Updates to the AI Act and Product Liability Directive — Key Changes for Industrial Companies

Author: Maria Aholainen Read time: 4 min

On 7 May 2026, the EU institutions reached a provisional political agreement on the Digital Omnibus on AI that will amend the EU AI Act. The Digital Omnibus is exceptional in nature: it amends obligations for high-risk AI systems that have not even become applicable yet.

However, the Digital Omnibus does not alter the basic structure of the AI Act. The AI Act remains risk-based, and the majority of the obligations concern high-risk AI. This blog outlines two specific changes that will affect industrial companies:

• Extension of deadlines for high-risk AI
• Exclusion of AI systems embedded in machinery from the scope of the AI Act

The final text of the AI Act has not yet been published, and the legislative amendment still requires formal approval in accordance with the EU legislative process, but the future content of the AI Act is now otherwise clear. Formal adoption and publication in the Official Journal are expected in the coming weeks.

Companies should start adapting their operations with the new regulatory framework.

High-Risk AI Postponed to 2027 and 2028

One of the most significant changes concerns the deadlines for the application of high-risk AI (Annexes I and III). Following political agreement, high-risk AI has been granted an extension by over a year compared to the original deadline. The new deadlines are outlined below.

The Commission’s original proposal for a conditional mechanism, under which application would have been triggered by a separate Commission decision, has been rejected. Instead, new fixed deadlines have been set for high-risk AI. The aim of the changes to the timetable is to ensure that technical standards and regulatory guidelines are in place before the rules become applicable.

Despite the Digital Omnibus, 2 August 2026 remains a valid date. The Article 50 transparency obligations for AI systems, including the requirement to disclose to users when they interact with AI, largely remain on the original schedule. Businesses who are subject to these obligations must stay ready for this date regardless of the Digital Omnibus.

The new schedule in brief:

• High-risk AI (Annex I — product safety, e.g. machinery, medical devices, and toys): original schedule 2 August 2027, new schedule 2 August 2028
• High-risk AI (Annex III — e.g. recruitment and HR): original schedule 2 August 2026, new schedule 2 December 2027
• Watermarking AI-generated content (AI Act Art. 50(2)): original schedule 2 August 2026, new schedule 2 August 2026 (new) and 2 December 2026 (already placed on the market)
  

Exclusion of Industrial AI

The most concrete change compared to the original AI Act is the clarification of the relationship between the Machinery Regulation and the AI Act. The aim of the change is to reduce regulatory overlap.

AI systems embedded in products covered by the Machinery Regulation will be largely exempted from the AI Act obligations. The Digital Omnibus also narrows the definition of a safety component for the classification of high-risk AI systems. AI functions used solely for non-safety purposes, i.e. for user assistance, performance optimisation, or quality control, fall outside the scope of the high-risk obligations of the AI Act by virtue of being embedded in regulated products, provided that their failure or malfunction does not pose health or safety risks.

New Product Liability Risks for AI Products

The EU Product Liability Directive (the “PLD”) has been updated and must be transposed into national law by 9 December 2026. In Finland, the Government Proposal is expected in autumn 2026 (week 37).

The PLD will apply to products placed on the EU market or put into service after 9 December 2026. Products placed on the market or put into service before this date remain subject to the old regime. However, any substantial modification or update to such a product after this date may bring it within the scope of the new PLD.

From an AI perspective, the most essential change in the PLD is the broadening of the definition of a product. The new definition brings stand-alone software and AI within the scope of the PLD, and the providers of AI systems are treated as manufacturers. Therefore, liability may arise from defective software or the failure to provide necessary security updates.

The PLD introduces new aspects that must be taken into account when assessing defectiveness, several of which are particularly significant for AI. Pursuant to the PLD, a product’s defectiveness is presumed where the claimant demonstrates that it does not comply with mandatory product safety requirements. For AI systems, this means that a breach of the AI Act’s safety obligations or a breach of sector-specific legislation, such as the Machinery Regulation, the Batteries Regulation, or the Cyber Resilience Act (CRA), serve as the basis for assessing defectiveness, and a breach thereof creates a presumption of defectiveness. The manufacturer must then rebut that presumption.

In cases involving technically complex systems, such as AI systems, courts may presume both the defect and the causal link based solely on probability, in which case the burden of proof effectively shifts to the manufacturer. As AI systems are constantly evolving and manufacturers provide updates throughout the product’s lifecycle, liability may also arise for defects that emerge after the product has been placed on the market.

Given the evidentiary presumptions, documentation will become critical: technical documentation, risk assessments, and other compliance documentation are required to rebut the presumption of defectiveness. Furthermore, businesses should map their supply chains and ensure a clear allocation of responsibilities for product safety and updates.