EU AI Act 2026: Why Europe's New AI Rules Make AI Maturity Measurable

Authored by

Team CorpIn

June 19, 2026

Executive Summary

The current EU AI Act is moving in two directions at once: The EU is postponing key high-risk obligations because standards, guidelines, and technical support tools are not yet fully in place. At the same time, it is strengthening protections against certain abusive AI applications, particularly AI systems that generate non-consensual intimate content or child sexual abuse material. The European Parliament gave its final approval to the relevant simplification and prohibition rules in June 2026 with 423 votes in favor, 57 against, and 174 abstentions; formal adoption by the Council is still pending before the law can take effect.

For companies, this is more than just a compliance update. This trend shows that AI governance, data quality, transparency, system inventories, risk classification, and organizational capabilities are becoming strategic competitive factors. AI maturity is no longer just an internal self-assessment. It can be assessed from the outside based on public signals, regulatory readiness, visible competencies, and transparent structures.

An external AI maturity score should therefore never be interpreted as a definitive judgment. When properly understood, it is a visible maturity baseline: a public-signal score or an outside-in maturity estimate that shows how mature a company appears to be based on publicly observable signals. The true value emerges when companies claim, verify, supplement, and improve this visible assessment.

The strategic question is no longer, “Do we have AI tools?”
The strategic question is: Can we measure, compare, and manage our AI maturity?

What Happened? An Overview of the EU AI Act Update

The EU AI Act has been in effect since August 1, 2024. According to the European Commission, it is being implemented in phases: bans on certain AI practices and AI literacy requirements have been in effect since February 2, 2025; governance rules and requirements for general-purpose AI models have been in effect since August 2, 2025; and the majority of the rules are expected to take effect on August 2, 2026.

With the so-called Digital Omnibus on AI, the EU now aims to simplify certain aspects of implementation and reorder the timeline. The European Commission describes the package as part of its simplification agenda to strengthen Europe’s competitiveness and make the implementation of the AI Act more practical for businesses.

On May 7, 2026, the Council and the Parliament reached a provisional political agreement. On June 16, 2026, the European Parliament gave its final approval. Before the amendments take effect, the Council must still formally adopt them.

The Most Important Official Changes

Key points from the official data:

First: High-risk obligations are being postponed.
For stand-alone high-risk AI systems, the obligations are set to take effect on December 2, 2027. For AI systems embedded as safety components in regulated products, the deadline is set for August 2, 2028. The EU justifies this phased approach by stating that standards and support tools should be in place before the rules are applied.

Second: Watermarking and labeling requirements have been rescheduled.
The implementation of certain labeling requirements for AI-generated content has been postponed to December 2, 2026. Until then, AI-generated content must be marked in a machine-readable format to increase transparency and traceability.

Third: New bans on “nudifier” tools, non-consensual intimate content, and CSAM.
The amendments prohibit AI systems that generate child sexual abuse material or depict, without consent, the intimate body parts or sexually explicit activities of identifiable individuals in images, videos, or audio. Providers may only place such systems on the EU market if appropriate technical safeguards prevent the creation of such content. Deployers who use such systems for this purpose are also subject to the ban. Companies will have until December 2, 2026, to adapt their systems.

Fourth: Less duplicate regulation for machinery products.
For machinery products, overlaps between the AI Act and sector-specific safety regulations are to be reduced. The political compromise is intended to ensure that machinery products are not subject to the same obligations under different regulatory frameworks at the same time, as long as an equivalent level of safety is maintained.

Fifth: Simplifications for small and medium-sized enterprises.
Certain relief measures for SMEs are to be extended to small mid-cap enterprises. At the same time, the powers of the AI Office will be strengthened, and responsibilities for certain general-purpose AI systems will be centralized.

Clearly Distinguished: What Is Applicable Law, What Is a Policy Change, and What Is Commentary?

A. Current Legal Status and Official Information

The AI Act, Regulation (EU) 2024/1689, is now in effect. The European Commission describes it as the world’s first comprehensive legal framework for AI, aimed at promoting trustworthy, human-centered AI, addressing risks, and strengthening Europe’s role in the AI landscape.

The current AI Act takes a risk-based approach: certain AI practices are prohibited, high-risk systems are subject to strict obligations, certain systems must meet transparency requirements, and general-purpose AI models are regulated separately.

