EU Delays High-Risk AI Rules as DeepL Moves Hosting to AWS

Europe’s provisional agreement on the AI Act delays enforcement of rules for high-risk systems until the end of 2027 and coincides with DeepL’s decision to move parts of its hosting to Amazon Web Services, raising questions about data location and legal access.

Under the revised timetable, obligations for AI used in biometric identification, critical infrastructure and law enforcement will come into force in late 2027 rather than this year. The European Commission narrowed the scope to exempt equipment already covered by sectoral rules and eased some compliance requirements that businesses said would duplicate existing obligations.

The provisional deal must still receive formal approval from EU institutions after extended negotiations between national representatives and members of the European Parliament. At the same time, negotiators tightened other provisions: tools that generate sexually explicit images of real people without consent will be banned, and AI-generated content must carry visible watermarks or clear labels starting this December.

Kim van Sparrentak, a Dutch member of the European Parliament, described the ban on explicit deepfakes as intended to protect women and children from harmful uses of generative AI.

DeepL, a Cologne-based machine translation company used by governments, courts and large firms, told paying customers it will no longer process all customer data only on its own servers as it expands internationally and will use Amazon Web Services for parts of its infrastructure. The company reported $185.2 million in revenue last year and recently introduced a live voice-to-voice translation feature. DeepL stated that Amazon will not have access to customer content, that customer data will be encrypted and not used to train models, and that a data residency option will keep information stored in Europe for customers who choose it.

Some customers responded with concern about data control and legal exposure. Jörg Weishaupt, founder of a software firm in Madeira, canceled his subscription and said, “These are confidential documents, and I want to know where they end up.” Commentators noted U.S. laws such as the Patriot Act and the CLOUD Act allow U.S. authorities to request data from cloud providers, which some view as a potential legal risk for data held by U.S.-based cloud services.

EU officials framed the delay as a response to industry warnings that overlapping rules would raise compliance costs and slow deployment, and the compromise exempts certain industrial machinery already regulated by existing rules.

The provisional agreement and DeepL’s hosting change are separate developments that intersect on questions of data storage, legal access and the enforcement timeline for AI systems. The final text of the law and the technical arrangements companies adopt will determine how those issues are addressed.