The EU has always been that student who hands things in early. So when Brussels announced on May 7th that it was pushing back several key deadlines in the AI Act — the world’s first comprehensive AI law — you could feel the surprise ripple through policy circles. But read the fine print, and “postponement” doesn’t quite capture what’s happening.

What’s actually on the table is the first real overhaul of the EU AI Act since it was adopted in June 2024. Negotiators from the Council, Parliament, and Commission reached a provisional agreement on the “Digital Omnibus on AI” — a package of amendments that does three things at once: it kicks some deadlines down the road, it restructures the relationship between the AI Act and existing product safety rules, and it adds something genuinely new — explicit prohibitions on AI-generated intimate imagery and CSAM without consent.

The timeline is now staggered, not monolithic

The single August 2026 enforcement cliff is gone. High-risk AI systems under Annex III — that’s use-based classification covering things like AI used in hiring decisions, credit scoring, and customer profiling — now have until December 2, 2027. That’s a 16-month breather. Annex I systems — product-regulated categories like medical devices and lifts — get until August 2, 2028. National regulatory sandboxes, which member states were expected to have running by August 2026, also get that extra year.

The reasoning is pragmatic rather than political. standards-setting bodies like CEN-CENELEC simply weren’t going to have the technical guidelines ready in time. The EU was essentially legislating into a void of operational infrastructure. Pushing deadlines is embarrassing for Brussels, but less embarrassing than enforcing requirements nobody knows how to satisfy.

The Machinery Regulation shuffle

The more technically interesting change is buried in how the AI Act’s Annex I gets restructured. AI-enabled machinery has moved from Section A to Section B — meaning sector-specific product safety rules now take precedence over the AI Act’s high-risk obligations for those products. Instead of running two compliance tracks in parallel, manufacturers now deal primarily with the Machinery Regulation, with the Commission adopting delegated acts by August 2028 to incorporate AI-specific health and safety requirements. It’s a tacit acknowledgment that layering AI Act obligations on top of existing product safety frameworks created unworkable complexity.

Also refined: the definition of “safety component.” AI systems used purely for convenience, efficiency, or performance optimization will no longer automatically qualify as high-risk unless their failure could genuinely endanger health or safety. That’s a meaningful narrowing for a lot of enterprise AI tooling.

The new prohibitions are where it gets personal

The addition of Articles 5(1)(ea) and 5(1)(eb) — banning AI systems that generate non-consensual intimate imagery and CSAM — is the most visible moral line the Act has drawn since the February 2025 ban on social scoring. These take effect in December 2026. The framing distinguishes between providers and deployers: providers get hit if their system’s intended purpose includes this material, or if they failed to install adequate safeties against foreseeable misuse. Deployers face action only if they actively use the system for generating prohibited material, including by circumventing provider safeguards. Accidental output is explicitly excluded.

The carve-outs for national law defenses are narrow enough to satisfy most member states but broad enough to generate the usual compliance ambiguity about what “without right” actually means across jurisdictions.

What’s the upshot? The EU is not weakening the AI Act — it’s building a staircase instead of a cliff. Whether that staircase leads somewhere useful or just delays the reckoning remains to be seen.