EU pushes high-risk AI Act duties to 2027 and 2028

The EU has given AI vendors more time on the hardest part of the AI Act, but not a free pass. High-risk rules that were due to apply on August 2, 2026 now split into two later deadlines: December 2, 2027 for stand-alone high-risk AI systems and August 2, 2028 for high-risk systems embedded in products.

The Council of the EU gave its final green light on June 29, 2026 to a new regulation designed to simplify AI rules as part of the Digital Omnibus package. The core issue is overlap. Products such as medical devices, toys, lifts and watercraft already sit under sector-specific safety laws, and the new text creates a mechanism to limit duplicated AI Act requirements where those regimes contain similar AI-specific obligations.

The delay does not soften every part of the regime. The regulation adds a ban on AI practices that generate non-consensual sexual or intimate content and child sexual abuse material. Systems that create nude images of real people or alter existing photos to expose intimate body parts are set to be prohibited from December 2026.

Transparency timing also gets sharper. Providers that need to implement transparency solutions for artificially generated content will have a three-month grace period instead of six months, with the new deadline set for December 2, 2026. National AI regulatory sandboxes, meanwhile, are pushed to August 2, 2027.

The package also clarifies when the AI Office supervises systems based on general-purpose AI models developed by the same provider, while keeping national authorities in charge for exceptions including law enforcement, border management, judicial authorities and financial institutions. The practical message for companies is mixed: compliance teams get breathing room on expensive high-risk documentation, but harmful-content controls and transparency work remain immediate market-access issues.