EU delays AI Act obligations

The European Union has provisionally agreed to push back some of the AI Act’s most demanding compliance deadlines, while adding at least one new prohibition. On May 7, 2026, negotiators from the Council of the EU and the European Parliament reached a political deal on targeted amendments to the bloc’s AI rules as part of the Digital Omnibus on AI. The change delays obligations for many stand-alone high-risk AI systems from August 2, 2026 to December 2, 2027, according to the Council and legal analyses published after the deal. It also adds a ban on AI systems that generate non-consensual sexual or intimate content. ### So what exactly was delayed? The biggest deadline change applies to Annex III high-risk AI systems — the stand-alone systems covered by the AI Act’s use-based list. Those obligations were due to start on August 2, 2026 and would now apply on December 2, 2027 under the provisional agreement, a 16-month delay. Legal summaries say that bucket includes systems used in areas such as employment, education and access to healthcare. (consilium.europa.eu) A second deadline change applies to product-regulated high-risk systems under Annex I. Those systems, which include AI embedded in regulated products, would move from August 2, 2027 to August 2, 2028. The European Parliament’s legislative tracker says the new timetable sets December 2, 2027 for stand-alone high-risk systems and August 2, 2028 for high-risk systems embedded in products. (insideprivacy.com) ### Does this mean the EU is backing away from the AI Act? The European Commission said no. In a statement on May 7, the Commission said it welcomed “simpler, innovation-friendly rules” while maintaining benefits for “European society, safety and fundamental rights.” The Council said the agreement was meant to streamline implementation and reduce recurring administrative costs, while keeping the broader framework in place. (insideprivacy.com) The legal changes described by Inside Privacy are narrower than a rewrite of the whole law. The package includes timeline extensions, limited simplification measures, and a small number of substantive policy changes, rather than a repeal of the high-risk regime. ### What new bans were added? The provisional deal adds a new prohibited AI practice covering the generation of non-consensual sexual and intimate content, according to the Council. (digital-strategy.ec.europa.eu) The Commission described the measure as a ban on “nudification” apps, and Euronews reported that Parliament and Council had agreed to prohibit systems that generate intimate images of people without prior consent. (insideprivacy.com) That matters because the Omnibus does two things at once: it delays parts of the compliance calendar for high-risk systems and accelerates restrictions on a politically sensitive category of AI misuse. TechTimes reported that the ban on AI-generated sexual abuse imagery and related watermarking rules would arrive on a faster track than the postponed high-risk obligations. (consilium.europa.eu) ### Were any other dates changed? Article 50 transparency obligations were also adjusted for some synthetic-content systems. Inside Privacy said that, for systems placed on the EU market or put into service before August 2, 2026, the obligation to mark outputs in a machine-readable and detectable format moves from August 2, 2026 to December 2, 2026. Systems placed on the market after August 2, 2026 must comply from the date they are placed on the market or put into service. (techtimes.com) National AI regulatory sandboxes were also pushed back. Inside Privacy said the requirement for member states to establish at least one national sandbox shifts from August 2, 2026 to August 2, 2027. ### Why was the timetable moved? The European Commission proposed linking the start of some high-risk rules to the availability of standards and compliance tools. (insideprivacy.com) The Parliament’s legislative tracker said the proposal was meant to address delays in establishing standards, designating national authorities and setting up conformity-assessment bodies. Inside Privacy said the extension gives standards bodies such as CEN-CENELEC more time to prepare the technical standards and guidance needed for compliance. ### What happens next? The agreement is still provisional. The Council press release says it was updated on May 18, 2026 with the letter sent by the Council presidency to the European Parliament with a view to a first-reading agreement. Until the text is formally adopted, the current law remains the law on the books, but the political direction is now clear: December 2, 2027 for stand-alone high-risk systems, August 2, 2028 for embedded product AI, and a new ban on non-consensual intimate-image generation. (europarl.europa.eu) (consilium.europa.eu)