For violations of prohibited AI practices, Article 99 of the AI Act provides for fines of up to 35 million euros or 7 percent of global annual revenue, whichever is higher. For other violations, such as those related to the obligations of providers, deployers, or transparency requirements, the upper limits are lower.

B. Changes that have been adopted by the legislature but have not yet fully taken effect

The omnibus amendments adopted in May and June 2026 have not yet fully entered into force as of the time of this research. The European Parliament has approved them, but formal adoption by the Council is required before they can enter into force.

For companies, this distinction is crucial: The direction is clear, and planning should begin, but the changes will not become legally binding until the formal legislative process is complete and the legislation is published.

C. Assessment by Law Firms and Policy Analysts

Global Policy Watch describes the package as the first amendment to the EU AI Act since its adoption in 2024 and as a mix of timeline extensions, targeted simplifications, and a few substantive policy changes. The analysis highlights in particular the postponement of high-risk obligations, the new prohibitions, and the importance of pending standards.

Gibson Dunn notes that the changes will not take legal effect until they are formally adopted and published in the Official Journal. At the same time, the firm emphasizes that August 2, 2026, remains an active compliance date, particularly for transparency obligations that have not been fully deferred.

Hogan Lovells characterizes the package as a limited, targeted adjustment: The core architecture of the AI Act will not be rewritten. Companies should continue to take inventory of their AI systems, determine risk categories, and establish governance frameworks.

White & Case emphasizes that not all high-risk obligations have been deferred to the same extent and that companies should continue to review their use of AI and develop a compliance roadmap.

Why This Development Is More Strategically Relevant Than a Compliance Update

The obvious interpretation is: Companies are getting more time.
The strategically more important interpretation is: Europe is making AI operational, classifiable, verifiable, and comparable.

This is a whole new level of regulation. It’s not just about whether a single tool is permitted. It’s about whether an organization can transparently demonstrate which AI systems it uses, how they are classified, who is responsible, what data is used, what risks exist, how bias is managed, how output is labeled, and how the organization learns over time.

The structural problem underlying this news is not that “AI is becoming increasingly important.” The structural problem is that most companies lack a robust, comparable basis for making decisions regarding AI.

They invest in tools. They test use cases. They launch pilot projects. They discuss governance. But many leadership teams cannot answer one simple question precisely:

Where do we really stand compared to our peers?

This is exactly where strategic blindness arises. Without measurability, AI becomes a collection of isolated initiatives. Without comparability, governance becomes a matter of internal opinion. Without prioritization, AI investment becomes a portfolio of hope, pressure, and vendor narratives.

The EU AI Act makes this blindness more apparent. Not because regulation automatically leads to maturity, but because regulation forces companies to demonstrate their maturity.

What This Trend Reveals About AI Maturity

1. Compliance is not the same as AI maturity—but it does highlight a lack of maturity

A company can be AI Act-compliant without having a high level of AI maturity. Compliance measures whether minimum requirements are met. AI maturity measures whether an organization can use AI effectively from a strategic, technical, cultural, and economic perspective.

Nevertheless, the two are interconnected. Without an AI system inventory, it is difficult to classify systems reliably. Without an understanding of data quality, it is difficult to assess the risks of bias. Without a clear ownership structure, it is difficult to effectively implement human oversight. Without building AI literacy, it is difficult to responsibly empower those who deploy AI.

Compliance is the minimum standard. Maturity is the ability to turn that into a competitive advantage.

2. The EU is postponing deadlines because operational implementation is more difficult than reaching a political agreement

The postponement of high-risk obligations does not indicate that AI governance is unimportant. It shows the opposite: The path from legal text to operational corporate practice is challenging.

The European Commission points to the lack of—or pending—standards and support tools. The Commission’s FAQ also notes that harmonized standards play an important role because they can provide companies with a presumption of conformity; at the same time, the standardization work was not completed within the originally desired timeframe.

For boards and CEOs, this sends a clear message: Those who wait until all standards are finalized will lose time. Those who establish their own maturity baseline now will be able to implement future requirements more quickly, more effectively, and at a lower cost.

3. AI risks are increasingly being assessed through visible structures

The new bans on non-consensual intimate AI content and CSAM do not only apply to obvious “bad actors.” They also apply to providers and deployers whose systems could foreseeably be misused in the absence of technical safeguards. The European Parliament explicitly states that providers may not place such systems on the market unless they have adequate technical safeguards in place to prevent the creation of such content.

