Hello, this is Hamamoto from TIMEWELL.
"I hear the EU has loosened its AI regulation. We can afford to wait and see for a while." Lately I have been hearing this kind of remark often from people at Japanese companies that are moving ahead with AI adoption. The reason is that on May 7, 2026, the news broke that the Council of the EU and the European Parliament had reached a provisional agreement on "simplifying" the AI Act, and the postponement of high-risk AI enforcement was widely reported.[^1] But once I read the text of the agreement, I came to feel that dismissing it with the single word "loosened" is dangerous. What was postponed, what was left intact, and what was actually brought forward are all mixed together.
In this article, I will organize what is changing under the amendment package known as the Digital Omnibus on the basis of primary sources, and then propose how Japanese companies should use the resulting grace period, as implementation steps centered on ISO/IEC 42001. To state my conclusion up front: I read the postponement not as good news, but merely as the preparation deadline shifting a little.
One more thing before we begin. The reason I keep returning to primary sources here is that "AI regulation news" travels through layers of summarization, and each layer tends to round off the nuance in favor of a cleaner headline. By the time a story reaches a busy executive, "high-risk enforcement postponed" has often quietly become "the AI Act is delayed," which is simply not true. Reading the agreement and the practitioner commentary directly is the only way to separate the part that genuinely buys you time from the part that does not.
What Moved and What Did Not Under the Digital Omnibus
The first thing to keep in mind is that this agreement is, for now, only a provisional political agreement. It will become legally binding only after formal adoption and publication in the Official Journal of the EU. According to commentary from the law firm Gibson Dunn, formal adoption is expected before August 2, 2026, and until then the content may still be tweaked.[^2] My position is that it is too early to treat this as confirmed information.
On that basis, what took center stage in the reporting was the postponement of high-risk AI enforcement. Stand-alone high-risk AI systems classified under Annex III, originally due to apply from August 2, 2026, are expected to be pushed back to December 2, 2027, and product-embedded systems under Annex I that are integrated into regulated products are expected to move from August 2, 2027 to August 2, 2028.[^2] That works out to a grace period of one year to a year and a half. The reason for the postponement is that the technical standards and support tools meant to underpin enforcement have lagged behind; it was a pragmatic judgment that running the rules ahead on their own would leave the field unable to comply.[^3]
Alongside the postponement, there are things that did not move, and things that in fact became stricter. Article 50, which sets transparency requirements for generative-AI content, was in principle kept to the original schedule of August 2, 2026. Systems already placed on the market are given a four-month grace period until December 2, 2026, but for anything placed on the market after that, the requirements apply immediately.[^4] Furthermore, new prohibitions concerning the generation of non-consensual intimate images and CSAM (child sexual abuse material) have been added to Article 5.[^2] Far from being relaxed, the net cast over socially unacceptable uses has been tightened.
The framework for fines has also basically been retained. The cap of up to EUR 35 million or 7% of global annual turnover for prohibited practices was not changed by this agreement.[^5] If the banner of "simplification" leads you to imagine a relaxation of penalties, you will be caught off guard. The point that easily gets lost is the difference between "scheduling relief" and "obligation relief." What this agreement adjusted was largely the former — when the rules begin to apply. The substance of the obligations themselves, especially the lines drawn around what society will not tolerate, was not loosened. For a company doing business with the EU market, that distinction is the difference between a planning question and a design question, and the two cannot be answered with the same posture of waiting.
The Core of "Simplification" Is SME Consideration and Procedural Relief
So what exactly is being "simplified"? My reading is that the heart of this package lies not in relaxing penalties, but in easing the burden on small and medium-sized enterprises and on procedures.
Under the agreement, SMEs (small and medium-sized enterprises) and SMCs (small mid-cap companies) are given formal definitions, and several forms of consideration are expected to be introduced. Specifically: simplified technical documentation, quality management system requirements scaled to the size of the company, lower fine caps, and priority access to AI regulatory sandboxes.[^5] Even if the absolute amount of the fines does not change, a different yardstick is prepared for operators with smaller resources — that is the design.
