Annex III high-risk obligations apply 2 December 2027 — — days remaining
Following the Digital Omnibus political agreement of 7 May 2026, Annex III high-risk obligations under the EU AI Act now apply on 2 December 2027 — but the preparation window is finite. Article 71 database registration requires Annex IV technical documentation, conformity assessment, and an Article 22 EU Authorised Representative already in place. Most US providers are not in scope of the August 2026 obligations directly — but the systems they place on the EU market will be in scope at end-2027, and the documentation cannot be retrofitted.
Article 71 of the EU AI Act requires providers of high-risk AI systems to register their systems in an EU-wide database before placing them on the market or putting them into service. This obligation applies regardless of where your company is headquartered — if your AI system affects EU users, you are in scope.
Any provider — including US companies — that places a high-risk AI system on the EU market or whose AI outputs affect EU users. No EU office required. No EU employees required. Article 2 establishes extraterritorial scope.
Systems classified as high-risk under Annex III, including AI used in hiring, credit scoring, biometric identification, critical infrastructure, education access, and law enforcement.
Annex III obligations apply 2 December 2027 following the Digital Omnibus political agreement of 7 May 2026. End-to-end compliance preparation takes 8–12 weeks minimum — Annex IV documentation cannot be retrofitted.
On 7 May 2026 (Strasbourg, Cypriot Presidency), Council and Parliament reached political agreement on the Digital Omnibus on AI (COM(2025) 836). The headline change for high-risk AI providers: Annex III obligations apply 2 December 2027 instead of 2 August 2026, and Annex I embedded products move to 2 August 2028.
Other dates remain operational: Article 50 transparency and watermarking apply 2 August 2026; the AI Office obtains full enforcement powers on the same date; the new Article 5 prohibition on AI-generated CSAM and non-consensual intimate imagery applies 2 December 2026; Article 4 AI literacy and the eight existing Article 5 prohibitions remain in force since 2 February 2025.
Until publication in the Official Journal, the original AI Act dates remain legally binding (de lege lata). The agreement is the political consensus; legal certainty follows trilogue ratification and OJEU publication.
Source: EU AI Act, Regulation (EU) 2024/1689, Article 99. SMC privileges (50–500 employees, €10M–€100M turnover) introduced under the Digital Omnibus political agreement of 7 May 2026. Full penalty breakdown →
Annex III of the EU AI Act enumerates eight areas of use. If your AI system falls into any of these categories and affects EU users, you likely have a registration obligation under Article 71. See the full Annex III breakdown.
Not sure if your system qualifies? Ask our AI assistant below or take the free assessment.
EU AI Act registration is not a single form. It requires technical documentation, conformity assessment, an EU Authorised Representative mandate, and precise classification before submission. Lexara Advisory delivers the US-side compliance audit; SecureFound, established in Spain, delivers the Article 22 mandate. See our detailed step-by-step guide.
Lexara identifies all AI systems in your organization and classifies each under the EU AI Act risk framework — Annex III categories. Most companies don't know how many AI systems they have — we find them all, including third-party tools you deploy.
For each high-risk system, we produce the mandatory Annex IV technical documentation required under Article 11 — system description, risk management records, data governance, training data methodology, human oversight procedures, and accuracy metrics.
We guide you through the conformity assessment process, determining whether your system requires third-party assessment by a Notified Body or qualifies for self-assessment. This is where most companies stall — we remove the bottleneck.
Non-EU providers must appoint an EU Authorised Representative under Article 22 before registration. The mandate is a written legal instrument — not an administrative formality.
Established in Adeje, Tenerife (Spain), SecureFound is led by bar-admitted attorneys and serves as Authorised Representative under Articles 22 (high-risk) and 54 (GPAI) for non-EU providers. A single mandate covers all 27 EU Member States; AESIA acts as the coordinating home authority. Documentation custody for the full statutory 10-year period, EU data residency, GDPR-compliant infrastructure.
The Lexara × SecureFound partnership delivers one transatlantic compliance stack, two jurisdictions — Lexara handles US-side Annex IV documentation, conformity assessment, and gap analysis; SecureFound holds the European mandate and faces the regulator. Visit securefound.com or read more about Article 22.
SecureFound, as your appointed Authorised Representative, prepares and submits all required Annex VIII information to the EU AI database under Article 49. You receive registration confirmation and compliance documentation package for your records and client contracts.
End-to-end compliance — inventory, Annex IV documentation, conformity assessment, EU Authorised Representative mandate, and Article 71 database submission — takes 8–12 weeks of focused work. Annex IV documentation cannot be retrofitted on a deadline.
Lexara Advisory LLC is an AI governance consulting firm, not a law firm.
SecureFound (SECURE FOUND, S.L., NIF B-56538416) is an AI governance consultancy in Spain, not a law firm.
This page provides general information about EU AI Act compliance obligations.
🤖 AI — not a human or lawyer