The EU AI Act is reshaping how businesses build, buy, and deploy artificial intelligence. AI is no longer a future technology; it is embedded in hiring platforms, credit decisioning engines, customer service tools, and fraud detection systems used by companies every day.
Since 1 August 2024, those systems have been regulated by law. Regulation (EU) 2024/1689, the EU AI Act, entered into force across all EU Member States, including Cyprus, as the world’s first comprehensive legal framework for artificial intelligence. The framework has since been amended: on 7 May 2026 the EU Parliament and Council reached a provisional agreement under the Digital Omnibus on AI package, refining key obligations and timelines that Cyprus businesses must now plan around.
What is the EU AI Act?
The EU AI Act establishes a risk-based regulatory architecture that applies to any business developing, deploying, importing, or distributing AI systems within the EU, regardless of where that business is incorporated. A US or UK company whose AI product is used by a Cypriot employer or consumer is equally subject to the Act.
The Act divides AI applications into four risk tiers. At the top sit practices that are outright prohibited, including AI systems that manipulate users subliminally, systems used by public authorities to score citizens based on social behaviour, and real-time facial recognition surveillance in public spaces by law enforcement (with very narrow, judicially authorised exceptions). These prohibitions have been enforceable since 2 February 2025.
The May 2026 amendments also introduced a new category of prohibited practice: AI systems that generate non-consensual sexually explicit or intimate imagery of real, identifiable individuals, so-called “nudification” apps, as well as AI-generated child sexual abuse material. Companies must comply with this prohibition by 2 December 2026.
Below the prohibited tier sits the high-risk category, covering AI systems used in employment screening, credit scoring, healthcare, education admissions, border control, and the administration of justice. Businesses deploying AI in any of these contexts face the most demanding compliance obligations: risk management systems, technical documentation, human oversight requirements, conformity assessments, and mandatory registration in an EU-wide database.
Lower down the pyramid is the limited-risk category: AI systems that interact with users, such as chatbots and deepfake-generating tools, must comply with transparency obligations, including clearly disclosing to users that they are interacting with an AI.
The AI Act does not introduce rules for AI that is deemed minimal or no risk (i.e. the fourth tier).
Updated EU AI Act compliance timelines
The May 2026 Digital Omnibus agreement introduced fixed, revised deadlines for high-risk AI obligations, replacing the original August 2026 target. The new framework gives Cyprus businesses two distinct compliance dates to plan against:
- 2 December 2027 for standalone high-risk AI systems listed in Annex III of the Act, including those involving biometrics, critical infrastructure, education, employment, law enforcement, and border management.
- 2 August 2028 for AI systems embedded in regulated products (such as medical devices, machinery, and safety components) covered by EU sectoral legislation.
These revised deadlines are intended to ensure that the necessary technical standards, guidance documents, and compliance tools are in place before obligations take effect. Critically, they do not reduce the substance of the obligations; they change only the date by which they must be met.
On transparency, the grace period for implementing watermarking obligations for AI-generated content (images, video, audio, and text) has been shortened from six months to three. Providers must comply by 2 December 2026.
Other technical amendments under the Digital Omnibus
The May 2026 agreement also introduced a number of more technical refinements: broader scope for the use of sensitive personal data in bias detection and mitigation (subject to strict necessity); governance refinements, including a stronger role for the AI Office in certain supervisory areas; and targeted simplification measures, including the extension of certain compliance flexibilities to small mid-cap companies, reduced administrative burdens, and improved access to regulatory sandboxes and real-world testing environments. Taken together, these changes are intended to improve the operability of the framework without altering its fundamental structure.
What the EU AI Act means for businesses in Cyprus
As an EU Member State, Cyprus is fully subject to the AI Act. Like all Member States, Cyprus is required to designate national competent authorities responsible for market surveillance and enforcement of the Act within its territory. These authorities will have significant powers: to access AI systems and documentation, to order corrective measures, and to impose fines. The fine regime is substantial: up to €35 million or 7% of global annual turnover for the most serious violations (prohibited practices), and up to €15 million or 3% for high-risk AI non-compliance.
For Cypriot businesses, this creates a compliance obligation that is as significant as it is technically demanding. A business using an AI-powered HR platform to screen job applications, or a financial institution using AI to assess creditworthiness, is already a deployer of high-risk AI with legal obligations on a firm trajectory toward full enforceability.
Three things Cypriot businesses should do right now
- Conduct an AI inventory
The most pressing priority is a systematic catalogue of every AI tool the business uses, across every function. Many businesses are surprised to discover how many AI features are embedded in the SaaS products they already use: automated CV screening in applicant tracking systems, predictive analytics in CRM platforms, algorithmic pricing engines. Each of these must be assessed against the Act’s risk classification criteria.
- Run an Article 5 audit
The prohibited practices under the Act are already enforceable, and the May 2026 amendments have expanded the list. If any AI system your business uses falls into a prohibited category, including any nudification or non-consensual intimate imagery tools, its use must cease immediately.
- Build governance infrastructure
Begin appointing an AI Officer or equivalent function, implementing AI literacy training for relevant staff (a legal obligation under Article 4), and reviewing contractual arrangements with AI vendors to ensure compliance obligations are properly allocated.
The compliance window is shorter than it appears
With high-risk AI obligations now running to December 2027 and August 2028, it can be tempting to treat compliance as a future problem. It is not. Building a compliant risk management system, producing Annex IV technical documentation, completing a conformity assessment, and registering AI systems in the EU database are not quick tasks. For organisations with multiple high-risk AI deployments, the compliance programme needs to be underway now; treat the extended timelines as a genuine window to get it right, not as breathing room to defer action.
Our team advises businesses across Cyprus on EU AI Act readiness, including AI inventory exercises, risk classification, contractual compliance, and regulatory engagement. If your organisation is uncertain about its obligations under the EU AI Act, reach out to us.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal requirements are subject to change; firms should obtain specialist legal advice tailored to their specific circumstances and legal status.