On the procedural side, the burden of registering with the central database is also lightened. Section B, paragraphs 7 and 9 of Annex VIII are deleted, narrowing down the information to be submitted while keeping the registration obligation itself.[^5] As for regulatory sandboxes, the deadline for establishing national-level sandboxes is extended by one year to August 2, 2027, while a new EU-level sandbox is created, with priority access granted to SMEs and small mid-caps, including startups.[^5]
Personally, what caught my attention was that the wording of the AI literacy obligation (Article 4) has been softened. Until now it was an outcome-oriented obligation to "ensure a sufficient level of literacy," but it has shifted to a gentler phrasing: "take measures to support the development of literacy."[^2] It looks as though the obligation has been lightened, but I actually think the opposite. Because the law no longer says "ensure it," what is now tested is whether a company can judge for itself how much is enough and explain it. Once the externally given standard disappears, you have no choice but to hold the standard internally.
Let me lay out the changes so far side by side, comparing the original schedule with the current agreement.
| Item | Original schedule | After Digital Omnibus (provisional) |
|---|---|---|
| Annex III stand-alone high-risk AI | August 2, 2026 | December 2, 2027 |
| Annex I product-embedded high-risk AI | August 2, 2027 | August 2, 2028 |
| Article 50 transparency (watermarking, etc.) | August 2, 2026 | Unchanged (already-placed systems get grace until December 2, 2026) |
| Regulatory sandboxes (national level) | August 2, 2026 | August 2, 2027 |
| Fine cap for prohibited practices | EUR 35 million / 7% of turnover | No change |
| SME/SMC consideration | Limited | Added: simplified documentation, lower fines, priority access |
The table is based on the aforementioned commentary from Gibson Dunn and Mishcon de Reya.[^2][^5] Looking at the table, you can see that what was extended is mainly the "heavy" high-risk obligations, while the "social lines" such as transparency and prohibitions were left in place. Rather than feeling reassured by the postponement, the more urgent task is the work of sorting out which obligations apply to your own company.
The Postponed Grace Period Is the Time to Build Governance
This is where the main point begins. I do not read the fact that enforcement has been pushed back as "a longer period during which you can do nothing." Rather, I see it as "a secured preparation period for putting the foundations of governance in place."
The reason lies in the reality that AI governance worldwide has not caught up. In a survey McKinsey conducted in 2026 covering roughly 500 organizations, only about 30% of organizations had reached maturity level 3 or above in strategy, governance, and the control of agentic AI.[^6] Organizations running agentic AI in earnest somewhere in their operations stood at 23%, and even including those that have made a pilot start, the figure was 62% — a picture in which oversight has not kept pace with the speed at which the technology is spreading.[^6] Now that we are entering the age of agents, in which AI shifts from "something you use" to "something that acts autonomously," a lag in governance translates directly into the probability of incidents.
Regulators recognize this lag too. On April 7, 2026, NIST in the United States published a concept note for an AI RMF profile for trustworthy AI in critical infrastructure.[^7] It is an attempt to translate into practice how AI can be operated in a trustworthy form in domains where a stoppage stops society — energy, water, transportation, industrial control systems. It is a voluntary guideline with no legal force, but the fact that regulators are moving in concert toward "converting frameworks into operations" cannot be overlooked. Even while the EU is postponing enforcement, the work of building standards around the world has not stopped.
Some companies will use the postponement for "waiting," and others will use it for "groundwork." When the enforcement date arrives, the gap between the two will become impossible to close. An AI management system is not something that works the moment you buy and install it; it takes time to take root in an organization, from taking inventory of risks to managing data and building human-oversight procedures. By my estimate, companies that start building the foundation now will just barely make it in time for enforcement.
