EU’s AI Rules Get a Timeline Overhaul—But Not a Single Large Language Model Passes the Compliance Bar, Study Finds
24.06.2026 - 02:32:35 | boerse-global.de
The European Parliament voted on June 16 to dramatically re-jig the rollout of the AI Act, pushing high-risk obligations more than a year down the road. Yet just a week later, a fresh study landed that underlines how far the industry still is from meeting even the current standards: not one major language model currently achieves acceptable compliance.
The research, released June 23 by the Aithos Research Foundation, tested GPT?5.4, Gemini Pro 3, Claude Opus 4.6 and Mistral Large 3. GPT?5.4 came top, followed closely by Google’s and Anthropic’s systems, while Mistral Large 3 lagged significantly. The authors note progress on open-ended generation tasks, but stress that legally safe deployment still demands heavy human oversight plus specialised tools and context adjustments.
With 423 votes in favour and 57 against, the Parliament approved a substantial delay of core AI Act requirements. High?risk systems listed in Annex III—covering uses in HR, education and law enforcement—must comply only from December 2, 2027. For AI embedded in regulated products such as medical devices or machinery (Annex I), the deadline stretches further to August 2, 2028. The Parliament’s goal, among others, is to avoid double regulation for AI?powered machines. A formal sign?off from the Council of the European Union is expected before August.
None of this means companies can relax. Early governance duties—including inventory and risk analysis—kick in from August 2026. And the transparency obligations of Article 50 arrive on schedule: from August 2, 2026, providers must clearly mark chatbots, deepfakes and other AI?generated content. Existing systems get until December 2, 2026 to add machine?readable watermarks. Firms can still sign a voluntary code of conduct drafted by the EU AI Office until July 22, 2026, which creates a presumption of conformity and should lower regulatory burden.
Penalties for non?compliance are severe: up to €35 million or 7% of global annual turnover.
The education sector is especially exposed. AI tools that assess learning outcomes are classified as high?risk. Beyond the future technical documentation and CE?marking demands from late 2027, they already fall under the GDPR. Automated decisions with legal effect are only permissible under tight conditions—such as explicit consent. No CE?marked system for that use case is currently on the market.
Meanwhile, Germany is moving on its own front. On June 11, 2026, the Bundestag passed the KI?Marktüberwachungs? und Innovationsförderungsgesetz (KI?MIG), appointing the Federal Network Agency (BNetzA) as the national AI regulator. German data protection authorities have also issued the so?called Stuttgarter Impulse, demanding greater coherence between the AI Act and existing privacy rules.
With cyber?attacks in the DACH region rising 124% in 2025, the warning is clear: companies need to align governance structures and human?risk management with the AI Act, NIS?2 and DORA sooner rather than later.
