Why This Alert Is Important

European Union legislators have reached a provisional agreement to amend the EU AI Act, significantly delaying compliance deadlines for high-risk systems and reducing regulatory duplication for industrial sectors. These changes provide much-needed breathing room for enterprises to align their AI governance with evolving technical standards.

Overview Text

On May 7, 2026, the European Parliament and the Council of the EU finalized a "Digital Omnibus" package to reform the EU AI Act. The most significant update is a postponement of the looming compliance deadlines for high-risk AI systems. Originally slated for August 2026, the deadline for standalone high-risk systems (such as those used in biometrics, employment, and law enforcement) has been moved to December 2, 2027. AI systems embedded in regulated products, including medical devices and toys, now have until August 2, 2028.A critical focus of the deal was resolving "double regulation" concerns. The agreement carves out machinery from direct AI Act applicability where overlaps exist, shifting AI-specific health and safety oversight to the EU Machinery Regulation. Additionally, the reform introduces a strict ban on AI-powered apps used to generate non-consensual sexually explicit content with a compliance deadline of December 2, 2026. The package also allows for the processing of personal data when "strictly necessary" to detect and correct algorithmic bias, provided proper safeguards are in place.

What It Covers

Key Implications or Developments

• The amendments signal a strategic shift by the EU toward a more "workable" and industry-friendly regulatory framework. For international enterprises and large public sector organizations, the extended deadlines offer a critical window to conduct thorough Data Protection Impact Assessments (DPIAs) and establish robust AI inventories without the immediate threat of non-compliance penalties. However, the retention of the high-risk systems database registration requirement means that transparency remains a non-negotiable pillar of the Act.T
• he specific carve-out for the machinery sector highlights a move toward sectoral specialization. Organizations operating in industrial manufacturing will now primarily interface with the Machinery Regulation for AI safety, rather than managing two parallel compliance tracks. Conversely, the new prohibitions on apps that generate CSAM and non-consensual sexual content demonstrate that the EU will still act decisively against high-harm applications. Furthermore, the extension of SME-style regulatory exemptions to "small mid-cap" companies will likely ease the administrative burden for a broader range of mid-sized organizations. These reforms aim to balance the "Brussels Effect" of high-standard regulation with the practicalities of global AI competition.

Expert Analysis from Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product Marketing, Data Governance, Exterro

The EU's recent amendments to the AI Act offer a collective sigh of relief for global enterprises, but this extension shouldn't be treated as a vacation. While pushing high-risk compliance to late 2027 and resolving "double regulation" for the machinery sector provides much-needed breathing room, the foundational obligations remain strict. The regulators' message is clear: we are giving you the time to get this right.This is your window to transition from reactive scrambling to proactive AI governance. You cannot effectively govern AI without first mastering your data. Your immediate priority should be establishing a comprehensive AI asset inventory and mapping the personal data feeding those models.

Data Privacy Tip

Use this extended timeline to refine your AI asset inventory and map the personal data feeding these models. This will lay the foundation for proactive AI governance and cross-regulatory compliance. For tips that can help with this process, check out our whitepaper, The Risks Hiding in Your Data.

‍