EU eyes targeted AI Act amendments to create legal certainty
Published: 12 November 2025, 10:02 GMT+1
Europe's Tech Commissioner, Henna Virkkunen, says the Commission will table "targeted amendments" to the AI Act next week as part of a broader digital simplification package. The goal: provide legal certainty to industry while key technical standards are still missing ahead of the next enforcement phase in August.
Speaking at Web Summit in Lisbon, Virkkunen made clear the Commission remains committed to the law's core principles. But she signaled temporary relief may be needed to bridge the standards gap and reduce administrative friction across AI, data, and cybersecurity rules.
What's on the table
- Targeted amendments to the AI Act, presented on 19 November, pending approval by the College of Commissioners.
- A broader "digital omnibus" to streamline compliance, touching AI, data policy, and cybersecurity.
- According to circulating drafts, a potential one-year grace period that would defer fines for misuse until August 2027.
Context legal teams should note
The AI Act has phased obligations tied to risk. The next milestone lands in August, but several technical standards aren't ready. That gap raises practical questions for conformity assessments, documentation, and enforcement timing.
Big Tech and the US administration led by Donald Trump have criticized the rules for overreach. Meanwhile, CEOs from over 40 major European firms asked for a two-year pause before key duties kick in. The Commission says it won't cave to external pressure, but it is open to targeted, time-bound adjustments.
Michael O'Flaherty, Human Rights Commissioner at the Council of Europe, warned against diluting core protections. Efficiency is welcome, he said, but not at the expense of safety and rights.
Why this matters for in-house counsel and compliance
- Standards lag: Without finalized harmonized standards, teams face uncertainty on "what good looks like" for risk management, data governance, logging, transparency, human oversight, and post-market monitoring.
- Enforcement timing: A grace period would adjust when fines bite, not the direction of travel. Prepare for enforcement, but pace resourcing against credible timelines.
- Stacked obligations: Expect coordination with data rules and cybersecurity requirements. Alignment with instruments like the NIS2 Directive could be part of the simplification effort.
What could change (and what likely won't)
- Likely: Clarifications that reduce duplicative filings, ease documentation where standards are pending, and sequence obligations more predictably.
- Possible: Time-limited grace periods for enforcement to August 2027, especially where standards are essential to demonstrate conformity.
- Unlikely: Any rollback of the law's central risk-based approach or safety and rights protections. The Commission signaled firm commitment to the main principles.
Action checklist for legal teams
- Map systems: Maintain an inventory of AI use cases and classify them under the AI Act risk categories. Flag likely high-risk systems early.
- Prep the core files: Keep living drafts of risk management, data governance measures, technical documentation, traceability/logging, human oversight, and post-market monitoring plans.
- Track standards: Monitor CEN-CENELEC and ISO/IEC developments. Where standards are missing, document interim controls and rationale.
- Procurement clauses: Update vendor and model provider contracts with conformity, data quality, logging, incident reporting, and audit rights.
- Rights impact focus: Where applicable, plan rights and safety assessments and stakeholder engagement to support defensibility if challenged.
- Cross-reg alignment: Reconcile AI Act controls with GDPR, product safety, and cybersecurity duties to avoid contradictions and rework.
- Scenario plan: Model both timelines-no grace period vs. one-year grace. Stage budgets, hiring, and tooling accordingly.
Key dates
- 19 November: Commission to present the simplification package with targeted AI Act amendments (subject to College approval).
- Next August: Next phase of AI Act obligations set to apply; standards gap is the immediate friction point.
- Draft signal: Potential grace period would delay fines for misuse until August 2027. Treat as provisional until adopted.
Authoritative resources
Upskilling your team
If you're building an AI compliance playbook and need structured training for legal roles, here's a curated starting point:
Bottom line: Expect precision tweaks, not a U-turn. Use any grace period to tighten documentation, align contracts, and pressure-test risk controls so you're audit-ready when standards land.
Your membership also unlocks:
