The EU has a new provisional agreement on amendments to the AI Act, announced May 7, 2026. If this sounds like deja vu—yes, the EU is amending AI regulation it barely finished writing. That’s because the original AI Act had problems, and the European Commission’s Digital Omnibus aimed to fix them. Here’s what actually changed and why it matters.

The big win for industry: more time. The compliance timeline for high-risk AI systems has been pushed back significantly. Rules for AI systems outlined under Annex III (the high-risk categories) will now apply from December 2, 2027—a 17-month extension from the original deadline. Rules for AI systems integrated into products subject to product safety regulation (Annex I) get an extra year, applying from August 2, 2028. Companies subject to the AI Act just got a meaningful reprieve.

But there’s a new restriction. The provisional agreement introduces an Article 5 amendment that prohibits AI systems designed to generate harmful content—specifically non-consensual sexual content and child sexual abuse material. If your AI system lacks appropriate safeguards against these uses, it’s banned. This is a direct response to the proliferation of deepfake tools and the recognition that some AI capabilities are genuinely dangerous in ways that require hard stops, not just guidelines.

The transparency obligations got tighter, not looser. Here’s the twist: while high-risk systems got a grace period, the transparency requirements—watermarking, content labeling—now have a shorter compliance window. Providers must implement solutions by December 2, 2026, reducing their time from six months to three. The Code of Practice on Transparency of AI-Generated Content is expected in the coming months, but the clock is ticking.

SMEs get real relief. The agreement extends compliance privileges to a new category: “small mid-cap” organizations—companies with fewer than 750 employees and less than €150 million annual turnover. These organizations get simplified technical documentation requirements and more proportionate penalties for non-compliance. It’s a recognition that the original AI Act was written with big tech in mind and that startups need different treatment.

There’s a new sandbox. The agreement creates an EU-level AI regulatory sandbox operated by the AI Office, with priority access for SMEs, startups, and small mid-caps. It also postpones the national sandbox deadline by one year to August 2, 2027. This is explicitly designed to promote innovation—the EU wants to avoid choking off AI development while regulating it.

The provisional agreement must be formally endorsed by August 2, 2026—the date high-risk obligations would have applied under the original regulation. If the agreement is not finalized, the existing provisions apply. That’s a tight timeline, but the political signal is clear: the EU is trying to balance innovation and safety, even if it’s doing so through multiple rounds of amendment.

For organizations, the key takeaway is this: the December 2, 2026 deadline for transparency obligations is real and approaching. Whether you’re labeling AI-generated content or building systems that could be used for harm, the compliance window is narrowing, not widening.