The EU Council agreed a position to streamline certain rules within the AI Act, confirmed by the Council’s official communications. Before examining what changed, compliance teams need to understand what this position actually is procedurally. The Council’s agreed position is an internal EU legislative milestone. It is not final law. Trilogue negotiations with the European Parliament must follow before the revised provisions become binding. The dates and obligations described here reflect the Council’s position, not the enacted statute. They may change.
With that framing in place, the substance matters.
The Revised Deadline Structure
Two compliance dates define the Council’s revised timeline for high-risk AI systems.
According to the EU AI Act implementation timeline, the Council’s position sets December 2, 2027 as the compliance deadline for stand-alone high-risk AI systems classified under Annex III. These are systems deployed in sensitive domains: education, employment, critical infrastructure access, law enforcement, migration and border control, and administration of justice.
High-risk AI systems embedded in regulated products governed by Annex I, meaning systems that are components of products already subject to EU product safety legislation, face an August 2, 2028 deadline, per reporting on the Council’s agreed position. One independent source cited a different date for this category. Human verification against the official Council document is recommended before these dates are treated as final.
The practical question for compliance teams is whether these dates represent acceleration or relief relative to their current planning assumptions. For organizations that had already aligned internal timelines to earlier published dates, the revised schedule provides additional runway. For organizations that had not yet started compliance planning, the deadlines are now more clearly defined, which removes an excuse more than it adds time.
What Did Not Change
Deadline revision does not mean obligation reduction. The AI Act’s high-risk classification criteria, conformity assessment requirements, transparency obligations, human oversight mandates, and documentation standards are not reported to have changed in the Council’s position. Organizations cannot interpret the revised timeline as a signal to narrow the scope of their compliance programs. The scope is what it was. The calendar shifted.
The Registration Requirement: Back on the Table
One element of the Council’s position deserves specific attention. The mandate is reported to reinstate or clarify the obligation for providers of high-risk AI systems to register those systems in the EU AI database. Exact confirmation requires review of the official Council text.
The registration obligation exists in Article 16 of the AI Act. Some organizations treating compliance as a phased effort may have deprioritized this obligation, particularly if internal assessments judged it administrative rather than substantive. If the Council’s position reinstates or sharpens this requirement, those organizations need to move it forward in their compliance roadmap. Registration readiness requires knowing which systems qualify as high-risk, maintaining that classification as systems evolve, and having the documentation to support the registration entry. None of that is fast to build.
New Prohibited Practices: Non-Consensual Synthetic Content
The Council’s position is reported to include new provisions addressing AI-generated non-consensual sexual and intimate content. The exact scope, whether this represents a new prohibited practice under the AI Act or parallel legislative action, requires verification against the official Council text. What is clear is the regulatory direction: the EU is moving to extend the AI Act’s prohibited practices framework to cover AI-generated intimate imagery without consent.
This development is not isolated. The same week, the EU Parliament approved the Council of Europe’s Framework Convention on Artificial Intelligence, an international treaty that extends AI governance obligations beyond EU borders. The UK is simultaneously fast-tracking legislation targeting non-consensual intimate deepfakes. The regulatory convergence on synthetic intimate imagery across three jurisdictions in a single week is a pattern compliance and legal teams should register.
Practical Compliance Recalibration
Organizations with active EU AI Act compliance programs should take three actions.
First, verify the revised dates against the official Council text at consilium.europa.eu before updating any internal planning milestones. The December 2, 2027 and August 2, 2028 dates are well-corroborated but not yet final law.
Second, audit whether the registration obligation is present and properly resourced in the current compliance program. If it had been deprioritized, the Council’s position is a signal to restore it.
Third, assess whether any AI systems in scope could generate non-consensual intimate content or CSAM. If so, that capability, or its absence, needs to be documented now, before a prohibition is enacted. Prohibition compliance is faster when the assessment has already been completed.
The EU AI Act has always been a multi-year compliance program, not a single deadline event. The Council’s revised timeline adds clarity on the schedule. It does not simplify the work.