At a Glance
- EU timeline extended, not relaxed. The EU has reached political agreement to push back compliance deadlines for high-risk AI systems—to December 2, 2027 (Annex III) and August 2, 2028 (Annex I)—while leaving the Act’s substantive obligations unchanged.
- U.S. expectations accelerating. NIST has launched development of a Trustworthy AI Profile for Critical Infrastructure, signaling imminent, sector-specific guidance that will likely function as a de facto standard across U.S. energy operations.
- Different mechanisms, same direction. The EU’s binding regime and NIST’s voluntary framework converge on core expectations: documented governance, human oversight, technical robustness, and lifecycle risk management.
- Regulatory momentum continues to evolve. AI regulation has not slowed—it is shifting in form and focus, with extended EU timelines coupled with more immediate U.S. standard-setting.
- Practical implication for energy companies. The question is no longer whether to build AI governance, but how to design a unified framework that can withstand scrutiny under both EU and U.S. regimes.
- Action now, not later. The EU delay creates a longer runway, but also raises expectations; companies that use this window to build defensible, integrated governance programs will be best positioned as both regimes take shape.
A Quickly Shifting Landscape
In our March 2026 alert, we wrote that the EU AI Act's August 2, 2026, compliance deadline made structured AI governance an urgent priority for energy companies operating in or serving the EU market. In the two months since, the regulatory landscape has shifted on both sides of the Atlantic. The EU has reached a political agreement to push the high-risk compliance deadline back by more than a year. At nearly the same time, the U.S. National Institute of Standards and Technology (NIST) launched a parallel effort to develop a Trustworthy AI in Critical Infrastructure Profile that will, in time, set expectations for how AI is deployed across U.S. energy operations.
The pace of AI regulation has not slowed. It has shifted in form and focus. For energy executives, the practical question is no longer whether to build a structured AI governance program but how to design one that responds to two regimes operating on different mechanisms while pointed at the same underlying concerns.
EU AI Act: A Wider Window, Not an Open One
On May 7, 2026, the European Parliament and the Council of the EU reached a political agreement on the Digital Omnibus on AI, a reform package that simplifies the AI Act without weakening its core protections. The most significant change for energy companies is the new compliance timeline for high-risk AI systems.
Under the agreement, the compliance deadline for high-risk AI systems classified under Annex III, which captures most operational AI used in energy management and critical infrastructure, moves from August 2, 2026, to December 2, 2027. For AI systems classified as high-risk under Annex I of the Act, meaning AI embedded as a safety component in products subject to third-party conformity assessment under EU harmonization legislation such as the Machinery Regulation, the Pressure Equipment Directive, or the ATEX Directive, the deadline moves from August 2, 2027, to August 2, 2028.
These dates are not yet law. The political agreement still requires formal adoption by the European Parliament and the Council, followed by publication in the Official Journal of the European Union. Until that process is complete, the original deadlines remain technically in force. While political agreements at this stage of the EU legislative process rarely fall apart, the timing of formal adoption matters, and energy companies should track it closely.
What changed and what did not. The substantive obligations of the AI Act are unchanged. Risk management, data governance, technical documentation, human oversight, conformity assessment, and EU database registration all remain. The penalty exposure remains. The classification analysis we set out in our March alert, covering both the Annex III safety component pathway through critical infrastructure and the Annex I embedded product pathway, continues to apply. What changed is the timeline. The delay was driven by a practical problem: the technical standards and regulatory guidance businesses need to comply were not ready in time.
The agreement also restructures the interplay between the AI Act and existing EU product safety laws. In particular, it introduces a mechanism allowing the Commission to limit direct AI Act applicability where sectoral legislation, most notably the Machinery Regulation, contains AI-specific requirements equivalent to those of the AI Act. AI-specific obligations for machinery would then be added through delegated acts under the Machinery Regulation itself. For energy companies with AI embedded in machinery covered by the Machinery Regulation, this potentially reduces direct AI Act exposure, though the underlying obligations will resurface in sectoral form. The agreement also broadens access to regulatory sandboxes for real-world testing, including a new EU-level sandbox.
The practical implication. The longer runway is an opportunity to comply diligently, not an invitation to delay. It is reasonable to infer that regulators may be less forgiving precisely because they have granted businesses additional time to prepare. An energy company that arrives in late 2027 with a half-built compliance program will be in a much harder position than a company in the same condition would have been under the original August 2026 deadline. Companies that use this window to do the work properly will be substantially better positioned than those that treat the delay as breathing room.
The U.S. Picture: NIST Steps Forward on Critical Infrastructure
While the EU was negotiating the Digital Omnibus, NIST was advancing a parallel and increasingly consequential effort closer to home. On April 7, 2026, NIST's Information Technology Laboratory released a concept note announcing the development of the AI Risk Management Framework Trustworthy AI in Critical Infrastructure Profile. The profile is designed to apply NIST's existing AI Risk Management Framework (AI RMF) to the operational realities of critical infrastructure sectors, with energy explicitly identified as a primary focus.
For energy companies, this development is, in many respects, more immediate than the EU update. The EU deadline has moved to late 2027. The NIST process is happening right now, with a Community of Interest forming and stakeholder input being solicited at this stage.
