European Parliament delays implementation of parts of the EU AI Act

The European Parliament’s Thursday vote to delay parts of the EU AI Act adds more uncertainty to the already chaotic AI compliance universe. But analysts say that CIOs must proceed as though the compliance rules are in effect. 

In a statement, Parliament said that its members decided to “delay the application of certain rules on high-risk artificial intelligence (AI) systems, to ensure that guidance and standards to help companies with implementation are ready.”

There is a calendar problem with this, in that they voted to delay part of the AI rules in such a way that the deadlines will push right up against the date on which the EU has committed to making a final decision. 

Delay is not a reprieve

Analysts and consultants were virtually unanimous in their recommendations that enterprise CIOs must not wait and must instead operate as though the rules are already in effect.

“It’s good that they have clarified the extension [because] previously it was a moving target,” said Nader Henein, a Gartner VP analyst. “It’s not great that the final decision will happen so close to the old deadline that organizations have no choice but to proceed as originally planned. Since the first draft of the EU’s Digital Omnibus proposal back in November, our guidance to clients has been to treat any potential extension as an opportunity to better test-out and improve the process for cataloging and managing AI systems.”

Henein added: “The major gating factor for the current timeline was that regulators would not have been ready to enforce. This is still the case. Spain is one of a handful of countries who stood up a regulator, and even the EU AI board is behind on the kind of guidance needed by organizations to properly understand their obligations when it comes to high risk AI systems. Those obligations that, as it stands, come into effect on August 2.”

Cybersecurity consultant Brian Levine, executive director of FormerGov, said that the move to delay major AI Act restrictions until 2027 “leaves CIOs in a regulatory limbo, but it doesn’t change the underlying reality: enterprises still own the risk their AI systems create.”

“Whether Brussels enforces the rules next year or two years from now, the operational, legal, and reputational exposure from poorly governed AI is already here. CIOs shouldn’t treat the delay as a reprieve,” Levine said. “The organizations that wait for perfect regulatory clarity are the ones most likely to discover that their models have been quietly generating compliance, privacy, or safety liabilities long before any enforcement clock started ticking.”

Parliament proposed that “for high-risk AI systems specifically listed in the regulation–including those involving biometrics, and those used in critical infrastructure, education, employment, essential services, law enforcement, justice and border management,” the regulation would be applied on Dec. 2, 2027. For AI systems “that are “covered by EU sectoral legislation on safety and market surveillance,” it set a date of Aug. 2, 2028. The statement also noted that members are “in favor of giving providers until November 2, 2026 to comply with rules on watermarking AI-created audio, image, video or text content to indicate its origin.” 

Use time to prepare

Jason Hookey, executive counselor at the Info-Tech Research Group, said that he agreed with some of Parliament’s decision.

“The EU’s choice to delay high-risk AI obligations makes sense. Most people agree with the purpose of these rules, but there are concerns that organizations won’t be able to meet them without sufficient guidance, technical standards, or appropriate support. It’s important to note that the delay only changes the timeline, not the main goals around high-risk AI,” Hookey said. “Organizations that use this time well will be better prepared for compliance, control, and building market trust. Those who wait may only put off problems and miss out on the benefits of well-managed AI.”

Others pointed out that the European Union’s decisions are only recommendations to its many member states, who have the authority to make any changes they want for their countries. 

Procedural risk

EU resolutions operate at two levels, noted Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group. 

“There is a policy decision at the EU level and there is an implementation definition at the member states level. For this reason, even after the policy is set and published, they usually leave years-long implementation times for the member states to comply and release their own legislation that will define the implementation requirements for that member state,” Villanustre said. “I don’t think this particular case will be any different, so the actual deadline may be further in the future than what the draft legislation indicates.”

In addition, Doug Barbin, president of compliance firm Schellman, warned CIOs, “there’s also a real procedural risk here: if Council and Parliament negotiations drag past August 2026, the original deadlines stay on the books. CIOs who’ve been sitting on their hands are the most exposed to that scenario. The organizations investing in governance infrastructure now won’t be the ones in crisis mode later. This is extra time — use it.”

Barbin said the market is slowly shifting to broader strategies. “This is where compliance is going: less around specific actions and more about governance and risk,” he said.

High cost of waiting

Yvette Schmitter, CEO of the Fusion Collective consulting firm, said she is concerned that CIOs will take the wrong message away from what the European Parliament did. 

“I think it is bad in the sense that it gives people a false sense of security in that they have more time. [It is] trying to give them more time, but companies will never be ready,” Schmitter said. “Courts don’t care about your regulatory compliance timeline. When your AI system produces detrimental or discriminatory outcomes at scale, ‘we were waiting for final guidance’ won’t survive depositions.”

Sanchit Vir Gogia, chief analyst at Greyhound Research, argued that these decisions amount to mixed messages, which serve to deepen the AI regulatory confusion.

“The shift in timelines has removed a clear enforcement anchor, but it has not reduced the expectation of accountability. If anything, it has made decision-making harder. Enterprises are now operating in a mixed state where some obligations are already in force, others are expected later, and internal teams are interpreting risk in different ways. That combination creates confusion long before any regulator steps in,” he said, noting that many companies will want to slow down and wait for the final regulation.

“That instinct is misplaced,” he said. “Waiting assumes clarity will arrive early enough to act on it. In practice, clarity tends to arrive late, unevenly, and often after internal decisions have already been made. CIOs who choose to pause are not reducing exposure. They are simply postponing the moment when that exposure becomes visible.”

Gogia also suggested that there are hardcore financial costs associated with waiting.

“There is a belief that delays reduce spend. In reality, the opposite often happens. Work that is paused has to be restarted. Teams lose context. Designs are revisited. Governance added late is more expensive than governance built in from the start,” he said. “Vendor contracts entered into without clarity become difficult to unwind. None of this shows up immediately, which is why it is often underestimated. But over time, the cost of waiting tends to exceed the cost of acting with intent.”