AI Policy Weekly — Issue 1: EU AI Act reforms, federal preemption, H200 stalemate

This week's briefing covers the EU AI Omnibus deal extending high-risk compliance deadlines and adding new content bans, Trump's December EO asserting federal supremacy over state AI laws (plus an imminent cybersecurity order), a US-China H200 chip agreement that issued 750,000 licenses but shipped zero chips, and the Commerce Department's voluntary pre-release AI evaluation framework.

This week's briefing covers four converging developments: the EU's most significant AI Act revision since the law passed, a Trump executive order asserting federal control over AI regulation, a stalled chip deal that exposed the limits of US export control leverage over China, and an imminent White House cybersecurity order that marks a real shift in the administration's posture toward advanced AI models.

EU AI Act: deadline relief, two new bans, and long-overdue guidance

Three things happened in Brussels this week, each worth tracking separately.
The AI Omnibus deal. On May 7, negotiators from the Council, Parliament, and Commission struck a provisional agreement on the first formal amendments to the EU AI Act since it entered force in August 2024. 1 The headline change is a compliance runway extension for high-risk AI systems: standalone high-risk applications — recruiting tools, credit-scoring models, emotion-recognition systems — must now comply by December 2, 2027, not August 2, 2026, a 16-month delay. High-risk AI embedded in regulated products (medical devices, vehicles, toys) gets until August 2028. 2
The Omnibus also quietly expands the Act's prohibition list. Two new bans take effect December 2, 2026: one on AI systems that generate non-consensual intimate images without the subject's explicit consent, and one on AI-generated child sexual abuse material. Penalties for violations reach €35 million or 7% of global annual revenue. 1
One less-noticed provision: the simplified compliance framework — previously reserved for small businesses — now extends to companies with up to 750 employees and €150 million in annual revenue. For many mid-sized software vendors, this means lighter documentation requirements and access to regulatory sandboxes.
Draft high-risk classification guidelines. On May 19, the European Commission finally published draft guidelines for classifying high-risk AI systems — originally due February 2026, delayed twice. 3 The three-part document covers general classification principles and the two high-risk tracks under Article 6: product-safety AI (Annex I) and the eight use-case areas in Annex III, including biometrics, education, employment, and law enforcement. The Commission notes the examples are non-exhaustive. Public consultation closes June 23.
EU AI Office enforcement powers. From August 2, 2026, the EU AI Office gains formal authority over general-purpose AI model providers: it can demand technical documentation (Art. 91), conduct independent model evaluations including source code access (Art. 92), and order remediation or market withdrawal (Art. 93). 4 A recent analysis notes the Office's current staffing is "significantly insufficient" for the scale of GPAI oversight required — one report recommends the GPAI team expand to at least 160 staff by 2030.

US federal preemption: one order down, another coming

The December 2025 executive order. In December 2025, Trump signed an executive order asserting federal supremacy over AI regulation and blocking states from enforcing AI laws the administration considers inconsistent with its "minimally burdensome" framework. 5 The order established an "AI Litigation Task Force" within the Department of Justice to challenge state laws, directed Commerce to identify "onerous" state restrictions, and threatened to pull federal telecommunications funding from states that don't comply.
The context: 38 states passed AI laws in 2025, many of them prompted by a wave of lawsuits against AI developers over training data and chatbot harms. California's laws — requiring chatbot disclosures and mandating that developers assess catastrophic-risk scenarios — drew explicit attention from the White House. Trump's argument: a regulatory patchwork would impede US competitiveness with China.
The order landed on the same day New York Governor Hochul signed a law requiring disclosure of AI-generated synthetic performers in ads and banning unauthorized digital replicas of deceased persons — a direct collision that will likely produce litigation in the months ahead.
The incoming cybersecurity order. A second executive order is expected this week, focused on AI models with offensive cyber capabilities. 6 The draft would create a voluntary framework requiring AI labs to share frontier models with the government at least 90 days before public release, while giving specific critical infrastructure operators early access. The trigger was concern inside the administration over models like Anthropic's Mythos and OpenAI's GPT-5.5-Cyber, which were found capable of discovering and exploiting software vulnerabilities at unprecedented speed.
This marks a real pivot. The Trump administration's initial posture was aggressive deregulation and CISA budget cuts. The new order is a security-first response to capabilities the administration itself helped accelerate. How "voluntary" the 90-day framework remains in practice — given the access and approval implications — is the key question to watch.

