The EU AI Omnibus trilogue negotiations are aiming to wrap before the August 2026 high-risk deadline. A final vote is expected in June. The AI Office's Unit A3, which enforces the whole thing, has roughly 40 staff planned. The DSA enforcement team has 160.
That ratio tells you everything about what happens next.
Unit A3 is outnumbered 4:1 before the first enforcement action
A coalition of industry bodies and civil society groups just published a warning. They're asking for €100M annual budget and 100 staff by 2030 for Unit A3. Right now they're getting neither.
The DSA, which covers content moderation for platforms, has 160 people. The AI Office, which covers every high-risk AI system deployed in the EU, gets 40. That's not a rounding error. That's a structural gap.
What this means in practice: enforcement will be slow, reactive, and focused on the biggest targets first. Small and mid-size AI vendors won't see an inspector for years. But the compliance paperwork still needs to be filed on time.
This staffing disparity creates a procedural bottleneck that the Omnibus negotiations have not addressed. The DSA's 160-person team can triage complaints, conduct audits, and issue fines in parallel across multiple platforms. The AI Office's 40-person unit must cover the entire lifecycle of high-risk systems — from conformity assessments and notified body coordination to post-market monitoring and incident reporting. Each high-risk system requires technical documentation review, risk management verification, and ongoing surveillance. With a 4:1 ratio against them, Unit A3 will inevitably prioritize the largest deployers — the hyperscalers and foundation model providers — leaving the rest of the market in a regulatory gray zone. For smaller vendors, this means the risk of non-compliance is low in the short term, but the cost of preparing for an eventual inspection remains fixed. The paperwork burden does not scale with enforcement probability. Every provider must still maintain logs, update technical documentation, and register their system in the EU database. The gap between de jure requirements and de facto enforcement will widen, creating a two-tier compliance reality: those who can afford to wait and those who cannot afford to be caught unprepared.
Your prospects are staring at a deadline they can't meet
August 2026 is the hard deadline for high-risk AI systems to comply with the AI Act. That includes:
- AI used in hiring and employee management
- Credit scoring and insurance pricing
- Biometric identification and categorisation
- Critical infrastructure management
- Education and vocational training access
Every company deploying these systems needs a conformity assessment, technical documentation, risk management system, and human oversight protocols. Most of them haven't started.
We've been tracking this since the UAE rewrote its safety rules earlier this year. The pattern is the same everywhere: regulators announce, companies ignore, deadline approaches, panic buying begins.
The UAE gave companies 90 days to comply with new safety rules. The EU is giving 18 months. The response curve looks identical, just stretched.
What makes this deadline uniquely dangerous is the structural bottleneck forming at the EU AI Office. The same office tasked with interpreting the Act, issuing codes of practice, and managing the public database of high-risk systems is already under-resourced compared to the Digital Services Act (DSA) enforcement machinery. The DSA has a dedicated board, national coordinators, and a central enforcement unit with hundreds of staff. The AI Office, by contrast, is operating with a fraction of that capacity while facing a compliance scope that cuts across every regulated industry in Europe. Companies expecting rapid guidance or pre-approval pathways will find a queue, not a concierge. The conformity assessment process itself requires notified bodies — independent auditors — that barely exist at scale today. Most member states have not designated a single notified body for AI. Without that infrastructure, even a company that starts its technical documentation tomorrow will face validation delays measured in months, not weeks. The window between "we should do something" and "we physically cannot get an audit slot" is closing faster than the calendar suggests.
Who needs your compliance solution right now
Three buyer personas are worth your time this quarter:
Legal and compliance teams at mid-market AI vendors. These are the people who know the deadline exists and are quietly terrified. They have budget for external tools because hiring a full-time AI compliance officer costs more than a software subscription. They're searching for "AI Act compliance checklist" and "EU AI Office guidance" right now. What they haven't yet realized is that the Omnibus negotiations are introducing cross-cutting obligations that tie the AI Act to the Digital Services Act, GDPR, and sector-specific regulations like the Medical Device Regulation. A checklist won't cut it. They need a system that maps overlapping requirements — for example, where an AI-powered hiring tool must simultaneously satisfy AI Act transparency rules, GDPR data minimization principles, and DSA risk assessment protocols for platform intermediaries. The compliance burden multiplies at each intersection, and manual tracking across these frameworks is already breaking down inside mid-market firms.
