EU Parliament Delays AI Act High-Risk Deadlines to 2027 and Bans Nudifier Apps

# EU Parliament Delays AI Act High-Risk Deadlines to 2027 and Bans Nudifier Apps

The European Parliament has voted overwhelmingly to push back the AI Act's most consequential compliance deadlines by more than a year, while simultaneously introducing a new prohibition on AI-powered nudifier applications. The twin moves, adopted by 569 votes to 45 with 23 abstentions during the March 2026 plenary session, mark the most significant revision to the landmark regulation since its adoption in 2024 and set the stage for trilogue negotiations that could reshape how and when companies must comply with Europe's AI rulebook.

The delays are part of the seventh Digital Omnibus package on simplification, first proposed by the European Commission on November 19, 2025. Under the original AI Act timeline, rules governing high-risk AI systems were set to take effect on August 2, 2026. The Parliament's adopted position now proposes two staggered deadlines: December 2, 2027 for stand-alone high-risk AI systems listed under Annex III, covering applications in biometrics, critical infrastructure, education, employment, essential services, law enforcement, justice, and border management; and August 2, 2028 for AI systems embedded in products already regulated under EU sectoral legislation on safety and market surveillance.

The rationale is straightforward: the compliance infrastructure has not arrived on time. Harmonized standards from European standardization bodies remain unfinished. Conformity assessment procedures lack operational detail. Regulatory guidance documents that companies need to classify their systems and build governance frameworks have been delayed or are still in draft form.

Why the Delay Was Inevitable

Co-rapporteur Michael McNamara (Renew, Ireland) framed the Parliament's position as pragmatic rather than permissive. "I'm glad that it was possible to achieve a compromise acceptable to the majority of the Parliament and at least the centrist parties," McNamara said after the vote. He emphasized that the extensions reflect real-world gaps in readiness, not a softening of regulatory ambition.

The delays have drawn sharp criticism from civil society organizations. TechPolicy.Press warned that the extended timeline lets high-risk AI systems "dodge oversight" during a period when deployment is accelerating. Healthcare diagnostics, hiring algorithms, credit scoring tools, and law enforcement applications will continue operating without the risk assessments, documentation requirements, and human oversight mechanisms that the AI Act was designed to mandate.

Yet industry groups and legal analysts have largely endorsed the pragmatic logic. A detailed analysis by law firm A&O Shearman, published as trilogue negotiations opened, identified multiple unresolved technical questions around conformity assessment infrastructure that would have made the original August 2026 deadline unworkable for most companies. The International Association of Privacy Professionals (IAPP) reached similar conclusions, noting that key guidance documents from the European Commission arrived late or incomplete, leaving companies without clear compliance pathways.

Both the Council and Parliament have now converged on fixed postponement dates rather than open-ended extensions, a signal that co-legislators want to preserve regulatory certainty even as they grant additional time. A political agreement on the consolidated text is expected at the next trilogue meeting on April 28, 2026. If that timeline holds, endorsement by Parliament and the Council could follow in May and June, with publication in the Official Journal potentially arriving in July, just ahead of the original August 2 deadline.

The Nudifier Ban: A New Prohibited Practice

Alongside the delay, MEPs introduced a provision that was not in the Commission's original proposal: a ban on AI systems that generate or manipulate sexually explicit or intimate images resembling an identifiable real person without that person's consent. The so-called nudifier prohibition would join the AI Act's existing list of banned practices, which already includes social scoring, manipulative subliminal techniques, and certain forms of real-time biometric surveillance.

Greens MEP Kim van Sparrentak described the ban as "a huge win for women's rights and child protection," adding that "women across the EU were being targeted by tools that stripped them of their dignity and made them vulnerable to blackmail and abuse."

McNamara noted that the nudifier ban, if agreed in the final trilogue text, could start applying almost immediately after publication, potentially as early as July 2026, making it one of the fastest-acting provisions in the AI Act's history. The ban would not apply to AI systems with effective safety measures that prevent users from creating such images, a carve-out that could prove contentious in negotiations as co-legislators debate what constitutes an "effective" safeguard.

Watermarking Gets a Tighter Deadline

In a counterpoint to the high-risk delays, MEPs proposed accelerating the timeline for AI content watermarking and transparency rules. The Parliament's position sets November 2, 2026 as the deadline for watermarking rules on AI-created audio, image, video, and text content, three months earlier than the Commission's proposed February 2027 date. The move reflects growing urgency around synthetic media and deepfakes, particularly in the context of upcoming elections and escalating disinformation campaigns across the bloc.

What This Means for Companies

The practical impact splits along two axes. For companies deploying stand-alone high-risk AI systems, the December 2027 deadline provides approximately 16 additional months to complete risk classification exercises, establish governance frameworks, prepare technical documentation, and build monitoring systems. For manufacturers embedding AI into regulated products such as medical devices, machinery, and vehicles, the August 2028 deadline grants a full two-year extension.

But the breathing room comes with a caveat. Companies that treat the delay as license to defer compliance planning entirely may find themselves scrambling. The Jacques Delors Centre, a Brussels-based think tank, has warned that the omnibus approach risks sending a signal that the EU is retreating from its regulatory ambitions, potentially undermining the competitive advantage that early AI governance was supposed to provide European firms. OneTrust's analysis of the omnibus package echoed this concern, noting that organizations should use the additional time to build robust compliance infrastructure rather than wait for final deadlines to approach.

The trilogue negotiations that began in April 2026 will determine whether the Parliament's positions survive intact. The Council's own negotiating mandate largely aligns on the fixed-date approach for delays, but the nudifier ban and watermarking timeline may face pushback from member states with different priorities. A consolidated text could emerge within weeks, potentially before the original August 2 deadline renders the question moot.

For Europe's AI ecosystem, the message is paradoxical but clear: the most ambitious AI regulation in the world is simultaneously being strengthened with new prohibitions and weakened by infrastructure delays. Whether companies read that as an invitation to prepare or an excuse to wait will determine whether the AI Act achieves its purpose when the extended deadlines finally arrive.