Overview
The European Union’s AI Act, first introduced to establish a risk-based framework for artificial intelligence, has taken a significant turn. In early 2025, negotiators from the European Parliament and European Council struck a provisional deal to soften key deadlines, giving enterprises more breathing room. This guide breaks down what changed, why it matters, and how your organization can adjust its compliance roadmap. Originally, high-risk AI systems faced an August 2, 2026 deadline. Under the new agreement, stand-alone high-risk systems now have until December 2, 2027, and those integrated into products covered by EU sectoral safety rules (e.g., medical devices, machinery) get until August 2, 2028. The deal also reduces overlapping rules, narrows the definition of high-risk, and extends exemptions to mid-sized companies. While final adoption is pending, this guide provides actionable steps to prepare.
Prerequisites
Before diving into the steps, ensure you have:
- A basic understanding of the EU’s regulatory structure (Parliament, Council, Commission).
- Knowledge of your AI system’s intended use and risk profile.
- Access to your organization’s product safety and compliance teams.
- Familiarity with sector-specific regulations (e.g., Medical Device Regulation, Machinery Directive).
Step-by-Step Instructions
Step 1: Review Original vs. New Deadlines
The original AI Act set August 2, 2026 as the compliance date for all high-risk systems. The provisional deal pushes that back significantly:
- Stand-alone high-risk AI systems: December 2, 2027
- AI systems used in products under EU sectoral safety laws: August 2, 2028
- AI regulatory sandboxes: Member states now have until August 2, 2027 to set them up (originally August 2, 2026)
- Watermarking obligations for AI-generated content: Effective December 2, 2026 (earlier than the Commission’s proposed February 2, 2027)
Action: Update your compliance calendar accordingly. Mark December 2026 for watermarking readiness, and plan for high-risk compliance by late 2027 or 2028 depending on system type.
Step 2: Determine if Your System Is High-Risk
The deal narrows what counts as a “safety component” under the AI Act. Previously, any AI feature that assists users could be classified high-risk. Now, only features whose failure creates health or safety risks are automatically high-risk. Performance-improving AI (e.g., a recommender in a non-critical product) is not automatically high-risk.
Action: Conduct a risk assessment focusing on health and safety impact. Document reasons if your system is not high-risk. See Common Mistakes for pitfalls.
Step 3: Match Your AI System to the Correct Deadline
If your AI is a stand-alone software product (e.g., credit scoring tool), use the December 2, 2027 deadline. If your AI is embedded in a product like a medical device or a lift, your deadline is August 2, 2028. Systems that straddle both categories (e.g., an AI-powered safety feature in a smart toy) fall under product-integrated rules.
Action: Categorize each AI system. Create a matrix listing system name, type (stand-alone or product-integrated), and applicable sectoral law.
Step 4: Check Eligibility for SME and Mid-Cap Exemptions
Previously, only small and medium-sized enterprises (SMEs) enjoyed certain flexibilities (e.g., reduced documentation). The deal now extends those exemptions to small mid-cap companies (typically up to 499 employees). This reduces administrative costs and recurring compliance burdens.
Action: Verify your company’s headcount and turnover against EU definitions. If eligible, update your compliance strategy to leverage simplified procedures.
Step 5: Plan for Sandbox Availability
Regulatory sandboxes allow you to test AI systems under supervision before full deployment. Member states must establish these by August 2, 2027 (one year later than originally planned). Sandboxes are particularly useful for high-risk systems where uncertainty remains.
Action: Contact your national authority (e.g., data protection agency or AI office) to inquire about upcoming sandbox opportunities. Prepare a sandbox application outlining your system and testing objectives.
Step 6: Prepare for Earlier Watermarking Obligations
Watermarking requirements for AI-generated content (text, images, audio) now start on December 2, 2026 — about two months earlier than the original Commission proposal. This applies to all providers of general-purpose AI systems, not just high-risk ones.
Action: Implement technical solutions for content provenance (e.g., digital watermarks, metadata tagging) by late 2026. Test in sandbox environments if possible.
Step 7: Navigate Overlaps with Sectoral Laws
The deal removes overlapping rules for AI in machinery products and creates a mechanism to resolve conflicts for medical devices, toys, lifts, and watercraft. Now, AI features in these products follow only sectoral safety rules, as long as equivalent protection is ensured. The mechanism involves consultation between the AI Office and sectoral regulators.
Action: For each product, identify which regulation takes precedence. Work with legal teams to ensure harmonized compliance. If ambiguity persists, flag it to the national authority.
Step 8: Engage with the AI Office vs. National Authorities
The deal clarifies that the EU AI Office (based in Brussels) will supervise general-purpose AI models centrally. National authorities retain responsibility for law enforcement, border management, judiciary, and financial institutions. This means you may have two points of contact depending on your AI’s domain.
Action: Determine your primary supervisory body. For general-purpose models (e.g., large language models), register with the AI Office. For sector-specific applications (e.g., AI in policing), coordinate with your national authority.
Common Mistakes
- Confusing the two new deadlines: Don’t assume all high-risk AI has the same date. Stand-alone systems have a 2027 deadline; product-integrated systems have 2028.
- Assuming all AI is high-risk: The narrowed definition means performance-enhancing AI without safety risks may be low-risk. Over-classifying leads to unnecessary compliance costs.
- Ignoring sectoral law overlaps: If your AI is in a medical device, you must still comply with the Medical Device Regulation first. The AI Act does not replace sectoral rules.
- Missing mid-cap exemptions: Companies with up to 499 employees may now qualify. Assuming only SMEs get relief could mean missing simplified procedures.
- Delaying watermarking work: The December 2026 deadline is earlier than expected. Start technical implementation now.
- Forgetting sandbox deadlines: Member states have until 2027 to set up sandboxes, but you can start engaging them early.
Summary
The provisional deal on the EU AI Act provides much-needed relief for enterprises by extending high-risk compliance deadlines (2027 for stand-alone, 2028 for product-integrated) and reducing administrative burdens. Mid-cap companies gain exemptions, and the definition of high-risk is narrowed. However, watermarking obligations start sooner (December 2026). Key actions: update your risk classification, check eligibility for simplifications, engage with sandbox offerings, and resolve overlaps with sectoral laws. Formal adoption is expected before August 2025, so prepare now to avoid last-minute scrambles.