EU AI Act Dates for German Businesses: 2026, 2027 and 2028
Short answer
For German businesses, 2 August 2026 is not the universal EU AI Act deadline for every high-risk AI obligation. It is the broad application date for the main framework, including Article 50 transparency duties, while stand-alone Annex III high-risk AI systems move to 2 December 2027 and product-embedded high-risk AI systems move to 2 August 2028.
- Article 50 transparency and other broad AI Act obligations apply from 2 August 2026.
- Stand-alone Annex III high-risk AI systems move to 2 December 2027.
- High-risk AI embedded in regulated products moves to 2 August 2028.
- German procurement teams should still contract for documentation, oversight, and incident reporting now.
EU AI Act timeline Germany now needs to be read in three dates, not one. For German businesses, 2 August 2026 is the main framework application date and the date for Article 50 transparency obligations, but stand-alone Annex III high-risk AI systems move to 2 December 2027 and product-embedded high-risk AI systems move to 2 August 2028. If your legal or procurement team is still using “the August 2026 AI Act deadline” as a catch-all answer, that framing is now too broad.
This matters in practice because buyers, compliance leads, founders, and in-house counsel need to know which date matches which obligation. A customer-facing chatbot rollout raises different timing questions from an AI recruitment tool or an AI-enabled product component. The right answer is no longer “everything is due in August 2026.”
For the procurement-intent exact-date split, start with our EU AI Act procurement timeline for Germany before 2027. For the contract workflow that sits underneath those dates, see our guides on AI Act procurement requirements for German enterprises, GDPR AI procurement, and AI vendor due diligence in Germany.
Quick Answers to the EU AI Act Timeline Questions
Which EU AI Act high-risk systems move to 2 December 2027?
The 2 December 2027 date now captures stand-alone Annex III high-risk AI systems. For German businesses, that usually means AI used in employment, biometrics, education, critical infrastructure, migration, and access to essential services where the system is not embedded in a regulated product.
Which AI systems move to 2 August 2028 under the AI omnibus agreement?
The 2 August 2028 date applies to high-risk AI systems embedded in regulated products. These are systems tied to product-safety and CE-marking frameworks, such as certain AI-enabled medical devices, machinery, lifts, toys, or similar regulated equipment.
Does the EU AI Act still matter in AI procurement before 2027?
Yes. AI procurement still matters before 2027 because deployers in Germany need contract rights, documentation access, logging support, oversight instructions, and incident escalation clauses before the system goes live. The later date changes when some obligations bite, but it does not remove the need to prepare evidence and contracts now.
The Short Answer: Which Obligation Applies on Which Date?
As of May 21, 2026, the European Commission’s AI Act overview states that the Act is fully applicable from 2 August 2026, with exceptions. Those exceptions now matter for German-business queries:
| Date | What applies | Why it matters for Germany |
|---|---|---|
| 2 February 2025 | Prohibited AI practices and AI literacy duties | Banned uses were already not allowed; internal training should already exist |
| 2 August 2025 | Governance rules and GPAI obligations | Relevant for providers of general-purpose AI models and governance setup |
| 2 August 2026 | Broad framework application, including Article 50 transparency and other obligations still due then | Relevant for customer-facing AI, disclosure, internal governance, and procurement readiness |
| 2 December 2027 | Stand-alone Annex III high-risk AI systems | Relevant for HR, scoring, biometrics, education, migration, and other Annex III use cases |
| 2 August 2028 | High-risk AI embedded in regulated products | Relevant for product-linked compliance and sectoral safety frameworks |
The European Commission uses this split timeline on its official AI Act page. The Council of the EU’s March 13, 2026 press release also states that the delayed application dates would be 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.
What Still Applies on 2 August 2026?
The correction is not that 2 August 2026 no longer matters. It still matters a great deal. What changed is that legal and commercial teams should stop treating it as the universal deadline for every high-risk AI obligation.
