
The EU AI Act Delay Is Not a Gift. It's the Last Warning.
The EU Parliament just voted to push back key AI Act high-risk deadlines. I can hear the champagne corks popping from here in Jönköping. Swedish boardrooms are exhaling. CTOs are shelving compliance projects. Everyone is celebrating extra time.
They're celebrating the wrong thing.
Here's the number that should keep you awake: only 35% of Swedish companies have adopted generative AI at all. That means 65% of firms have built exactly nothing. No AI strategy. No compliance infrastructure. No internal governance. And now the EU just told them they can wait a little longer. This is not a gift. This is a training exercise in procrastination at continental scale, and it is going to end badly.
The Delay Is Real. The August Deadline Is Also Real.
Let me be specific about what is happening right now. The EU Parliament's vote delays the high-risk classification deadlines: the timelines for things like AI systems in critical infrastructure, employment, and law enforcement got pushed back. Fine.
But the transparency obligations? Those are still arriving in August 2026. That's weeks away. S&P Global and Sidley Austin both confirm this. If you're deploying any AI system that interacts with humans, generates synthetic content, or makes decisions affecting people, you need transparency mechanisms in place. Not planned. In place.
How many Swedish companies are ready for that? Based on what I see from our work as an AI development company in Europe, I'd put it under 15%. And that's being generous.
Sweden's Compliance Problem Is a Culture Problem
I run a tech company in Jönköping. Not Stockholm. Not San Francisco. Jönköping. That gives me a specific vantage point on Swedish tech culture, and what I see is a pattern that repeats every single regulatory cycle.
GDPR happened. Swedish companies panicked in the last six months before enforcement, hired consultants at absurd rates, slapped cookie banners on everything, and called it done. Most of them still aren't actually GDPR compliant in any meaningful sense. They're just not big enough to get caught.
The AI Act is going to be different. The penalties are bigger. The scope is wider. And unlike GDPR, which mostly affected how you stored data, the AI Act affects how you build things. That's a much harder problem to cram for.
Yet here we are again. A free tool just launched in Sweden specifically to help companies parse their EU cybersecurity obligations. Dagens Infrastruktur covered it. Think about what that signals. Swedish firms can't even understand what they're supposed to comply with. They need hand-holding tools just to read the requirements. And these are the companies celebrating a deadline extension.
The 35% number is damning
Tech-insider.org reports that only 35% of Swedish companies have adopted generative AI as of 2026. The report cites EU regulation as both a motivator and a blocker. That duality tells you everything. Companies know they should be building with AI. They also know the regulatory environment is complex. So they do neither. They don't build. They don't prepare for compliance. They sit.
In Jönköping, I talk to manufacturing companies, logistics firms, SaaS founders. The pattern is the same. "We'll wait until it's clearer." Clarity is not coming. The regulation is already published. What they're actually waiting for is someone else to go first and get punished, so they can learn from the wreckage. That's not a strategy. That's cowardice dressed up as prudence.
Meanwhile, in San Francisco and Shenzhen
Here's what makes this genuinely dangerous, not just for individual companies but for European competitiveness as a whole.
American companies are shipping AI products at a pace that makes my head spin. OpenAI, Anthropic, Google, Meta. They are iterating on models, deploying agents, and building infrastructure with minimal regulatory friction. The US has no equivalent of the AI Act. There are executive orders and voluntary commitments, sure. But nothing with the teeth of what the EU is building.
Chinese companies are doing the same, but with state backing and a domestic market of 1.4 billion people to train on. DeepSeek proved earlier this year that you don't need a billion-dollar compute budget to build competitive models. You need focus and speed.
Europe has neither right now. We have process. We have frameworks. We have committees discussing frameworks. And now we have a delay on top of the frameworks, which means the committees will discuss for even longer.
I'm not anti-regulation. I think AI governance matters. At HEIMLANDR.IO, we build AI agent systems and we want clear rules. Clear rules let us build with confidence. But the EU's approach isn't creating clarity. It's creating a moving target. Every delay, every amendment, every extension trains European builders to hesitate. And hesitation in a market moving this fast is death.
The compliance gap is a competitive gap
Let me put this in concrete terms. A Swedish SaaS company that wants to deploy an AI-powered customer service agent today has to worry about: AI Act transparency requirements (August 2026), high-risk classification (delayed but coming), GDPR data processing implications, the upcoming Cyber Resilience Act, and potentially NIS2 if they serve critical sectors.
