Europe Blinked and Hit Snooze on Its Own AI Alarm
Dr. Ramy Azzam

In late May, writing about the package that Brussels had nicknamed the AI omnibus, I told my readers it was not a retreat. I described it as a regime settling into its enforcement posture, smoothing the path to compliance while keeping the obligation to comply firmly in place. I stand by part of that. But I owe an update, because the detail that has become clear since changes the picture. A large part of what Europe agreed on 7 May 2026 was not a streamlining at all. It was a delay, and not a small one.
Here is what the political agreement between the Council and the Parliament actually does. The obligations for standalone high-risk AI systems, the ones listed in Annex III of the Act, covering AI used in health services, hiring, education, biometric identification, creditworthiness, and law enforcement, were due to become applicable on 2 August 2026. They have been moved to 2 December 2027. That is a slip of 16 months. The obligations for high-risk AI embedded in regulated physical products, the category that contains medical devices, were due on 2 August 2027. They have been pushed to 2 August 2028, a full additional year. This is the first substantive amendment to the AI Act since it was adopted in 2024, and its headline effect is to hand the hardest parts of the law considerably more runway.
I want to be precise about what did not move, because the delay has been reported in some places as if Europe had gutted its own law, and that is not true either. The transparency obligations under Article 50, the rules that require a system to disclose when you are interacting with AI, remain on their original schedule and take effect this August. A new prohibition was actually added, banning AI systems that generate non-consensual intimate imagery and child sexual abuse material. The headline penalties are untouched, still up to €35 million or 7% of global turnover for the prohibited practices. So the architecture of the law stands. What changed is the timing of its most demanding obligations, and timing is precisely the part that matters to anyone who was building toward a date.
Two Stories, and Both Are True
There are two ways to tell the story of this delay, and the temptation is to choose the one that flatters whatever you already believed. I am going to resist that, because I think both are true at the same time.
The charitable story is about readiness. The harmonised technical standards that high-risk compliance depends on, the ones being drafted by the European standards bodies, were genuinely not finished. Asking companies to comply with obligations whose detailed standards do not yet exist is asking them to aim at a target nobody has drawn. On that reading, the 16 months is a pragmatic admission that the scaffolding fell behind, and that forcing the original date would have produced expensive paperwork rather than real safety.
The uncharitable story is about pressure. The delay arrived after a sustained campaign by large technology companies, and by several accounts by the current US administration, to soften Europe's digital rules. More than 50 civil-society and digital-rights organisations signed a letter opposing any postponement. At least one member state, Malta, asked for more time simply to scrutinise the proposal. Analysts at TechPolicy.Press argued that by combining a delay with the law's non-retroactive design, the bloc risks leaving some of its most sensitive AI applications outside meaningful oversight altogether. The Corporate Europe Observatory documented, article by article, how industry shaped the rollback. One Commission consultation on the package reportedly drew 11 or 12 participants, all but one of them from industry.
You do not have to pick. Standards can be genuinely late and powerful interests can genuinely use that lateness to win a delay they wanted anyway, for reasons of their own. Both happen in the same room, often in the same sentence. What I take from it is a question. When a safety timeline moves, the right thing to ask is who carries the risk during the extra time. In this case, for the part of the Act that governs health, the answer is patients.
What the Delay Means for Health Specifically
For the systems I work closest to, the consequence is concrete. AI built into a medical device, a diagnostic imaging tool, a piece of software that monitors a patient, continues for now to be governed by the existing medical-device and in-vitro diagnostic regulations, and the additional AI Act layer that was meant to sit on top of them has just been deferred to 2 August 2028. The existing law is real and it is not nothing. But it was written for devices that are fixed at the point of approval, not for systems that learn, drift, and change behaviour between one model update and the next. The AI Act layer was the part designed to address exactly that, continuous performance, post-market monitoring, the obligations that assume a system keeps moving after it ships. That is the layer that just slipped.
There is a sensible provision in the package that I genuinely welcome. It empowers the Commission to limit duplicate AI Act requirements where sectoral law, such as the medical-device regulation, already imposes equivalent obligations. Nobody is served by a manufacturer filing the same evidence twice under two regimes that do not talk to each other. But equivalence has to be demonstrated, not assumed, and the honest truth is that the medical-device regulation was not built for adaptive algorithms. So the practical effect, for the next two years, is that the gap the AI Act was meant to close for medical AI stays open a while longer, and the people standing in that gap are the ones relying on the technology to be right about their bodies.
The Part That Worries Me Most
If the delay were only a delay, I could make my peace with it. What unsettles me is how it interacts with a quieter feature of the law, which is that the Act is largely not retroactive. Its high-risk obligations bite hardest on systems placed on the market after the relevant date, and treat what is already deployed far more gently. Stretch the date out by 16 months, and you widen the window in which a system can be put into service and run much of its useful life before the strict obligations ever attach to it. For a particular cohort of systems entering health settings between now and the end of 2027, the delay is closer to an exemption.
