On May 7, 2026, the European Parliament and the Council of the European Union reached a provisional agreement on a set of targeted amendments to the Regulation (EU) 2024/1689 (the “EU AI Act”), which seek to simplify several aspects of the Act. The deal follows marathon overnight negotiations and comes just months before the original August 2, 2026 compliance deadline for high-risk AI systems—a deadline that many stakeholders warned was unachievable given the absence of finalized harmonized standards, compliance tools, and designated national authorities. 

Background

The European Commission first proposed the amendments to the EU AI Act on November 19, 2025, in response to widespread concerns that the AI Act's implementation timeline was running ahead of the practical infrastructure needed to support it—a situation which could have left stakeholders noncompliant without a reasonable path towards compliance. Key implementation challenges included the lack of harmonized technical standards, delays in the appointment of conformity assessment bodies and national competent authorities, and guidance gaps for organizations navigating high-risk AI system requirements. The Commission's stated objectives were to simplify the regulatory framework, promote innovation, and reduce the compliance burden on businesses — particularly small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs) — without abandoning the AI Act's core risk-based architecture. 

Key Amendments at a Glance

Postponement of High-Risk AI Deadlines. One significant change is the deferral of the compliance deadlines for high-risk AI systems. Under the original Act, obligations for high-risk AI systems listed in Annex III (covering areas such as biometrics, employment, education, law enforcement, critical infrastructure, and border management) were set to become effective August 2, 2026. The amendments would replace this with a new deadline of December 2, 2027. For AI systems embedded in regulated products under Annex I (such as medical devices, machinery, toys, and lifts), the deadline moves to August 2, 2028. 

New Prohibition on "Nudifier" Apps and CSAM. The co-legislators added a new prohibited practice under Article 5, banning AI systems used to generate non-consensual sexually explicit or intimate content (so-called "nudification" apps) or child sexual abuse material (CSAM), after a significant push by stakeholders which noted the incredible risks associated with such systems. Compliance with this prohibition is required by December 2, 2026. 

Clarification of Overlap with Sectoral Laws. Another negotiating focus was the interplay between the AI Act and existing EU product safety legislation, particularly the Machinery Regulation ((EU) 2023/1230 which implemented a number of new cybersecurity requirements to reinforce machinery safety features). Under the amendments to the AI Act, machinery is carved out from direct AI Act applicability where overlapping rules already exist, with AI-specific health and safety requirements to be addressed through delegated acts under the EU's Machinery Regulation itself. For other sectors—including medical devices, connected cars, and toys—the Commission is empowered to adopt implementing acts to manage the interplay given the plethora of industry-specific regulations that exist in this space already. 

Extended Regulatory Exemptions. Certain simplified requirements previously available only to SMEs (small to medium enterprises) are now extended to small mid-cap companies. These include simplified technical documentation requirements and special consideration in the assessment of penalties. 

Processing Sensitive Data for Bias Detection. The agreement expands the legal basis for processing special categories of personal data (such as data revealing racial or ethnic origin) where strictly necessary to detect and correct bias in both high-risk and non-high-risk AI systems, subject to appropriate safeguards. 

Reinforced AI Office Powers. The EU AI Office's supervisory competence is clarified and expanded, particularly over AI systems built on general-purpose AI models where the model and system are developed by the same provider, and over AI systems embedded in very large online platforms and search engines. 

Regulatory Sandboxes. The deadline for Member States to establish national AI regulatory sandboxes is postponed from August 2, 2026 to August 2, 2027. 

Watermarking and Transparency Obligations. The grace period for providers to implement transparency solutions for AI-generated content under Article 50(2) has been reduced from six months to three months, with a new compliance deadline of December 2, 2026. 

Retained High-Risk Systems Database Registration. Despite the Commission's original proposal to remove the obligation, providers must continue to register AI systems in the EU's high-risk systems database, even where they self-assess as non-high-risk. 

Next Steps

The provisional agreement must still be formally endorsed and adopted by both the European Parliament and the Council of the EU. The text will then undergo legal-linguistic revision before publication in the Official Journal of the European Union. The Council has indicated that formal adoption will take place "in the coming weeks," and both co-legislators intend to complete adoption before August 2, 2026 — the date on which the original high-risk obligations would otherwise begin to apply. Once formally adopted, the amendments will be published in the Official Journal and enter into force three days after publication. 

Key Upcoming Compliance Dates: The revised timeline introduces several near-term milestones that organizations should be tracking:

• December 2, 2026: Compliance deadline for the new Article 5 prohibition on nudifier and CSAM-generating AI systems, and for the watermarking/transparency obligations under Article 50(2).
• August 2, 2027: Deadline for Member States to establish national AI regulatory sandboxes.
• December 2, 2027: Application date for high-risk AI obligations under Annex III (biometrics, employment, education, law enforcement, critical infrastructure, border management).
• August 2, 2028: Application date for high-risk obligations for AI embedded in Annex I regulated products (medical devices, machinery, toys, lifts, etc.) .

What Should Organizations Do Now? While the new deadlines provide additional runway, organizations should not treat this as a reason to pause compliance efforts. The AI Act's risk-based architecture remains intact, and the registration, documentation, and governance obligations continue to require significant lead time for implementation. Organizations developing or deploying AI in the EU should continue inventorying their AI systems, classifying them by risk level, conducting gap analyses, and establishing internal governance structures.