EU grants 16-month AI Act relief

EU negotiators have agreed to rewrite the AI Act’s rollout calendar without reopening the law’s core structure. On May 7, the Council presidency and European Parliament negotiators reached a provisional agreement under the Digital Omnibus on AI, the first formal amendment package since the AI Act was adopted in June 2024. The deal delays the most demanding obligations for some high-risk systems, adds a new ban tied to non-consensual sexual content, and adjusts transparency timing for synthetic media. (consilium.europa.eu) The practical effect is uneven. Hiring, education and other stand-alone high-risk systems listed in Annex III get 16 more months before the main compliance obligations apply, while product-linked systems such as some medical devices move by one year. At the same time, some prohibitions and transparency rules move faster than companies expected. (consilium.europa.eu) ### Which AI systems just got more time? The May 7 agreement moves the application date for stand-alone high-risk AI systems in Annex III from August 2, 2026 to December 2, 2027. That category includes use cases such as employment-related systems and certain education, critical infrastructure and biometric applications under the AI Act’s risk structure. (consilium.europa.eu) Product-regulated high-risk systems in Annex I get a shorter reprieve. The agreement shifts their deadline from August 2, 2027 to August 2, 2028, covering AI used as a safety component of, or constituting, products governed by sectoral legislation such as medical devices and other harmonized product rules. (insideprivacy.com) ### Why did Brussels push the dates back? The Council of the EU said the Commission had proposed delaying the rules for high-risk systems by up to 16 months so they would start once standards and compliance tools were available. Inside Privacy said the delay reflects implementation problems around testing, documentation and third-party assessment, while William Fry said harmonized standards and national authority designations were lagging the original timetable. (insideprivacy.com) Marilena Raouna, Cyprus’s deputy minister for European affairs, said the agreement would reduce recurring administrative costs and support smoother, more harmonized implementation across the bloc. Her statement came in the Council’s May 7 release announcing the provisional deal. (consilium.europa.eu) ### What is being tightened instead of delayed? The same agreement adds a new prohibited practice covering AI used to generate non-consensual sexual and intimate content or child sexual abuse material, according to the Council and legal analyses of the text. TechTimes reported that so-called nudifier apps would have to exit by December 2026 under the faster-track changes. (consilium.europa.eu) Article 50 transparency rules are also being adjusted rather than broadly postponed. Inside Privacy said providers of systems generating or manipulating synthetic content that were already on the market before August 2, 2026 would need machine-readable marking and detectability by December 2, 2026, a four-month delay rather than a longer deferral. Systems placed on the market after August 2, 2026 must comply when they are placed on the market or put into service. (consilium.europa.eu) ### What changed for companies outside the headline delay? The Council said negotiators extended some regulatory exemptions for small and medium-sized enterprises to small mid-caps and reduced requirements in a limited number of cases. The provisional text also reinstates the obligation for providers to register systems in the EU database for high-risk systems when they consider those systems exempt from high-risk classification. (consilium.europa.eu) Inside Privacy said the package also postpones the obligation for each member state to establish at least one national AI regulatory sandbox from August 2, 2026 to August 2, 2027. ### Where do AI agents fit into this rewrite? (insideprivacy.com) WatersTechnology reported on May 18 that AI agents still do not formally exist as a defined category in the EU AI Act, leaving companies to work through compliance questions by analogy to existing categories. That means the Omnibus deal changes timelines and some obligations, but does not settle how autonomous or semi-autonomous agents should be classified under the law. That gap matters because firms building agentic systems still have to decide how to document autonomy, human oversight and auditability without a dedicated legal definition in the statute. (consilium.europa.eu) WatersTechnology framed that as regulatory limbo rather than a resolved policy question. ### What happens next in Brussels? (insideprivacy.com) The May 7 text is still provisional. The Council said the agreement was updated on May 18 with a letter from the Council presidency to the Parliament aimed at a first-reading agreement, and William Fry said the package still needs formal endorsement by both institutions, legal-linguistic revision and publication in the Official Journal. The next fixed dates in the package are December 2, 2026 for certain synthetic-content transparency obligations, December 2, 2027 for Annex III high-risk systems, and August 2, 2028 for Annex I product-linked systems if the deal is formally adopted. (waterstechnology.com) (consilium.europa.eu)