- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
EDPB approves Europrivacy as global GDPR certification tool
April 27, 2026
On 7 May 2026, EU lawmakers reached a provisional agreement to simplify certain aspects of the EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU. and delay key compliance deadlines for high-risk AI systems.
What the proposed EU AI Act delay means for organisations
For organisations using, developing, procuring or embedding AI systems, this is a significant update, giving businesses more time to prepare. However, the AI Act is still moving forward, and it does not reduce the need for strong AI governanceThe framework of policies, processes, and roles that ensure Artificial Intelligence (AI) is developed and used responsibly, ethically, and in compliance with applicable laws, societal expectations, and corporate values. . Organisations should use the extended timeline to understand where AI is being used across the business, what risks it creates, and what controls will be needed.
Under the current AI Act timetable, many high-risk AI rules are due to apply from 2 August 2026. The proposed changes would move that deadline to:
- 2 December 2027 for stand-alone high-risk AI systems
- 2 August 2028 for high-risk systems built into regulated products, such as medical devices, machinery, toys, and lifts
Other key changes include:
- National sandboxes would need to be in place by 2 August 2027
- Providers would have until 2 December 2026 to implement transparency measures for AI-generated content
The update is part of the EU’s wider digital simplification agenda, known as the Digital Omnibus package, which was unveiled on 19 November 2025. Its goal is to reduce unnecessary compliance burden, give businesses more legal certainty, and make the AI Act easier to apply across the EU.
Expert view: Why the EU AI Act delay is not a reason to pause
David Smith, DPO and AI Sector Lead at The DPO Centre gives this initial advice for organisations:
‘The proposed delay should not be seen as a pause button. It is breathing space and organisations should use it wisely. AI governance takes time to get right, particularly where personal dataInformation which relates to an identified or identifiable natural person., automated decisions or high-risk systems are involved. The businesses that start now will have a clearer view of where AI is being used, where the risks sit, and ensure accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. is properly implemented.
‘Those that wait for the final deadline may find themselves trying to retrofit governance after AI is already deeply embedded across the organisation. This would be a costly exercise, making risks harder to identify, controls harder to implement, and accountability harder to prove. My advice is to use this time to build a clear AI inventory, review potential high-risk use cases, and make sure your governance and oversight is practical, documented, and ready to scale.’
What happens next?
The deal is not yet final, and this provisional agreement still needs endorsement by the Council and European Parliament, followed by legal and linguistic checks before formal adoption.
We will continue to monitor the progress and provide updates as the EU AI Act timeline develops.
For regular updates on data protection, AI governance and regulatory change summaries of the latest news, subscribe to The DPIA newsletter
For practical guidance on who should lead AI governance within your organisation, read our blog AI Officer vs DPO: Defining roles in AI Governance