Artificial Intelligence ("AI") does not stand still, and neither does its regulation. On 7 May 2026, the Council and the European Parliament reached a provisional political agreement on a set of targeted amendments aimed at streamlining certain aspects of the AI Act. These changes are part of a broader push to simplify EU legislation. Through the digital omnibus package, proposed on 19 November 2025, the Commission is seeking to boost Europe's competitiveness by cutting unnecessary complexity while preserving the core safeguards of the AI Act (Regulation (EU) 2024/1689), in force since 1 August 2024.
With the publication of the final compromise text on 13 May 2026, the direction of travel is now clear. The adjustments emerging from the trilogue negotiations focus squarely on making the AI Act more operational, less theoretical, and more usable. So, what does this mean for your business?
Fast-track overview – key takeaways
- Use the additional time strategically: while implementation deadlines have been deferred, this does not diminish the underlying obligations. This is the moment to fine-tune your AI compliance roadmap and align it with upcoming EU guidance and tools;
- Leverage available simplifications: proactively assess whether you qualify as an SME or small mid-cap (SMC) to ensure that available flexibilities are effectively leveraged;
- Take advantage of flexibility, but document it: regulators expect effort and justification; clear internal documentation will be essential;
- Reassess your AI systems: the refined definition of "safety component" may affect the qualification of certain systems as high-risk. A reassessment of existing classifications is therefore advisable;
- Prepare for ongoing obligations, not just a go-live milestone: identify recurring operational obligations that require sustained resource allocation; do not merely focus on a one-time compliance exercise.
Below, we break down the key updates, and what they mean in practice for your business.
High-risk AI systems: timeline alignment
A particularly notable change concerns the timelines for obligations related to high-risk AI systems. The original deadline of 2 August 2026 has been postponed, and not without reason. The legislator recognises that compliance requirements can only be effective if the necessary supporting infrastructure is in place. This adjustment is therefore not simply about granting extra time. Rather, it aims to align the application of the rules with the actual availability of the systems and structures needed to support them, ensuring a more coherent and legally certain implementation across the EU.
Against this backdrop, the EU has opted for a pragmatic approach, introducing two new milestones:
- 2 December 2027 for standalone high-risk AI systems within the meaning of Annex III; and
- 2 August 2028 for AI systems embedded as safety components in products governed by sectoral EU safety legislation (Annex I).
A crucial aspect of the transitional regime is that the AI Act applies to high-risk AI systems already on the market before the date of application of Chapter III only where those systems undergo significant design changes from that date onwards. This is highly significant: a system placed on the market before 2 December 2027 (for Annex III systems) or before 2 August 2028 (for Annex I systems) will benefit from the grace period, provided its design remains unchanged from those dates. However, the threshold of a "significant change" is still to be defined, and this is a significant gap which can lead to a lot of legal uncertainty.
On 19 May 2026 the Commission published draft guidelines on the classification of high-risk artificial intelligence systems under the EU AI Act, providing further clarification of the applicable provisions and setting out practical examples to guide the assessment across different sectors and use cases.
Watermarking: implementation with grace period
The obligations with respect to the watermarking obligation, set out in Art. 50 AI Act, would normally apply from 2 August 2026. However, the legislator introduced a four-month grace period for generative AI systems, allowing those already on the market before 2 August 2026 to comply with Article 50(2) by 2 December 2026.
Meanwhile, the compliance toolbox is still being built. Alongside the upcoming (voluntary) code of practice on AI-generated content, the Commission published, on 8 May 2026, draft guidelines to clarify how the transparency obligations under Article 50 should be applied in practice.
Machinery regulation sidesteps dual compliance burden
A significant simplification has been introduced regarding the relationship between EU product safety legislation and the AI Act. Where AI Act obligations previously applied on top of existing sectoral safety rules, creating a dual compliance regime, this double burden has now been lifted, albeit not across the board.
The legislator recognises both the risk of regulatory duplication and the continued need to safeguard against harms arising from AI in machinery. The result is a targeted approach: only the limited provisions referred to in Article 2(2) of the AI Act apply to AI-enabled machinery, effectively excluding the sector from the full set of high-risk requirements.
This streamlined treatment, however, does not extend to other product safety-related systems. There, dual compliance remains the default. That said, the framework is not without flexibility. Certain AI Act requirements may be limited or set aside, provided two conditions are met: first, that existing sectoral legislation already ensures an equivalent or higher level of protection for health, safety, or fundamental rights; and second, that the overall level of protection under the AI Act is not undermined.
Further detail on the scope and application of these adjustments, including the systems concerned and the requirements that may be affected, is to be clarified by the European Commission by 2 August 2027.
Safety component: function over integration
The definition of "safety component" plays a decisive role in determining whether certain AI systems qualify as high-risk. It has now been refined in line with the AI Act's risk-based approach.
Under the revised definition, an AI system only qualifies as a safety component if its intended purpose is to prevent or mitigate risks to the health and safety of persons or property. This narrower definition has practical consequences, as not every AI system that ends up in a regulated product automatically qualifies as a "safety component".
AI systems that are merely there to make a product smarter, faster, or more convenient, such as AI systems designed for user assistance, performance optimisation, service efficiency, automation, convenience, or quality control of non-safety-related aspects, fall outside this scope. The mere fact that such systems are integrated into products subject to safety regulation is no longer sufficient to trigger high-risk obligations, provided their failure does not create risks to health or safety.
