EU AI Act Amendments: Why the High-Risk Delay Is Not a Compliance Holiday

The EU is already negotiating amendments to the AI Act before many companies have finished reading the law properly. That is not a typo. The political process has moved into trilogue discussions on targeted changes, and this week those talks reportedly stalled after long negotiations.

The most relevant issue for regulated-product companies is simple to state and hard to solve: how should the AI Act treat high-risk AI systems that are already covered by existing EU product safety legislation, including medical devices and toys?

A delay to high-risk AI obligations would be useful. But it is not a compliance holiday. It is time to build the evidence model properly.

What appears to be changing

According to public reporting and Oliver Patel’s summary of the negotiations, one sticking point is the treatment of high-risk AI systems under Annex I, Section A of the AI Act: systems that are safety components of products, or themselves products, regulated under existing Union harmonisation legislation.

Today, these systems can face the full set of high-risk AI requirements. For medical device manufacturers, this creates a familiar but uncomfortable question: how much of the AI Act should be assessed through the existing MDR or IVDR conformity assessment route, and how much becomes a separate AI governance layer?

There is also broad institutional support for moving the high-risk AI application date from 2 August 2026 to 2 December 2027. The Commission’s position appears more conditional, linking timing to the availability of standards. The final text is not settled, and the EU has a talent for late-night compromise. Still, the direction is clear enough for planning.

Why this matters for MedTech and regulated products

For a low-risk chatbot, a delay mostly changes the roadmap. For a medical device with AI functionality, it changes the integration problem.

These companies already live with quality management systems, risk management, clinical evaluation, post-market surveillance, cybersecurity, software lifecycle controls, and conformity assessment. The AI Act does not arrive on an empty desk. It lands on top of existing regulatory machinery.

The practical question is therefore not “Do we comply with the AI Act separately?” The better question is:

• Which AI Act requirements can be evidenced through existing MDR, IVDR, or product-safety processes?
• Where do new controls need to be added, especially for data governance, transparency, human oversight, accuracy, robustness, and logging?
• How will Notified Bodies interpret duplicated or overlapping evidence?
• Which standards, common specifications, and guidance documents will become the practical benchmark?

The dangerous interpretation: “we can wait”

The worst response to a likely deadline extension is to pause. That creates a false sense of safety and usually produces a rushed remediation project later.

If the date moves to December 2027, companies gain time to make AI governance boring. That is good. Boring is what mature compliance looks like. But boring only happens when evidence requirements are mapped early into design controls, software lifecycle documentation, risk management, supplier controls, clinical claims, and post-market processes.

Waiting until the final legal text is perfect is also unrealistic. The final text may clarify scope and timing, but it will not remove the need for disciplined documentation, traceable risk controls, representative data, monitoring, and accountable human oversight.

What leadership should do now

Executives do not need to chase every Brussels rumour. They do need a pragmatic readiness plan that can absorb legal changes without starting from zero each time.

1. Inventory AI functionality in regulated products. Include embedded AI, cloud services, decision-support features, data-processing pipelines, and third-party AI components.
2. Classify where each system sits under the AI Act logic. Pay special attention to Annex I product-safety routes and whether the AI system is a product, a safety component, or a supporting tool.
3. Map AI Act obligations to existing QMS evidence. Do not duplicate documents for sport. Reuse existing controls where they are genuinely sufficient, and identify gaps where they are not.
4. Strengthen data governance. Training, validation, test data, bias analysis, representativeness, and data provenance will be painful if left until the end.
5. Prepare for standards-based conformity. Track harmonised standards and guidance, but do not wait for them before defining internal expectations.
6. Build a change-control bridge between regulatory, quality, product, and AI teams. The AI Act is not only a legal task. It is an operating-model task.

The standards dependency is real

The Commission’s reported position, linking the application date to the availability of standards, reflects a practical truth: many AI Act requirements need operational interpretation. Companies need to know what “sufficient” looks like for data governance, risk management, technical documentation, logging, transparency, and human oversight.

But standards are not magic. They help define acceptable practice; they do not design your product controls for you. A company that waits passively for standards will still need to translate them into procedures, templates, technical files, verification evidence, supplier contracts, and release gates.

My view

The stalled trilogue is not surprising. The EU is trying to amend a complex horizontal law while keeping it compatible with sector-specific product regulation. That is difficult, especially where medical devices and other safety-critical products are concerned.

For MedTech leaders, the sensible posture is neither panic nor complacency. Treat the potential delay as a chance to reduce duplication, align AI Act evidence with the QMS, and create a clean story for conformity assessment.

If the deadline moves, use the time. If it does not move as expected, you will still be better prepared. That is the point of good regulatory strategy: it survives political noise.

Conclusion

The AI Act amendment process may give high-risk AI providers more time, and regulated-product companies should welcome that. But the real advantage will go to organisations that use the extra runway to integrate AI governance into existing product-safety systems instead of treating it as a separate compliance binder.

The question is not whether the EU gives you another year. The question is whether your evidence model will be mature when the year disappears.