EU Delays High-Risk AI Rules to 2027, Adding NCII Bans in Sweeping Act Overhaul

The European Union has blinked. Less than two years after the AI Act entered into force as the world’s first comprehensive AI regulatory framework, the EU Council and European Parliament reached a provisional agreement on May 7 to delay, simplify, and partially restructure its most demanding compliance obligations. The deal — described by Brussels as a “streamlining” exercise — gives businesses deploying AI in high-stakes domains like employment screening, education, and biometric surveillance significantly more time to comply. Critics are less charitable, arguing that the delay effectively exempts the most consequential AI systems from meaningful oversight during the period when AI capabilities are advancing fastest.

What Changed and When

The original AI Act established a tiered compliance timeline. General-purpose AI model obligations took effect in August 2025. The high-risk system rules — the meat of the regulation, covering AI applications that could affect people’s access to employment, education, credit, and public services — were due to kick in for most providers by August 2026.

The May 7 provisional agreement moves that deadline to December 2, 2027 for Annex III systems: the category that covers AI used in employment screening tools, education platforms, credit scoring, biometric identification systems, and access to essential public services. That is a 16-month extension from the original date.

Annex I systems — AI embedded in regulated physical products like medical devices, toys, and industrial machinery — received a one-year extension, from August 2027 to August 2028. These systems were already on a longer runway given the complexity of integrating AI compliance into existing product certification regimes.

The deal also creates a new regulatory category: “small mid-cap enterprises,” defined as companies above the existing SME thresholds but below large corporation definitions. Businesses falling into this new band receive proportionally reduced compliance obligations compared to large organizations, a concession that acknowledges the practical burden the AI Act would impose on the mid-tier European tech ecosystem.

What Got Accelerated

The agreement is not uniformly permissive. The transparency obligations around AI-generated content — requiring systems to disclose when output has been artificially generated — had a six-month grace period under the original Act. The provisional deal cuts that to three months, with the resulting deadline falling on December 2, 2026. For companies deploying generative AI in consumer-facing products across the EU, the deadline for watermarking and disclosure compliance just got tighter, not looser.

New Prohibitions Added

Perhaps the most significant addition to the Act is the explicit prohibition on AI systems used to generate non-consensual intimate imagery (NCII) and child sexual abuse material (CSAM). The original Act’s prohibition framework did not specifically enumerate these use cases; the May 7 agreement adds them explicitly. Given the proliferation of deepfake generation tools in 2025 and 2026, the addition reflects legislative catch-up with a real-world harm that has been extensively documented by law enforcement agencies across EU member states.

The agreement also maintains, and in some respects expands, prohibitions on real-time remote biometric identification in public spaces, emotion recognition in workplace and education contexts, and social scoring systems.

Industrial AI Exempt

One provision that received less attention in the legislative coverage is the exemption for AI in industrial applications covered by the Machinery Regulation. Manufacturing-floor AI systems, robotic welding, predictive maintenance tools, and similar operational AI fall outside the AI Act’s scope entirely when they are already regulated under existing machinery safety frameworks. This carve-out is significant for EU industrial manufacturers competing against Chinese and American counterparts who do not face comparable regulatory overhead.

The Competitiveness Argument

The context for the delay is impossible to separate from the broader European conversation about AI competitiveness. In December 2025, the Draghi Report on European competitiveness explicitly identified the AI Act’s compliance timeline as a structural disadvantage for EU-based AI developers relative to American and Chinese counterparts. The European Commission under President von der Leyen has been under sustained pressure from member state governments — particularly France and Germany — to avoid regulatory configurations that accelerate AI talent and capital flight to the United States.

The May 7 deal is, in part, an answer to that pressure. By extending the high-risk AI timeline, Brussels is buying time for its domestic AI ecosystem to mature before facing the full weight of compliance costs. The counterargument — made loudly by civil liberties organizations including AlgorithmWatch, Access Now, and the European Digital Rights initiative — is that the systems being given extra runway are precisely the ones that pose the most direct risk to fundamental rights, and that “streamlining” is a euphemism for regulatory capture.

What Businesses Should Do Now

For compliance teams, the practical takeaway is nuanced. The delay is provisional — the deal requires formal endorsement and adoption by both co-legislators before it becomes binding law, a process expected to conclude in the coming weeks. Businesses should not assume the December 2027 deadline is certain until it is formally enacted.

More importantly, the delay does not affect the Act’s provisions that have already entered into force. The GPAI model obligations covering frontier AI developers are live. The prohibited practices list — now extended by the NCII and CSAM additions — takes effect alongside the existing prohibitions timeline. Transparency and watermarking obligations will have a December 2026 deadline for many consumer-facing deployments.

For organizations that had been building toward August 2026 readiness for Annex III systems, the provisional deal offers optionality but not absolution. Companies that accelerate their compliance programs now, while the regulatory environment is still relatively uncrowded, will be better positioned when the December 2027 deadline arrives — with regulators who by then will have 18 months of enforcement experience and significantly less patience for organizations claiming they ran out of time.

The EU AI Act is not going away. It just got a later alarm.