The EU Just Gave Facial Recognition an Extra 16 Months Without Rules

ASML, Airbus, Siemens, and SAP asked for more time. The EU said yes. Facial recognition, border surveillance, and predictive policing tools get to operate without compliance requirements until December 2027.

Gray surveillance camera mounted on a pole with shallow depth of field

TL;DR: On May 7, 2026, the EU Council and Parliament struck a deal to delay high-risk AI system compliance from August 2, 2026 to December 2, 2027. That's 16 extra months where facial recognition, biometric identification, law enforcement AI, border control algorithms, and predictive policing tools operate across Europe with zero compliance requirements. AI embedded in regulated products like medical devices and machinery gets until August 2028. The official reason: "standards aren't ready." The real reason: ASML, Airbus, Ericsson, Nokia, SAP, Siemens, and Mistral AI lobbied hard, warning Europe would "over-regulate itself out of the global AI race." France and Germany backed them. The EU that branded itself the world's AI regulation leader just told its own rules to wait.

What the EU Actually Delayed

Two months ago, we wrote about the EU AI Act's August 2026 deadline, the date when high-risk AI rules were supposed to kick in. Real-time facial recognition limits. Emotion detection bans at work. Clearview-style scraping prohibitions. Biometric categorization restrictions.

That deadline is dead.

The "Digital Omnibus on AI" (a simplification package negotiated between the European Parliament and Council) pushes the entire high-risk compliance framework back by 16 months [1]. The new dates:

  • December 2, 2027: Stand-alone high-risk AI systems: facial recognition, biometric identification, law enforcement tools, border control AI, migration processing, education algorithms, employment screening, critical infrastructure
  • August 2, 2028: AI systems embedded in regulated products: medical devices, machinery, automotive safety systems, toys

The original August 2026 deadline was the centerpiece of the EU's AI regulation strategy. It was supposed to be the moment the world's toughest AI law actually started working. Instead, it's the moment the EU admitted it wasn't ready.

Seven Companies Wrote a Letter. The EU Listened.

The delay didn't happen because of some technical discovery. It happened because some of Europe's biggest companies complained.

ASML, Airbus, Ericsson, Nokia, SAP, Siemens, and Mistral AI publicly demanded regulatory relief. Their argument: Europe risked "over-regulating itself out of the global AI race" [2]. France and Germany backed the push. Technology trade groups piled on.

Commission President Ursula von der Leyen reframed the retreat as creating "a simple, innovation-friendly environment" that still protects citizens [2]. Executive Vice-President Henna Virkkunen put it this way: "We make it easier to innovate without lowering the bar on safety" [1].

But the bar didn't stay where it was. The bar got moved 16 months into the future. That's not maintaining safety standards. That's delaying them.

Swedish MEP Arba Kokalari was more blunt: "We now make the AI rules more workable in practice, remove overlaps and pause the high-risk requirements" [3]. Pause. Not strengthen. Not clarify. Pause.

16 Months Is a Long Time When You're Being Surveilled

Here's what operates without high-risk compliance requirements until at least December 2027:

  • Facial recognition by police: Law enforcement agencies across 27 EU member states can deploy facial recognition with no AI Act compliance framework in place. The ACLU has documented 14 wrongful arrests from facial recognition in the US alone. Europe has no equivalent tracking
  • Border control AI: Frontex and member state border agencies use algorithmic decision-making to flag travelers, assess asylum claims, and manage migration flows. No compliance requirements until 2027
  • Predictive policing: AI systems that predict where crimes will happen (and who will commit them) continue operating without mandatory bias testing or transparency requirements
  • Employment screening: AI resume scanners, interview scoring systems, and automated hiring tools that filter millions of job applicants across the EU. No compliance deadlines until 2027
  • Biometric categorization: Systems that sort people by race, ethnicity, sexual orientation, or political beliefs based on biometric data. Still no compliance clock running

Every month of delay is a month where these systems operate in the regulatory gap between "we passed a law" and "the law actually applies." People get misidentified. Asylum seekers get flagged by untested algorithms. Job applicants get filtered by biased AI. And nobody has to report it, test for it, or fix it, for another 19 months.

Meanwhile, US States Aren't Waiting

The timing is brutal for the EU's credibility. While Brussels hits pause, American states are accelerating.

In the past three weeks alone:

  • Colorado passed HB 1210, banning surveillance pricing and algorithmic wage-setting, with a private right of action
  • Colorado also passed SB 189, a sweeping AI governance law that Governor Polis signed
  • Connecticut passed SB-4, creating a data broker registry, centralized deletion mechanism, and surveillance pricing ban
  • Maryland signed the first US surveillance pricing ban into law

The EU spent years positioning itself as the global leader in AI regulation. The AI Act was supposed to be the GDPR of artificial intelligence: the law the rest of the world would copy. Instead, Colorado and Connecticut are moving faster on algorithmic accountability than the entire European Union.

