EU Locks in CSAM Ban and SME Relief as Enforcement Deadline Looms

In a significant move on May 7, 2026, the European Council and Parliament have reached provisional agreement on targeted amendments to the EU AI Act that clarify governance boundaries while introducing new safety prohibitions—particularly around non-consensual intimate content and child sexual abuse material (CSAM).

What Changed and Why It Matters

The amendments address three critical gaps facing Europe’s AI enforcement landscape:

1. New CSAM and Non-Consensual Content Prohibition For the first time, the Act explicitly prohibits AI systems from generating non-consensual sexual and intimate content or CSAM. This closes what many regulators saw as a dangerous loophole in the original framework.

2. AI Office Competence Clarity The deal clarifies which systems fall under EU-level AI Office supervision versus national authorities. Law enforcement, border management, judicial authorities, and financial institutions remain under national competence—a critical point for Ireland and other member states operating distributed enforcement models.

3. SME and Mid-Cap Relief The Commission’s proposed extensions grant certain regulatory exemptions previously available only to SMEs now also to small mid-caps. This addresses a genuine compliance burden that was pushing smaller EU innovators toward non-compliance or relocation.

The Practical Timeline Shift

Two deadline changes take effect:

  • AI Regulatory Sandboxes: Postponed from 2025 to August 2, 2027
  • Transparency Requirements for Generated Content: Grace period reduced from 6 to 3 months, with final deadline December 2, 2026

For Irish enterprises and EU builders, this creates a two-tier compliance calendar. High-risk systems still face August 2, 2026 enforcement under the original Act. But transparency obligations for deepfakes, synthetic media, and generated content now compress to December 2026.

What This Means for Your Compliance Strategy

For High-Risk System Builders: The CSAM prohibition and non-consensual content rules aren’t new in principle, but explicit EU-level language strengthens enforcement expectations. If your system could generate intimate or exploitative content, assume auditors will scrutinise safeguards heavily.

For SMEs and Mid-Caps: If your company qualifies as a small mid-cap under EU size criteria, audit your current exemptions against the new extended list. This could reduce documentation requirements and testing obligations.

For Irish Enterprises: The clarity on national versus EU competence matters particularly for financial services and law enforcement AI systems. Your sectoral regulator likely gains explicit authority here—clarify this with your Data Protection Office or sectoral supervisor before August.

For Transparency Compliance: The three-month grace period is shorter than expected. If your system generates any synthetic content (images, voice, video, text), begin transparency testing now for December deadline.

Open Questions Still Pending

The amendments don’t fully resolve:

  • How “small mid-cap” is defined in practice across member states
  • Which specific exemptions extend beyond SMEs
  • How CSAM detection and reporting obligations interact with the new prohibition
  • Enforcement priorities if both Commission and national authorities have concurrent interest

What’s Next

These amendments move to formal adoption in coming weeks. The real test begins August 2, 2026, when high-risk enforcement kicks in at full force. For Irish and European compliance teams, the next 14 months are critical—regulatory sandboxes now won’t arrive until 2027, meaning you’re operating in a live enforcement environment without formal safety-testing pathways.

Start with the CSAM prohibition: audit your content moderation, filtering, and incident response now.

Source: European Council and Parliament