EU Parliament Delays Core AI Act Enforcement to 2027, Bans Deepfake 'Nudifier' Apps

On June 16, 2026, the European Parliament overwhelmingly approved the "Digital Omnibus" package, fundamentally rewriting the enforcement timeline for the world's most comprehensive artificial intelligence law. By a vote of 423 to 57, lawmakers agreed to delay the most stringent corporate compliance requirements of the EU AI Act by 16 months, pushing the deadline for "high-risk" systems from August 2026 to December 2027.[1][2][7]

The legislative maneuver offers a massive reprieve to global technology companies and enterprises that were racing to meet an impending summer deadline. However, the package is not purely a concession to industry. While corporate governance rules were delayed, the Parliament simultaneously accelerated consumer protections, instituting a strict ban on AI "nudifier" applications—software used to generate non-consensual explicit deepfakes—which will take effect by December 2026.[1][4][7]

This dual approach reflects the European Union's ongoing struggle to operationalize its landmark AI regulation. Policymakers are attempting to balance the urgent need to protect citizens from immediate digital harms against the practical reality that the technical standards required to audit complex enterprise AI systems simply do not yet exist.[2][7]

The core of the delay centers on "Annex III" high-risk AI systems. Under the original framework, any AI deployed in sensitive areas—such as recruitment, credit scoring, biometric identification, law enforcement, or critical infrastructure—faced a hard compliance deadline of August 2, 2026.[5][6][8]

To meet that original deadline, companies needed to complete rigorous conformity assessments, establish continuous human oversight mechanisms, and build extensive technical documentation proving their models were free from discriminatory bias.[5][6]

However, as the deadline approached, both regulators and the tech industry realized the necessary harmonized standards—the specific technical benchmarks companies must test against—were not ready. Enforcing the August 2026 deadline without these standards would have forced companies to guess at compliance, risking fines of up to €35 million or 7% of global annual turnover.[2][4][6]

The Digital Omnibus package resolves this by moving the Annex III deadline to December 2, 2027. For AI systems embedded as safety components in physical products (Annex I), the deadline is pushed even further, to August 2, 2028.[1][8]

Legal experts warn that the delay does not change the fundamental criteria for what constitutes a high-risk system. Draft guidelines released earlier this year clarified that human involvement in an AI process does not remove its high-risk status. If an AI system's intended purpose falls under Annex III, it remains subject to the strict oversight rules, regardless of whether a human makes the final decision.[3]

Furthermore, complex multi-agent AI pipelines will be assessed as a single entity. If a company chains together several low-risk models to perform a high-risk task—such as screening resumes—the entire architecture will be regulated under the 2027 high-risk framework.[3][5]

While enterprise compliance is delayed, the Parliament took aggressive action against immediate societal harms. The Omnibus package introduces an outright ban on AI systems designed to generate child sexual abuse material or create sexually explicit deepfakes of identifiable individuals without their consent.[1][2][7]

These "nudifier" apps have proliferated rapidly, overwhelmingly targeting and degrading women. Providers of open-source models and commercial APIs will be legally barred from placing these systems on the EU market unless they incorporate adequate technical safeguards to prevent the generation of such material.[1][7]

Companies have until December 2, 2026, to bring their systems into compliance with the deepfake ban. The prohibition extends beyond the developers to the "deployers"—meaning platforms or individuals utilizing the technology for malicious purposes will also face severe penalties.[1][6]

Alongside the deepfake ban, the Parliament adjusted the timeline for Article 50 transparency obligations. Originally slated for August 2026, the requirement to watermark and label AI-generated content in a machine-readable format has been aligned with the December 2, 2026 deadline.[1][6][8]

This watermarking mandate applies broadly, capturing not just high-risk systems but any AI interface interacting with the public or generating synthetic media. The brief delay is intended to give the industry time to adopt standardized cryptographic provenance techniques, such as those developed by the Coalition for Content Provenance and Authenticity.[6]

Despite the 16-month extension for high-risk systems, compliance engineers are urging organizations not to halt their governance programs. Building the necessary infrastructure—such as automated logging, data governance frameworks, and incident-reporting runbooks—often takes more than a year of engineering effort.[5][6]

"Organizations that pause compliance preparations pending political certainty are making a high-risk bet," noted one technical readiness guide. The foundational work of inventorying AI systems and mapping data flows remains critical, as the underlying requirements of the AI Act have not changed, only the enforcement date.[6]

The Omnibus package also clarified overlapping regulations, specifically removing redundant requirements for AI used in machinery products. Products with AI functions that merely assist users or optimize performance will not automatically face high-risk obligations unless their failure poses a direct health or safety risk.[1]

Before the new timelines become official law, the package must be formally adopted by the Council of the European Union. Given the broad consensus achieved in the Parliament and the urgent need for regulatory clarity, formal adoption is expected to proceed without significant hurdles, officially resetting the clock for global AI compliance.[1][2]