To turn AI governance from "someday" into "starting now," the visibility of where and what kinds of risks your company's AI use carries is the starting point. ZEROCK supports the groundwork of governance with a design philosophy that brings AI use and knowledge scattered across the organization under control. We also offer individual consultations for the stage where you are unsure where to begin.
Implementation Steps Centered on ISO/IEC 42001
So where to actually begin? What I recommend to Japanese companies is to make ISO/IEC 42001 the backbone of implementation.
ISO/IEC 42001, published in December 2023, is the world's first international standard for an AI management system (AIMS).[^8] It sets out the requirements for an organization to establish, implement, maintain, and continually improve an AI management system, with 38 controls organized in Annex A. Because it shares the same management-system structure as ISO/IEC 27001 for information security, the advantage is that companies already operating 27001 can introduce it by building on top of that mechanism.
Why ISO/IEC 42001 for EU AI Act readiness? Because the two mesh together in the relationship of "what should be achieved" versus "how it is operated and evidenced." According to ISACA's commentary, the AI Act's Article 9 (risk management) maps to a methodology for setting risk-acceptance criteria and assigning roles; Article 10 (data governance) maps to policies on the data lifecycle and provenance management; Article 11 and Annex IV (technical documentation) map to version-controlled model cards and document-control procedures; and Article 14 (human oversight) maps to oversight roles and training programs for operators.[^9] Many of the documents and procedures the AI Act demands are the kind that are naturally generated if you operate ISO/IEC 42001.
There is a caveat, however. Because ISO/IEC 42001 is not a harmonised standard under the AI Act, the effect of "obtain certification and conformity is presumed" does not apply.[^9] It is, at best, "a solid foundation that helps you achieve compliance," not an automatic passport.[^10] Misunderstand this point, and you will obtain certification and grow complacent. In the field of implementation, you sometimes hear the rule of thumb that "ISO/IEC 42001 covers roughly 70% of the high-risk documentation requirements," but I think this figure should be taken as an operational sense of scale rather than a strictly grounded value. The remaining 30% — the specific parts demanded by harmonised standards or individual laws — is precisely what you must fill in yourself.
As the order of implementation, let me list the steps I consider realistic.
- Take inventory of AI use and classify risk. Identify the AI systems in use across the company and pin down which ones fall under Annex III high-risk.
- Design the governance structure. Document policies, roles, and the division of responsibility regarding AI, and build in a management-level review process.
- Data governance and log management. Establish the provenance and quality of training and inference data, and a retention policy for logs.
- Prepare technical documentation and model cards. Create document-control procedures that can preserve the design specifications and test methods Annex IV demands.
- Human oversight and education. Operate override procedures, training for operators, and measures to develop AI literacy.
- Make continuous improvement a cycle. Embed auditing and corrective action as part of the management system.
This list maps directly onto the PDCA cycle of ISO/IEC 42001. The grace period of just over a year created by the postponement is just the right length to run through these six steps once.
In practice, the order matters as much as the content. Skip the first step — the inventory — and every later step floats free of reality, because you end up writing policies for systems you have not actually located. I have seen companies start from step 2, drafting elegant governance charters, only to discover months later that shadow AI use in a single sales team had never been counted. The inventory is unglamorous, but it is the step that decides whether the rest is real or theatrical.
If you would like to learn a little more about the basics of an AI management system, please also read Introduction to ISO/IEC 42001 (AIMS). For the full picture of what was postponed and what was brought forward under the Digital Omnibus, I follow it in detail in Behind the Digital Omnibus.
Three Misreadings Japanese Companies Are Prone To
Finally, let me name three misreadings around this agreement that Japanese companies are prone to. These are misunderstandings I have actually encountered many times while taking consultations.
The first is the misreading that "since it has been postponed, it is irrelevant for the time being." The AI Act is a law with extraterritorial application, and Japanese companies that provide AI systems or their outputs to the EU market can be subject to it. Parts of the transparency obligations and prohibitions were left unchanged, and what was postponed is limited to the heavy high-risk obligations. Unless you first sort out which of your products fall under which obligations, you cannot even judge whether the postponement applies to you.
