EU Council agrees to delay and simplify AI Act high-risk rules
TL;DR: The EU Council has agreed its negotiating position on simplifying the AI Act as part of the Omnibus VII legislative package. High-risk AI system rules will be delayed to December 2027 for standalone systems and August 2028 for those embedded in products. The Council also added a ban on AI-generated non-consensual intimate imagery and child sexual abuse material. UK businesses trading with EU clients will need to track these shifting deadlines carefully.
EU member states have agreed on how they want to amend the AI Act before it fully takes effect, adopting a negotiating mandate that will now go to talks with the European Parliament. The position maintains the Commission’s proposed delays while adding several new provisions.
What changes
The original AI Act timeline for high-risk system rules is being pushed back by up to 16 months, with new fixed dates: 2 December 2027 for standalone high-risk AI systems and 2 August 2028 for high-risk AI systems built into products. The delay is intended to give the Commission time to confirm that the necessary compliance standards and tools are actually available before enforcement begins.
Regulatory exemptions currently available to SMEs will be extended to small mid-cap companies. The Council also reinstated an obligation for AI providers to register their systems in the EU database even when they believe their systems are exempt from high-risk classification, closing a potential gap in oversight.
On data processing, the mandate keeps the option to process sensitive personal data for bias detection and mitigation, but reinstates a stricter necessity standard. National AI regulatory sandboxes, originally due sooner, now have a deadline of December 2027.
The Council’s additions
Beyond what the Commission proposed, member states added a prohibition on AI systems that generate non-consensual sexual and intimate content or child sexual abuse material. They also clarified which authorities supervise AI systems built on general-purpose models, carving out exceptions for law enforcement, border management, judicial bodies, and financial institutions where national regulators retain control.
A new requirement obliges the Commission to provide practical guidance to help businesses in regulated sectors comply with high-risk AI requirements without excessive burden.
What this means for UK businesses
The UK’s own AI regulatory approach diverges from the EU’s, but any UK company selling AI products or services into the EU market remains subject to the AI Act. The shifting compliance deadlines create a moving target. Companies that had been planning around the original timeline now have additional breathing room, but should not treat the delays as a signal to defer preparation. The December 2027 deadline for standalone high-risk systems is 21 months away.
Looking forward
The presidency will now open negotiations with the European Parliament. The pace of agreement within the Council was notably fast, reflecting political pressure to show that the EU can regulate AI without stifling competitiveness. Whether Parliament accepts the Council’s additions, particularly the deepfake prohibition, will shape the final text.