Brussels reaches an agreement to streamline the AI Act and prohibit nudification applications.

      Following two unsuccessful trilogues, Parliament and the Council have finally reached a compromise that extends the compliance deadline for high-risk AI systems to December 2027, reduces administrative burdens for smaller firms, and incorporates a long-awaited prohibition on non-consensual intimate imagery into Europe’s key AI legislation.

      On Wednesday, the European Commission announced that representatives from both the Parliament and the Council had come to a political agreement on the so-called AI Omnibus, a set of amendments aimed at easing the implementation of the bloc's main Artificial Intelligence Act while adding a ban on AI-generated non-consensual intimate imagery.

      It took three attempts to achieve this agreement. The negotiations on April 28 broke down after around twelve hours over the evaluation of regulated products with integrated AI. A subsequent session on Wednesday, arranged with little notice before a fallback date of May 13, managed to finalize the discussions.

      Henna Virkkunen, the executive vice-president for tech sovereignty, who advocated for the simplification initiative last November, expressed that the agreement would allow companies to “focus on building, not on paperwork,” emphasizing that Europe can maintain its rules-based approach while making regulations more feasible for the industry.

      **Shifting Deadlines and Reduced Paperwork**

      The pivotal change is the revised timeline. Requirements for standalone high-risk AI systems, as outlined in Annex III, which includes areas like biometrics, education, employment, essential services, law enforcement, justice, and border management, will now take effect from December 2, 2027, instead of August 2, 2026. Regulations for AI integrated into regulated products under Annex I will begin on August 2, 2028.

      For companies in the process of developing compliance programs, this extension offers roughly sixteen additional months. Brussels emphasizes that the delay is due to the ongoing development of standards, not a backtrack: completing standardized guidelines from CEN-CENELEC and a more comprehensive library of guidance documents is essential before these obligations can be enforced.

      **Easing the Burden for Smaller Firms**

      Smaller companies will see more tangible relief, as the agreement broadens existing simplifications for SMEs to include small mid-cap firms, providing them with standardized technical documentation, reduced fees, and improved access to regulatory testing environments. The overarching goal, reiterated in the Commission’s press release, is to adapt obligations based on the size of the organization rather than apply a uniform compliance approach across all entities in the supply chain.

      **New Ban on Non-Consensual Imagery**

      The most contentious aspect is the new ban on AI systems that create child sexual abuse material or generate non-consensual intimate images of identifiable individuals. Legislators have been advocating for this since the late-2025 Grok nudification scandal, and Parliament established it as a non-negotiable point in the trilogue discussions.

      The updated text prohibits the marketing and use of AI tools designed primarily to undress individuals in images or to depict identifiable persons in sexually explicit situations without consent. Companies have until December 2, 2026, to adjust their existing products accordingly.

      This prohibition does not apply if developers have put in place adequate safety measures to prevent the generation and misuse of such content, a provision created to protect general-purpose models that already screen such outputs.

      **Political Confirmation and Pending Steps**

      TNW had reported on the political understanding regarding intimate deepfakes when Parliament incorporated it into its mandate in late March; the trilogue text generally aligns with that position, although enforcement now falls under national market-surveillance authorities and the AI Office instead of sector-specific regulators.

      Critics will point out that the package maintains the fundamental structure of the AI Act. The risk-based framework remains. Rules for foundation models, effective since August 2025, are unchanged. The Code of Practice for general-purpose AI providers continues to be voluntary. Despite moving the watermarking requirement for AI-generated content from February to December 2026, it remains compulsory.

      Civil society organizations, with over forty having signed a letter opposing the Omnibus in April, argue that the narrative of simplification obscures substantive cuts to fundamental rights protections, especially in the context of biometric identification and AI use in educational settings. Their apprehensions remain valid post-agreement: the trilogue did not alter the core obligations, only their timing and documentation requirements.

      On the other hand, the industry views the package as a component of a wider initiative for competitiveness that includes GDPR simplification and a review of the Data Act. This agreement supports that interpretation: every concession within the AI Omnibus is procedural, rather than substantial.

      The political agreement requires formal approval from the Parliament’s plenary session and from ministers in the Council, expected to occur before the summer recess. If this does not happen, the initial high-risk deadline of August 2, 2026, will apply, a situation the Commission has sought to avoid for the past six months.

      Simultaneously, national authorities will have the task of ensuring