial equipment and support technicians in their diagnostic reasoning so that every intervention enriches the plant's collective memory, are already making the design choices (human oversight, traceability, European hosting) that are consistent with the trajectory of the AI Act.

The Omnibus agreement of 7 May 2026, and what changes for industrial machinery

On 7 May 2026, the Council of the European Union, the European Parliament and the Commission reached a provisional trilogue agreement on the Digital Omnibus on AI (Council of the EU, official press release of 7 May 2026). The agreement confirms the two new compliance deadlines, adds a new prohibition under Article 5 (generation of child sexual abuse material and non-consensual intimate imagery), and clarifies the articulation between the AI Act and the Machinery Regulation.

For AI in an industrial environment, the major point lies in this last clarification. The Machinery Regulation (EU) 2023/1230 has been moved from section A to section B of Annex I of the AI Act (IAPP, EU agrees to amend AI Act, clarifies overlap with machinery rules). Consequence: AI systems covered by the Machinery Regulation are no longer directly subject to the obligations of Chapter III of the AI Act. The sectoral regime applies in its own right, with health and safety requirements specific to high-risk AI systems that the Commission will have to integrate into Annex III of the Machinery Regulation via delegated acts, to be adopted by 2 August 2028.

This is a transfer of the legal basis, not a complete exemption: what would have been covered twice (AI Act + Machinery Regulation) will be covered only once, by the sectoral framework, with its own set of requirements. The substantive requirements, documentation, human oversight, risk management, remain. They will be formulated differently, in the language and the timeline of the Machinery Regulation.

Formal adoption of the Omnibus by the Parliament and the Council is expected before 2 August 2026. The detailed decoding of the agreement, its practical implications, and the consolidated industrial maintenance timeline can be found in our dedicated article on the Omnibus agreement of 7 May 2026.

A scene witnessed 50 times this year

Friday morning, the workshop of an automotive component supplier in the Rhône area. A maintenance manager opens his inbox and finds the supplier questionnaire from his German customer. Twenty-three questions about AI. Traceability of recommendations, human oversight, data hosting, bias management, model audit. Deadline: three weeks. He calls his IT director: "Can you answer this for me? I can see we use AI on the CMMS, but I couldn't tell you what's inside the box."

This scene plays out everywhere. Regulatory pressure arrives through customer procurement before it arrives through the legislator. And even when the legislator steps back by a few months, the large-account buyers do not step back at all.

What exactly happened on 26 March 2026

The European Parliament adopted its negotiating position on the Digital Omnibus on AI, a text that postpones the application of the AI Act rules to high-risk systems. Final score: 569 votes in favour, 45 against, 23 abstentions (HowTheyVote.eu, vote 189384). Strong cohesion, with the right and the moderate left aligned.

Three clarifications so as not to misread the scope of the vote:

  • This is a step, not yet a law. The Parliament adopts a position. The trilogues, negotiations between the Parliament, the Council of the EU and the Commission, were launched right after the vote (European Parliament Legislative Train Schedule).
  • The final text is not yet published. The Cypriot presidency of the Council is aiming for an agreement by May 2026, ahead of the general date of application of 2 August 2026 set by the original AI Act.
  • The AI Act regulation adopted in 2024 (EU 2024/1689) remains applicable for as long as the Omnibus is not adopted in its final version (text of the regulation, EUR-Lex).

In other words, the direction is known, the exact version of the text is not yet.

The two new dates and who they concern

The Digital Omnibus on AI proposes two distinct dates, depending on the nature of the AI system:

CategoryDescriptionProposed date of application
Annex III (standalone)Standalone high-risk AI: biometrics, critical infrastructure, education, employment, essential services, justice, border control2 December 2027
Annex I section B (embedded)High-risk AI integrated into products covered by EU sectoral safety legislation2 August 2028

Converging sources: European Parliament, press release of 26/03/2026, silicon.fr, donneespersonnelles.fr.

Which products are concerned by the 2 August 2028 deadline? The official press release explicitly cites machinery, medical devices, radio equipment and toys. Autonomous vehicles and industrial robots are also covered through the Machinery Regulation (Machinery Regulation 2023/1230) and the associated sectoral texts.

On the machinery side, the neighbouring timeline is taking shape. Regulation (EU) 2023/1230 enters into application on 20 January 2027 (EU-OSHA, Machinery Regulation). It introduces specific requirements for software components that perform a safety function, including AI, and imposes third-party conformity assessment for certain categories (TÜV Rheinland, New Machinery Regulation EU 2023/1230). For an industrial company, the subject is therefore not just "AI Act", it is "AI Act + Machinery Regulation", and the two timelines interlock.

Sectoral framework for industrial AI and Machinery Regulation 2023/1230

Once it is established that AI systems within the scope of the Machinery Regulation fall outside Chapter III of the AI Act, the question becomes: what applies instead, and on what timeline.

