EU AI Act procurement before 2027: timeline for Germany
Exact-Date Procurement Answer
For German procurement teams, the exact-date split now matters more than the old catch-all August 2026 framing. Under the current AI omnibus political agreement announced on 7 May 2026, stand-alone Annex III high-risk AI systems move to 2 December 2027, product-embedded high-risk AI moves to 2 August 2028, and core contract and evidence work still has to be done before go-live.
- Stand-alone Annex III high-risk AI points to 2 December 2027.
- Product-embedded high-risk AI points to 2 August 2028.
- Article 50 transparency and broader framework duties still matter on 2 August 2026.
- German buyers should negotiate provider support before rollout, not near the deadline.
EU AI Act procurement before 2027 still matters for German businesses, but the date answer is now split. For the procurement-intent questions businesses actually ask, the direct answer is this: stand-alone Annex III high-risk AI systems point to 2 December 2027, high-risk AI embedded in regulated products points to 2 August 2028, and AI procurement still matters before 2027 because contracts, documentation access, oversight instructions, logging, and incident escalation have to be in place before go-live.
There is also an important status point. As of 22 May 2026, the European Commission’s public AI Act timeline still displays the earlier structure with 2 August 2026 and 2 August 2027, but it now adds a note that the Digital Omnibus proposal would change the timing for high-risk systems. The Council of the EU then announced on 7 May 2026 that the Council presidency and the European Parliament reached a provisional agreement fixing 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products. For procurement planning, German companies should treat that split as the live official direction and keep tracking formal adoption.
If you need the broader contract layer, see our guides to EU AI Act procurement requirements for German enterprises, EU AI Act dates for German businesses, GDPR AI procurement, and AI vendor due diligence in Germany.
Short answer: which date applies to which AI system?
Short answer for procurement teams: use 2 August 2026 for transparency and framework readiness, 2 December 2027 for stand-alone Annex III high-risk AI, and 2 August 2028 for high-risk AI embedded in regulated products.
| Date | Procurement meaning | Typical buyer question |
|---|---|---|
| 2 August 2026 | Article 50 transparency, governance readiness, and evidence-building still matter | ”What must already be fixed before rollout?“ |
| 2 December 2027 | Stand-alone Annex III high-risk AI systems | ”Which SaaS or workflow tools move to the later date?“ |
| 2 August 2028 | High-risk AI embedded in regulated products | ”Which product-linked systems move even later?” |
That split matters because buyers often search “AI Act deadline” as if there were one universal date. For procurement, that is now the wrong frame. The better question is: which system type am I buying, and what rights must I secure before deployment?
Which EU AI Act high-risk systems move to 2 December 2027?
Under the current omnibus political agreement, 2 December 2027 is the exact-date answer for stand-alone Annex III high-risk AI systems. “Stand-alone” matters here. The AI is used in a high-risk field, but it is not embedded in a separately regulated product.
Stand-alone Annex III categories that matter in procurement
For German enterprises, the main stand-alone Annex III procurement categories usually include:
- Employment and worker management, such as CV screening, candidate ranking, performance scoring, promotion support, or termination-risk analysis
- Biometrics, such as identity verification, facial recognition, or certain access-control systems
- Education and vocational training, where AI influences admission, assessment, or access
- Critical infrastructure, where AI affects essential operational decisions
- Access to essential services, including credit scoring and similar eligibility decisions
- Migration, asylum, border, law-enforcement, and justice contexts, where relevant to the sector or buyer
For many German legal, procurement, and compliance teams, this is the date that answers the query: which EU AI Act high-risk systems move to 2 December 2027? If the tool is a stand-alone recruitment system, scoring engine, or biometric workflow, 2 December 2027 is the date you should map in your procurement register.
Procurement examples for German buyers
Common enterprise examples include:
- an AI recruiting platform screening applicants for a German GmbH
- an AI-based worker evaluation tool used by HR or line management
- a biometric identity-verification system in financial services
- a scoring tool shaping access to credit, insurance, or essential services
- an AI-enabled education or certification system where outcomes affect access or ranking
These are not product-embedded machinery cases. They are the classic stand-alone deployment cases where German companies buy software, connect it to internal data, and act as deployers.
Which AI systems move to 2 August 2028 under the AI omnibus agreement?
The 2 August 2028 date is the answer for high-risk AI systems embedded in regulated products. This is the product-linked branch of the procurement timeline.
Product-embedded high-risk AI
This category is relevant where the AI sits inside a product already connected to sectoral product-safety or CE-marking frameworks. Depending on the specific use case, that can include AI used in or with:
- certain medical devices
- machinery
- lifts
- toys
- watercraft
- other regulated equipment under Union harmonisation legislation
For many startup and SaaS buyers, this later branch will be less common than the stand-alone Annex III branch. But for medtech, robotics, industrial-tech, automotive-adjacent, manufacturing, and hardware-heavy businesses, it can be the decisive procurement date.
Why the 2028 category is different
The procurement workflow is different because the evidence chain is different. Product-embedded systems often sit inside a broader regulated-product file with sector-specific safety obligations, CE-marking logic, and documentation flows that do not look like a normal SaaS rollout. That is why it is a mistake to answer every procurement query with the same generic “AI Act high-risk deadline.”
