EU negotiators have reached a provisional agreement on changes to the bloc’s artificial intelligence rulebook, aiming to reduce compliance burdens while preserving the core structure of the AI Act.
The agreement, reached on 7 May between representatives of the Council presidency and the European Parliament, forms part of the EU’s wider simplification agenda and the so-called Digital Omnibus package. The text is intended to adjust the implementation of the AI Act, clarify the timetable for high-risk systems, and introduce additional safeguards against the misuse of AI-generated intimate content.
The AI Act, adopted in 2024, is the EU’s central legal framework for artificial intelligence. It places obligations on developers and deployers of AI systems according to risk level, with stricter rules for systems considered high risk, including those used in biometrics, critical infrastructure, education, employment, migration, asylum and border control.
Under the provisional agreement, rules for certain high-risk AI systems will apply from 2 December 2027. For high-risk systems integrated into regulated products, such as lifts or toys, the relevant rules will apply from 2 August 2028. The revised sequencing is intended to ensure that technical standards and support tools are available before obligations take effect.
The Commission had proposed the Digital Omnibus on AI five months ago as part of a broader drive to simplify the EU’s digital rulebook. The proposal sought targeted amendments rather than a reopening of the AI Act as a whole. Its stated objective was to make implementation easier for companies while maintaining safeguards relating to safety, fundamental rights and public oversight.
A central element of the agreement is the delayed application of rules for high-risk systems. The Commission had argued that companies needed a clearer transition period and that obligations should apply once relevant standards, guidance and compliance tools were in place. The new dates provide a fixed timetable rather than leaving implementation linked only to the later availability of standards.
The package also extends some regulatory simplifications available to small and medium-sized enterprises to small mid-cap companies. The aim is to reduce administrative burden for firms that may not fall within the strict SME category but still face limited compliance capacity compared with large technology companies.
The agreement includes provisions on the use of sensitive personal data for bias detection and mitigation. This is intended to allow providers to test and correct systems where necessary, while retaining limits on how such data may be processed. The final text will be important for firms developing systems in employment, public administration, financial services, education and other areas where discrimination risks are central to regulatory scrutiny.
The deal also strengthens the role of the AI Office, which is responsible for aspects of supervision and coordination under the AI Act. At the same time, the package is intended to reduce governance fragmentation between EU-level and national authorities. National bodies will continue to have responsibilities in areas such as law enforcement, border management, judicial activity and financial supervision.
One of the most politically sensitive additions concerns AI-generated sexual and intimate material. The agreement introduces a prohibition on AI practices involving the generation of non-consensual sexual or intimate content, as well as child sexual abuse material. The measure reflects growing concern about the use of generative AI tools to create synthetic images and videos without consent.
The Commission will also be required to issue guidance for economic operators whose high-risk AI systems fall under sectoral harmonisation legislation. That guidance is intended to help companies comply with high-risk obligations in a way that limits unnecessary administrative burden.
The agreement is not yet final law. It must still be endorsed by the Council and the European Parliament, followed by legal and linguistic review, before formal adoption by the co-legislators. Formal approval is expected in the coming weeks.
The broader policy context is the EU’s attempt to balance regulatory credibility with competitiveness. Businesses have warned that overlapping digital obligations can increase legal uncertainty and compliance costs, particularly for smaller firms and start-ups. EU institutions have also faced pressure to ensure that simplification does not weaken the substance of digital regulation.
The AI package is therefore likely to be read as an early test of whether the EU can revise implementation rules without retreating from the risk-based model of the AI Act. For companies, the revised timetable provides more certainty on compliance planning. For regulators, it creates additional time to prepare guidance, standards and supervisory structures before the most demanding parts of the regime apply.
