The DPO Centre says a provisional EU agreement to simplify parts of the AI Act gives organisations more time to prepare for high-risk compliance, while leaving the core governance challenge intact. Lawmakers reached the agreement on 7 May as part of the wider Digital Omnibus package, which is intended to reduce overlap with existing sector rules and improve legal certainty.
Under the proposed changes, many of the rules for stand-alone high-risk AI systems would move from 2 August 2026 to 2 December 2027. For high-risk AI systems embedded in regulated products such as medical devices, machinery, toys, and lifts, the deadline would move to 2 August 2028. The agreement still requires formal approval from the Council and the European Parliament before the revised timetable takes effect.
The update affects businesses operating across several regulatory layers, particularly where AI intersects with product safety, procurement, cybersecurity, and personal data. Advisers say companies still need a working view of where AI is being used, what data it relies on, which suppliers are involved, and whether any systems are likely to fall into a high-risk category.
David Smith, AI Sector Lead and DPO at The DPO Centre, said: “For businesses, that extra time will be welcome, but it shouldn’t be seen as a pause button. It is breathing space and organisations should use it wisely. AI governance takes time to get right, particularly where personal data, automated decisions, regulated products or high-risk systems are involved.”
He added: “Those that wait for the final deadline may find themselves trying to retrofit governance after AI is already deeply embedded across the organisation. This would be a costly exercise, making risks harder to identify, controls harder to implement, and accountability harder to prove. My advice is to use this time to build a clear AI inventory, review potential high-risk use cases, assess how personal data is being processed, and make sure governance and oversight are practical, documented, and ready to scale.”
Nik Kairinos, CEO and Co-founder of RAIDS AI, said the latest changes reflect a series of compromises, with stronger protections in some areas alongside further delays elsewhere. He warned that businesses should not read the revised dates as a signal that preparation can wait, particularly after recent changes that shifted more responsibility towards self-assessment and internal accountability for high-risk systems.
The EU AI Act remains the first legislation of its kind at this scale. The latest agreement changes the timetable, but not the ultimate destination.




