EU Tentative Deal Delays High‑Risk AI Rules to 2027 and Bans Nudification Tools
What Happened — European leaders reached a provisional agreement to simplify the EU AI Act. The deal postpones enforcement of high‑risk AI provisions to December 2027 and adds a ban on AI‑driven nudification tools, effective 2 December 2024.
Why It Matters for TPRM —
- Delayed compliance windows give vendors more time to adjust controls, but also extend the period of regulatory uncertainty.
- The explicit ban on nudification tools creates a new compliance requirement for any AI service that generates synthetic imagery.
- Exemptions for mid‑cap firms reshape the vendor landscape, potentially shifting risk exposure toward larger providers.
Who Is Affected — Technology vendors offering AI SaaS, API providers, cloud‑hosted AI platforms, and downstream enterprises that integrate high‑risk AI (biometrics, HR, law enforcement, critical infrastructure).
Recommended Actions —
- Review contracts with AI‑related suppliers to confirm they can meet the December 2027 deadline and the nudification ban.
- Validate that vendors have documented processes for bias detection, correction, and data‑subject consent.
- Update third‑party risk questionnaires to capture EU AI Act compliance status and any exemption claims.
Technical Notes — The agreement does not introduce a new technical vulnerability; it is a regulatory change. It narrows the scope of the AI Act by exempting mid‑cap enterprises and permits limited personal‑data processing for bias mitigation. The nudification ban targets generative models that create non‑consensual sexual imagery.
Source: The Record