A New Direction for EU AI Act Implementation
The Council of the European Union has taken a significant step towards refining the implementation rules of the EU AI Act. On May 13, 2026, the Permanent Representatives Committee confirmed a compromise text aimed at simplifying the regulation and reducing compliance burdens. The decision followed informal inter-institutional negotiations on May 6 and amends the Regulation on AI (EU) 2024/1689 and the Regulation on civil aviation (EU) 2018/1139 as part of the “Digital Omnibus on AI” package.
The rationale behind these amendments is the recognition that delayed standards, national governance structures, and conformity assessment frameworks have created heavier compliance burdens than initially expected. The proposal addresses several key areas, including AI literacy, conformity assessment, regulatory sandboxes, and obligations for high-risk systems.
Do you have a question about AI security? You can reach us here:
An Extension for High-Risk Systems
Perhaps the most critical element of the compromise text is the postponement of the application dates for obligations concerning high-risk AI systems. In practice, this gives developers and companies more time to prepare.
- For systems classified as high-risk under Article 6(2) and Annex III, the new deadline is December 2, 2027.
- For systems classified as high-risk under Article 6(1) and Annex I, the new deadline is August 2, 2028.
From an AIQ standpoint, this delay is crucial for the market. It does not signify a weakening of the regulation but is a pragmatic move that acknowledges the time required to develop and audit complex systems. Companies should use this extra time not for complacency, but for strategic planning. Now is the time to review internal processes, build risk assessment frameworks, and conduct proactive security audits, such as LLM red teaming, to avoid a last-minute scramble as the deadlines approach.
Strict Prohibitions: Drawing the Red Lines
While the regulation offers more flexibility in some areas, it draws hard lines in others. The text introduces two new, explicit prohibitions targeting the most dangerous uses of artificial intelligence:
- It will be prohibited to place on the market, put into service, or use AI systems that generate or manipulate realistic non-consensual intimate images, videos, audio, or similar material of identifiable people.
- It will also be prohibited to use AI systems that generate or manipulate child sexual abuse material (CSAM), subject to limited lawful exceptions.
In a corporate context, this means that the safety filters and moderation capabilities of generative AI models must be more robust than ever. These prohibitions are directly linked to vulnerabilities in the OWASP LLM Top 10, particularly Prompt Injection (LLM-01), which attackers could use to bypass safety controls and generate illicit content. Compliance requires thorough, targeted testing and auditing of models to ensure they cannot be exploited for such harmful purposes. This is also relevant from a GDPR perspective, as non-consensual intimate content severely violates the data rights of the individuals involved.
What This Means in Practice
The proposed changes send a clear message to the market. The EU is committed to supporting innovation—as shown by the adjustments to regulatory sandboxes and the treatment of small and mid-cap enterprises—but it will not compromise on security and fundamental rights. The revised wording on AI literacy, which requires member states to support public readiness but not guarantee a specific level for each individual, also reflects an alignment with practical realities.
AIQ’s recommendation is as follows: decision-makers should treat the delayed deadlines as a strategic opportunity to strengthen their compliance programs. Development teams must integrate security into their systems from the design phase, with a particular focus on proactively preventing prohibited use cases. Compliance is not a one-time task but a continuous activity that evolves with technology, and there is now more time than ever to prepare for it.