
The EU AI Act Timeline Has Changed. Here Is What That Means for MENA.

The EU Council adopted a negotiating position on March 13 that pushes high-risk AI system deadlines to late 2027 and 2028. For organizations operating across the EU–MENA corridor, the change requires a careful reading, not a sigh of relief.

In March 2026, the compliance picture for organizations operating across the EU–MENA corridor shifted in ways that require a careful reading, not a sigh of relief.

In an earlier piece on this site, I outlined what the EU AI Act means for organizations with cross-border exposure between Europe and MENA: how extraterritorial reach works, what risk tiering requires in practice, and why MENA-based organizations with European operations, partnerships, or clients are already in scope. That framing remains accurate. What has changed is the enforcement timeline, and the change is more complicated than most coverage suggests.

What the EU Council Decided on March 13

On March 13, 2026, the Council of the European Union adopted its negotiating position on the Digital Omnibus VII package. This legislative simplification initiative amends the AI Act's implementation timeline. The Council mandate establishes new backstop dates for high-risk AI system obligations:

Stand-alone high-risk AI systems (those listed in Annex III — which covers employment, education, credit scoring, biometric identification, critical infrastructure, and other high-stakes applications) now have a compliance deadline of December 2, 2027, pushed from the original August 2026 target.

High-risk AI systems embedded in regulated products (listed in Annex I — medical devices, machinery, vehicles) move to August 2, 2028.

The Council mandate also added new provisions not in the original Commission proposal: an explicit prohibition on AI systems generating non-consensual intimate imagery or child sexual abuse material, now inserted as a prohibited practice under Article 5. It also reinstated the obligation for providers to register AI systems in the EU database even where they self-classify their systems as outside the high-risk tier.

The Commission gains a new obligation to issue sector-specific implementation guidance: a concession to businesses that have struggled to determine their own compliance obligations without it.

What Has Not Changed

The Council mandate is not law. It is a negotiating position. The European Parliament's IMCO and LIBE committees adopted their own position on March 18, five days after the Council, by 101 votes in favour. A plenary vote is scheduled for March 26. After that, trilogue negotiations between the Parliament, the Council, and the Commission will produce the final text, with adoption not expected before mid-2026 at the earliest.

Until the Digital Omnibus VII is formally adopted, August 2, 2026 remains the legally binding deadline for high-risk AI systems. Organizations that treat December 2027 as a confirmed date are making a planning error.

General Purpose AI model obligations are already in force and are unchanged by any of this. Prohibited practices under Article 5, including the newly added NCII/CSAM prohibition, apply immediately upon adoption of the final text. The fundamental compliance architecture of the Act is intact.

Why an Extended Runway Is Not a Reduced Obligation

The Council's own mandate explains the reasoning behind the delay: the compliance infrastructure — harmonised standards, notifying bodies, national competent authorities — has not been built fast enough to make the original August 2026 deadline practically achievable. This is a structural readiness problem on the EU side, not a signal that the Act's requirements have softened.

Several provisions in the Council mandate actually tighten obligations relative to what was proposed:

The registration requirement for providers who self-classify their systems as non-high-risk has been reinstated. This matters for MENA-based providers selling AI into the EU market who might have assumed a light-touch compliance path.

The strict necessity standard for processing special-category personal data in bias detection has been restored: a direct compliance concern for organizations running AI systems that handle sensitive data categories about EU residents.

The new NCII/CSAM prohibition applies to any AI content-generation tool with EU market exposure. Organizations operating AI systems capable of generating synthetic media need to assess their compliance with this prohibition independently of the high-risk timeline question.

The MENA Dimension

For organizations in the Gulf with EU-linked supply chains, financial relationships, or market exposure, the extended timeline provides additional runway for conformity assessments on high-risk systems. That runway is real, but it runs to December 2027 at most, not indefinitely, and it is conditional on the Parliament and Council reaching agreement before August 2026.

Baker Botts' recent advisory to Gulf energy executives flags a point worth underlining: many operational AI systems already in use in energy, infrastructure, and industrial applications meet the high-risk threshold under Annex III or Annex I, even if their operators have not classified them as such. The deadline extension does not change their classification. It changes when enforcement begins.

For Morocco and Tunisia, the situation is different. Both countries operate under EU association agreements that create direct trade-linked regulatory alignment pressure. The Digital Omnibus VII delay in Brussels does not translate into a delay in domestic AI governance timelines for EU-adjacent North African markets. Morocco's Digital X.0 Framework Law and the anticipated National Agency for AI Governance are on a domestic schedule that responds to Morocco's own strategic positioning, not to Brussels' compliance calendar.

For organizations with operations across both Gulf and North African markets, the practical implication is that compliance planning cannot track a single EU timeline. It requires a jurisdiction-by-jurisdiction assessment of where obligations apply, at what stage, and on what timeline.

What Organizations Should Do Now

The safest approach, given where the legislative process stands, is to prepare as if August 2026 is the operative deadline while planning on the assumption that December 2027 becomes the enforced date. Organizations that deprioritize compliance work on the basis of the delay may find themselves without recourse if trilogues run late and the original calendar applies by default.

Three immediate priorities remain unchanged from any earlier assessment:

An AI system inventory with genuine coverage, including third-party and procured systems, is the foundation of any defensible compliance position. This work is valuable regardless of what the final deadline is.

Governance structures adequate to the Act's requirements (accountability chains, human oversight mechanisms, logging) take time to build and embed. The additional runway is most useful to organizations that start building now.

Organizations with MENA operations should monitor the Parliament's plenary vote on March 26 and the subsequent trilogue process. The final text may tighten timelines relative to the Council's position, or introduce further changes to prohibited practices and registration requirements.


Rabii Agoujgal is an AI governance professional based in Casablanca, Morocco, specializing in the MENA region and the EU–MENA regulatory corridor. He works with regulated enterprises, international development organizations, and government clients on AI governance strategy, compliance readiness, and policy advisory, in Arabic, French, and English.