This changes the strategic logic. Companies must not only specify what their AI system is supposed to do; they must also demonstrate what avenues for misuse they anticipate, what controls are in place, and how they prevent systems from being used in ways that violate fundamental rights.

That's AI maturity in practice: not the ability to demonstrate, but the ability to control.

4. AI maturity becomes visible from the outside

Companies reveal more than they often realize. Not through confidential data, but through visible signals:

Hiring Profiles. AI Roles. Governance Communications. Public Policies. Product Information. Developer Activities. Patents. Standards. Certifications. Partnerships. AI Use Case Communications. Board Responsibilities. Security and Privacy Signals. Transparency Regarding GenAI Use.

These signals do not paint a complete picture. But they do provide a visible baseline. The market is beginning to evaluate companies not only based on whether they talk about AI, but also on whether their public structure reflects AI maturity.

That is the essence of the new reality: Your public AI maturity score already exists.

Not as a final judgment. But as an observation. As a comparison. As a signal.

Companies Become Visible to the Outside World

In traditional digital strategy, the focus was primarily inward: workshops, internal self-assessments, project lists, maturity models, and interviews. These have value. But they are no longer enough.

AI is changing how companies are perceived from the outside. Why?

Because AI maturity is reflected in visible organizational patterns. A company that is seriously operationalizing AI leaves its mark: in role profiles, technical job postings, governance documents, partner networks, product communications, compliance notices, data strategies, publications, and platform signals.

A company that only tests AI pilots leaves a different kind of trail: lots of announcements, little structure. Lots of tools, little ownership. Lots of proofs of concept, little governance. Lots of vendor projects, little data foundation.

That's not a moral judgment. It's an analytical assessment.

A public-signal score can interpret these visible indicators. An outside-in maturity estimate can show how mature a company appears from a market perspective. A visible maturity baseline can establish the starting point.

But it must never be the end of the analysis. It is the beginning.

Why Visible AI Maturity Must Become Measurable

Visibility without control creates a reputational risk. Control without visibility creates an internal illusion.

Companies need both: an external baseline and internal verification. Only then can corporate intelligence emerge.

From Public Signal to Verified Score

A Public Signal Score provides an external perspective. It can reveal what signals a company is already sending. It can also highlight areas where nothing is publicly apparent. However, it does not automatically take into account internal data architecture, actual project quality, governance processes, decision-making logic, security controls, or the depth of implementation.

That is why the correct approach is not to defend against it, but to verify it.

Claim your business. Complete your profile. Improve your score.

This isn't just a campaign tactic. It's a principle of governance. Companies should not ignore public perceptions, but rather build on them—not as a PR exercise, but as a strategic foundation for decision-making.

AI Maturity Must Become Comparable

Without a point of comparison, any AI strategy remains relative. One company may be convinced internally that it is well-positioned, but may lag behind its industry peers. Another company may be less vocal, but may be significantly further ahead in terms of data infrastructure, governance, and talent.

Comparability affects the quality of decisions.

It doesn't just ask, "Are we good?"
It asks, "Are we good enough—for our industry, size, risk exposure, and ambition?"

That is the difference between reporting and steering.

AI ROI Requires Maturity Intelligence

Many AI investments fail not because the models are poor. They fail because organizations are not mature enough to generate value from models.

The ROI of an AI project doesn't depend solely on the tool. It depends on data quality, process integration, adaptability to change, ownership, governance, employee expertise, technical architecture, and strategic prioritization.

Those who fail to measure these dimensions are optimizing AI investments blindly. This leads to a common misallocation: Companies invest in visible tools even though the bottleneck lies in the data foundation. They invest in pilot projects even though governance is lacking. They invest in automation even though processes are not standardized. They invest in generative AI even though security and accountability have not been clarified.

AI ROI doesn't start with a use case. It starts with a maturity baseline.

Strategic Implications for CEOs, Boards, CIOs, CDOs, and Leadership Teams

For CEOs: AI is no longer just a tool—it’s a strategic issue

CEOs should not view AI as a collection of individual initiatives. The EU AI Act shows that AI readiness will consist of governance, risk management, data capabilities, transparency, and implementation discipline.

The key question for CEOs is: Which AI investments measurably increase our competitiveness—and which ones are just for show?

You don't need another dashboard for that. What you need is an objective basis for decision-making that combines maturity, benchmarking, and prioritization.

For Boards: AI Governance Becomes a Matter of Oversight

Boards don't need to understand every model. But they do need to know whether the company has a strategic grasp of AI.

