United States 
Canada (EN) 
México 
France 
Deutschland 
United Kingdom 
The changes—part of a broader EU simplification push following a provisional agreement reached between the Parliament, Council, and Commission on 7 May 2026—push back key compliance deadlines, introduce an outright ban on artificial intelligence (AI) tools used to generate nonconsensual intimate imagery, and resolve a long-standing overlap in the rules governing AI used in industrial machinery.
The EU Council still needs to sign off before any of this takes legal effect, but it is expected to do so before 2 August 2026. This article provides a broader cross-sector overview of the amendments. For more commentary on the implications for employers and HR teams specifically, please see our recent article, “EU Reaches Provisional Agreement to Delay Rules for AI Use in Employment Decisions.”
Quick Hits
- Key deadlines extended. For AI deployed in high-risk settings—e.g., hiring, education, law enforcement—the main compliance deadline shifts from 2 August 2026 to 2 December 2027. AI built into regulated products like medical devices and machinery gets until 2 August 2028.
- Certain apps are banned. AI systems generating nonconsensual intimate imagery or child sexual abuse material (CSAM) are outlawed from 2 December 2026. The ban covers both the companies that build these tools and those that deploy them.
- AI content labelling deadline extended. Tools already on the EU market before 2 August 2026 have until 2 December 2026 to add machine-readable labels identifying outputs as AI-generated.
- Machinery double-compliance resolved. AI-enabled machinery products will no longer need to satisfy both the EU AI Act and existing product safety laws simultaneously.
What Has Changed
Deferred Deadlines for High-Risk AI
The AI Act’s heaviest obligations fall on AI used in high-risk contexts. For employers, that principally means AI that is involved in recruitment decisions, performance evaluations, and access to essential services. Under Annex III to the AI Act, “high-risk” employment systems include AI used to place targeted job advertisements, filter applications, evaluate candidates, make decisions affecting employment terms, promotions, terminations, task allocation, and monitor or evaluate workers’ performance or behaviour. These requirements are now deferred by sixteen months—to 2 December 2027—largely because the industry technical standards that businesses need to benchmark compliance against are not yet ready. That is a legitimate reason for the extension, but it does not mean organisations can stand down. Enforcement bodies are already operational, a number of obligations are already live, and the original 2 August 2026 deadline stays on the books until the Council formally adopts this package.
Ban on ‘Nudifier’ Apps
From 2 December 2026, offering, selling, or using AI systems in the EU that generate realistic intimate imagery of an identifiable individual without the individual’s consent—or that produce CSAM—will be illegal. For tool developers, liability arises where this is the intended function or a foreseeable outcome without adequate safeguards; for businesses deploying third-party tools, liability arises where the tool is deliberately used for this purpose, including by disabling the developer’s own safety controls. The European Parliament’s co-rapporteur for the Civil Liberties, Justice and Home Affairs Committee, put it plainly: these apps “impact real people, overwhelmingly women, with the purpose of humiliating, degrading and objectifying them.”
Other Changes
Manufacturers of AI-enabled machinery escape the dual-compliance burden that existed under the original text: going forward, they need only satisfy the relevant product safety rules, with AI-specific requirements to be folded into those rules by 2028. Separately, AI features that do no more than assist users or optimise performance will not automatically attract the heavier compliance obligations, unless a failure could create a health or safety risk. Businesses that need to use sensitive personal data to test their AI systems for bias now have a clearer (if tightly constrained) basis to do so. And the small and medium-sized enterprises (SME) compliance exemptions have been extended to cover a broader group of growing mid-sized businesses.
What This Means for Employers
The extended deadline matters most to organisations that use AI in hiring and workforce management—tools for screening candidates, assessing performance, or allocating work all fall squarely in the high-risk category. The extra time is welcome, but those who have not yet taken stock of their AI landscape should start now rather than treating December 2027 as the new starting gun. The rules banning the most harmful AI applications and requiring staff who work with AI to have an appropriate level of AI literacy are already in effect. Employers using a vendor’s AI system for employment purposes are also required to follow the vendor’s instructions for use, which vendors are legally obliged to provide—making vendor contract review an immediate practical priority.
Any business offering or deploying AI content-generation tools needs to pay attention to the nudifier ban. The 2 December 2026 deadline is under six months away. Tool developers should be auditing their systems now; deploying organisations should be reviewing their acceptable-use policies and checking what their vendor contracts actually say about liability for misuse. For more discussion of the compliance steps employers can take now in relation to high-risk employment AI, including a breakdown of the Annex III categories and human oversight obligations, see our previous article, “EU Reaches Provisional Agreement to Delay Rules for AI Use in Employment Decisions.”
Key Dates
- 2 August 2026: AI content labelling applies to new tools. Most remaining AI Act provisions take effect.
- 2 December 2026: Content labelling is extended to existing tools. The nudifier and CSAM ban takes effect.
- 2 December 2027: Full compliance is required for high-risk AI in employment, education, law enforcement, and similar settings.
- 2 August 2028: Full compliance is required for AI in regulated physical products such as medical devices and machinery.
Note: The extended deadlines above are not yet legally binding. The EU Council must still formally approve the text, and it must be published in the Official Journal of the European Union before it takes effect. Council approval is expected before 2 August 2026, at which point the original EU AI Act deadlines will be superseded.
Looking Ahead
This is a recalibration, not a retreat. The core framework of the EU AI Act is unchanged, and the speed with which the nudifier ban was added—responding directly to a series of high-profile incidents—shows that the EU legislature is prepared to act quickly when it sees a clear problem. As noted in our earlier article on this topic, the delay in compliance deadlines does not change the underlying obligations for high-risk workplace AI; it simply provides additional time to prepare. More Commission guidance is expected in the coming months, including practical examples to help businesses work out where their AI tools fall within the EU AI Act’s risk tiers.
Ogletree Deakins’ Cross-Border Practice Group, Cybersecurity and Privacy Practice Group, and Technology Practice Group will continue to monitor developments and will provide updates on the Cross-Border, Cybersecurity and Privacy, Employment Law, and Technology blogs as additional information becomes available.
Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts
