Something strange happened to the EU AI Act between 2023 and 2026. When it was first unveiled, Ursula von der Leyen called it the law that would “transpose European values to a new era.” When the revised version was finalized this May, she described it as creating “a simple, innovation-friendly environment.” That’s not a small shift in rhetoric — and it’s worth asking what actually changed.

The big amendments, finalized May 7th, did two significant things. First, they pushed back the implementation deadline for high-risk AI systems — the kind deployed in employment decisions, critical infrastructure, and biometric identification — from August 2026 to December 2027. Requirements for AI integrated into products already covered by sector-specific regulations got pushed back even further, to August 2028. Second, they carved out industrial applications entirely: AI used in car manufacturing and semiconductor lithography machines is now exempt from the high-risk framework.

Germany pushed hard for that industrial exemption. Chancellor Friedrich Merz was explicit about it — he wanted Germany’s legacy manufacturing sector to have free rein with AI, and he got it. This is the EU doing what the EU often does: compromise that leaves no one fully satisfied but everyone vaguely accommodated.

So does this mean the AI Act is broken? Some commentators are saying exactly that. But Nicole Lemke, a senior policy researcher at the European think tank Interface, has a more nuanced read: “The fundamental ambition of the legislation has not changed as dramatically as some commentators would say. The AI Act was always, and still is, based on a risk-based architecture.”

She’s right to push back. The revisions left the timetable for general-purpose AI model rules completely intact. The rules covering OpenAI, Anthropic, Mistral, and everyone else building frontier models are still set to take effect in August. That’s the core of the Act — the part that actually regulates the most powerful AI systems — and it hasn’t budged.

What’s changed is the periphery. The high-risk system rules, the ones that would have caught AI used in hiring algorithms and surveillance tools, have been delayed because the European Commission hasn’t finished writing the guidance that would tell companies how to comply. That’s a bureaucratic failure more than a political one. And the industrial carve-out is real, but it’s also targeted — it covers specific sectors, not AI broadly.

The August deadline for foundation model compliance is the thing to watch. When those rules land, companies will have to disclose training data, publish summaries of content used, and meet certain safety standards. That’s when we’ll see whether the AI Act’s teeth are real or whether Europe’s ambitious regulatory framework is mostly bark.

For now, the Act has been softened around the edges but its spine is intact. The story of the EU AI Act in 2026 isn’t about retreat — it’s about the messy business of actually implementing ambitious regulation against an industry that moves faster than any legislative timeline anticipated.