EU AI Act for Ecommerce After the May 2026 Delay: What's Still Mandatory, What Got Pushed, and What to Do Before December

On May 7, 2026, EU lawmakers agreed to delay parts of the AI Act. But the chatbot transparency rules were not delayed much. Here is what an ecommerce store actually has to do, and by when.

May 21, 2026 · 11 min read

Contents

  • The risk tiers, and where ecommerce sits
  • What an ecommerce store typically has to do
  • What got delayed and what did not
  • The penalties, in proportion
  • The practical checklist for now through December
  • Where this overlaps with what you already do
  • FAQ
  • Where to go from here

If you run an ecommerce store serving EU customers and you have an AI chatbot, a shopping assistant, or AI-generated product content, you have probably read that the EU AI Act hits a hard deadline on August 2, 2026. You may also have read, more recently, that the deadline was delayed. Both are partly true, and the gap between them is causing a lot of bad planning.

Here is what actually happened. On May 7, 2026, EU lawmakers reached political agreement on revisions to the AI Act through the Digital Omnibus package. The revisions push back the heaviest obligations, the ones for high-risk AI systems. But the transparency obligations that most directly affect ecommerce, the rules about AI chatbots and AI-generated content, were not pushed back nearly as far. The delay to AI-generated content transparency was cut to three months, landing compliance at December 2, 2026.

So the headline "the AI Act deadline was delayed" is true for high-risk systems and misleading for ecommerce. Most stores do not run high-risk AI. Most stores run limited-risk AI: a chatbot, a recommendation engine, AI-written product descriptions. For that category, the relevant date moved from August 2026 to December 2026, not to 2027 or 2028.

This post is a plain-language account of what an ecommerce business actually has to do, what got delayed and what did not, and a practical checklist for the months between now and December. It is not legal advice; we are a technical agency, not a law firm, and you should confirm specifics with a lawyer. But the technical and operational shape of compliance is something we can lay out clearly.

The risk tiers, and where ecommerce sits

The AI Act sorts AI systems into four tiers, and your obligations scale with the tier.

Unacceptable risk systems, such as social scoring and manipulative AI that exploits vulnerabilities, are banned outright. The prohibitions have been enforceable since February 2025. Almost no ecommerce store is in this tier, though it is worth knowing that AI which manipulates or exploits vulnerable groups, including by design choices that exploit minors or financial vulnerability, is prohibited, not merely regulated.

High risk systems carry the heaviest obligations: risk management systems, data governance, technical documentation, human oversight, conformity assessments, CE marking, EU database registration. This is the tier whose deadlines the May 2026 Digital Omnibus pushed back, in some cases to December 2027 and August 2028. Most ecommerce AI is not high-risk. High-risk covers AI used in employment decisions, credit decisions, education, critical infrastructure, and law enforcement. A standard product-recommendation engine or support chatbot is generally not high-risk.

Limited risk is where most ecommerce AI lands: chatbots, shopping assistants, AI-generated content. The obligation here is transparency: people must be told they are interacting with an AI, and AI-generated content must be identifiable. This tier was not given the long delay. The transparency rules under Article 50 take effect, with the AI-generated content piece landing on December 2, 2026.

Minimal risk is everything else: spam filters, basic personalization, inventory forecasting. It is largely unregulated.

The practical takeaway: figure out which of your AI systems are limited-risk, because that is the tier with a near-term deadline and the tier almost every store has exposure to.

Most ecommerce AI sits in limited risk (transparency, including AI-generated content by December 2, 2026), not the delayed high-risk track.

The May 2026 Digital Omnibus is still subject to formal adoption and the details can shift. But the direction is settled: high-risk obligations move out significantly, limited-risk transparency obligations do not. Plan on the December 2026 transparency timeline for your chatbot and AI-content obligations, and treat the high-risk extension as relief you probably do not need anyway.

What an ecommerce store typically has to do

Strip away the legal language and the obligations for a typical store with limited-risk AI come down to a short list.