Questions relevant to the board include:

What AI systems do we use? Which of them are high-risk? What responsibilities do we have? What data risks exist? What signals are we sending to the outside world? How do we compare to the rest of the industry? Where do reputation or compliance risks arise? Which investments are prioritized?

If these questions cannot be answered, the problem is not a lack of regulation. It is a lack of corporate intelligence.

For CIOs and CDOs: The Data Foundation Is Becoming a Competitive Infrastructure

The EU AI Act addresses data quality, documentation, traceability, risk management, and technical robustness in several sections. High-risk providers must address, among other things, risk management, data quality, technical documentation, logging, transparency, human oversight, accuracy, cybersecurity, and robustness.

For CIOs and CDOs, this means that AI maturity is becoming an architectural issue. Legacy systems, fragmented data landscapes, a lack of classifications, and unclear data ownership are not just technical debt—they are strategic risks.

For CDOs and Transformation Leads: AI Maturity Is Portfolio Management

Transformation teams must be able to prioritize AI initiatives—not based on hype, political pressure, or vendor promises, but on maturity and impact.

Which initiatives improve the data foundation? Which ones reduce governance risk? Which ones increase AI literacy? Which ones enable technical reusability? Which use cases have truly scalable ROI potential?

AI Maturity makes these questions manageable.

For HR and Leadership Teams: AI Literacy Is Becoming an Organizational Signal

AI literacy is not just a peripheral training program. It is part of an organization’s ability to use AI responsibly. The European Commission notes that AI literacy requirements have been in effect since February 2025.

Leadership teams should therefore not ask, “Have our employees attended GenAI training?”
They should ask, “Can our teams assess AI risks, data quality, use-case prioritization, and responsible use within their area of responsibility?”

That is the difference between awareness and maturity.

The structural problem: Europe invests, but doesn't measure enough

Europe wants AI sovereignty, AI factories, better regulation, more innovation, and greater competitiveness. The European Commission refers to AI factories, the AI Office, the AI Act Service Desk, and a broader AI ecosystem to strengthen Europe.

But infrastructure alone is not enough.

Compute without adoption is capacity without impact.
Regulation without Maturity Intelligence is control without prioritization.
Funding without benchmarking is allocation without perspective.

If Europe wants to become more competitive in a targeted way, it needs more than just AI regulations. It needs a common benchmark for assessing how mature companies, industries, and ecosystems actually are.

That is the missing link between AI regulation and AI adoption.

A European AI maturity benchmark would not treat every company the same. It would highlight differences. It would show which industries need to strengthen their data foundations, which regions have talent gaps, which companies need to address governance gaps, and which organizations already have structural advantages.

Without this benchmark, Europe remains vulnerable to strategic blindness: a lot of activity, but little comparability.

Why the AI Act Is a Maturity Test

The EU AI Act is not a traditional maturity model. But it acts as a stress test for AI maturity.

It asks indirectly:

Can a company take inventory of its AI systems?
Can it classify risks?
Can it document responsibilities?
Can it ensure output transparency?
Can it anticipate misuse?
Can it monitor data quality and bias?
Can it operationalize human oversight?
Can it explain its current status to the board?

These questions are not legal details. They are management issues.

That is why the current delay should not be misinterpreted as a green light. More time does not mean less pressure. More time means that companies have the opportunity to build AI maturity before regulation and the market force them to do so.

Companies that take advantage of this opportunity will systematically manage AI. Companies that wait will later have to address compliance, data quality, governance, talent, and tool proliferation all at once.

CorpIn's Approach: Corporate Intelligence Instead of Tool-Based Thinking

In this context, a new category is emerging: Corporate Intelligence for AI Maturity.

CorpIn embodies this approach. It is not a traditional consulting firm. It is not just another AI tool provider. Rather, it is a corporate intelligence layer that makes AI maturity measurable, comparable, and manageable—at the corporate, industry, and, eventually, European levels.

The key difference lies in the combination of three perspectives:

Maturity Signals: What does the organization reveal about its data, systems, governance, capabilities, culture, and strategic direction?
Benchmark Signals: How does the company compare to its peers, the industry, and its size class?
Priority Signals: Where should leadership invest first, pause, or refocus?

An outside-in score can reveal public signals. A verified company profile can supplement and correct this view. A benchmark can turn this into a basis for informed decision-making.

This is how the transition from AI activity to AI maturity takes place—from self-assessment to comparability, and from compliance pressure to strategic management.