What Didn't Get Delayed

Not everything got pushed back. A few things actually accelerated or stayed on schedule:

  • Nudifier app ban: AI tools that generate non-consensual sexual images, intimate imagery, or child sexual abuse material are prohibited immediately upon formal adoption. Irish MEP Michael McNamara called it "banning nudification apps...and the creation of child sexual abuse material using AI systems" [3]
  • Deepfake watermarking: The obligation to watermark AI-generated content moved up from February 2027 to December 2, 2026
  • Prohibited practices: The February 2025 bans on social scoring, manipulative AI, and some biometric uses remain in force
  • General-purpose AI transparency: Obligations for foundation model providers remain on their original timeline

The nudifier ban is genuinely important. But notice the pattern: the EU accelerated rules on content that generates public outrage (deepfake porn) while delaying rules on systems that powerful companies actually deploy (facial recognition, employment AI, border control). The things that cost industry money got postponed. The things that generate headlines got fast-tracked.

The "Standards Aren't Ready" Excuse

The official justification is that technical standards for compliance testing haven't been finalized. Companies, the argument goes, can't comply with rules when nobody has defined what compliance looks like [2].

There's some truth to this. The European standardization bodies (CEN and CENELEC) have fallen behind on developing the harmonized standards that the AI Act references. Without those standards, companies face genuine uncertainty about what "compliant" means.

But the standards gap didn't appear overnight. The AI Act was adopted in March 2024. The Commission had over two years to get the standards ready. The fact that they're not ready in May 2026 isn't an accident. It's a choice. Standardization bodies are staffed and funded based on political priorities. And the political priority, clearly, was not getting these standards done on time.

The delay also extends to SME exemptions. Small mid-cap enterprises (not just small businesses, but companies with up to 500 employees) now get expanded relief [3]. Regulatory sandbox access is widened. The Commission's AI Office gains centralized enforcement power over general-purpose AI. All of this tilts the playing field toward industry and away from the people these systems are deployed against.

What Happens Next

The May 7 deal is a provisional political agreement. It still needs:

  • Formal endorsement by the full Council of the EU
  • Formal vote by the European Parliament
  • Legal-linguistic revision (translation into 24 official languages)
  • Publication in the Official Journal

Adoption is expected before August 2, 2026, conveniently before the original high-risk deadline would have kicked in [3]. Once published, the new dates become binding.

The deal could still be modified in formal adoption, but provisional agreements between the Council and Parliament almost never change at that stage. This is done.

What This Means for You

  • If you're in the EU: The AI systems that scan your face at airports, score your job applications, and decide your credit aren't going to be regulated until December 2027 at the earliest. Assume they're operating without oversight, because they are
  • If you're a privacy advocate: Contact your MEPs. The formal vote hasn't happened yet. The provisional agreement is politically set, but public pressure on the record matters for future enforcement priorities
  • If you're applying for jobs in the EU: AI screening tools are everywhere, and they won't face compliance requirements for 19 more months. Ask employers directly whether AI is used in their hiring process. Many EU countries already require this disclosure under existing labor law
  • If you're crossing EU borders: Algorithmic risk-scoring at border checkpoints is expanding. You have no right to know how the algorithm assessed you, and won't until the high-risk rules apply
  • Watch the US states: Colorado, Connecticut, Illinois, and California are passing AI accountability laws right now. The regulatory action is in the states, not in Brussels

The Bottom Line

The EU AI Act was supposed to prove that democracies could regulate AI before it was too late. That ambitious laws could move at the speed of technology. That Europe wouldn't make the same mistake it made with social media: waiting until the damage was done.

Seven companies wrote a letter. France and Germany backed them. And the EU gave facial recognition, border surveillance, and predictive policing an extra 16 months to operate without rules.

The AI Act isn't dead. The prohibited practices (social scoring, manipulative AI, some biometric uses) still apply. The nudifier ban is real. But the heart of the regulation, the part that governs the systems most likely to harm people, just got pushed back to a date that most of us won't remember to check.

December 2, 2027. Mark it. And then watch whether it moves again.

References

  1. Biometric Update: "EU Pushes AI Act Deadlines for High-Risk Systems, Including Biometrics" (May 2026)
  2. The Register: "EU Hits Snooze on AI Act Rules After Industry Backlash" (May 7, 2026)
  3. European Parliament: "AI Act: Deal on Simplification Measures, Ban on 'Nudifier' Apps" (May 2026)
  4. ID Tech Wire: "EU Moves to Delay High-Risk AI Act Compliance to December 2027" (May 2026)
  5. Modulos: "EU AI Act Delayed: The Omnibus Deal" (May 2026)

Published: May 13, 2026