EU streamlines AI Act compliance, introduces deepfake prohibition

The European Parliament has agreed to amend the EU AI Act to eliminate regulatory overlap with existing machinery legislation and expand prohibited practices to include deepfake-based fraud, according to the International Association of Privacy Professionals.

The amendments, approved by Parliament’s Internal Market and Consumer Protection Committee, address two critical friction points that emerged since the Act’s initial passage in March 2024. The changes clarify which AI systems fall under the AI Act versus the Machinery Regulation, whilst adding explicit prohibitions on using synthetic media to manipulate individuals into harmful decisions.

The machinery overlap created particular confusion for manufacturers of industrial equipment incorporating AI components. Under the original framework, companies faced dual compliance pathways—conformity assessments under both the AI Act and machinery-specific rules. The amendment establishes that AI systems embedded in machinery certified under the Machinery Regulation are exempt from separate AI Act conformity procedures, provided they meet equivalent safety standards.

“This removes a significant administrative burden,” notes the IAPP analysis. Manufacturers of robotics, automated production lines, and smart manufacturing equipment—sectors representing substantial portions of Europe’s industrial base—gain clarity on which regulatory framework governs their products.

The deepfake provisions extend the Act’s prohibited practices beyond its original scope. The AI Act already banned AI systems that deploy subliminal manipulation or exploit vulnerabilities. The amendment explicitly covers synthetic media used to deceive individuals into financial transactions, legal commitments, or other consequential decisions without their knowledge of the content’s artificial nature.

This addition responds to documented cases of deepfake-enabled fraud, including the February 2024 incident where criminals used AI-generated video to impersonate a company executive, resulting in a $25 million transfer from a Hong Kong subsidiary. The News International reported that such synthetic media attacks have proliferated across financial services and corporate environments.

For enterprises, the compliance calculus shifts favourably in industrial sectors whilst tightening for those deploying generative AI in customer-facing contexts. Manufacturing firms gain regulatory certainty and reduced assessment costs. Conversely, businesses using AI-generated content in marketing, customer service, or communications face heightened disclosure obligations and potential liability for synthetic media misuse.

The amendments preserve the Act’s risk-based architecture whilst refining its boundaries. High-risk systems still require conformity assessments, transparency obligations remain for general-purpose AI models, and the European AI Office retains enforcement authority. The changes represent calibration rather than fundamental restructure.

Financial services institutions, which handle both industrial AI systems (trading algorithms, risk models) and customer-facing applications (chatbots, personalised communications), must now navigate distinct compliance requirements depending on use case. The machinery exemption offers no relief for consumer-facing AI, whilst the deepfake provisions create new documentation requirements for any synthetic content generation.

The amendments also clarify that AI components within medical devices follow sectoral regulations rather than duplicating AI Act procedures—a parallel exemption to the machinery provision that benefits healthcare technology manufacturers.

These changes arrive as the AI Act’s implementation timeline advances. The prohibition on banned practices, including the new deepfake restrictions, takes effect six months after the Act’s entry into force. Obligations for general-purpose AI models follow at 12 months, with full high-risk system requirements at 24 months.

Brussels has signalled additional technical guidance will emerge from the European AI Office before the deepfake provisions activate. Industry observers anticipate clarification on what constitutes adequate disclosure of synthetic media and which authentication standards satisfy the transparency requirements.

The amendments require formal adoption by the full Parliament and Council, though passage appears certain given committee-level consensus. Member states must then transpose the revised framework into national law, with implementation varying across the bloc’s 27 jurisdictions.

The EU’s approach continues to influence regulatory development globally, with jurisdictions from California to Singapore referencing the AI Act’s risk taxonomy. These amendments demonstrate Brussels’ willingness to adjust the framework based on implementation feedback—a flexibility that may determine whether the Act becomes a template for global AI governance or a cautionary tale of regulatory overreach.