Regulation (EU) 2023/1230 enters into application on 20 January 2027 (EU-OSHA, Machinery Regulation). It replaces the Machinery Directive 2006/42/EC in a directly applicable manner, without national transposition. For software components that perform a safety function, including AI, it introduces specific requirements and provides for third-party conformity assessment for certain categories (TÜV Rheinland, New Machinery Regulation EU 2023/1230).

The Omnibus of 7 May 2026 adds a building block. The Commission is now empowered to adopt delegated acts amending Annex III of the Machinery Regulation, to integrate the health and safety requirements specific to AI systems classified as high-risk. These delegated acts constitute the sectoral version of what the AI Act provided for directly on traceability, human oversight, risk management and technical documentation. Timeline: adoption before 2 August 2028, in line with the general deadline for embedded systems.

For an industrial company, the practical reading is as follows. If the AI in question is integrated as a safety component into a machine covered by the Machinery Regulation, the reference regulatory counterpart becomes the Machinery Regulation, and the critical timeline crystallises around 20 January 2027 (entry into application of the regulation) and 2 August 2028 (integration of the AI delegated acts into Annex III). If the AI does not perform a safety function within the meaning of the Machinery Regulation, it remains within the potential scope of the AI Act, according to the criteria of Annex III, with a general deadline of 2 December 2027.

Where an AI platform for maintenance sits in all this

This is where sorting becomes useful, and it is also where many discussions go off the rails. A few concrete criteria to guide the diagnosis.

1. Is the tool a safety component of a regulated machine?

If the AI is integrated into a machine within the meaning of the Machinery Regulation, and it performs a safety function (human presence detection, intelligent emergency stop, supervision of a collaborative robot), it falls within the Annex I section B scope of the AI Act. Deadline: 2 August 2028. The Machinery Regulation specifies that AI modules using learning techniques that perform a safety function are subject to specific requirements (TÜV Rheinland).

2. Is the tool standalone, separate from the machine?

If the platform helps technicians diagnose a fault, structure documentation, and capture know-how, without directly controlling the machine or performing a safety function, the connection to Annex I section B is less direct. Any connection to Annex III depends on the use cases. Many maintenance productivity tools are simply not classified as high-risk.

3. Is the system certified by a third party?

The Annex I section B obligations only apply if the product must already undergo third-party conformity assessment (notified body) under the sectoral legislation (artificialintelligenceact.eu, Annex I).

4. What is the overall risk profile?

The AI Act distinguishes four levels: unacceptable risk (prohibited), high risk (regulated), limited risk (transparency), minimal risk (free). Not every AI tool is high-risk by default. This nuance is central to avoid panicking over tools that do not fall within the hard scope of the regulation.

These criteria provide guidance. They do not replace a legal opinion on a real case.

How much does compliance cost, orders of magnitude

The figures published in 2025 by sectoral analyses give useful ranges to keep in mind, even if the final cost depends on the exact scope of the system and the organisation. For a system classified as high-risk, the average initial compliance cost exceeds €50,000 per system, excluding continuous monitoring, and third-party conformity assessments range between €10,000 and €40,000 per system (SQ Magazine, EU AI Act Compliance Cost Statistics 2026). The annual costs of maintaining a Quality Management System (QMS) required by the regulation run from €10,000 to €25,000 depending on complexity.

On the penalties side, the regulation set a hard framework: up to €35M or 7% of worldwide turnover for prohibited AI practices, up to €15M or 3% of worldwide turnover for failures on the obligations applicable to high-risk AI (2021.AI, AI Act Penalties).

These orders of magnitude are not the final bill for an industrial company: they target the providers of high-risk systems. But they give the scale. An AI provider who has not anticipated its obligations will pass the cost on to its customers when it has to catch up in a hurry.

The GDPR precedent, and why waiting is a bad idea

Three reasons why using the postponement as a licence to procrastinate is a losing strategy.

The harmonised standards will arrive during the postponement. The Commission has time to publish the technical standards that will concretely define how to demonstrate compliance. Those who have already aligned their architecture (traceability, human oversight, data governance, bias management) will absorb the standards like an update. Those who start from scratch will discover the real cost of an overhaul, within a constrained timeframe and with a saturated market of legal firms.

Industrial customers are asking for guarantees as early as 2026. An observable sectoral finding, not an academic study: supplier AI questionnaires are getting longer, large-account buyers already demand contractual commitments on traceability, human oversight and data sovereignty. Around 90% of companies anticipate significant operational adjustments tied to the governance, risk and transparency obligations carried by the AI Act (SQ Magazine, EU AI Act Compliance Cost Statistics 2026). This pressure precedes the legal deadline.

The GDPR precedent speaks for itself. The GDPR was adopted in April 2016 and applied in May 2018. Many organisations waited until March 2018 to deal with it. On the CNIL side, the panic effect is documented: 189,877 calls received in 2018, up 22% on 2017, and 8 million visits to cnil.fr, up 80% (CNIL, 2018 activity report). Over the first seven years of application, around €5.65 billion in fines were imposed (CMS, GDPR fines exceed EUR 5 billion). The first to build compliance in by design gained a lasting commercial advantage, not just the absence of a penalty.

