EU AI Act Amended: Compliance Deadlines Pushed, But New Risks Emerge

Negotiators from the Council of the European Union, the European Parliament, and the European Commission have reached a provisional agreement on the first amendment package to the EU AI Act, dubbed the “Digital Omnibus on AI.” Compared to the Act adopted in June 2024, this package brings both relief and stricter regulations, demanding fundamental strategic adjustments from market players.

Deferred Deadlines: A Breather or a Dangerous Postponement?

The most notable change is the staggered deferral of compliance deadlines. In practice, this provides more time for preparation, but how companies use this extra time is critical.

  • For Annex III use-based High-Risk AI Systems (HRAIS), the start of obligations is postponed from 2 August 2026 to 2 December 2027, a deferral of 16 months.
  • Obligations for Annex I product-regulated HRAIS will take effect one year later, on 2 August 2028, instead of 2 August 2027.
  • The provider’s obligation under Article 50(2) for AI systems generating or manipulating synthetic content is postponed by 4 months to 2 December 2026.
  • Member States will have an additional year to establish regulatory sandboxes, with the new deadline set for 2 August 2027.

From an AIQ standpoint, this deferral is not an invitation to relax but an opportunity for proactive action. Companies should use this gained time to conduct in-depth security audits, LLM red teaming exercises focused on the OWASP LLM Top 10 vulnerabilities, and a thorough review of their entire AI supply chain. Those who start preparing now will have a competitive advantage when the tightened deadlines arrive, compared to those who leave compliance to the last minute.

New Prohibitions and Increased Supply Chain Responsibility

While deadlines are being pushed back, the Act is becoming significantly stricter in other areas. Two new explicit prohibitions have been introduced, effective from 2 December 2026:

  • The use of AI systems to generate or manipulate non-consensual intimate material.
  • The use of AI systems to generate or manipulate child sexual abuse material (CSAM).

In a corporate context, this means that auditing model safety guardrails and monitoring outputs will become a top priority. This is directly linked to the OWASP LLM Top 10 vulnerabilities LLM05: Supply Chain Vulnerabilities and LLM06: Sensitive Information Disclosure, as providers must ensure their models cannot be used for such prohibited purposes.

The stricter rules extend to the entire AI value chain. The amendment to Article 25(4) requires that the “AI model” used in a high-risk system must be covered by the written agreement. In parallel, Article 99(4) introduces a new category of infringement for breaches of information-sharing obligations (Article 25(2) and (4)), with fines of up to 3% of worldwide turnover or €15 million. This clearly extends liability to model developers and suppliers.

GDPR and the AI Office: New Data Protection and Supervisory Frameworks

The amendment also addresses a crucial data protection issue. The new Article 4a allows the use of special category data for the detection and correction of bias in AI systems, under strict safeguards. AIQ’s position is that this is a pragmatic step that acknowledges the practical need to analyze sensitive data for debiasing. However, this authorization will require extremely thorough Data Protection Impact Assessments (DPIAs) and the highest level of technical and organizational measures (TOMs), creating a new audit focus for GDPR compliance.

On the supervisory side, the AI Office gains exclusive competence over certain systems:

  • AI systems based on General-Purpose AI (GPAI) models from the same provider.
  • Systems integrated into a very large online platform or search engine under the Digital Services Act (DSA).

This centralization could make supervision more effective, but it also means that the largest players will be subject to the strict scrutiny of a single, highly specialized authority.

Audit Takeaways and Next Steps

The “Digital Omnibus” package sends a clear message to the market: a deferral is not an exemption. Companies must act now.

From an audit perspective, the key actions are:

  1. Update Risk Assessments: Re-evaluate whether an AI system qualifies as high-risk under the clarified definitions, especially considering the reclassification of the Machinery Regulation and the narrowed definition of a “safety component.”
  2. Review Supplier Contracts: Due to the new information-sharing obligations backed by fines of up to €15 million, all AI supplier contracts must be reviewed and amended to comply with the requirements of Article 25.
  3. Conduct Technical Security Audits: The new prohibitions make red teaming of models essential to verify their resilience against attempts to generate prohibited content.
  4. Verify GDPR Compliance: If a company uses special category data for bias correction, its legal and technical framework must be audited immediately.

The amendments will enter into force on the third day following their publication in the Official Journal. Although the compliance deadlines may seem distant, the legal and technical foundations for secure and compliant AI operations must be laid now.

Attila Rácz-Akácosi

Independent AI Security Specialist

Two decades of analytical and systems-oriented experience. I have been working with artificial intelligence since 2017. In recent years, I have specialized in AI/LLM security and AI Red Teaming. Systems-level thinking instead of endless vulnerability checklists.