
AI Act Amendments Approved: What the Revised Timelines Mean for Businesses

Tuesday, 23 June 2026

On 16 June 2026, the European Parliament approved agreed amendments to the EU Artificial Intelligence Act as part of the wider Digital Omnibus on AI package. The measure forms part of the EU’s broader effort to simplify parts of its digital regulatory framework while maintaining the core architecture of the AI Act. 

The amendments follow a political agreement reached between the EU co-legislators on 7 May 2026 and are intended to address a number of implementation issues that had emerged since the AI Act entered into force, including the availability of harmonised standards, the designation of competent authorities and the practical readiness of businesses to comply with certain obligations. 

Although the amendments provide additional time in a number of important areas, they should not be viewed as a pause on AI Act compliance. Rather, they provide organisations with a clearer implementation runway and an opportunity to put more robust AI governance arrangements in place before the next major compliance milestones. 

The amendments must still complete the remaining formal stages before entering into force, including Council approval and legal-linguistic finalisation. It is intended that the process will be completed in time to provide certainty before the next major AI Act application dates.

Key Changes for Businesses

More time for high-risk AI compliance

The most significant practical change is the revised timeline for high-risk AI systems.

For standalone high-risk AI systems falling within Article 6(2) and Annex III of the AI Act, the relevant obligations are now expected to apply from 2 December 2027. These categories include AI systems used in areas such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and border management, and the administration of justice. 

A later deadline of 2 August 2028 will apply to high-risk AI systems that are embedded in products as safety components and are already subject to EU sectoral legislation. 

For businesses, this extension is helpful, but it should not delay compliance work. Organisations will still need to identify whether their AI systems fall within the high-risk categories, allocate responsibility between providers, deployers and other actors in the AI value chain, and begin preparing the governance, technical documentation and monitoring arrangements that will be required.

Watermarking and transparency obligations delayed in part

The amendments also revise the timing for certain transparency obligations. In particular, the obligation relating to machine-readable labelling of AI-generated content under Article 50(2) has been postponed until 2 December 2026. 

Other transparency obligations remain tied to the existing application timetable and are expected to apply from 2 August 2026.

Businesses that develop, procure or deploy generative AI tools should therefore continue to assess whether their systems produce synthetic outputs and whether appropriate labelling, disclosure and user-facing transparency measures are required.

New prohibition on certain harmful AI-generated material

The amendments introduce a new prohibition targeting AI systems designed to generate certain harmful material, including non-consensual intimate content and child-exploitation material. The generation of such material has featured as a concerning development in the use of AI systems since the EU AI Act came into force. The prohibition is expected to apply from 2 December 2026.

For providers and deployers, this reinforces the importance of assessing not only the intended functionality of AI systems, but also foreseeable misuse and the adequacy of technical safeguards. 

AI literacy obligation recalibrated

The amendments adjust the AI literacy obligations set out in Article 4 of the Regulation. Instead of requiring providers and deployers to ensure a sufficient level of AI literacy, the revised approach focuses on taking measures to support the development of AI literacy.

This is a softer formulation, but it remains significant. In practice, organisations should still be able to demonstrate that staff who use, procure, manage or oversee AI systems have received appropriate training and guidance. This will be particularly important where AI tools are used in HR, customer services, professional services, regulated decision-making or other higher-risk operational contexts.

Our previous article on the Act’s literacy requirements still serves as a useful guide for businesses on how to adopt a 3-stage process to tackle the issue of AI literacy. From a governance perspective, businesses should consider adopting a proportionate AI literacy programme covering:

  • permitted and prohibited AI use cases;
  • data protection and confidentiality risks;
  • human oversight requirements;
  • escalation pathways;
  • procurement controls; and
  • the risks of over-reliance on AI-generated outputs.

Bias monitoring and sensitive data

Article 4a will be inserted into the Act to provide that special categories of personal data may be processed for the purposes of detecting and correcting bias, but only where a strict necessity standard is met and appropriate safeguards are in place. 

This change is important for both providers and deployers. It recognises that bias testing may, in some cases, require the use of sensitive data, while also making clear that such processing must be limited, justified and accompanied by safeguards.

Organisations should ensure that any bias testing or monitoring involving sensitive data is supported by a documented legal basis, data minimisation assessment, access controls, retention limits and, where necessary, a data protection impact assessment.

Clearer concept of “safety component”

The amendments also clarify the meaning of a “safety component” for the purposes of the AI Act. The revised approach focuses on whether the component is intended to prevent or reduce risks to health and safety. This clarification should help distinguish between AI tools that perform a true safety function and those that merely improve performance, efficiency or user experience. That distinction will be important when assessing whether an AI system falls within the high-risk framework.

Support extended to small mid-cap companies

The amendments extend certain SME-style simplifications to small mid-cap companies. This reflects a broader EU policy objective of supporting businesses that have grown beyond the SME threshold but do not yet have the resources of large enterprises. 

Small mid-cap companies (SMCs) are those which employ between 250 and 750 persons with a turnover of up to €150m. According to the Commission, there are believed to be 38,000 SMCs in the EU.

For these businesses, the amendments may reduce some compliance burdens, but they do not totally remove the need for structured AI governance.

Enhanced role for the EU AI Office

The amendments strengthen the supervisory role of the EU AI Office, particularly in relation to certain AI systems incorporating general-purpose AI models and systems connected with very large online platforms or very large online search engines. 

This reflects the increasing regulatory significance of general-purpose AI models and the concentration of AI capability within large digital platforms. National competent authorities will continue to have a role in specified circumstances, but the EU AI Office will play a more prominent part in supervision and enforcement.

EU database registration retained

The amendments also retain a registration obligation for certain AI systems in the EU database, despite earlier proposals to reduce or remove aspects of that requirement. The European Parliament’s legislative materials indicate that the obligation will be simplified and proportionate, including for certain systems assessed as not being high-risk. 

Providers should therefore continue to factor registration requirements into their compliance planning, particularly where they are relying on an assessment that a system does not fall within the high-risk category.

What These Changes Mean for Businesses

While the amendments provide welcome relief from immediate pressures, they do not alter the overall direction of travel. The AI Act remains a significant compliance regime and businesses should use the extended timelines constructively.

For many businesses, the immediate priority will be to understand where AI is already being used across the organisation. This includes not only externally procured AI tools, but also embedded AI functionality in existing software, internally developed tools and employee-led use of publicly available generative AI systems.

Businesses should not wait until the new deadlines approach. The extended implementation periods should instead be used to move from initial awareness to practical readiness.

How Byrne Wallace Shields Can Help

Byrne Wallace Shields advises clients across a range of sectors on AI regulation, data protection, governance, technology contracts and emerging digital regulation.

If you have questions about how the AI Act or the Digital Omnibus amendments may affect your organisation, or if you would like to discuss your AI governance and compliance roadmap, please contact a member of the Byrne Wallace Shields team.