Why a voluntary framework matters. The NIST profile, like the underlying AI RMF, is voluntary. But that label can be misleading. NIST guidance often becomes the de facto standard of care in regulated industries through several mechanisms. Sector frameworks and guidance in U.S. energy have a long track record of alignment with NIST work. NERC and NIST jointly mapped the NERC CIP cybersecurity standards to the NIST Cybersecurity Framework, and TSA Pipeline Security Directives expressly permit operators to rely on the NIST Cybersecurity Framework to demonstrate compliance.
Insurance carriers and counterparties build NIST-aligned expectations into contracts and underwriting. Likewise, plaintiffs and enforcement authorities point to NIST guidance as evidence of what reasonable care looked like at the relevant time. For energy companies, a "voluntary" NIST profile on AI in critical infrastructure will, within a relatively short window, function as the practical baseline.
What the profile is expected to address. The concept note signals that the framework will focus on the operational realities of AI deployed across the energy IT, OT, and ICS environments. Specific areas include:
- Deterministic behavior, explainability, graceful degradation, and fail-safe operation in safety-critical contexts.
- Adversarial robustness across the full AI lifecycle, including training, deployment, and post-deployment monitoring.
- Rigorous testing, evaluation, validation, and verification (TEVV), including for AI integrated with legacy control systems.
- Visibility and trust across the AI supply chain, including AI bills of materials (AIBOMs) to track components and provenance.
- Practical guidance for AI agents that operate with reduced human supervision, including guardrails against hijacking, data poisoning, and unverified inputs.
Mapping the profile to energy operations. The expected scope maps directly onto the categories of AI use we identified in our March alert.
In upstream operations, AI systems for automated well control, pressure monitoring, blowout prevention, and offshore platform safety monitoring will face NIST expectations around adversarial robustness, deterministic behavior under degraded conditions, and TEVV that goes well beyond standard machine learning validation.
In midstream operations, SCADA-integrated AI controlling pipeline operations, automated leak detection, and integrity management platforms sit at the center of the profile's IT/OT/ICS focus. The graceful degradation and fail-safe expectations are particularly relevant where AI interfaces directly with control systems that have physical consequences.
In downstream operations, AI for process control, automated hazard detection, and equipment integrity monitoring will need to demonstrate the explainability and human oversight characteristics the profile is expected to emphasize.
In LNG operations, AI safety monitoring for liquefaction, regasification, and cryogenic infrastructure will face TEVV expectations calibrated to the safety stakes of cryogenic and high-pressure systems.
In power generation and utilities, AI for grid management, load forecasting, dispatch, and fault detection sits squarely in the profile's focus on AI that directly influences physical processes. Supply chain transparency, including AIBOMs, will matter here given the heavy use of vendor-provided AI in grid operations.
The profile's stakeholder engagement process is currently open. NIST is soliciting input on use cases, governance challenges, and existing guidance that may need to be reinterpreted for AI in critical infrastructure. That window is open now, and energy companies should be aware of it.
Two Different Mechanisms, One Practical Direction
The EU AI Act and the emerging NIST profile are different in form. The EU regime is binding regulation backed by penalties and conformity assessment requirements. The NIST regime is voluntary guidance that translates into industry standards through sector regulators, contracts, insurance, and litigation.
In substance, they point in the same direction. Both regimes prioritize documented governance and clear human oversight; technical robustness, including data quality and adversarial resilience; transparency and traceability across the AI supply chain; comprehensive technical documentation that can be inspected by regulators or counterparties; and continuous monitoring and post-deployment risk management.
For energy companies across the critical infrastructure spectrum operating in both jurisdictions, the practical implication is that a well-designed compliance architecture can serve both regimes. A single AI inventory, a single classification process supplemented by jurisdiction-specific overlays, common technical documentation, and a unified governance structure will satisfy both far more efficiently than parallel tracks. For energy companies operating only in the U.S., the EU AI Act may feel distant, but the NIST profile alone will likely require many of the same operational changes. The cost of building compliance to either standard is largely the cost of building compliance to both.
What to Do Now (Updated)
Our March alert set out seven action items focused on EU AI Act compliance. Those remain valid, with one important update: do not pause structured compliance work because of the EU deadline shift. The substantive work, including AI inventory, classification, vendor contract remediation, governance ownership, and technical documentation, takes longer than most companies expect. Companies that treat December 2027 as a runway rather than a reprieve will be in a far stronger position than those that pause and restart.
Building on the original action items, energy companies should now also:
- Track formal adoption of the EU Digital Omnibus on AI. Until adoption and publication in the Official Journal, the original deadlines (August 2, 2026, for Annex III and August 2, 2027, for Annex I) remain in force, and a delay in the formal process could compress timelines unexpectedly.
- Begin mapping current AI systems against the trustworthiness characteristics expected to feature in the NIST CI Profile. The underlying NIST AI RMF is publicly available and provides a useful starting point before the profile is finalized.
- Consider how existing NERC CIP, TSA security directive, and other sector-specific compliance programs intersect with emerging AI obligations. AI systems already subject to these regimes will face overlapping expectations.
- For multinational operations, design a single AI governance architecture that supports both EU AI Act compliance and NIST-aligned U.S. expectations. Parallel programs are expensive and create internal inconsistency.
- Audit vendor and procurement contracts for both EU AI Act allocation of obligations and the supply chain transparency expectations emerging from NIST, including provisions on AIBOMs, model documentation, and post-deployment monitoring rights.
- Monitor the NIST Community of Interest. The framework is being shaped now, and the use cases and governance challenges surfaced during this window will influence what the final profile expects.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.