Disclose AI interaction. If a customer is talking to an AI chatbot or shopping assistant, the system has to make clear they are interacting with an AI, not a human. This is not a buried line in the terms of service. It needs to be evident at the point of interaction. For most stores this is a UI change: a label, an intro message, a persistent indicator.

Label AI-generated content. Where AI generates content that a customer sees (product descriptions written by AI, AI-generated images, AI-produced marketing copy), that content needs to be identifiable as AI-generated. The mechanism (watermarking, metadata, visible labels) is the subject of a Code of Practice the Commission has issued; the December 2, 2026 date is specifically the transparency deadline for AI-generated content.

Keep documentation. Even for limited-risk systems, you should be able to say what AI systems you run, what they do, what data they use, and what their outputs are. This is lighter than the high-risk technical documentation burden, but "we have no idea what AI is running on our store" is not a defensible position.

Understand you are a deployer, not just a buyer. This is the point most stores miss. The AI Act places obligations on both providers (the company that built the AI) and deployers (you, the store using it). Your chatbot vendor has their own provider obligations, but you are independently accountable for the transparency disclosures, for using the system appropriately, and for human oversight. You cannot fully outsource compliance by buying a tool. Request compliance documentation from your vendors, but build your own program.

What got delayed and what did not

Because the reporting has been muddled, here is the clean version.

Delayed significantly: the high-risk system obligations under Annex III. The Digital Omnibus links the start of these obligations to the availability of harmonized technical standards, and since those standards are not expected to be ready by August 2026, the practical effect is a push toward December 2027 for new or substantially modified high-risk systems, and further out for some sector-specific obligations. If you somehow run high-risk AI, you got real breathing room.

Delayed only slightly: the transparency obligation for AI-generated content. The delay was reduced from six months to three, putting compliance at December 2, 2026.

Not delayed: the prohibitions on unacceptable-risk practices, enforceable since February 2025; the general-purpose AI model obligations, in effect since August 2025; and the core transparency principle that people must know when they are dealing with an AI.

Also worth knowing: the Digital Omnibus expands some relief that was previously available only to SMEs to a broader class of small mid-cap companies, including simplified technical documentation and consideration in how penalties are applied. If you are a mid-sized business, this is genuinely helpful, though it mostly matters for the high-risk tier.

The net effect for a normal ecommerce store: your chatbot and AI-content transparency obligations are real and land in December 2026. The scary high-risk obligations probably never applied to you, and if they did, they moved out.

The penalties, in proportion

The numbers that circulate are large: up to 35 million euros or 7 percent of global turnover for prohibited practices, 15 million or 3 percent for high-risk non-compliance, 7.5 million or 1 percent for supplying misleading information to regulators.

Two things to keep in proportion. First, the largest figures attach to the prohibited-practices tier, which almost no ecommerce store touches. Second, enforcement of transparency obligations for a small store running a labeled chatbot is not where regulators are going to focus their attention. The realistic risk for a typical store is not a headline fine; it is being non-compliant in a way that surfaces during due diligence (a partnership, an acquisition, an enterprise customer's vendor review) and becomes a problem at the worst time.

The proportionate response is not panic. It is doing the limited-risk checklist properly and on time, keeping the documentation, and not treating "we bought a tool" as the end of the obligation.

The practical checklist for now through December

Here is what we would have an ecommerce store do in the months before the December 2026 transparency deadline.

  • Inventory your AI. List every AI system touching your store and customers: chatbot, shopping assistant, recommendation engine, AI product-description generation, AI image generation, AI-driven email or ad personalization. Include the ones embedded in apps and platforms you did not build.
  • Classify each one. For each system, determine the risk tier. Most will be limited-risk or minimal-risk. If anything looks high-risk, that is the one to get a lawyer's read on.
  • Fix the disclosure UX. For any customer-facing AI, especially chatbots and shopping assistants, make the AI interaction evident at the point of use. This is usually a front-end change: a label, an opening message, a persistent indicator.
  • Label AI-generated content. Decide and implement how AI-generated product copy, images, and marketing content are identified. Align with the Commission's Code of Practice on transparency of AI-generated content.
  • Collect vendor documentation. Ask every AI vendor for their compliance documentation and their statement of provider obligations. Keep it on file. It does not discharge your deployer obligations, but you need it.
  • Write your own light documentation. A simple internal register: what AI you run, what it does, what data it uses, what it outputs, who owns it. Lighter than high-risk technical documentation, but it has to exist.
  • Assign human oversight. For customer-facing AI, define how a human can review, intervene in, or override the system. Document who that is.
  • Confirm specifics with a lawyer. The shape above is technical and operational. The legal specifics, especially edge cases around what counts as high-risk for your particular setup, need a lawyer who tracks this.

