On May 7, 2026, the Council of the EU and the European Parliament announced their provisional agreement on targeted amendments to the EU AI Act, as part of the European Commission's Digital Omnibus initiative launched in late 2025, which proposed to delay the implementation of rules governing high-risk AI until 2027/28. The agreement acknowledges that AI Act compliance requires significant preparation and the introduction of supporting technical standards. The delay is intended to provide businesses with additional time to achieve compliance, while underscoring the expectation that implementation efforts should already be underway.
When the AI Act (Regulation (EU) 2024/1689) was adopted in 2024, its staggered implementation timeline envisaged that obligations for certain high-risk AI systems (HRAI) would begin to apply from August 2026. However, it quickly became clear that key elements needed for compliance would not be fully in place on time given the significant operational uplift required and the reliance on yet-to-be-developed technical standards. There has also been considerable geopolitical pressure on the EU to reduce the regulatory burden on technology companies from digital regulation.
In response, the European Commission proposed the Digital Omnibus on AI in November 2025. The proposal did not seek to reopen the core architecture of the AI Act. Instead, it introduced a limited set of targeted adjustments aimed at:
The political agreement announced today largely maintains that approach.
Although the final legislative text is not yet available, both institutions have outlined the key changes reflected in their agreement:
The most significant change is the postponement of obligations for HRAI. For standalone high-risk AI systems that are classified under Annex III of the AI Act, the application of the relevant requirements is deferred until December 2, 2027. Similarly, the obligations that apply to high-risk AI systems that are embedded in regulated products in Annex I are deferred until August 2, 2028.
These dates, which will replace the current deadlines, namely August 2, 2026 for standalone high-risk AI systems and August 2, 2027 for high-risk AI systems embedded in regulated products, are intended to ensure that businesses have access to the necessary technical standards and compliance tools that the Commission is expected to develop before obligations take effect.
Another key area of focus is the interaction between the AI Act and existing EU product safety frameworks, such as in relation to medical devices, toys, and machinery. The agreement aims to reduce duplication and clarify how requirements apply to AI systems embedded in regulated products, particularly where the product safety legislation and AI Act may include overlapping obligations. However, the changes being proposed appear to be less significant in simplifying the position on product safety rules than had been proposed. The machinery regulation has also been entirely exempted from being considered HRAI.
This has been a contentious issue throughout the legislative process and reflects longstanding concerns about “double regulation” for certain categories of products.
The agreed revisions will also introduce a targeted expansion of prohibited AI practices under Article 5, building on the Commission’s proposal and subsequent negotiations.
Most notably, the agreement adds a prohibition on AI systems used to generate non-consensual intimate imagery (NCII) and child sexual abuse material (CSAM), including so-called “nudifiers”, reflecting evolving risks associated with synthetic content, as put forward in the proposals of the Council and the Parliament in March 2026.
In addition to HRAI, the Omnibus will also result in the watermarking obligations that apply to providers of AI systems under Article 50(2) of the AI Act being postponed until December 2, 2026. This period is shorter than the six-month delay that had been previously proposed. All other transparency obligations, including those that apply to deployers, will continue to apply from August 2, 2026.
The political agreement also includes a number of more technical changes, including:
Taken together, these changes are intended to improve the operability of the framework without altering its fundamental structure.
The agreement reached on May 7, 2026 is a provisional political agreement. It must still be formally endorsed and adopted by the co-legislators before it becomes law. Given the proximity of the original August 2026 deadline, the legislative process is expected to proceed on an accelerated timeline in the coming weeks.
For businesses developing, deploying, or distributing AI systems in the EU, the immediate takeaway is that we now have clear direction on both the limited nature of the reforms to the AI Act and when the core provisions relating to HRAI will apply.
In practical terms, organizations should be taking immediate steps to prepare for compliance. This includes performing scoping assessments to determine the application of the Act to their business and developing AI governance frameworks that align with the AI Act’s risk-based approach.
Importantly, the revised provisions do not fundamentally alter the AI Act’s core architecture, with the risk-based classification structure and the obligations that apply to HRAI, general-purpose AI models, and prohibited practices remaining unchanged.
Authored by Dan Whitehead, Christian Tinnefeld, Julian Flamant, Valerio Natale, and Alex Rutherford.