EU reaches provisional deal to ban AI-generated nudification deepfakes and confirms December 2027 delay to high-risk AI Act provisions in digital omnibus package
European Union member states and European Parliament lawmakers have reached a provisional agreement on a watered-down version of the EU AI Act's high-risk provisions as part of the European Commission's broader digital omnibus package — a legislative bundle designed to streamline and simplify EU digital regulation. The deal has two headline outcomes. First, it confirms the postponement of enforcement of high-risk AI system rules — covering biometrics, critical infrastructure, education, employment, law enforcement, and border management — from the previous deadline of 2 August 2026 to 2 December 2027, giving companies and regulators over an additional 16 months to prepare. Second, the provisional deal includes a new ban on the use of AI to create pornographic deepfakes and sexualised imagery, a measure that survived the broader softening of the regulation. The delay to high-risk provisions is the most commercially significant element for City firms and their clients. AI systems used in financial services hiring decisions, credit scoring, and fraud detection that fall within the Act's high-risk categories now have additional runway before mandatory compliance obligations — including conformity assessments, transparency documentation, and human oversight requirements — take effect across EU member states. The digital omnibus package was explicitly designed to reduce the compliance burden on European businesses that had raised concerns about the Act's original implementation timeline being too compressed. However, the retention of the deepfake prohibition signals that the EU is not abandoning its core consumer protection principles even while extending the timeline for enterprise compliance.
Why this matters
The December 2027 delay gives financial services clients — banks, insurers, and fintech companies deploying AI in employment, credit, and fraud detection — a longer window to build compliant governance frameworks, but it also reduces the urgency of immediate legal spend on conformity assessments, shifting advisory demand from near-term sprint compliance to longer-horizon programme work. For UK firms advising EU-operating clients, this is a live practice area because UK businesses with EU operations remain within the AI Act's territorial scope. The retention of the deepfake ban as an immediate prohibition is a reminder that the EU is sequencing its AI regulation rather than abandoning it — meaning the compliance runway will close, and the firms that complete governance frameworks earliest will have a competitive advantage.
On the Ground
A trainee on an AI governance advisory matter would assist with drafting a regulatory impact assessment memo mapping a client's AI systems against the EU AI Act's high-risk categories, mark up data processing agreements to account for AI-specific obligations, and help prepare vendor due diligence questionnaires for third-party AI tool providers.
Interview prep
Soundbite
The 2027 delay buys time but doesn't cancel the compliance obligation — AI governance programmes can now be phased rather than rushed.
Question you might get
“A financial services client deploys an AI tool for credit scoring decisions in the EU. What steps should their legal team take now following the confirmation of the December 2027 deadline for high-risk AI Act compliance?”
Full answer
The EU has provisionally agreed to delay enforcement of high-risk AI Act provisions to December 2027 while simultaneously introducing an immediate ban on AI-generated nudification deepfakes, as part of the digital omnibus package. For law firms and their clients, the delay is commercially meaningful: financial services companies deploying AI in high-risk categories — credit scoring, hiring, fraud detection — now have additional runway before conformity assessments and human oversight requirements become mandatory. The wider context is a deliberate EU strategy of sequencing AI regulation to reduce near-term compliance burdens on European businesses while maintaining core prohibitions on the most harmful AI applications. The critical implication for advisers is that the delay should be used to build robust governance frameworks rather than to defer the work, because the December 2027 deadline is firm.