Most of this is a few days of work for a typical store, concentrated in the disclosure UX and the AI-generated-content labeling. The inventory and classification step is the one teams skip and the one that makes the rest possible: you cannot comply for AI systems you have not catalogued.

Where this overlaps with what you already do

If you are an EU store, you have done GDPR work. You may have done Cookie Consent Mode V2. The AI Act compliance work is adjacent to both and reuses the same muscles: knowing what systems you run, knowing what data flows through them, being able to document it, and being honest with customers about what is happening.

The chatbot disclosure work in particular often surfaces during the same review as consent and tracking work. If you are already revisiting your server-side tracking and consent setup, folding the AI disclosure UX into that pass is efficient. And if your AI chatbot turns out to need rebuilding (to add proper disclosure, to add human oversight, to fix the labeling), that is a custom software project, and it is worth scoping deliberately rather than bolting a disclaimer onto a tool that was not built with this in mind.

FAQ

Is my product recommendation engine high-risk under the AI Act?

Generally no. High-risk under Annex III covers AI used in areas like employment, credit, education, and critical infrastructure. A standard ecommerce recommendation engine is typically limited-risk or minimal-risk. The exception worth a lawyer's check is anything that could be read as manipulative or as exploiting vulnerable groups, which is treated much more strictly.

Do I need to do anything if my chatbot is from a big vendor who handles compliance?

Yes. The AI Act places independent obligations on you as the deployer, separate from your vendor's provider obligations. The vendor's compliance does not discharge yours. You still need the disclosure UX, the appropriate-use practices, and human oversight. Get the vendor's documentation, but build your own program.

What exactly happens on December 2, 2026?

That is the transparency deadline specifically for AI-generated content, after the Digital Omnibus reduced the delay from six months to three. The broader transparency principle, that people must be told they are interacting with an AI, is part of the Article 50 obligations taking effect in this window. Confirm the precise applicability for your systems with a lawyer.

Did the August 2, 2026 deadline disappear?

For high-risk systems, the heaviest obligations were pushed back significantly by the May 2026 Digital Omnibus, in some cases to December 2027 and August 2028. For the limited-risk transparency obligations that affect most ecommerce stores, the relevant timeline is the December 2026 window, not a long delay.

We use AI to write product descriptions. Does that need a label?

Under the AI-generated content transparency obligation, AI-generated content that customers see should be identifiable as AI-generated. The exact mechanism is the subject of the Commission's Code of Practice. Plan to have a labeling or identification approach in place for the December 2026 timeline, and confirm the specifics for your content types with a lawyer.

Is this just an EU problem, or does it affect UK and Canada stores?

The AI Act applies based on whether your AI's output meaningfully touches the EU, through sales, access, or downstream integration. A UK or Canada store selling to EU customers can be in scope. The UK and Canada also have their own evolving AI and data rules. If you serve EU customers, assume the AI Act can apply regardless of where you are based.

Where to go from here

The first move is the AI inventory. It is low effort, it is the prerequisite for everything else, and most stores find it clarifying just to see the list of AI systems they are actually running.

If you want help with the technical side, rebuilding a chatbot to add proper disclosure and human oversight, implementing AI-generated-content labeling across your storefront, or folding the AI disclosure UX into a broader consent and tracking pass, get in touch. We are a technical agency, so we handle the implementation, not the legal opinion; for the legal specifics you will want a lawyer, and we are happy to work alongside one. You can read more about our custom software work for the build side.

For related reading, our server-side tracking guide covers the consent and tracking work that often happens in the same pass as AI disclosure.
