AI Act High-Risk Rules Delayed to December 2027

Parliament and Council just extended your AI Act high-risk deadline by 16 months. Annex III stand-alone systems are now due 2 December 2027, not 2 August 2026. Before you reschedule everything, note that this is still a provisional agreement. Formal adoption needs to clear before 2 August 2026 or the old deadline stands.

The extension is Brussels acknowledging what most of us already knew. Ambitious regulation without ready standards, supervisory authorities, or implementation tools is mostly a political promise. You get more time and legal certainty, but the public waits longer for some of the most important protections.

What Changed in May

AI Act high-risk: 16 months bought, provisionally. Parliament and Council agreed to push the Annex III stand-alone deadline to 2 December 2027. Product-embedded high-risk AI under Annex I goes further, to 2 August 2028. Formal adoption must still complete before 2 August 2026 for the delay to take legal effect. The same agreement prohibits AI-generated non-consensual intimate imagery and CSAM from 2 December 2026. Separately, the Commission opened consultation on Article 50 transparency obligations covering chatbot disclosures, deepfake labelling, and emotion recognition. Deadline: 3 June 2026.

ESRS: 70% of datapoints gone, one consultation left. The Commission looked at years of sustainability reporting work and cut 70% of mandatory datapoints in a Have-Your-Say consultation that opened 6 May. If you spent significant budget on CSRD readiness last year, you may want to sit down. A new voluntary standard also caps what CSRD reporters can demand from suppliers with 1,000 or fewer employees. For companies still in scope (over 1,000 employees, over €450M net turnover), the consultation closes 3 June 2026. This is the last open window before delegated acts are adopted.

Yango: €100M for shipping European data to Russia. The Dutch DPA fined Yango €100M for transferring Norwegian and Finnish driver data to Russia: driver licences, GPS tracks, IBANs, chat logs. The AP acted jointly with Norwegian and Finnish regulators. Yango has appealed.

It seems that new digital rules are being delayed, but fines under the existing ones, like GDPR, are going up. Every company routing EU data through higher-risk jurisdictions will need to demonstrate actual protection in practice, not just paper compliance. Documented transfers are necessary. They are no longer sufficient.

New on RegDossier

NIS2 Compliance Checker: five questions, tells you your tier and next obligations.

Coming Up in June

3 June 2026.
Two Commission consultations close on the same day: the revised ESRS datapoints and the Article 50 AI Act transparency guidelines. Both are official public consultations. Both go on the record. Each is worth 20 minutes of your time.

11 June 2026.
CRA notifying authorities must be designated. EU member states must name their national conformity assessment authorities by this date. Without designation, third-party assessment for important and critical connected products cannot proceed. If you manufacture for the EU market, check whether your member state has done this.