That is the heart of what the critics at TechPolicy.Press and elsewhere have been arguing, and I have come round to thinking they are right. A 16-month slip described as breathing room can function, for the systems that arrive during it, as something much closer to a permanent pass. The people who will never be covered by the protection are the patients interacting, over the next two years, with precisely the high-risk tools the strict regime was written to govern. When a safety rule is postponed, somebody is always volunteered to absorb the risk in the meantime, and it is rarely the people who lobbied for the postponement.
There is a wider signal here. For years the EU AI Act has been the anchor of the strict approach, the reference point every other jurisdiction measured itself against. The United States, under the current administration, has moved deliberately the other way, toward a lighter touch. So when the strictest regulator in the world softens its own timeline under pressure, it moves the global baseline, because everyone calibrates to the anchor, and the anchor just drifted.
The Gulf Is at Risk of Drawing the Wrong Lesson
I spend a great deal of my time thinking about how all of this lands in the Gulf and the wider MENA region, because the region is writing its own frameworks now, on a comparatively clean sheet, with the rare advantage of watching how the mature regimes behave under load. The danger in a moment like this is that the wrong lesson is the easiest one to reach for. That lesson sounds like this. Even Europe blinked, even the strictest regulator on earth pushed its rules back under pressure, so the smart move for an ambitious region is to keep its own regime light and let the technology run.
I think that reading is exactly backwards. What this spring actually demonstrates is how expensive it is to write obligations before the standards that make them workable exist. Europe delayed because it tried to switch on the obligation before the instrument panel was built. The lesson for a region drafting from scratch is to sequence the two together, to write the standard and the duty as one piece of work, so that the date you set is a date you can actually hold. A framework built that way is the thing that lets serious developers commit, because the rules are legible and the trust underneath them is real.
The UAE has just given that idea a concrete shape. In June 2026, Sheikh Mohammed bin Rashid Al Maktoum approved the creation of a single federal Artificial Intelligence and Data Authority, reporting directly to the Cabinet and chaired by the Minister of State for Artificial Intelligence, Omar Sultan Al Olama. It folds three previously separate bodies, the AI Office, the digital-government arm of the telecoms regulator, and the Emirates Data Office, into one mandate spanning national AI strategy, digital government, and the integration of government data. This is the same country that became, in 2017, the first in the world to appoint a minister for artificial intelligence, and it is not moving slowly: a Cabinet framework to shift half of all government services to agentic AI within two years, and a 90-day sprint that has just drawn more than 300 officials from 50 federal entities. Speed is plainly not what the Gulf lacks.
The question I keep pressing is whether that institutional energy gets aimed at the unglamorous half of the work as deliberately as it is aimed at deployment. Consolidating data and AI governance into one accountable authority is exactly the structural move that makes a coherent rulebook possible. The opportunity is to treat an authority like that as an accelerator of adoption as well as the place where the standard and the obligation are written together, on time, so the region never faces the choice Europe just made, between enforcing rules nobody was ready for and postponing them under pressure. Build the instrument panel alongside the engine, and you never have to ground the plane.
What I Am Telling the Builders Who Ask
The advice I keep giving has not changed because a deadline moved, and that is the whole point. I build and advise on precisely the systems this regime is reaching for. CIGMA, the social-impact wellness platform I founded, and its companion MOA, were built from the start to stay inside narrow, honest boundaries about what they claim and what they do. Through EthicaLabs I advise organisations on the governance architecture they will need when the obligations land, on whichever date they finally land. And after 13 years in digital health, with WhatsHealth now taking shape, I have watched enough cycles to know what a delay does to a roadmap if you let it.
What it does, in the unprepared organisation, is invite a pause. The deadline moved, so the governance work that was urgent in April becomes a problem for next year, and the calendar quietly reopens. That is the same mistake the deregulation crowd made two years ago, simply pointed in the opposite direction. The work that high-risk compliance requires, a living evidence base that reflects the system actually running today, a documented and enforced scope, a named answer to who is accountable when it errs, a decision history you can reconstruct on demand, takes far longer than 16 months to build well. Treating the delay as time off is how you arrive at the new date doing the work in public, under audit, the way the least-prepared always do.
The organisations that will be standing comfortably in December 2027 are the ones treating these 16 months as build time rather than as a reprieve. There is nothing about that work that is incompatible with moving fast. It is incompatible only with moving carelessly, and a postponed deadline does not make carelessness any cheaper.
I have started telling teams to write the new dates on the wall and then refuse to be soothed by how far away they look. The work between now and then is the slow accumulation of the evidence, the scope, and the accountability that cannot be conjured in a single quarter once the deadline finally stops moving.
The Ramyfications Worth Holding Onto
The risk that Europe's high-risk rules were written to address, that a capable system acting in a consequential setting will get something wrong and that nobody will be clearly answerable for it, is exactly as present in 2027 as it was going to be in 2026. All that changed is how long we have agreed to live with it unaddressed.
I would still rather build for the world those rules describe than for the world the delay invites people to imagine, the one where the date never quite arrives. The date will arrive. It always does. The interesting work, the work I most want to be having conversations about, is in using the extra time the way it was nominally granted for, to build the unglamorous infrastructure properly.