That is the essence of CorpIn – Defining Corporate Intelligence.

European AI Maturity Awards 2026: Visibility for Verified Maturity

When AI maturity becomes measurable, it also creates a new opportunity for visibility. The 2026 European AI Maturity Awards can stand for exactly that: not the most high-profile AI story, but demonstrable, benchmarkable maturity.

The key is the logic: Public Signals can raise a company's profile. Verified Maturity puts it in the running.

This makes the Awards not just a PR event, but a benchmarking opportunity. Companies are invited to establish their public baseline, complete their profiles, improve their maturity, and compare themselves with their peers.

Public signals may get you noticed. Proven maturity gets you into the race.

What Companies Should Do Specifically Right Now

The AI Act provides more time for certain high-risk obligations. But this time should not be viewed as a break. It is a strategic window.

Companies should now:

1. Take inventory of AI systems.
Which AI systems are being developed, purchased, integrated, or used? Who is the provider, who is the deployer, and who is the owner?

2. Identify risk categories.
Which systems could be high-risk? Which ones affect employment, education, credit, infrastructure, access to services, security, or sensitive decision-making?

3. Review public signals.
What AI maturity signals is the company sending publicly? Is there visible governance? AI roles? Data literacy? Technical capabilities? Transparency regarding AI use cases?

4. Evaluate the data foundation.
AI governance without data quality remains theoretical. Companies should systematically assess data accessibility, classification, ownership, quality, and integrability.

5. Operationalize governance.
Policies alone are not enough. What matters most are responsibilities, decision-making authority, escalation procedures, monitoring, documentation, and reporting to the board.

6. Build AI literacy in a targeted manner.
Not as generic training, but rather role-specific: leadership, IT, HR, legal, operations, sales, marketing, and finance each require different AI maturity competencies.

7. Prioritize AI investments.
Not every use case deserves a budget. Prioritization should be based on maturity, impact, ROI potential, risk, data availability, and scalability.

8. Verify the visible baseline.
A public-signal score is not a final judgment. But it is a starting point. Companies should claim it, complete it, and actively improve it.

Conclusion: Europe Is Already Being Graded

The EU AI Act shows where the market is headed: AI isn't just being used. AI is being controlled, classified, documented, labeled, regulated, and compared.

This changes the strategic reality for companies.

If you don’t measure AI maturity, you won’t be able to manage it.
If you don’t manage it, you’ll misprioritize your AI investments.
If you can’t compare it, you’ll overestimate or underestimate your competitive position.
If you ignore public signals, you’ll leave it up to others to interpret how mature your organization appears to be.

The future does not belong to the companies with the most AI pilots. It belongs to the organizations that translate AI into measurable, repeatable benefits.

To achieve this, Europe needs a common benchmark. Companies need a verifiable baseline. Management teams need corporate intelligence.

Europe is already being rated.
Claim your company. Complete your profile. Improve your score.
Compete for the 2026 European AI Maturity Awards.

Sources

Official and institutional sources

  1. European Commission: AI Act — Official Overview, Timeline, Governance, and Omnibus Simplification.
  2. European Commission: Navigating the AI Act — FAQs on objectives, risk classes, high-risk systems, transparency requirements, and standardization.
  3. European Commission: Simplification of AI regulations and new bans on “nudification” apps.
  4. European Parliament: AI Act — Final Approval of Simplification Measures and Ban on “Nudifier” App, June 16, 2026.
  5. European Parliament: Agreement on Simplification Measures and a Ban on “Nudifier” Apps, May 7, 2026.
  6. Council of the European Union: Council and Parliament Agree to Simplify and Streamline AI Rules, May 7, 2026.
  7. European Parliamentary Research Service: Digital Omnibus on AI — Adoption in plenary, June 2026.
  8. AI Act Service Desk: Article 99 — Penalties.

Legal and Policy Analyses

  1. Global Policy Watch: EU AI Act Update — Timeline Relief, Targeted Simplification, and New Prohibitions, June 2026.
  2. Gibson Dunn: EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Key Changes.
  3. Hogan Lovells: EU lawmakers agree to delay rules on high-risk AI.
  4. White & Case: EU Reaches Agreement on Digital Omnibus Package to Simplify AI Rules.
  5. Taylor Wessing: The EU Digital Omnibus on AI — What the Political Deal Means.

The content of this article may have been improved with the help of artificial intelligence. Therefore, we cannot guarantee that all information is complete and error-free.