Three dates. One compliance problem.
August 2, 2026 is the date the EU AI Act currently requires high-risk AI system providers to meet full obligations. It’s in the enacted text. It has not changed. For compliance purposes, it is the only deadline that carries legal weight today.
December 2, 2027 is the date the EU Council’s agreed negotiating position proposes for stand-alone high-risk AI systems. August 2, 2028 is the proposed date for high-risk AI embedded in regulated products. Both figures come from the Council’s agreed position, confirmed via the EU Council’s official communications.
None of that changes anything, yet. And the planning problem it creates is the reason this brief exists.
What the Council actually did
The EU Council agreeing a negotiating position is a specific procedural event, not a legislative outcome. The Council’s position is its mandate going into trilogue, the three-way negotiation between the Council, the European Parliament, and the European Commission. The Parliament must agree before any amendment becomes law. No trilogue timeline has been confirmed as of this publication.
The Council’s position includes more than the deadline extensions. The amendments reportedly include reinforcing the AI Office’s supervisory powers, according to legal analysts tracking the proposals. The package also reportedly extends certain SME regulatory exemptions to small mid-cap companies (SMCs), though that provision could not be independently confirmed from primary sources. One element is confirmed: the Council’s position explicitly prohibits AI-generated non-consensual intimate imagery, per DPO Centre’s reporting.
The Council’s position on the deadline shift represents up to 16 months of additional runway for high-risk AI system providers, if the Parliament agrees, and if the final enacted text preserves the specific dates the Council proposed.
Both of those conditions are contingent.
The compliance planning problem
Compliance professionals now face a structural planning challenge that goes beyond “wait and see.” It has three components.
First, the August 2026 deadline is live. Organizations that have been tracking prior coverage of the Council’s conditional trigger mechanism, covered in this hub’s earlier brief on the vote, know the Council has been signaling flexibility for months. That signal is now a formal negotiating position. But signals and negotiating positions aren’t enacted law. Compliance programs cannot treat a proposed extension as a granted one.
Second, trilogue can produce outcomes that differ materially from either party’s opening position. The Parliament may accept the Council’s dates, propose different dates, or condition the extension on requirements the Council hasn’t included. Until trilogue concludes, no one knows what the enacted amendment will say.
Third, the extension, if enacted, applies differently to different product categories. Stand-alone high-risk systems and systems embedded in regulated products face distinct proposed deadlines that reflect different regulatory logic. Organizations with both types of AI deployments need to track both tracks separately, not treat the extensions as a single blanket relief.
A scenario-based planning framework
Given that uncertainty, compliance teams have two defensible approaches.
Scenario A, Plan to the August 2026 deadline. Complete conformity assessment, documentation, and technical requirements on the current timeline. If the amendment is enacted before August 2026 with extended dates, the work done is not wasted, it becomes the foundation for ongoing compliance. This scenario protects against trilogue failure or delay.
Scenario B, Plan to dual timelines. Maintain August 2026 as the working deadline while documenting the specific milestones that would shift if the amendment is enacted. This requires building a compliance roadmap with explicit branch points: “If amendment enacted by [date] with December 2027 dates, then [specific deferred actions].” This approach requires more planning discipline but is operationally realistic for organizations managing large portfolios of AI systems.
Neither scenario involves pausing compliance work on the assumption that the extensions will arrive in time to be useful.
What the other amendments mean for compliance teams
The NCII prohibition is clean in its compliance implication: organizations developing or deploying generative AI with image or video output need to evaluate whether their systems could produce non-consensual intimate imagery and build explicit technical and policy controls against it. This isn’t a deadline issue, it’s a design requirement that should be addressed regardless of when the amendment is enacted.
The AI Office powers reinforcement, if confirmed in the final text, may affect how GPAI model providers interact with supervision, a cross-pillar concern for organizations with both high-risk deployments and general-purpose AI assets.
The SMC exemption extension, if it survives trilogue, is material for organizations in that category. But given it couldn’t be confirmed from primary sources, treat it as something to watch rather than something to plan around.
The bottom line
The EU Council has done something meaningful. Formally agreeing a negotiating position with specific dates gives the market a clearer signal than it had last month. December 2, 2027 and August 2, 2028 are now the Council’s stated targets.
They’re not your new compliance deadlines. August 2, 2026 is.
Build your program to meet what’s law. Document the branch points that would apply if the amendment passes. Monitor trilogue progress. And don’t let the headline dates substitute for the planning discipline the enacted text still demands.