EU Legislation Roundup: May 2026

Staying informed on EU-level law helps you manage risk, maintain compliance and remain competitive in a fast-moving regulatory environment.

This edition, brought to you from our EU Knowledge Hub, highlights:

1. EU-Mexico trade agreements
2. New EU trade preference rules
3. Guidelines on high-risk AI systems
4. Revised framework for the screening of foreign direct investments
5. Critical Medicines Act
6. Cyber-attacks sanctions extension
7. Deal on Digital Omnibus
8. EUDR simplification

EU signs new agreements with Mexico

On May 22, 2026, the EU and Mexico signed a Modernised Global Agreement (MGA) and an Interim Trade Agreement (iTA). The MGA replaces 14 bilateral investment treaties between Mexico and EU Member States.

The agreements remove most remaining tariffs and improve access to public procurement. They strengthen rules on services, investment, digital trade, and intellectual property. They also expand cooperation on security, climate, digital issues, and human rights.

Both agreements now enter ratification procedures. While the MGA requires approval by all EU Member States and Mexico, the iTA follows EU-only ratification, including Parliament consent. The iTA will apply temporarily until the full agreement enters into force.

Why this matters: The agreements may create new opportunities for EU exporters, investors, and service providers in the Mexican market. This is particularly relevant for key sectors including agri-food, machinery, pharmaceuticals, automotive, and medical devices. Businesses in services sectors (including finance, telecommunications, transport, and digital) may also benefit from easier access to the Mexican market. Businesses should review investment structures and assess whether existing protections change under the new framework. They should also adapt supply chains to capture tariff benefits and evaluate eligibility for procurement and services.

EU strengthens trade preference rules

On May 22, 2026, the Council of the EU adopted revised rules on trade preferences for developing countries. The reform updates the Generalised Scheme of Preferences (GSP), which reduces or removes tariffs on imports. It strengthens links between trade benefits and compliance with international standards.

The revised rules tie trade preferences more closely to human rights, labour rights, and environmental protection. They expand the list of international conventions that beneficiary countries must respect. They introduce stronger monitoring and transparency obligations and faster suspension procedures for serious violations. The reform also links preferences to cooperation on migration and readmission. It includes enhanced safeguards to protect EU producers from sudden import surges.

The regulation will apply from January 1, 2027.

Why this matters: The revised GSP increases conditionality and enforcement risks for beneficiary countries. It matters to importers relying on preferential tariffs and sectors exposed to sensitive products. Affected businesses may face tariff changes, supply chain disruption, and safeguard measures affecting imports. They should monitor country compliance and consider diversifying supply chains to mitigate risks.

EU Commission issues draft high-risk AI classification guidance

On May 19, 2026, the European Commission published a draft guidance on classifying high‑risk AI systems under the AI Act. It aims to support consistent application of Article 6 across the EU. It will affect how organisations assess whether their systems fall within scope.

High‑risk classification arises in two main scenarios. First, systems that are safety components of regulated products requiring third‑party assessment are automatically high‑risk. Second, systems used in sensitive areas listed in Annex III are also caught. The guidance includes examples to clarify which systems fall in scope.

A targeted consultation is open until June 23, 2026, inviting feedback on the draft guidelines and accompanying practical examples.

Why this matters: The draft guidance does not alter the legal obligations imposed by the AI Act. It does, however, provide clarifications that will shape how providers and deployers approach high-risk classification under Article 6. Businesses developing or deploying AI systems in the EU should begin conducting classification assessments now and document the basis for each classification. Compliance processes should be reviewed to ensure they align with the guidance's framework. Where AI is used across several business units, similar systems should be classified on a consistent basis.

New EU rules on screening of foreign investments

On May 19, 2026, the European Parliament adopted the new rules for the screening of foreign direct investments (FDI). The framework aims to strengthen the  EU’s ability to address security risks from foreign investments while maintaining openness to global trade.

Key elements include mandatory screening in all Member States, with a scope covering sensitive areas such as dual‑use items, critical technologies, raw materials, and essential infrastructure. This includes sectors vital for security and resilience, including defence, AI, semiconductors, and energy. The revised text improves transparency and streamlines processes, including a shared database and optional single filing portal. Screening decisions remain national, with enhanced coordination.

The Council must still formally adopt the text, expected during 2026. The new rules will then apply 18 months after the regulation enters into force.

Why this matters: The updated FDI screening framework aims to improve consistency across Member States, reducing administrative complexity and increasing predictability for investors. Clearer risk definitions should help businesses anticipate scrutiny and plan transactions more effectively. However, national differences remain, requiring tailored FDI strategies for cross‑border deals. Investors and their advisers should assess screening risk early and align deal timelines with approval processes. Transaction documents should address clearance conditions, cooperation duties, and potential remedies.