Core Definitions Behind the Split Timeline
- A stand-alone Annex III high-risk AI system is an AI system used in one of the high-risk areas listed in Annex III, such as recruitment screening or biometric identification, without being part of a separately regulated product.
- A product-embedded high-risk AI system is AI integrated into a product already governed by product-safety legislation and CE-marking frameworks.
- A deployer is the company using the AI system in its own business, while the provider is the company placing that AI system on the market.
These definitions matter because the date split is driven by the type of system involved, not by whether the buyer calls the tool “AI-powered” in commercial materials.
Article 50 Transparency and Disclosure Obligations
For many German companies, Article 50 is the first practical AI Act issue that affects customer operations and public-facing workflows. If users interact with a chatbot, voice agent, or similar AI interface and could reasonably think they are dealing with a human, the AI nature of the interaction must be disclosed.
The same transparency logic also matters for certain AI-generated content. If a system generates or materially manipulates content in a way that triggers the Act’s disclosure rules, the organisation using it needs a documented implementation approach. This is one reason the 2 August 2026 date still belongs near the top of any practical AI Act timeline page.
GPAI and Governance Duties Already in Force
The Commission also states that governance rules and obligations for GPAI models became applicable on 2 August 2025. That date remains important for providers and organisations close to the model layer. If your company develops, fine-tunes, or distributes general-purpose models, your timeline analysis cannot start in 2026.
For many German buyers, however, the procurement question is narrower: are we simply using a third-party AI product, or are we operating close enough to the model layer that GPAI obligations may matter? That distinction should be made early during vendor review.
What 2 August 2026 Still Means for Procurement Teams
Even where a specific high-risk use case moves to 2027 or 2028, procurement should not wait. A contract signed in 2026 can still create 2027 enforcement problems if it does not secure:
- Technical documentation access
- Instructions for use and human oversight guidance
- Logging and traceability support
- Incident notification and escalation rights
- Change-control duties when the vendor updates the system
That is why the real procurement message is not “nothing happens until 2027.” The right message is: the legal timeline is split, but evidence-building and contract preparation start now.
Which High-Risk AI Systems Move to 2 December 2027?
The Commission’s current wording says that rules for systems used in certain high-risk areas apply from 2 December 2027. In practice, that covers the stand-alone Annex III categories that most German businesses actually ask about.
Stand-Alone Annex III Systems
These are the AI use cases that usually drive commercial queries about AI procurement and deployer readiness:
- Employment and worker management
- Biometrics
- Education and training access
- Critical infrastructure
- Credit scoring and other essential private or public services
- Migration, asylum, and border control
- Certain law-enforcement and justice use cases
If a German company is buying a recruitment-screening tool, a biometric access system, or a scoring engine, the old shorthand “high-risk AI deadline = August 2026” is now misleading. The more precise answer is that the stand-alone high-risk application date moves to 2 December 2027 under the current official timeline framing.
Procurement Examples Relevant to German Buyers
For legal, compliance, and procurement teams in Germany, common examples include:
- HR and recruiting: CV screening, candidate scoring, worker evaluation, promotion support
- Biometrics: facial recognition, identity verification, certain attendance tools
- Customer operations: systems that influence access to essential services or materially shape decisions about individuals
- Credit and insurance: scoring, eligibility, or risk classification tools
These systems still require serious diligence now because classifying them, collecting evidence, mapping data flows, and negotiating vendor clauses takes time. The later legal date does not remove the operational workload.
Which Systems Move to 2 August 2028?
The Commission’s page says that high-risk AI systems embedded into regulated products have an extended transition period until 2 August 2028. The Council uses similar language and refers to high-risk AI systems embedded in products.
This category is different from a stand-alone SaaS tool used by HR or compliance. It concerns AI that sits inside a product already linked to sectoral product-safety frameworks or CE-marking structures. That timing distinction matters because many general business readers search “AI Act deadline” without realising that product-linked AI and stand-alone Annex III systems no longer share the same operative date.
