The European Parliament has approved major changes to the EU's Artificial Intelligence Act (AIA), establishing clear implementation deadlines and introducing a ban on AI systems that create non-consensual intimate images. On March 26, 2026, lawmakers voted 569 to 45 in favor of simplifications that give companies more time to prepare while addressing emerging harms like deepfake pornography .

What Are the New Compliance Deadlines for High-Risk AI?

One of the biggest changes is clarity on when companies must actually follow the rules. The Parliament established two distinct timelines for different categories of AI systems, replacing the previous uncertainty that had frustrated businesses trying to plan their compliance strategies .

• December 2, 2027: Companies must comply with rules for high-risk AI systems specifically listed in the regulation, including those using biometric technology, operating in critical infrastructure, education, employment, essential services, law enforcement, justice systems, and border management.
• August 2, 2028: AI systems covered by existing EU sectoral laws on safety and market surveillance get an extended timeline, recognizing that these products already face other regulatory requirements.
• November 2, 2026: Providers must comply with watermarking requirements for AI-generated audio, images, video, and text content that indicates the material's artificial origin.

These fixed dates represent a significant shift from the original regulation's vague timelines. Companies now have concrete targets for when guidance and technical standards will be ready, reducing the guesswork that has plagued AI governance across Europe .

Why Is the Ban on "Nudifier" AI Systems Important?

Perhaps the most striking addition to the revised AIA is a new prohibition on what lawmakers call "nudifier" systems. These are AI tools that create or manipulate images to make them sexually explicit or intimate while making them appear to show a real, identifiable person without that person's consent .

This ban addresses a growing real-world problem. Deepfake pornography has become a harassment tool, particularly targeting women, and the technology has become increasingly accessible. By explicitly banning these systems at the regulatory level, the EU is moving faster than many other jurisdictions to criminalize the underlying technology rather than just the misuse of it .

The regulation does include a carve-out: AI systems with effective safety measures that prevent users from creating such images would not fall under the ban. This distinction acknowledges that some legitimate uses of image manipulation technology exist, but the default position is prohibition .

How Can Companies Prepare for the New AI Regulations?

The Parliament's amendments also introduced flexibility measures designed to help companies, especially smaller ones, navigate the new rules without excessive burden. Here are the key ways businesses can prepare for compliance:

• Leverage Extended Support for Growing Companies: The regulation now extends compliance flexibility measures to small mid-cap enterprises (SMCs), not just small and medium-sized enterprises (SMEs). This helps companies that are scaling up and outgrowing traditional SME status maintain some regulatory relief as they grow.
• Understand Sectoral Law Integration: If your AI product is already regulated under EU sectoral laws covering medical devices, radio equipment, toy safety, or other areas, your AI Act obligations can be less stringent. This prevents overlapping regulatory burdens and recognizes that sector-specific safety rules may already address AI-related risks.
• Plan for Bias Detection and Correction: Service providers can now process personal data to detect and correct biases in AI systems, but only when strictly necessary and with appropriate safeguards. Companies should develop protocols for bias testing that comply with these new data protection guardrails.

The Parliament's approach reflects a pragmatic recognition that companies need time and flexibility to implement complex AI governance. Rather than imposing identical rules across all sectors and company sizes, the revised AIA creates a tiered system that acknowledges different contexts require different solutions .

What happens next is negotiations between the European Parliament and the Council to finalize the law's exact wording. These discussions will determine whether the flexibility measures and clear deadlines survive into the final regulation that companies will actually need to follow .

For AI companies operating in Europe or serving European customers, these changes represent both opportunity and obligation. The extended timelines provide breathing room to build compliant systems, but the new nudifier ban signals that Europe is willing to move quickly on AI harms that affect real people, even if broader AI governance remains in flux.