After encountering setbacks in two trilogue sessions, Parliament and Council have finally reached a compromise that extends the high-risk compliance deadline to December 2027, eases paperwork for smaller companies, and incorporates a long-sought ban on non-consensual intimate imagery in Europe’s major AI legislation.
The European Commission announced on Wednesday that negotiators from Parliament and Council have achieved a political consensus on the AI Omnibus, a series of amendments intended to soften the implementation of the EU’s main Artificial Intelligence Act and include a ban on AI-generated non-consensual intimate images.
It required three rounds to achieve this. The unsuccessful session on 28 April ended after about twelve hours of negotiation over how AI integrated into regulated products should be evaluated for conformity. A session on Wednesday, hastily arranged before a fallback date on 13 May, bridged the differences.
Henna Virkkunen, the executive vice-president for tech sovereignty who advocated for simplification measures in the College of Commissioners last November, stated that the agreement would allow businesses to “focus on building, not on paperwork,” presenting it as evidence that Europe can maintain its rules-based approach while making them practical for industries.
Deadlines extended, paperwork reduced
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
The primary change is the timeline. Obligations for standalone high-risk AI systems listed in Annex III, covering biometrics, education, employment, essential services, law enforcement, justice, and border management, will now commence from 2 December 2027 rather than 2 August 2026. Rules for AI embedded in regulated products under Annex I will take effect on 2 August 2028.
This gives companies with partially developed compliance programs roughly sixteen additional months. Brussels emphasizes the delay results from incomplete standards work, not a withdrawal: harmonized standards from CEN-CENELEC and comprehensive guidance libraries are required before obligations begin.
Smaller companies receive clearer relief. The agreement extends simplifications already available to SMEs to small mid-cap companies, including templated technical documentation, reduced fees, and easier access to regulatory sandboxes. The aim, as reiterated through the Commission’s press release, is to match obligations with organizational size rather than imposing a single compliance model on all providers in the chain.
A ban on nudification, integrated into the law
The most controversial aspect is the new ban on AI systems that produce child sexual abuse material or generate non-consensual intimate images of identifiable individuals. Lawmakers have advocated for this since the late-2025 scandal involving Grok’s nudification scandal, and Parliament made it a critical issue for the trilogue.
The text now prohibits the marketing and use of AI tools primarily intended to undress people in images or depict identifiable individuals in sexually explicit scenarios without consent. Companies have until 2 December 2026 to ensure existing products comply.
The prohibition is waived if developers have effective safety measures to prevent such generation and misuse, a compromise negotiated to protect general-purpose models that already screen such outputs.</