EU Delays the AI Act's High-Risk Rules to 2027, Adds Ban on AI Image Abuse

The European Union is easing the timetable for its landmark AI Act. Under a provisional agreement reached on 7 May 2026 by negotiators from the European Parliament, the Council and the Commission — a package known as the Digital Omnibus — the bloc will postpone the rules governing "high-risk" AI systems that were due to take effect on 2 August 2026, while adding a new prohibition aimed at AI-generated sexual-abuse material.

What did the EU agree to change?

The omnibus pushes the high-risk obligations back by more than a year. Requirements for stand-alone "high-risk" systems listed in Annex III — uses such as hiring, credit scoring and biometric identification — move from 2 August 2026 to 2 December 2027, a 16-month deferral. Rules for AI embedded in already-regulated products (Annex I) slip from 2 August 2027 to 2 August 2028. According to the law firm Gibson Dunn, the agreed text "replaces the Commission's originally proposed conditional trigger mechanism with these fixed dates" — meaning the new deadlines are absolute rather than tied to whether the necessary technical standards are ready.

Why is Brussels hitting pause?

The delay answers an implementation effort that, by late 2025, was visibly behind; the Commission tabled the Digital Omnibus on 19 November 2025. As the law firm Covington summarized, "the delayed timeframes reflect the challenges with operationalizing several provisions of the AI Act, particularly for high-risk systems requiring testing, documentation, and third-party assessment." The extra time is meant to let European standards bodies such as CEN-CENELEC finish the harmonized standards that companies and auditors need before high-risk compliance can be assessed in practice.

What is not being delayed?

Much of the Act is untouched. The bans on "unacceptable-risk" practices and the AI-literacy duties have applied since 2 February 2025, and the obligations for general-purpose AI models, governance and penalties since 2 August 2025 — none of which the omnibus rolls back. The package also adds a new prohibition: under Article 5, AI systems that generate non-consensual intimate imagery or child sexual abuse material — where such output is a "reasonably foreseeable and reproducible outcome" — become banned, with a transitional period to 2 December 2026.

Why are critics worried?

Some lawmakers and civil-society groups warn the delay widens an oversight gap created by the Act's non-retroactivity. Green MEP Sergey Lagodinsky has called the relevant provision "a loophole" and "a weak spot." Former AI Act co-negotiator Laura Caroli warns that high-risk tools such as hiring systems may remain outside the Act indefinitely unless they are substantially altered, if deployed before the new deadline. Bram Vranken of the Corporate Europe Observatory argues that "a large part of high-risk AI systems that have been placed on the market before December 2027 will never have to comply with the rules." Campaigners also note that 69 per cent of the Commission's AI-related meetings in 2025 were with industry, against 16 per cent with NGOs.

What happens next?

The agreement still needs formal sign-off. Covington expects "final approval anticipated in June and publication expected in July" 2026 — before the original 2 August date it supersedes. The AI Office is also to gain exclusive competence over enforcement where a general-purpose model and the system built on it come from the same provider. Until the amended text is published in the Official Journal, the original deadlines technically remain on the books.

The omnibus buys developers and regulators time to build the standards the Act assumed would already exist. It also means the EU's most demanding AI obligations now arrive more than a year later than planned — and, critics argue, that some high-risk systems already in use may slip through the gap entirely.