Does the EU AI Act still matter in AI procurement before 2027?
Yes. It matters now, even where the exact application date for the relevant high-risk bucket is later.
Procurement work starts before the legal date
German companies do not buy compliance on the deadline itself. They buy it when they sign the contract, define the rollout scope, approve the use case, and allocate responsibilities between provider and deployer.
Before go-live, procurement teams should already secure:
- technical documentation access
- instructions for use
- human-oversight guidance
- logging and traceability support
- incident-notification and escalation clauses
- change notices when the vendor updates the system, model, or intended-purpose framing
If those items are missing from the contract package, the business often reaches 2027 or 2028 with weak evidence, unclear accountability, and poor operational controls.
Why 2 August 2026 still matters
This page is not another generic “August 2026 deadline” explainer, but 2 August 2026 still matters for procurement. Article 50 transparency duties and the broader AI Act framework still shape:
- customer-facing chatbots and virtual agents
- disclosure wording and interface design
- governance, ownership, and internal approval paths
- intake processes for AI systems that may later prove high-risk
The right procurement message is not “nothing matters before 2027.” The right message is: the legal dates are split, but evidence-building starts now.
What German procurement teams should ask vendors now
For German buyers, the practical question is not only “what date applies?” It is also “what should we demand now because that date applies later?”
Use this procurement checklist when reviewing a vendor:
- Classify the use case. Is the deployment likely low-risk, GPAI-related, stand-alone Annex III high-risk, or product-embedded high-risk?
- Confirm the AI Act role. Is the vendor acting as provider, GPAI model provider, importer, distributor, or another operator in the chain?
- Request instructions for use. Deployer obligations are hard to satisfy if the provider does not supply usable operating instructions.
- Ask for documentation access. For high-risk scenarios, procurement should ask what technical and conformity material the provider can actually deliver.
- Define human oversight. The contract should support human review, override logic, escalation, and role ownership.
- Require logging support. Without logs and audit trails, later evidence is often too weak for internal or regulatory review.
- Add incident and change clauses. The provider should notify the deployer about serious incidents, material defects, and relevant updates.
- Coordinate the GDPR layer. Many projects also need GDPR AI procurement review, a DPA analysis, transfer checks, and maybe a DPIA.
- Document German-specific governance. Employee-facing use cases can trigger works-council and labour-law review long before the AI Act date becomes the headline issue.
For a fuller buyer-side checklist, see AI vendor due diligence in Germany and our more contract-focused page on EU AI Act procurement requirements for German enterprises.
How this page relates to the broader 2026, 2027 and 2028 timeline
This page owns the procurement-intent exact-date question. It is the right page if the reader asks:
- which high-risk systems move to 2 December 2027
- which systems move to 2 August 2028
- whether AI procurement still matters before 2027
Our broader timeline page remains the general explainer for the 2025, 2026, 2027, and 2028 sequence. Our procurement requirements page remains the deeper contract and deployer-obligations page.
That distinction matters for AI search engines too. Someone asking for the precise procurement date split needs a verdict-first answer with exact dates and system categories, not a generic overview of the whole regulation.
Frequently asked questions
Which EU AI Act high-risk systems move to 2 December 2027?
Under the current 7 May 2026 Council-Parliament political agreement on the AI omnibus package, stand-alone Annex III high-risk AI systems point to 2 December 2027. For German buyers, that usually means stand-alone AI in areas such as employment, biometrics, education, critical infrastructure, migration, and access to essential services.
Which AI systems move to 2 August 2028 under the AI omnibus agreement?
The 2 August 2028 date points to high-risk AI embedded in regulated products. This is the product-linked branch of the timeline, not the typical stand-alone SaaS or workflow-tool procurement case.
Does the EU AI Act still matter in AI procurement before 2027?
Yes. Procurement still matters before 2027 because the deployer usually needs documentation access, oversight design, logging, incident routes, and update clauses before rollout. Those are not items you can safely bolt on at the end.
Is the 2027 and 2028 split already final law?
As of 22 May 2026, the Commission’s service-desk timeline still shows the earlier dates with a note about the proposal, while the Council announced on 7 May 2026 that Council and Parliament reached a provisional agreement fixing 2 December 2027 and 2 August 2028. That means procurement teams should plan with the split dates, but also track the formal adoption steps.
Do I need a different workflow for providers and deployers?
Yes. Most German companies procuring AI are deployers, while the vendor is the provider. The provider usually controls conformity documentation and intended-purpose framing, while the deployer controls rollout, internal oversight, user instructions, and operational evidence. Procurement is where those responsibilities have to be connected.
Need help structuring AI procurement before 2027?
If your team is buying AI for HR, legal operations, customer workflows, scoring, product features, or internal productivity, the exact-date answer should feed directly into the contract package. Compound Law supports German businesses with AI procurement review, provider and deployer role mapping, GDPR alignment, and rollout governance.
This page is general information only and does not replace legal advice for a specific system, contract, or regulated-product context.
