Brussels reaches an agreement to simplify the AI Act and prohibit nudification applications.
Following two unsuccessful trilogues, the Parliament and Council have finally reached a compromise, extending the high-risk compliance deadline to December 2027, easing administrative burdens for smaller businesses, and incorporating a long-anticipated ban on non-consensual intimate imagery into Europe’s primary AI legislation.
On Wednesday, the European Commission announced that the negotiators from both the Parliament and the Council achieved a political consensus on the so-called AI Omnibus—a bundle of amendments intended to relax the enforcement of the bloc's flagship Artificial Intelligence Act and add a prohibition on AI-generated non-consensual intimate imagery.
It took three negotiation attempts to achieve this. The session on April 28 ended after about twelve hours of discussions regarding the conformity assessment of AI integrated into regulated products. A last-minute session on Wednesday, set to occur ahead of a fallback date of May 13, bridged the remaining gaps.
Henna Virkkunen, the executive vice-president for tech sovereignty, who spearheaded the simplification efforts through the College of Commissioners last November, remarked that the agreement allows companies to “focus on building, not on paperwork.” She emphasized that this outcome demonstrates Europe’s ability to maintain its rules-based framework while making it more feasible for industry.
Key changes include alterations to compliance deadlines and reductions in paperwork. The main adjustment is the timeline: obligations on high-risk AI systems specified in Annex III—covering areas such as biometrics, education, employment, essential services, law enforcement, justice, and border management—will now take effect from December 2, 2027, instead of August 2, 2026. Rules for AI integrated into regulated products according to Annex I will begin on August 2, 2028.
For businesses currently developing compliance programs, this extension grants approximately sixteen additional months. Brussels maintains that this delay results from incomplete standards work, not a withdrawal; harmonized standards from CEN-CENELEC and a comprehensive set of guidance documents are necessary prerequisites for activating these obligations.
Smaller businesses will receive more defined reductions in their regulatory burdens. The agreement expands existing simplifications available to SMEs to include small mid-cap companies, offering template technical documentation, reduced fees, and better access to regulatory sandboxes. The intention, reiterated in the Commission’s announcement, is to tailor obligations to the size of the organization rather than impose a uniform compliance model across the entire value chain.
A notable and politically sensitive aspect of the agreement is the new ban on AI systems that produce child sexual abuse material or any non-consensual intimate images of identifiable individuals. This provision emerged following the controversy surrounding Grok's nudification scandal in late 2025, with the Parliament insisting it be a non-negotiable aspect of the trilogue.
The new legislation prohibits the marketing and use of AI tools primarily designed to undress individuals in images or to portray recognizable persons in sexually explicit contexts without consent. Companies are required to ensure compliance for existing products by December 2, 2026.
The prohibition does not apply to developers who have put effective safety measures in place to prevent misuse, a concession aimed at protecting general-purpose models that already filter such content.
Reports from TNW highlighted the political agreement regarding intimate deepfakes when Parliament formalized it in its mandate in late March; the trilogue text aligns largely with that stance, though responsibility for enforcement now falls to national market-surveillance authorities and the AI Office, rather than sectoral regulators.
Critics point out that the core structure of the AI Act remains intact: the risk-based framework persists, and foundational model regulations, which have been in place since August 2025, are unchanged. The Code of Practice for general-purpose AI providers continues to apply voluntarily. Mandatory watermarking obligations for AI-generated content have shifted from February to December 2026 but remain in effect.
Civil society organizations, over forty of which opposed the Omnibus in a letter in April, argue that the narrative of simplification conceals genuine reductions in protections for fundamental rights, particularly concerning biometric identification and the use of AI in educational settings. Their concerns remain valid: the trilogue did not revisit the substantive obligations, only their timing and paperwork requirements.
Conversely, the industry views this package as part of a broader competitiveness initiative, including GDPR simplifications and a review of the Data Act. This is reflected in the agreement, where every concession in the AI Omnibus is procedural rather than substantive.
The political agreement still requires formal approval from both the Parliament’s plenary and the Council of ministers, which is anticipated before the summer break. Without this endorsement, the original compliance deadline of August 2, 2026, will remain, a scenario the Commission has been attempting to prevent for six months.
National authorities are also tasked with a parallel responsibility: they must ensure that simplified documentation forms, sandbox templates, and small-medium company guidance are established well ahead of the new deadlines, or the promised relief on paper will not translate into actual relief.
