AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

Not sure where to start? Answer 3 questions and get a tailored compliance action plan.

What applies to me? →
Must ComplyRegulationEUUnacceptable riskHigh risk

Amendments to Regulation (EU) 2024/1689 (EU AI Act Amendments 2026)

Issued by

European Commission

liveEffective 2026-07-03EU AIA AMDVerified July 2026
Official document →

These amendments to the EU AI Act (Regulation (EU) 2024/1689) introduce a new prohibition on AI-generated non-consensual sexually explicit content, expand the enforcement powers of the AI Office over general-purpose AI (GPAI) models, and extend simplified compliance pathways to small mid-cap companies. They apply to enterprises deploying or developing AI systems within the EU, including those using GPAI models or consumer-facing content generation tools. Organizations must update their prohibited-use policies, GPAI governance procedures, and SME-tier compliance documentation accordingly.

Applies To

Large enterpriseSMBAI developerAI deployer

Overview

The 2026 amendments to Regulation (EU) 2024/1689 make targeted but material changes to the original EU AI Act framework. A new prohibition is introduced specifically targeting AI systems that generate non-consensual sexually explicit imagery, commonly referred to as nudification applications, adding this category to the list of unacceptable-risk uses. The AI Office receives reinforced supervisory and enforcement powers over GPAI model providers, including strengthened authority to investigate, audit, and sanction non-compliant model operators across the EU. Small mid-cap companies benefit from extended access to simplified compliance requirements, reducing documentation and conformity assessment burdens previously applicable only to micro and small enterprises. The amendments do not alter the core risk-tier architecture or fundamental obligations of the original Act but represent binding regulatory changes enforceable under the same penalty regime, which includes fines of up to 35 million EUR or 7% of global annual turnover for violations of prohibited-use provisions. Enterprises must integrate these changes into existing EU AI Act compliance programs rather than treating them as a standalone instrument.

Key Requirements

  • Prohibit deployment or provision of AI systems that generate non-consensual sexually explicit content; this use case is now classified as unacceptable risk subject to the highest penalty tier (up to 35 million EUR or 7% of global annual turnover).
  • GPAI model providers must comply with expanded AI Office oversight, including obligations to respond to audits, information requests, and investigations initiated by the AI Office under its reinforced mandate.
  • Enterprises qualifying as small mid-cap companies may utilize simplified compliance procedures for conformity documentation and technical file requirements; organizations must verify eligibility thresholds to apply this pathway.
  • Existing prohibited-use inventories and acceptable-use policies must be updated to reflect the new nudification prohibition as a binding unacceptable-risk category.
  • GPAI risk management frameworks must be reviewed to account for the AI Office's expanded enforcement scope, including any contractual or operational dependencies on third-party GPAI model providers.
  • Organizations must ensure that any GPAI model providers in their supply chain are aware of and compliant with the reinforced AI Office powers, as downstream deployers may be implicated in non-compliance scenarios.

What Your Organization Must Do

  • Audit all AI systems and third-party tools in the product and operations portfolio to identify any capability to generate sexually explicit imagery and immediately withdraw or disable non-consensual nudification functionality.
  • Update enterprise acceptable-use policies, employee guidelines, and product terms of service to explicitly prohibit uses now classified as unacceptable risk under the amended Act.
  • Review and revise vendor contracts with GPAI model providers to include representations of compliance with the AI Office's reinforced oversight requirements, and establish contractual rights to audit or receive compliance attestations.
  • Reassess whether your organization qualifies as a small mid-cap company under the amended definitions, and engage legal counsel to determine eligibility for simplified conformity assessment procedures.
  • Brief the legal, compliance, and product teams on the expanded AI Office enforcement powers and establish an internal escalation protocol for AI Office information requests or investigations.
  • Integrate the new prohibited-use category and GPAI oversight obligations into the organization's existing EU AI Act compliance program, updating the risk register, internal audit schedule, and board-level AI governance reporting accordingly.

Playbook Guidance

Step-by-step implementation guidance for compliance teams.

Frequently Asked Questions

When do the 2026 EU AI Act amendments take effect and do they require a separate compliance program?
The amendments take effect on July 3, 2026. They do not function as a standalone instrument; organizations must integrate the new obligations into their existing EU AI Act compliance programs, updating risk registers, acceptable-use policies, and GPAI governance procedures accordingly.
What is the penalty for deploying a nudification AI tool under the amended EU AI Act?
Deploying AI systems that generate non-consensual sexually explicit content is classified as unacceptable risk under the amendments, triggering the highest penalty tier: fines of up to 35 million EUR or 7% of global annual turnover, whichever is higher.
Do the 2026 amendments change the core risk-tier structure of the original EU AI Act?
No. The amendments add a specific prohibited-use category for non-consensual sexually explicit content generation and expand AI Office enforcement powers over GPAI providers, but they do not alter the foundational risk-tier architecture or primary obligations established in Regulation (EU) 2024/1689.
What new obligations do GPAI model providers face under the 2026 EU AI Act amendments?
GPAI model providers must comply with reinforced AI Office supervisory powers, including mandatory responses to audits, information requests, and investigations. Downstream deployers should revise vendor contracts to include compliance representations and rights to receive compliance attestations from their GPAI model suppliers.
Which companies qualify for simplified compliance procedures under the 2026 EU AI Act amendments?
Small mid-cap companies gain access to simplified conformity documentation and technical file requirements previously limited to micro and small enterprises. Organizations should verify eligibility against the amended definition thresholds with legal counsel before applying this pathway.
Does a downstream AI deployer face liability if its GPAI model provider is non-compliant with the expanded AI Office requirements?
Yes, deployers may be implicated in non-compliance scenarios involving their GPAI model supply chain. Organizations should establish contractual audit rights, require compliance attestations from providers, and implement internal escalation protocols for any AI Office information requests or investigations.