The European Union's delay to high-risk AI system rules will raise compliance costs for organisations and expose people to poorly governed AI for longer, according to a new warning from ADC.
The European AI Act's obligations for high-risk systems have been pushed back under a provisional agreement between the European Parliament and the Council. Stand-alone systems under Annex III now face a December 2027 deadline instead of August 2026. High-risk AI used in regulated products moves to August 2028.
ADC, as reported by itbrief.co.uk, identified the lack of binding technical standards and practical guidance as the central problem. The European Commission has issued draft guidelines with examples, but they are not yet legally binding, and the exact boundaries of what counts as high-risk may still change.
The delay is not breathing space
"The delay is easily seen as breathing space," said Elianne Anemaat, Senior Manager, public & society, ADC. "But organisations that only act once all guidelines are final will create unnecessary extra work for themselves. AI systems are already running in processes that directly affect people."
Many organisations are already embedding AI into core processes before technical standards and compliance guidance have been settled. That creates a risk that systems will be designed, bought and integrated based on assumptions that later need to change. If organisations wait for the final rulebook before reviewing their systems, they may have to revisit architecture, suppliers and internal processes later and at greater cost.
The gap matters for organisations in the UK as well as the EU. Companies and public bodies that use or supply AI systems may still fall within the law's scope depending on how their systems are deployed and whom they affect.
Where high-risk AI is already running
AI tools are being used in fraud detection, recruitment, biometric identification and credit assessment. In those areas, organisations are making early choices about data flows, governance, testing and procurement without certainty over the final compliance requirements.
According to ADC, organisations that put core controls in place early will be better positioned if the final standards shift. It highlighted transparent data flows, logging, clear lines of responsibility, and models that can be tested and reviewed as measures that could reduce later disruption.
"Organisations that already put transparent data flows, proper logging, clear roles and testable models in place now will be able to align with the final standards much more easily later, without incurring unnecessary extra costs," said Anemaat.
ADC said the issue is not limited to compliance budgets or project delays. High-risk AI systems are increasingly being used in decisions that can affect a person's access to work, care, and education.
What this means for founders building with AI
If you are building or buying AI tools that touch hiring, lending, or identity verification, the clock is still running even if the deadline moved. The cost of waiting is not just a compliance penalty — it is the cost of rebuilding a system that was designed without logging, without clear data provenance, and without a testable model.
We have seen this pattern before in GDPR and financial services regulation. The teams that treated early guidance as final guidance spent less later. The teams that waited for certainty spent more.
Start with transparent data flows and logging. Those two things are cheap to add now and expensive to retrofit. If your AI vendor cannot tell you where training data came from or how decisions are logged, that is a red flag regardless of what the final rules say.
— Mira