EU simplifies toughest AI Act

The European Union has not reopened the AI Act from scratch. It has changed how some of the law will be applied, with the European Commission, Parliament and Council agreeing in early May to simplify implementation and extend parts of the timetable for high-risk systems. (digital-strategy.ec.europa.eu) The most concrete change is for high-risk AI systems listed in Annex 3, which include uses in employment, education, migration and other sensitive areas. Those rules will now apply from December 2, 2027, according to the Commission, rather than on the earlier timeline many companies had been preparing for. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) That matters because the AI Act still keeps its risk-based structure and its bans on prohibited uses. What has shifted is the emphasis: less immediate pressure to meet a near-term deadline for some high-risk systems, and more reliance on guidance, templates and implementation tools from the Commission and the AI Office. (digital-strategy.ec.europa.eu) ### So what actually changed? The Commission said on May 7 that the political agreement on its “Digital Omnibus on AI” would make implementation easier for EU businesses while preserving the law’s safety and fundamental-rights aims. The agreement sets a “clear implementation timeline” for high-risk systems and moves Annex 3 systems — including employment-related AI — to a December 2, 2027 application date. (digital-strategy.ec.europa.eu) For AI embedded in regulated products such as toys or lifts, the timetable is later still: those rules apply from August 2, 2028. The Commission said the sequencing is intended to leave time for technical standards and support tools to be in place before obligations bite. (digital-strategy.ec.europa.eu) ### Did Brussels weaken the law’s core bans? The AI Act’s core architecture remains in place. The Commission’s AI Act page still describes a four-tier, risk-based regime and lists prohibited practices including harmful manipulation, social scoring, untargeted scraping of internet or CCTV material for facial-recognition databases, and emotion recognition in workplaces and schools. (digital-strategy.ec.europa.eu) So this is not a rollback of the headline prohibitions. It is a simplification of how companies get to compliance, especially in categories where documentation, conformity assessment and legal uncertainty had become a major operational issue. That framing comes from the Commission’s own simplification material and implementation guidance plans. (digital-strategy.ec.europa.eu) ### Why are critics focused on implementation, not just timing? The Commission has put much of the next phase in guidance documents and voluntary tools. In a December 2025 update, it said the AI Office would prepare guidelines in 2026 on high-risk classification, transparency requirements, serious-incident reporting, obligations for providers and deployers, substantial modification, post-market monitoring and simplified quality-management elements for SMEs and small mid-caps. (digital-strategy.ec.europa.eu) That gives regulators more room to shape the law through practice documents rather than new legislation. Critics of the broader implementation process have argued that voluntary compliance tools and negotiated guidance can advantage large companies that have the staff and lobbying access to shape them, though that critique depends on outside analysis rather than a formal Commission statement. (digital-strategy.ec.europa.eu) ### Where does the GPAI code fit in now? The general-purpose AI code of practice remains voluntary. The Commission says providers that sign it can use it to demonstrate compliance with the AI Act’s obligations on transparency, copyright, and — for the most advanced models — safety and security. (digital-strategy.ec.europa.eu) The Commission and the AI Board have said signing the code can reduce administrative burden and provide more legal certainty than trying to prove compliance through other methods. That makes the code a practical compliance route, even though it is not the only one. ### Why should hiring-software vendors care? The AI Act explicitly treats hiring decisions as a sensitive area. The Commission’s AI Act page uses hiring as an example of where opaque AI decisions can unfairly disadvantage people, and the simplified timetable now specifically covers employment systems in the Annex 3 high-risk bucket that moves to December 2, 2027. (techpolicy.press) For vendors, that means the main question is becoming operational: how to document systems, run post-market monitoring, handle incident reporting, and show compliance across the value chain. (digital-strategy.ec.europa.eu) The Commission has already said those are among the subjects for 2026 guidance. The next formal milestones are the Commission’s 2026 guidance package and the December 2, 2027 application date for Annex 3 high-risk systems, including AI used in employment. (digital-strategy.ec.europa.eu) (digital-strategy.ec.europa.eu) (digital-strategy.ec.europa.eu)