APREX · EST. 2026
The EU has made significant changes to its Artificial Intelligence Regulation, known as the AI Act. Through what is called the «Digital Omnibus on AI,» a preliminary political agreement was reached on May 7, 2026, on a package of adjustments that postpone deadlines, clarify definitions, and introduce new provisions regarding the use of sensitive data. For Norwegian companies supplying to or operating in the EU market, these changes are highly relevant.
Two categories, two new deadlines
The AI Regulation operates with two main categories of high-risk AI systems. The first, called Annex III, covers use-based high-risk — i.e., AI used in recruitment, credit scoring, biometric identification, law enforcement, and education admissions. The deadline for fulfilling obligations here has now been postponed from August 2, 2026, to December 2, 2027, according to research based on the agreement.
The second category, Annex I, applies to AI systems embedded in regulated products — such as medical devices, machinery, toys, and radio equipment. Here, the deadline is moved from August 2027 to August 2028, a one-year postponement.
An important exception: Systems already placed on the EU market before the respective deadlines are exempt from the requirements — unless they undergo significant changes afterward.
Core obligations remain
Despite the deadline postponements, it is important to emphasize that the fundamental requirements for providers of high-risk AI systems have not been removed. Companies falling under the regulation must still establish systems for risk management, ensure high data quality in training datasets, prepare technical documentation, and ensure that there are mechanisms for human oversight. In addition, CE marking, registration in the EU database, and a quality management system are required.
New guidelines and clarifications
The EU Commission published on May 19, 2026, draft guidelines to make it easier for companies to determine whether their AI systems actually qualify as high-risk. The guidelines contain concrete examples of systems that fall within and outside the definitions, which has been requested since the original regulation was adopted.
Among the more specific changes is a reclassification of the Machinery Directive ((EU) 2023/1230), which is moved from Annex I section A to section B. This means that AI-enabled machinery will be regulated to a greater extent by sector-specific legislation, rather than a parallel double requirement from both the AI Regulation and existing safety regulations.
For Norwegian technology companies selling into the EU, this is not an exemption — it is a window that should be used for actual preparation
Extended access to sensitive data
A new Article 4a allows sensitive personal data — in the AI Regulation's terminology called «special categories» — to be used to detect and correct biases in AI models. However, access is narrow: it applies only exceptionally, and only when strictly necessary and not possible to achieve the same result with alternative data. Strict security requirements apply.
What does this mean for Norwegian businesses?
Norway is, through the EEA Agreement, linked to the EU's internal market and is expected to implement the AI Regulation into Norwegian law. This means that Norwegian businesses offering AI solutions in the EU — or using such systems in high-risk contexts — will have to comply with the revised regulations.
The deadline postponement provides more time, but compliance experts warn against interpreting it as a signal that the work can be delayed. The fundamental requirements for documentation, risk management, and human oversight are demanding to implement, and companies that wait until the deadline approaches risk running out of time.
The source for this article is Let's Data Science's coverage of the revised AI Regulation, supplemented with more detailed research on the specific regulatory changes that resulted from the Digital Omnibus agreement from May 2026.