European Union Delays AI Act Obligations for High-Risk Systems Until December 2027
Political agreement between the Council and Parliament postpones the August 2026 deadline and opens a 19-month window for compliance, but fines and the extraterritoriality clause remain intact.
On 7 May, the Council of the European Union and the European Parliament reached an agreement that postpones the main obligations of the AI Act for those operating artificial intelligence systems classified as high-risk. The new deadline is December 2027, effectively 19 months beyond the original schedule, which anticipated requirements to start from August this year.
The negotiated package, internally referred to as the "AI Omnibus", covers the systems listed in Annex III of the legislation: applications in recruitment, credit scoring, public safety, and critical infrastructure. For systems embedded in regulated products, such as medical devices and vehicles, the deadline extends even further: to August 2028. The agreement still requires formal ratification, but firms such as Hogan Lovells and Latham & Watkins assess that the process should be expedited given the imminent original deadline.
What does not change is the fines. Penalties of up to €35 million or 7% of global revenue remain in place for violations of prohibited practices. Non-compliance with obligations regarding high-risk systems can incur costs of up to €15 million or 3% of revenue. The postponement of the compliance timeline has not suspended the sanctions regime.
For Brazilian consultancies with clients in Europe, the extraterritoriality clause also remains unchanged. Any AI system that produces effects on EU residents is subject to the same obligations, regardless of where the company is based. With over 50% of organisations still lacking a systematic inventory of the AI systems in operation, according to research by Credo AI published in April, the additional timeframe is welcome, but it does not address the underlying issue.
The prevailing sentiment in the market is one of regulatory pragmatism: the postponement reflects the immaturity of the supporting technical standards, not a weakening of the law. Obligations concerning General Purpose AI (GPAI) have been in effect since August 2025, and the parallel obligations of GDPR, NIS2, and DSA continue to demand governance measures. In Brazil, Bill 2338/2023 is progressing through Congress with a structure similar to the European model and may leverage the EU's movement as an argument for equally gradual timelines.