European Union lawmakers and member states reached a provisional agreement on 7 May to revise the EU Artificial Intelligence Act through a broader “Digital Omnibus on Artificial Intelligence” simplification package. The changes are designed to ease compliance pressure on businesses by delaying enforcement of key high-risk rules, reducing overlap with sector-specific regulation, and extending certain relief measures to a wider group of smaller companies. The core structure of the law remains intact, with high-risk systems in sensitive areas still subject to regulation and transparency obligations still moving forward.
The most significant shift for employers is a delay to the high-risk regime for systems used in employment and other sensitive categories. Enforcement of rules covering high-risk Artificial Intelligence systems in areas such as employment, biometrics, critical infrastructure, education, migration, and border control is pushed to December 2, 2027, from the previous August 2, 2026, deadline. For Artificial Intelligence systems that qualify as regulated products or safety components, the deadline is extended to August 2, 2028. The agreement also delays watermarking obligations for Artificial Intelligence-generated content until December 2, 2026, and adds a new prohibition on systems that create child sexual abuse material or depict, without consent, the intimate parts of an identifiable person or an identifiable person engaged in sexually explicit activities. Compliance with this prohibition begins December 2, 2026.
Several additional changes narrow the scope of compliance and clarify legal obligations. Machinery products will generally need to comply with sectoral safety rules rather than both the EU Artificial Intelligence Act and sectoral rules, and the European Commission may limit the Act’s application in other sectors where existing laws already contain similar Artificial Intelligence-specific requirements. The definition of “safety component” is tightened so systems that merely assist users or optimize performance will not automatically be treated as high-risk if failure or malfunction does not create health or safety risks. The reform also extends some exemptions previously limited to Small and Medium-sized Enterprises to small mid-cap companies. In addition, providers must again register systems in the EU’s high-risk database, including where they believe an exemption applies.
The agreement also clarifies that organizations may process special category data, including race, health, or sexual orientation, where strictly necessary for bias detection and correction in both high-risk and non-high-risk Artificial Intelligence systems. That legal basis now covers both providers and deployers, while safeguards such as pseudonymization and access controls remain mandatory and the strict necessity standard remains unchanged. Businesses operating in the EU are encouraged to use the extended timeline to audit systems, identify tools used in hiring and workforce management, map vendor roles, review contracts, and prepare compliance plans ahead of the new deadlines. The provisional agreement still requires formal adoption by the European Parliament and the Council, after which it will be published in the EU’s Official Journal and enter into force three days later.