A competitor in Austin, Texas has to worry about: shipping the product.
That's the gap. It's not a small gap. And it's growing with every delay, because the delays don't reduce the total compliance burden. They just compress it into a shorter window later.
Where This Goes: 2027-2030
Let me tell you what I think happens next, and I'm not being optimistic.
2027: The delayed high-risk deadlines finally arrive. European companies scramble. A compliance consulting industry explodes in size. Actual AI development in Europe slows even further because engineering talent gets pulled into compliance projects instead of product work. The first major enforcement actions hit, probably against a mid-size company, not a tech giant, because tech giants have legal departments and mid-size companies don't.
2028: The gap between US/Chinese AI capabilities and European AI capabilities becomes visible to mainstream media. Politicians start talking about a "European AI moonshot" or some similar branding exercise. Meanwhile, European companies are increasingly dependent on American AI infrastructure because they never built their own.
2029-2030: The path toward AGI accelerates. Models become capable enough that the AI Act's classification system starts to look outdated. A system designed to categorize specific use cases doesn't map well onto general-purpose systems that can do everything. The EU starts drafting new regulation. The cycle repeats.
The companies that survive and thrive through this will be the ones that treat compliance as engineering, not as a legal afterthought. Build governance into your architecture. Make it part of how you ship, not something you bolt on before an audit.
What to Actually Do About This
Enough diagnosis. Here's what I think builders should do right now.
First, don't celebrate the delay. Use it. You have a window. A small one. Build your compliance infrastructure now, while the pressure is low and consulting rates haven't spiked. If you're a CTO, this means documentation systems, model cards, audit trails, and transparency mechanisms. Not next quarter. Now.
Second, separate compliance from innovation. The biggest mistake I see Swedish companies make is letting regulatory uncertainty freeze their entire AI strategy. Build your AI products. Build your compliance layer. Do both in parallel. If you need to hire an AI developer in Sweden who understands both sides, we do that work at HEIMLANDR. But whoever you work with, don't let one block the other.
Third, invest in tooling. The compliance tooling ecosystem is maturing fast. Stop treating governance as a manual spreadsheet exercise.
What to Look At
Here are specific tools and repos worth evaluating right now:
CISO Assistant (4,198 stars on GitHub). Open source GRC platform that supports 150+ frameworks including the AI Act, GDPR, NIS2, and DORA. If you're a mid-size company trying to understand which requirements actually apply to you, this is a serious starting point. It does automatic control mapping across frameworks, which means you can see where your GDPR work already covers AI Act obligations. That overlap is real and most companies don't realize it.
Prowler (14,000+ stars). The most widely used open-source cloud security platform. If your AI systems run on AWS, Azure, or GCP (and they do), Prowler automates security and compliance checks across your cloud environment. This is the kind of tool that should be in every European engineering team's CI/CD pipeline right now.
Bearer (2,691 stars). Code security scanning that specifically surfaces privacy risks. If you're building AI systems that process personal data (and again, you are), running Bearer against your codebase will tell you where your exposure is before a regulator does.
immudb (8,988 stars). An immutable database built on zero-trust principles with tamper-proof audit trails. When the AI Act's transparency requirements demand that you prove what data your model was trained on and what decisions it made, having an immutable record becomes very attractive. Worth investigating for audit trail architecture.
The Uncomfortable Truth
Here's what nobody in Swedish tech wants to hear. The delay doesn't help you. It hurts you. It hurts you because it confirms the pattern. European tech treats regulation as an event, not a practice. Something to prepare for when the deadline approaches, not something to build into how you operate every day.
American companies don't have this problem because they don't have the regulation. Chinese companies don't have this problem because their regulation is designed to accelerate, not constrain. European companies have a unique challenge: regulate seriously AND move fast. We're currently doing neither.
From Jönköping, I watch this with a mix of frustration and opportunity. Frustration because Sweden has extraordinary engineering talent, strong infrastructure, and a culture of trust and collaboration that should make us perfect for responsible AI development. Opportunity because every company that freezes creates space for companies that move.
At HEIMLANDR, we're building. We're building AI agents, SaaS platforms, and compliance-aware systems for clients who understand that waiting is the riskiest option on the table. The wall is coming. The delay just means you'll hit it at higher speed.
Start building your compliance infrastructure today. Not because the deadline demands it. Because your survival does.
Fredrik Brunnberg is the CEO of HEIMLANDR.IO, building AI and software solutions from Jönköping, Sweden. This is the daily HEIMLANDR briefing.