Export controls: H200 licenses issued, zero chips shipped

The Nvidia H200 situation this week illustrated how much distance exists between a licensing decision and an actual outcome.
The US cleared approximately 10 Chinese companies to buy Nvidia H200 chips — the second-tier chip below the H100-class hardware, which remains blocked for China. 7 Licenses for roughly 750,000 units were issued. As of mid-May, no chips had been delivered.
After the Trump-Xi summit, Trump said China had refused to buy the H200s. Chinese officials said chip export controls were not formally discussed at the meeting. China's stated position is that it prefers domestic alternatives — and by some accounts, Beijing is now more interested in AMD's chips than Nvidia's. The deal that was announced as a diplomatic breakthrough has so far produced no commerce. 8
Separately, a congressional proposal circulating this week would extend US export controls to the chipmaking equipment supply chain — specifically requiring Dutch manufacturer ASML and Japanese equipment makers to comply with US controls. A CNAS commentary this week argued that chip-only restrictions miss the more durable leverage point: controlling the machines that make the chips. 9
The broader January 2025 regulatory change — imposing worldwide licensing requirements on advanced AI chips after a 120-day grace period — remains in effect, meaning the H200 situation is not just a China bilateral story. Global buyers of advanced compute hardware now operate under a licensing regime that didn't exist two years ago.

Platform security: pre-release government access takes shape

The cybersecurity executive order described above is the week's most significant development on AI safety. Its practical effect, if adopted, is that the US federal government would receive advance access to any frontier model deemed to pose national security risk — before that model is released to the public or sold commercially.
Commerce has already moved in this direction through voluntary agreements: the Department finalized expanded arrangements with Google and other leading AI developers this week for federal researchers to evaluate advanced AI capabilities and national security risks ahead of public release. 10
The NIST AI Risk Management Framework remains the de facto governance standard in the US for private-sector AI deployments. It is voluntary — but the FTC has begun using AI-related consumer harm as an enforcement hook, and several states that have passed AI laws reference the NIST framework directly. The federal preemption order creates ambiguity about whether those state laws, even if they reference federal frameworks, can be enforced going forward.

What to watch next

  • EU: Final text of the AI Omnibus expected in July after formal Council and Parliament votes. High-risk guidelines public consultation closes June 23 — the Commission's responses to comments will signal how prescriptive the final guidance gets.
  • US federal preemption: The AI Litigation Task Force at DOJ has yet to file its first challenge to a state law. Which state gets targeted first will set the tone for the federal-state conflict.
  • Cybersecurity EO: Whether the "voluntary" 90-day pre-release framework carries any real compliance teeth — and whether Anthropic, OpenAI, and Google DeepMind accept the terms without negotiation.
  • Export controls: No H200 chips have moved. The next Nvidia earnings call will likely clarify whether the company sees any realistic path to H200 revenue in China, or whether the licenses are effectively dormant.

References

  1. 1EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions
  2. 2AI Act Update: EU Resolves to Change Rules and Extend Deadlines
  3. 3European Commission delivers draft high-risk AI guidelines after delays
  4. 4How Much Power Does the EU AI Office Actually Have?
  5. 5Trump Executive Order on AI Preempts State Regulations
  6. 6Trump AI executive order seeks early government access to advanced models
  7. 7US clears H200 chip sales to 10 China firms as Nvidia CEO looks for breakthrough
  8. 8Nvidia's Future in China Remains Unclear After Trump-Xi Summit
  9. 9CNAS Insights: MATCHing Policy to Strategy
  10. 10State of AI governance and regulations in the United States 2026

Add more perspectives or context around this Drop.

  • Sign in to comment.