articleNovember 28, 2025
The European Commission is proposing amendments to the AI Regulation. The most important of the proposed changes would be to delay the launch of high-risk rules until uniform standards and support tools are in place. This is in line with the position of the Confederation of Swedish Enterprise, which emphasizes that regulations must be practically practicable before they come into force.
The aim of the EU’s AI Regulation, which sets out harmonized rules for artificial intelligence, is to promote trustworthy AI in Europe. The AI Act is being phased in, and rules regarding prohibited AI activities and general purpose AI models are already in place today. What remains, and what is most business-critical, are the provisions for systems classified as high risk in Appendices I and III (see fact box).
These include risk management, documentation, data governance, logging, robustness, and human oversight requirements. Under the current schedule, Annex III requirements will apply from 2 August 2026 and Annex I requirements from 2 August 2027, but the high-risk rules will be postponed.
There are several reasons for this.
First, the development of unified standards has been delayed. The high-risk rules of AI regulation are meant to be operationalized through standards, and without standards, companies lack a practical and legally sound way to demonstrate compliance.
Secondly, the Commission wants to avoid a scenario where rules start to be applied before standards, common specifications and supervisory regimes are in place. This can result in high costs and the risk of fragmented national interpretations, making it difficult for companies to meet requirements on time and remain compliant. Postponing implementation is therefore a way to avoid a regulatory framework that is practically unworkable.
Adjustment is essential
However, this suspension only resolves the immediate question of when the rules apply, not how the regulatory framework will work in practice alongside other EU legislation. Therefore, many companies need to be more strategic about aligning their AI regulations with things like the General Data Protection Regulation (GDPR), the Digital Services Act (DSA), the Cyber Resilience Act (CRA), and the upcoming Swedish cybersecurity law implementing the NIS2 Directive.
The European Commission’s AI Secretariat will play a central role in developing common templates, guidance and practical tools to harmonize implementation and reduce administrative burden and regulatory fragmentation across Member States. But we are not there yet.
What can businesses do now?
First, AI systems need to be classified early, as the differences between Annex III and Annex I rules determine the entire planning process from investment to contract.
Second, companies need to start building internal governance structures. That is, roles, documentation, records, and risk processes that can be established without regard to detailed criteria.
Third, it would be wise to align regulatory workstreams to ensure that GDPR, DSA, CRA, NIS2, and AI regulations are handled within a common compliance framework rather than as separate projects.
Businesses need to stay on track
Pause provides valuable rest space, but it’s not a pause button for business departments. Timelines remain fluid. Negotiations in Brussels are likely to take longer, with no standardization work completed and overlaps with other EU rules remaining. Therefore, companies should prepare for multiple scenarios, including the possibility that high-risk requirements may come into effect earlier than the proposed date.
Companies that have already mapped their AI systems, strengthened their internal governance, and adjusted their compliance processes will be best prepared when the clock starts again in 2027, 2028, or even earlier.
Text: Adam Ack
Proposal to postpone high-risk rules in AI regulation
Appendix III: High-risk areas
Examples: Recruitment, Credit Assessment, Education, Biometrics
– Latest proposed start date: December 2, 2027 (previously August 2, 2026)
– Faster start possible: Yes, if standards and supporting tools are deemed ready
– Transition period in case of early start: 6 months
Appendix I: High risks under the Product Safety Act
Examples: medical equipment, machinery, personal protective equipment
– Proposed start date: August 2, 2028 (previously August 2, 2027)
– Faster start possible: Yes, by decision of the European Commission
– Transition period in case of early start: 12 months
What does this mean for businesses?
– The timeline is determined by the completion of the standard, but the latest start date is fixed.
– Businesses will receive compliance support, but should prepare for the rules to be implemented sooner.
– If the start is brought forward, the adaptation window will be relatively short. 6-12 months.
Please also read
EU listens to Nordic GDPR proposals, but some questions remain
Please also read
av regelverk integration for data delning and digital omnibus