Enterprise procurement teams buying AI tools. Every large company in the EU is now required to vet its AI vendors for compliance. Procurement teams need to show due diligence. They'll buy a solution that generates vendor assessment reports and compliance documentation. But the deeper need here is defensibility. When the AI Office eventually audits a deployed system — and it will, despite being under-resourced — procurement teams must prove they didn't just collect paperwork but actually verified model behavior, training data provenance, and human oversight mechanisms. The Omnibus negotiations are hardening these verification standards, moving from self-declaration toward third-party conformity assessment for high-risk systems. Procurement teams that wait for final text will scramble; those who pre-build audit-ready vendor workflows now will have a competitive advantage in closing deals faster than peers stuck in manual review cycles.
Consultancies serving regulated industries. The Big Four and boutique compliance firms are building AI Act practices. They need tools to scale their delivery. If you sell a platform that lets them audit clients faster, they'll pay. The overlooked angle here is that consultancies are also racing to standardize their methodology before the AI Office publishes its official codes of practice. Early movers who codify their audit templates into software will lock in client relationships before competitors can replicate the workflow. Moreover, the Omnibus negotiations are creating a secondary market: consultancies need to advise clients on how the AI Office's resource constraints affect enforcement timelines. A tool that helps them model regulatory risk scenarios — e.g., "if the AI Office prioritizes social scoring systems over chatbots, what does that mean for your deployment roadmap?" — becomes indispensable for strategic advisory, not just compliance reporting.
We wrote about how Series A funding rounds create buying signals a few weeks back. The same logic applies here: regulatory deadlines are the strongest buying signal you can track. They're non-negotiable, time-bound, and carry financial penalties for missing them.
The enforcement gap creates a compliance arbitrage
Here's the contrarian take: the AI Office being under-resourced is good for your pipeline.
When enforcement is weak, companies delay compliance. They wait until the last possible moment. That creates a compressed buying window where everyone needs the same solution at the same time. Prices go up. Decision cycles shorten. The vendors who built pipeline before the panic win.
If the AI Office had 160 staff and started auditing tomorrow, compliance would be a slow, steady market. Instead, it's going to be a spike. August 2026 is the spike.
This enforcement gap doesn't just delay action — it creates a structural compliance arbitrage that savvy sales teams can exploit. The AI Office, currently operating with a fraction of the Digital Services Act's enforcement headcount, cannot conduct proactive market surveillance. They will rely on complaints and self-reporting. That means the first companies to face scrutiny will be the ones that draw attention: high-profile deployers, vocal critics, or those caught in a competitor's complaint. The rest will calculate that the probability of an audit before the deadline is low, so they allocate budget elsewhere. But when the Office finally ramps up — likely through external contractors or delegated national authorities — the scramble will be disorderly. Unlike the DSA's phased rollout with clear tiered obligations, the AI Act's risk categories are still being interpreted. Companies that assumed their internal tool or low-risk classification would pass unnoticed will face retroactive compliance demands. That's when your solution becomes non-negotiable, not nice-to-have.
Start building your prospect list now. Target companies that have publicly announced AI products in regulated verticals. Look for job postings for AI compliance roles — that's a company that knows the deadline exists. Check their careers page for "AI Ethics Officer" or "Responsible AI Lead."
One signal we track: companies that published AI principles or ethics frameworks in 2024-2025 but haven't hired anyone to implement them. They've done the easy part. The hard part is coming.
What we'd do next
Here’s the thing: most of those 200 companies won’t even know they’re on the hook. The AI Act’s high-risk classification is broader than most founders realize — it catches not just medical devices or recruitment tools, but also insurance underwriting, credit scoring, and any system that profiles EU citizens for access to essential services. So step one isn’t just building the list; it’s filtering by the actual use case, not the product category. A CRM that scores leads? Probably fine. A CRM that scores loan applicants? High-risk, full stop.
Once you’ve got that list, the compliance check needs to go deeper than a surface scan. Most companies will have a risk assessment document somewhere — but the AI Office is already signaling that they’ll look for evidence of continuous monitoring, not just a one-time filing. So your outreach should flag the gap between “we have a document” and “we have a process.” That’s the kind of specific, non-salesy observation that gets a reply from a CTO who’s been told by legal to “figure this out by August.”
And the timing matters more than most realize. The DSA’s enforcement ramp-up has already shown that the EU’s regulatory machinery moves faster than companies expect. The AI Office may be under-resourced, but they’re not under-motivated. They’ll prioritize the clearest violations first — and a company with no visible compliance posture is an easy target. Your email should frame the deadline not as a distant threat, but as a window that’s closing faster than their internal review cycle can keep up with.