Andreas Timm

Tag: Europe AI

  • EU AI Act delay: 24 months for Brussels, 64× for AI

    EU AI Act delay: 24 months for Brussels, 64× for AI

    For the EU, it’s 24 months. For AI, it’s 64×.

    Last Wednesday the EU pushed the AI Act’s hardest deadlines back. Sixteen months for one piece. Twenty-four months for another. Read in regulatory time, that’s a reasonable phased rollout. Read against AI’s own pace of change, it’s something different.

    Exponential curve labeled 1× at Aug 2026 rising to 64× at Aug 2028, headline reads 'When the rules apply, AI is 64× more capable', subtitle 'EU AI Act high-risk deadline vs the AI doubling curve'.
    When the EU’s heaviest AI rules finally apply in 2028, the systems being regulated could be 64× more capable than the ones the rulebook was written for.

    What the EU just decided

    The AI Act is the world’s most demanding rulebook for artificial intelligence. It applies to any company that sells AI to European users — based in Europe or not. It was passed in 2024. Most of it was supposed to start applying in August 2026.

    Last Wednesday, the Council and Parliament agreed to push two of the heaviest pieces back.

    The “high-risk” category is the part most companies care about. It covers biometrics, hiring software, medical AI, AI in critical infrastructure — anything where a bad model output can hurt someone. Under the old timeline, these systems had to be fully compliant by August 2026. Under the new timeline, that becomes December 2027 (sixteen months later) for standalone systems, or August 2028 (twenty-four months later) for AI built into machinery, medical devices, and connected cars.

    Two-column comparison: BEFORE shows a single Aug 2026 deadline bar in grey, AFTER shows two new bars Dec 2027 plus 16 months and Aug 2028 plus 24 months in navy.
    The May 7, 2026 simplification agreement: one August 2026 deadline becomes two later deadlines, sixteen and twenty-four months out.

    What didn’t change matters too. The outright bans (social scoring, manipulative AI, untargeted face scraping) have been live since February 2025. The rules for big AI models — what most people call “frontier AI” — have been live since August 2025. The transparency obligations actually got tighter: providers of generative AI now have three months instead of six to ship watermarking. And a new ban on non-consensual sexual deepfakes lands hard on 2 December 2026.

    So the substance is intact. The triage is on the timeline.

    What METR actually measures

    METR is a research group that measures one specific thing about AI systems: how long they can keep working on a task before the workflow falls apart. Not how smart they are. Not how creative. How long they can stay on track without a human stepping in.

    The way they test it is straightforward. Give a model a real-world task — write a piece of code, run an analysis, debug a system — and measure the time-equivalent of work it can complete on its own. GPT-2 could chain together a few seconds of useful work. Claude 3 Opus held a few minutes. The frontier 2026 generation pushes past an hour.

    Plotted against time, that line is a clean exponential. From 2024 through early 2026, the time-horizon roughly doubled every four months.

    Exponential curve with three points: GPT-2 seconds at lower left, Claude 3 Opus minutes in middle, Frontier 2026 over an hour at upper right, headline 'Doubles every ~4 months', source METR.
    METR’s measurement of how long AI systems can work autonomously. The horizon roughly doubled every four months from 2024 through early 2026.

    Other measures point the same way. Reasoning depth, tool use, multi-step planning, software-engineering benchmarks — every adjacent curve has bent the same way over the same window. METR’s number is the cleanest single proxy I’ve seen, but it’s not an outlier.

    What 64× actually means

    If the doubling holds, the math on the EU’s new deadlines is uncomfortable:

    1. 16 months — four doublings — 16× more capable systems by the December 2027 deadline
    2. 24 months — six doublings — 64× more capable systems by the August 2028 deadline

    64× is not a metaphor. It’s the order-of-magnitude estimate of how much more autonomous task length AI can sustain by the time the EU’s heaviest rules apply.

    To put that in plain terms: if a 2026 model can do a one-hour task on its own, a 2028 model on the same trend can do a 64-hour task. A system that holds a workflow together for 64 hours is a different kind of object than the one the AI Act was drafted to regulate.

    That’s not an argument the rules are wrong. It’s an argument the gap between what the rulebook describes and what the system can actually do widens fast — faster than any 2-3 year drafting cycle can keep up with.

    My read

    My read on this: the headlines called May 7 a Brussels cave to industry pressure. I don’t think that’s the right frame. The substance of the Act is intact — the Commission could have used the simplification to weaken the high-risk classification or gut the impact-assessment requirement. They didn’t. They tightened transparency and added a new prohibition. The triage is on the timeline, not the rules.