New prohibition: AI-generated intimate content
The AI Act already identifies a number of prohibited practices in Article 5, ranging from subliminal manipulation to social scoring and certain forms of real-time biometric identification. The recent political agreement adds a notable new category to that list: so-called "nudifiers".
Specifically, the updated rules prohibit AI systems that generate child sexual abuse material (CSAM) or non-consensual intimate content. The prohibition operates at two levels:
- Provider level: placing on the market or putting into service such a system is prohibited where this is the intended purpose, or where it is a reasonably foreseeable and reproducible outcome and the system lacks adequate safeguards to prevent that outcome; and
- Deployer level: using such a system to generate the prohibited content is prohibited, regardless of the system's intended design.
Providers have until 2 December 2026 to bring any affected systems into compliance.
AI literacy: proportionate by design
The preliminary press release did not mention anything on amendments regarding AI literacy. However, the final text reflects a clear softening of the original approach. It departs from the recognition that a one-size-fits-all obligation to ensure a high level of AI literacy is not suitable for all providers and deployers. At the same time, the legislator emphasises that AI literacy should remain a strategic priority, irrespective of regulatory pressure or potential sanctions.
Against this backdrop, Article 4 of the AI Act has been realigned. Providers and deployers are now required to take appropriate measures to support the development of AI literacy among their staff and others involved in the use and operation of AI systems on their behalf. Importantly, this is framed as an obligation of effort, not of result, as it does not require any guaranteed or measurable level of AI literacy for individual persons.
In addition, public authorities are expected to play a complementary role. The European Commission and Member States are tasked with supporting compliance efforts. In parallel, the AI Board will issue recommendations, including common objectives, to further promote AI literacy across the EU.
Small mid-cap enterprises (SMCs): the avoidance of a regulatory cliff edge
Small and mid-sized companies receive special attention under the revised framework. In addition to SMEs, the AI Act now formally recognises "small mid-cap enterprises" (SMCs), which are companies that have outgrown the SME category but still face challenges comparable to smaller businesses when it comes to regulatory burden. To support a smoother transition from SME to SMC status, the legislator introduces targeted relief measures. The aim is to avoid a regulatory "cliff edge" where companies are suddenly subject to the full weight of obligations designed for large enterprises.
In practical terms, this translates into a number of simplifications which include, amongst others: submission of simplified technical documentation, flexible quality management requirements and reduced administrative fines, with the "lower of" percentage-versus-amount approach applied.
Enforcement: a material financial risk
The EU AI Office has market surveillance powers and can recover the full costs of its supervisory and enforcement activities from non-compliant operators. In addition to fines under Article 99, the AI Office may impose periodic penalty payments of up to 5% of average daily income or annual worldwide turnover per day for continued non-compliance. A five-year limitation period applies to enforcement actions.
At Member State level, the penalty framework has been calibrated to reflect the position of smaller businesses. Member States shall take into account the interests of SMEs, including start-ups, and SMCs, and their economic viability when imposing penalties, with specific adjustments to fine caps for smaller businesses.
Post-market monitoring: plan ahead for ongoing obligation
One aspect of the AI Act that is easy to underestimate is that several obligations are ongoing rather than one-off. Post-market monitoring is a prime example. Providers of high-risk AI systems are required to establish and maintain a post-market monitoring plan, which is a living document that must be updated over the system's lifetime and evaluate continuous compliance with the AI Act obligations.
The amendment removes the empowerment to adopt a harmonised monitoring template by implementing act, and instead requires the Commission to adopt guidance, including a template, by 2 September 2027.
Businesses waiting for that template before building their monitoring infrastructure should factor this date into their planning. However, building internal monitoring processes now will put your business in a strong position.
Additional elements
- Regulatory sandboxes: by 2 August 2027, each Member State must establish at least one AI testing environment ("sandbox"), alone or together with others. The EU may also create its own sandbox, giving priority to small businesses and start-ups. Testing AI in real-world conditions outside sandboxes is also allowed for certain high-risk systems.
- Processing sensitive data: the framework introduces a broader possibility to process special categories of personal data for the purposes of bias detection and correction, including in relation to AI systems that are not classified as high-risk.
- One-stop-shop oversight: the EU AI Office gains exclusive supervisory and enforcement competence over (i) AI systems built on general-purpose AI (GPAI) models where the model and system share the same provider and (ii) AI systems integrated into designated very large online platforms (VLOPs) or very large online search engines (VLOSEs).
- Interplay with the Cyber Resilience Act: where high-risk AI systems fall within the scope of the Cyber Resilience Act (Regulation (EU) 2024/2847) and the conditions of Article 12(1) of that Regulation are fulfilled, such systems shall be deemed to comply with the cybersecurity requirements set out in Article 15 of the AI Act.
What is next and what are the key takeaways?
While the core regulatory ambitions of the AI Act remain intact, the targeted amendments seek to ensure that the framework is both workable in practice and aligned with market realities. It should be emphasised, however, that these amendments have not yet been formally adopted. The text remains subject to approval by both the European Parliament and the Council, with adoption envisaged before 2 August 2026.
Businesses anticipating these developments and embedding them into their compliance strategy will be best positioned to navigate the evolving EU AI regulatory landscape. If you would like tailored advice on the implications of these developments for your organisation, or assistance in further developing your AI strategy, we would be happy to support you.
Authors:
Erik Valgaeren, Partner at Stibbe
June Van Hool, Junior Associate at Stibbe
