TL;DR: The EU AI Act amendments push key high-risk AI deadlines to 2027 and 2028, while preserving the regulation’s risk-based obligations and adding new prohibited practices plus updated transparency timelines, according to OneTrust. The extra time reduces implementation pressure, but it does not reduce the need for inventories, documentation, ownership, and operational oversight.
NHIMG editorial — based on content published by OneTrust: The EU AI Act's New Timeline Gives Organizations More Time, Here's How to Use It
By the numbers:
- Standalone high-risk AI systems under Annex III will now become subject to the AI Act on December 2, 2027, instead of August 2, 2026.
- High-risk AI systems embedded within regulated products move from August 2, 2027, to August 2, 2028.
- Transparency obligations for AI-generated content remain a priority, with providers expected to implement transparency measures by December 2, 2026.
Questions worth separating out
Q: How should organisations use the extra time created by the EU AI Act amendments?
A: They should use it to make governance repeatable, not to slow down.
Q: Why do delayed AI Act deadlines not reduce governance pressure?
A: Because the amendments change timing, not the underlying obligations.
Q: What is the main governance mistake organisations make when regulations move dates?
A: They treat the delay as proof that the control model has become easier.
Practitioner guidance
- Refresh AI inventories against the revised timeline Reconcile every deployed or procured AI system against the new high-risk dates, then record owner, purpose, data exposure, and regulatory classification in one living register.
- Embed approval gates into existing workflows Add AI governance checkpoints to procurement, product intake, privacy reviews, and risk sign-off so controls are captured when decisions are made, not recreated later for audit.
- Standardise evidence collection across functions Require documentation of risk decisions, human oversight, and monitoring in a format that legal, privacy, security, and operational teams can all reuse.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- A breakdown of how the amended dates map to standalone high-risk systems versus embedded regulated products.
- The article’s own guidance on embedding governance into procurement, privacy impact assessment, and product approval workflows.
- The national implementation examples that show how Member State enforcement is taking shape across Europe.
- The specific ways OneTrust positions its AI governance workflow support across the AI lifecycle.
👉 Read OneTrust's analysis of the EU AI Act amendment timeline →
EU AI Act timeline changes: what should governance teams do now?
Explore further
Deadline relief is not control relief. The EU AI Act amendments buy time, but they do not buy readiness. The compliance burden still rests on inventories, documentation, oversight, and accountable operating processes that many organisations have not yet normalised. Practitioners should read the delay as a governance maturation window, not a reprieve.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who should own AI Act readiness across the organisation?
A: No single team can own it alone. Legal, privacy, security, procurement, product, and risk functions each control part of the workflow, so ownership has to be shared and explicit. The best indicator of readiness is whether those teams can produce the same evidence set without rework when a regulator asks for it.
👉 Read our full editorial: EU AI Act amendments extend deadlines, but governance demands stay