EU AI Act Deal Would Delay High-Risk Rules to 2027, Ban Abusive AI Content

The EU’s AI Act, long hailed as the world’s most comprehensive artificial‑intelligence framework, received its first major overhaul in May 2026. By shifting Annex III high‑risk obligations to late 2027 and postponing Annex I product‑embedded requirements to 2028, Brussels aims to give industry a longer runway to certify hiring, credit‑scoring, biometric and other critical systems. This calendar reset reflects political compromise over conformity‑assessment procedures, yet it also signals that regulators recognize the practical challenges of rolling out complex technical standards across diverse sectors.

A more consequential change is the expansion of Article 5, which now categorically bans AI tools that create child sexual abuse material (CSAM) or depict identifiable individuals in non‑consensual intimate contexts. Law firms interpret the language as extending liability to general‑purpose generative AI platforms unless they implement robust technical safeguards and policy controls. With fines of up to €35 million (roughly $38 million) or 7 % of global turnover, the provision adds a powerful deterrent and forces companies to embed content‑filtering mechanisms, watermarking, and rigorous monitoring into their development pipelines.

Practitioners should treat the delay as a strategic planning window rather than a pause. Compliance teams must continue mapping existing AI systems against the high‑risk categories, preparing evidence for conformity assessments, and updating procurement criteria for 2026‑2027 contracts. Meanwhile, legal and e‑discovery groups need to incorporate the Article 5 ban into incident‑response playbooks, ensuring rapid detection of AI‑generated CSAM or nudifier content. As multinational vendors juggle divergent U.S., U.K. and EU AI regimes, the EU’s timetable will become a benchmark for global risk‑management strategies.