The pattern repeats with the AI Act. The postponement does not change the trajectory, it shifts the entry bar.

What to do concretely between now and 2027

Three practical angles of attack for a maintenance manager or an industrial IT director.

Map the AI uses already in place. Before discussing compliance, you need to know where AI actually runs in the maintenance information system. CMMS with a predictive module, computer vision on the line, documentation copilot, diagnostic platform, modules embedded in sensors. This mapping is rarely done properly, and it conditions everything else.

Pull the "human oversight" criterion out of the supplier questionnaires. For each AI tool used or assessed, two discriminating questions: does the technician see why the AI puts forward a recommendation, and can they reject it while explaining why? If the answer is no, the tool is probably difficult to bring into compliance, regardless of the timeline. If the answer is yes, the regulatory work ahead comes down to formalising and documenting.

Tell apart the suppliers who already talk compliance from those who don't know. A serious supplier knows how to say which box it falls into, by default, and why. It does not promise full compliance (no one can, the final text does not exist), but it can explain its architecture choices in the face of the AI Act. The others will do this work in a panic in 2027.

What guides our design choices at Mimorian

Without prejudging the exact legal classification of an AI platform for maintenance, certain practices produce value regardless of the final regulatory status. Three choices structure the Mimorian architecture:

  • Explicit human oversight (Human in the Loop). Each diagnostic hypothesis is ranked by probability and presented to the technician. Validation, correction, motivated rejection: the final decision stays human, and the reasoning enriches Mimorian's own reasoning.
  • Traceability from prompt to answer to action. The whole reasoning chain stays visible, from the source document to the displayed diagnosis. Auditable after the fact, with no black box.
  • Data in Europe. Sovereign hosting, GDPR compliance by design, a requirement consistent with the spirit of the AI Act.

These are design choices, not claims of legal compliance. Formal compliance is verified case by case, with a lawyer, against a final text.

What are the two new dates of application of the AI Act?

The Digital Omnibus on AI proposes two distinct dates. 2 December 2027 for standalone high-risk AI (Annex III: biometrics, critical infrastructure, employment, justice and essential services). 2 August 2028 for high-risk AI embedded in regulated products (machinery, medical devices, radio equipment, toys, autonomous vehicles).

Is AI for industrial maintenance high-risk under the AI Act?

Not by default. The AI Act classifies systems into four levels (unacceptable, high, limited, minimal). A platform that helps technicians diagnose a fault without directly controlling a machine or performing a safety function is generally not classified as high-risk. The classification depends on the architecture, the use cases and the third-party certification applicable to the product.

How much does AI Act compliance cost for a high-risk system?

For a system classified as high-risk, the average initial cost exceeds €50,000 per system, excluding continuous monitoring. Third-party conformity assessment ranges between €10,000 and €40,000 per system. Maintaining a Quality Management System runs from €10,000 to €25,000 per year depending on complexity (SQ Magazine, 2026).

Should you wait until 2027 to align with the AI Act?

No. Three reasons. The harmonised standards will arrive during the postponement, and those who have already aligned their architecture will absorb them without an overhaul. Large-account buyers already demand contractual commitments on traceability and human oversight in their supplier questionnaires. The GDPR precedent showed that the first to build compliance in by design gain a lasting commercial advantage, not just the absence of a penalty.

Conclusion

The vote of 26 March 2026 opened the sequence. The trilogue agreement of 7 May 2026 refined it. Three useful dates to remember: 2 December 2027 for standalone high-risk AI (Annex III), 2 August 2028 for AI embedded in a regulated product (Annex I), 20 January 2027 for the entry into application of the Machinery Regulation, which becomes the reference regulatory counterpart for AI in industrial machinery. Formal adoption of the Omnibus is expected before 2 August 2026.

For a maintenance manager or an industrial IT director, the guiding line fits in one sentence: use the postponement as a time budget, not as a licence to procrastinate. Map the uses, demand human oversight and traceability from suppliers, and tell apart those who have already done the work under the applicable regime (AI Act directly or Machinery Regulation depending on the scope).

For a consolidated recap of the 2026-2028 timeline, the articulation of the AI Act + Machinery Regulation and an action plan by deadline, see our AI Act compliance guide for industrial maintenance, designed as an operational support for Compliance, IT and Maintenance functions.

For an overview of the subject, read our complete guide: What is trustworthy AI in industry? The complete guide for maintenance.

Request a demo | Try Mimorian

Sources :

CJ
Cédric JeanCo-founder & CEO

With a background in B2B SaaS, he founded Mimorian so that field know-how is available to everyone who needs it, the moment they need it. He owns the overall vision and the trade-offs between field, technical and commercial priorities.

LinkedIn →

Read next

Three world visions of AI: innovation, control and trust

AI Act May 2026: impact on industrial maintenance

The six pillars of trustworthy AI

The next breakdown is an opportunity.

Show us an asset that gives you trouble. We will show you what Mimorian does with it in 30 minutes.

Try Mimorian →Request a demo