Critical Medicines Act reaches informal trilogue agreement

On May 12, 2026, the Parliament, Council, and Commission negotiators reached an informal trilogue agreement on the Critical Medicines Act. The regulation aims to strengthen the supply and availability of critical medicines across the EU. It promotes more resilient, diversified supply chains, tackling shortages of key medicines and improving supply security and availability.

The rules incentivise EU-based manufacturing of critical medicines and ingredients, reducing dependence on non-EU countries.

Why this matters: The agreement still requires formal adoption and publication before the regulation enters into force. Businesses relying on critical medicines supply chains should begin assessing the likely compliance implications.

EU Council extends cyber-attack sanctions listings

On May 11, 2026, the Council of the EU extended cyber-attack sanctions listings until May 18, 2027.

The underlying legal framework had already been extended until May 18, 2028.

The regime enables targeted sanctions against persons responsible for significant cyber-attacks which constitute an external threat. Measures include asset freezes and prohibitions on making funds or economic resources available to listed persons. The regime currently covers nineteen individuals and seven entities.

Why this matters: The extension maintains restrictions and enforcement expectations for businesses exposed to cyber-related sanctions risks. Businesses may need to update sanctions screening processes to reflect extended listings and potential additions before May 2027. They should review counterparties for exposure to listed persons and brief relevant teams on the restrictions on dealing with them. Ongoing monitoring of new listings and sector guidance can help mitigate compliance and operational risks.

EU agrees to simplify AI Act rules

On May 7, 2026, the Council of the EU and the Parliament reached a deal (subject to formal adoption) to simplify the AI Act. The agreement aims to reduce compliance burdens and adjust implementation timelines. It introduces targeted changes affecting high‑risk systems, transparency rules, and SMEs. SMEs will benefit from simplified quality management rules previously reserved for microenterprises.  They also benefit from simplified technical documentation, reduced fees, and capped penalties.

The agreement delays the application of high‑risk AI rules until December 2027 or August 2028. Certain regulatory exemptions are extended to SMEs and small mid‑cap companies. A new ban is introduced on AI systems generating non‑consensual intimate content. The grace period for transparency obligations on AI‑generated content is shortened to three months. Where strictly necessary, limited processing of sensitive personal data is permitted for bias testing.

Why this matters: The delay provides additional time to prepare for high‑risk AI obligations and clarifies key compliance elements. It affects providers and deployers assessing classification, governance and transparency requirements. Businesses may need to reassess eligibility for simplified obligations and ensure exempted systems meet registration requirements where applicable. They should also verify that sensitive data use for bias testing meets strict necessity conditions. Earlier transparency planning for AI‑generated content and close monitoring of sector‑specific guidance may help reduce implementation risks.

EU reviews EUDR to simplify implementation

On May 4, 2026, the Commission published a simplification review of the EU Deforestation Regulation (EUDR). The review keeps core rules unchanged, while proposing targeted updates to Annex I and implementation guidance.

It proposes to expand scope to certain downstream products, including soluble coffee and palm oil derivatives used in chemicals and consumer goods. It proposes removing leather goods and retreaded tyres, and excludes samples, packaging materials, second‑hand goods, and waste. The IT system will relaunch in June 2026 with a simplified declaration form for micro and small primary operators. A voluntary grouping feature will reduce administrative burden for complex supply chains. Updates also include new Application Programming Interface specifications and a system contingency plan. Proposed scope changes are not yet legally binding.

Why this matters: The review aims to reduce administrative burden while maintaining due diligence obligations and providing greater clarity ahead of the regulation’s implementation before the end of this year. Under the updated framework, due diligence statements are generally submitted only by operators placing products on the EU market for the first time, with downstream operators subject to streamlined obligations and expected to rely on upstream due diligence information. Deadlines remain unchanged. Businesses should map Annex I changes, check if they qualify as downstream operators, and update internal systems ahead of the June 2026 IT relaunch.

Co-authored by Uendi Barreti and Paola Paccani (Knowledge)

Further reading

Executive Compliance Guide: Critical Raw Materials Act & Updates | Navigating EU Law

Industrial Accelerator Act | Think Tank | European Parliament

Comparing EU institutions' positions on a new legal framework for innovative companies | Think Tank | European Parliament

Chips act 2.0 | Think Tank | European Parliament

EU Deforestation Regulation Simplification Review Released | Flash Update

EU Pay Transparency Directive