EU AI Act Implementation Timeline — Annex III Deadline 2 December 2027

Important update · 7 May 2026: This page was previously titled around the August 2026 deadline. Following the Digital Omnibus political agreement reached on 7 May 2026 (Strasbourg, Cypriot Presidency), Annex III high-risk obligations now apply on 2 December 2027. The URL has been preserved for SEO continuity, but the content reflects the post-trilogue reality. Until OJEU publication, the original AI Act dates remain legally binding (de lege lata); the Omnibus dates represent the political consensus (de lege ferenda) heading toward formal ratification.

Complete Implementation Timeline (Post-Trilogue)

2 February 2025In force

Prohibitions and AI Literacy

Article 5 (prohibited AI practices) and Article 4 (AI literacy) obligations apply. Prohibited practices include social scoring, untargeted facial recognition database scraping, emotion recognition in workplaces and schools (with limited exceptions), and AI systems that exploit vulnerabilities or use subliminal techniques. Article 4 imposes a direct duty on all providers and deployers to ensure sufficient AI literacy of staff.

2 August 2025In force

GPAI Models and Governance

Obligations for general-purpose AI (GPAI) model providers under Chapter V took effect, along with governance provisions and penalties for prohibited practices. Includes documentation duties, copyright compliance, and the systemic-risk regime for the largest models.

2 August 2026UPCOMING — UNCHANGED

Article 50 Transparency & AI Office Full Enforcement Powers

Article 50 transparency obligations apply for new AI systems — deepfake disclosure, synthetic content marking, and AI-interaction disclosure when interacting with humans. The watermarking baseline applies to systems placed on the market from this date. The EU AI Office obtains full enforcement powers, including the ability to request information, mandate mitigations, and impose fines on GPAI providers under Chapter V.

2 December 2026UPCOMING

New Article 5 Prohibition (NCII / CSAM) & Article 50 Watermarking Grandfathering

The Digital Omnibus introduces a new Article 5 prohibition covering AI systems that generate or facilitate non-consensual intimate imagery and child sexual abuse material. Same date: AI systems placed on the market before 2 August 2026 must comply with Article 50(2) watermarking and synthetic-content marking obligations — closing the four-month transitional grandfathering window.

2 December 2027CRITICAL DEADLINE — POST-TRILOGUE

Annex III High-Risk Obligations (THE NEW CRITICAL DEADLINE)

All obligations for high-risk AI systems listed in Annex III take effect, including:

Risk management system (Article 9)
Data governance (Article 10)
Technical documentation (Article 11 / Annex IV)
Record-keeping and logging (Articles 12, 19)
Transparency and information to deployers (Article 13)
Human oversight (Article 14)
Accuracy, robustness, and cybersecurity (Article 15)
Conformity assessment (Article 43)
Article 71 database registration
EU Authorised Representative appointment (Article 22) — via SecureFound

2 August 2028UPCOMING — POST-OMNIBUS

Annex I Embedded High-Risk AI

High-risk AI systems that are safety components of products already covered by EU harmonisation legislation listed in Annex I (medical devices, machinery, toys, civil aviation, motor vehicles, etc.) must comply by this date — Article 6(1). Under the Digital Omnibus, this date moved from 2 August 2027.

What This Means in Practice

The post-trilogue calendar is best understood as two parallel tracks:

Track 1 — Operational deadlines remain near-term. Article 50 transparency, GPAI obligations under Chapter V, the new Article 5 prohibition on NCII/CSAM, AI Office enforcement powers — these all apply between 2 August 2026 and 2 December 2026. Providers of generative AI systems and GPAI models cannot wait.

Track 2 — Annex III obligations have a real runway. Providers of standalone high-risk AI systems under Annex III now have until 2 December 2027 to complete Annex IV documentation, conformity assessment, EU Authorised Representative appointment, and Article 71 database registration. This is meaningful runway — but Annex IV documentation under Article 11 cannot be retrofitted on a deadline. Risk management records (Article 9), data governance (Article 10), and human-oversight procedures (Article 14) must be designed and operationalised, not assembled in the final weeks.

Reality check: End-to-end registration — from AI system inventory through Annex III classification, Annex IV documentation, conformity assessment, representative appointment via SecureFound, to database submission — takes 8–12 weeks minimum for a single system. Companies with multiple high-risk systems should plan for sequential or parallelised tracks. Starting in mid-2027 to meet a December 2027 deadline assumes everything goes right; starting now means margin for what won't.

Related Resources

Step-by-Step Registration Guide — the complete process, week by week

Penalties for Non-Compliance — what happens if you miss the deadline

Does This Apply to US Companies? — extraterritorial scope explained

EU Authorised Representative via SecureFound — appointment must precede registration

Need Help With EU AI Act Registration?

Lexara Advisory and SecureFound (Spain) guide US companies through every step — from classification to database submission — under one transatlantic engagement.

Contact Lexara Advisory →

Lexara Advisory LLC is an AI governance consulting firm, not a law firm. SecureFound (SECURE FOUND, S.L., Spain) is the strategic EU partner providing Article 22 / Article 54 EU Authorised Representative services. This content is for informational purposes only and does not constitute legal advice. Until OJEU publication of the Digital Omnibus, the original AI Act dates remain legally binding.

EU AI Act Implementation Timeline — What Applies When