The second is the misreading that "obtaining ISO/IEC 42001 means you are done." As I noted earlier, this is not a harmonised standard, and no automatic presumption of conformity applies. Certification is not the goal; it is the means of acquiring a mechanism that continuously produces the evidence the AI Act demands. If operations stop after you obtain it, the documents will grow stale and lose their meaning.
The third is the misreading that "governance is nothing but a cost." As the McKinsey survey shows, organizations with mature governance are still a minority.[^6] Put the other way around, if you build the foundation now, it becomes a differentiator. A structure in which you can confidently entrust work to AI is proof of trust to customers and business partners, and it is also a precondition for using agentic AI on the offensive. Investment for defense turns into a foundation for offense. In procurement conversations, increasingly the first question is not "what can your AI do" but "how do you control it." A company that can answer the second question with documents already in hand, rather than promises, wins time and credibility that a competitor scrambling to retrofit governance simply cannot match.
The essence of the postponement news, as I read it, is not that the deadline moved, but that time you can use for preparation has been secured. How you use that time will completely change where you are standing on the enforcement date.
To Translate AI Governance Into Implementation
The postponement of the EU AI Act is, for Japanese companies, a "grace period for preparation," not an "exemption." With ISO/IEC 42001 as the backbone, run through the inventory of AI use, the management of data and logs, and the formalization of human oversight once during the year or so that has opened up. That accumulation will determine the burden on the enforcement date.
That said, the work of making AI use scattered across the company visible and bringing knowledge under control requires both wheels: tools and operational design. ZEROCK is designed to implement enterprise-AI governance on domestic servers and, through knowledge control, to make visible "who is using AI for what, and what information is flowing." It can be of help at the stage where you want to organize where to begin with AI governance.
Footnotes
[^1]: Artificial Intelligence: Council and Parliament agree to simplify and streamline rules — Council of the EU (Consilium) — 2026-05-07 — https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
[^2]: EU AI Act Omnibus Agreement – Postponed High-Risk Deadlines and Other Key Changes — Gibson Dunn — 2026-05 — https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
[^3]: EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions — Covington (Inside Privacy) — 2026-05 — https://www.insideprivacy.com/artificial-intelligence/eu-ai-act-update-timeline-relief-targeted-simplification-and-new-prohibitions/
[^4]: EU AI Act omnibus: what changed on 7 May 2026 and what it means — VerifyWise — 2026-05 — https://verifywise.ai/blog/eu-ai-act-omnibus-what-changed
[^5]: EU AI Act simplified? Unpacking the AI Omnibus Agreement of May 2026 — Mishcon de Reya — 2026-05 — https://www.mishcon.com/news/eu-ai-act-simplified-unpacking-the-ai-omnibus-agreement-of-may-2026
[^6]: State of AI trust in 2026: Shifting to the agentic era — McKinsey & Company — 2026 — https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/state-of-ai-trust-in-2026-shifting-to-the-agentic-era
[^7]: Concept Note: AI RMF Profile on Trustworthy AI in Critical Infrastructure — NIST — 2026-04-07 — https://www.nist.gov/programs-projects/concept-note-ai-rmf-profile-trustworthy-ai-critical-infrastructure
[^8]: ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system — ISO (International Organization for Standardization) — 2023-12 — https://www.iso.org/standard/42001
[^9]: ISO/IEC 42001 and EU AI Act: A Practical Pairing for AI Governance — ISACA — 2025 — https://www.isaca.org/resources/news-and-trends/industry-news/2025/isoiec-42001-and-eu-ai-act-a-practical-pairing-for-ai-governance
[^10]: A Practical Guide to the EU AI Act and How ISO/IEC 42001 Can Help You Achieve Compliance — SafeShield — 2025 — https://www.safeshield.cloud/a-practical-guide-to-the-eu-ai-act-and-how-iso-iec-42001-can-help-you-achieve-compliance