For most startup and venture-backed software companies, the 2028 date matters less often than 2026 and 2027. But for manufacturers, medtech, industrial tech, automotive suppliers, robotics businesses, and other regulated-product companies, it can be the key date.
What Procurement Teams Should Do Now Despite the Split Timeline
The split timeline does not justify delay. It just changes the sequence of the answer.
1. Separate the use cases by date
Create a basic register with three columns:
- Obligations relevant on 2 August 2026
- Stand-alone Annex III high-risk systems relevant on 2 December 2027
- Product-embedded high-risk systems relevant on 2 August 2028
If you cannot sort your AI estate this way, your internal timeline is still too vague.
2. Fix public-facing transparency first
For companies using chatbots, virtual agents, AI-assisted support, or similar user-facing tools, the Article 50 workstream is often the fastest to operationalise. Disclosures, interface design, escalation logic, and user communication can usually be tightened before the more technical high-risk questions arise.
3. Build procurement clauses before the legal date bites
Your vendor agreement should already anticipate later enforcement dates. Do not wait until late 2027 to ask for rights you should have negotiated at signature. At minimum, request:
- Documentation delivery rights
- Update notification rights
- Support for deployer logging and oversight
- Regulatory cooperation clauses
- Clear allocation of provider and deployer responsibilities
Our AI Act procurement guide explains the contract layer in more detail, including what German deployers should request on conformity documentation, instructions for use, audit rights, and incident cooperation.
4. Coordinate AI Act and GDPR review
In Germany, AI procurement rarely sits inside a single legal silo. The same project may require:
- AI Act classification
- GDPR controller-processor analysis
- Article 28 DPA review
- DPIA or broader risk assessment
- Works council involvement under section 87(1) no. 6 BetrVG
That is why procurement teams should link this page with GDPR AI procurement and enterprise AI legal risk, rather than treating the AI Act date question as a stand-alone compliance issue.
Why This Matters for German Businesses Specifically
German companies are often buyers and deployers rather than model developers. That means the business risk usually appears in:
- procurement sign-off,
- internal approval workflows,
- documentation gaps,
- employee-facing deployment,
- and the inability to explain who is responsible for what once the vendor is already live.
For those teams, the practical question is not just “what date is the AI Act deadline?” The better question is: which obligation applies on which date, and what evidence do we need before then?
That is the framing AI search engines, legal teams, and procurement stakeholders can actually use.
FAQ
What AI Act obligations start on 2 August 2026 for German businesses?
The date 2 August 2026 still matters because it is the broad application date for the EU AI Act framework, and it includes Article 50 transparency obligations and other rules that still apply then. But it is no longer accurate to describe it as the universal start date for all high-risk AI obligations, because stand-alone Annex III systems move to 2 December 2027 and product-embedded systems move to 2 August 2028.
Which EU AI Act high-risk systems move to 2 December 2027?
The official Commission timeline now says that systems used in certain stand-alone high-risk areas move to 2 December 2027. For German businesses, that is the key date for many Annex III procurement questions, especially in employment, biometrics, education, critical infrastructure, and access to essential services.
Which AI systems move to 2 August 2028 under the AI omnibus agreement?
The 2 August 2028 date applies to high-risk AI systems embedded in regulated products. This is the product-linked branch of the timeline and is most relevant where AI sits inside regulated equipment or other product-safety frameworks.
Does the EU AI Act still matter in AI procurement before 2027?
Yes. Vendor contracts, technical documentation requests, oversight procedures, incident clauses, and governance records should be built before the later high-risk dates arrive. If you only start this work close to late 2027, you will usually be too late to negotiate clean evidence and workable controls.
This guide is general information only and does not constitute legal advice. Specific AI Act classification, procurement, and deployment questions should be assessed against the concrete system, vendor documentation, data flows, and sector-specific rules involved.
