On 16 June 2026, the European Parliament approved targeted amendments to the EU AI Act as part of the AI Digital Omnibus Regulation.
The text still needs formal approval from the Council before it becomes law, though the content is now settled. This is expected before 2 August 2026, when key AI Act obligations are currently due to start applying.
These changes will affect many organisations that operate across the EU, place AI systems on the EU market, or use AI to process data about EU residents.
The amendments focus on making the AI Act easier to apply in practice and include:
From 2 August 2026: General transparency obligations under the AI Act will apply. Businesses using AI systems that interact with people must make this clear to users.
From 2 December 2026: AI-generated content must be labelled in a machine-readable way. In practice, this means using labels such as watermarks, so that AI content can be easily identified.
Separately, a new prohibition on AI tools that generate non-consensual intimate images or child sexual abuse material also takes effect on 2 December 2026. Companies have until then to ensure relevant systems cannot be used to produce this type of content.
The most significant change is the postponement of the 2 August 2026 compliance deadline for high-risk AI systems. This covers AI used in areas such as recruitment, credit scoring, education, law enforcement, essential public services, migration and border control, and justice.
The amendments also clarify how some AI systems should be classified.
A tighter definition of ‘safety component’ now means that an AI system should only fall into this category if it is designed to prevent or reduce risks to people’s health and safety, or to property. For manufacturers, this is a helpful clarification.
Machinery products have also been carved out of the most demanding parts of the AI Act, reducing regulatory overlap for that sector.
The EU AI Office will have clearer and stronger powers, including exclusive authority to supervise certain AI systems built on general-purpose AI models, where the same provider developed both the model and the system.
If your AI stack includes large foundation models, expect more structured scrutiny at the European level.
There are also tighter rules on using sensitive personal data, such as health or biometric data, for bias testing. This type of data processing will only be allowed in limited circumstances, where it is strictly necessary and supported by appropriate safeguards. For many organisations, this is where AI compliance and data protection will need to work closely together.
An earlier draft of these amendments had removed the requirement to register certain high-risk AI systems in the EU database. Parliament has now reinstated this requirement. Notably, this applies even where a provider has concluded that its system does not meet the high-risk threshold under Article 6(3) of the AI Act. This is a nuance that may catch many businesses off guard.
David Smith, DPO and AI Sector Lead at The DPO Centre, offers this initial advice for organisations that come under the EU AI Act:
‘While implementation dates for certain aspects of the Act have been pushed back, organisations should not be taking their eye off the ball. The extra time should be used to proactively plan a clear and risk-based approach to AI compliance.
Basic transparency obligations still land this calendar year, and while the AI literacy obligations appear to have been relaxed in the text, it will remain crucial for organisations to ensure staff have adequate training to safely use AI, especially where systems use personal data or if there is a direct impact on individuals.
All indications are that the EU will use the pause in enforcement of high-risk systems obligations to produce further practical guidance, but good governance goes beyond the requirements of formal regulation. Wise companies will be laying the foundations now by cataloguing use cases and assessing the risks they pose, well ahead of enforceable law.’
Our specialist team can support you with AI risk assessments, data protection, AI governance, and EU AI Act readiness. Contact us to find out how we can help.