    By 2028, the AI Act could be regulating systems 64× more capable than what existed when its rules were written.

    My expectation is that the August 2026 cliff was always going to slip. What’s more interesting is what the slip exposes: regulators and AI now run on incompatible clocks, and there’s no obvious mechanism to reconcile them. The Act assumed a 2-3 year drafting cycle would land on systems recognisably similar to the ones it described. That assumption broke somewhere between GPT-4 and the agentic generation that followed.

    Three things I’m watching

    • The 2 August 2026 deadline for national authorities. That date didn’t move. If most countries still don’t have working AI authorities by August, December 2027 becomes the next deadline at risk.
    • The European technical standards. Without finalised standards from the standards bodies, “high-risk” is a definition without a benchmark. Whether the Commission publishes them before the new deadline is the gating item.
    • The EU-US-UK divergence. The same week the EU softened its timeline, the US signed pre-launch testing agreements with the five frontier labs through CAISI. These two regulatory paths now point in different directions, and that gap is where the next year of this story plays out.

    One last thought

    Sixteen months. Twenty-four months. In any other regulatory context, those numbers feel reasonable. In AI they feel like an era. That’s not a problem the Commission can solve in a single omnibus.

    To be clear I am not asking for more regulation, I am asking for more decision speed!

  • Davos 2026 made AI sovereignty the policy line — and the corporate one

    Davos 2026 made AI sovereignty the policy line — and the corporate one

    What was announced

    The World Economic Forum 2026 met in Davos January 19–23 with AI as the dominant agenda item. The conversation converged on three themes: risk-proportionate governance, runtime governance for multi-agent systems, and what Microsoft CEO Satya Nadella framed as “corporate AI sovereignty” — firms owning the intelligence layer that encodes their distinctive capabilities. Anthropic CEO Dario Amodei warned the forum that frontier AI is uniquely well-suited to autocracy, calling for targeted chip-export controls. A WEF press release on the same week reported leading organizations are shifting from “potential” to “performance” — measuring AI by realized output rather than pilot count.

    What it means

    The vocabulary shift is the substantive event. For two years, AI policy discussion at this forum was framed as risk management — what to restrict, what to monitor, what to ban. The 2026 framing is different. It treats AI as critical infrastructure where the governance question is who owns it, not whether it should exist. “Sovereignty” applied to AI is a deliberate echo of “data sovereignty” — a recognition that the layer of intelligence inside an organization is becoming as load-bearing as its data layer was a decade ago.

    For governments, this redirects policy from rule-writing to capability-building: domestic compute, domestic foundation models, controlled exports. For corporations, it redirects strategy from procurement to capability ownership: which models do you fine-tune yourself, which workflows encode your tacit knowledge, and which partners do you let inside the trust boundary. Both translations point to the same architectural question: where does the irreducible cognitive core of your organization live, and who can take it from you.

    Andreas’s view

    My read on this: Davos is a leading indicator of where C-suite vocabulary moves over the next 12 months. “Corporate AI sovereignty” is not a slogan — it is a framing that makes specific decisions easier to defend in a board meeting. Building your own model fine-tunes is sovereignty. Choosing not to send your customer interactions through a third-party model API is sovereignty. Maintaining a private inference cluster is sovereignty. The vocabulary justifies budgets that previously read as duplicative or paranoid.

    I don’t think the sovereignty framing is purely defensive. There is a competitive argument inside it: organizations that operate as pure consumers of frontier models are paying rent on the cognitive layer of their own business. Organizations that operate as owner-operators of a fine-tuned, workflow-embedded intelligence layer pay less rent and accumulate a moat that compounds with their data. The Davos talking points are starting to reflect that distinction.

    The way I see it, the question that matters this quarter is not “what is our AI strategy” but “what would it take to lose access to our primary model provider, and what would happen to the business if we did.” If the answer is catastrophic, the sovereignty argument is operational, not philosophical, and it has a budget implication.

    Three things I’m watching

    1. I’ll be watching whether companies run model-dependency stress tests — simulating the operational impact of losing their primary frontier-model provider for 30, 90, and 180 days. The result is the size of their sovereignty problem, and whether they even know that number tells me a lot.
    2. The companies that preserve strategic optionality will be the ones that draw a clear line between work requiring owned cognition (fine-tuned, embedded, internal) and work that can run on rented cognition (API-served frontier models) — and treat that boundary as a capital decision, not a procurement decision.
    3. I’ll be watching how the policy direction develops across major operating jurisdictions. Sovereignty framing in Davos has a consistent track record of translating into sovereignty requirements in regulated industries within 12–24 months.

    References and related signals