EU AI Act Timeline Germany: 2026, 2027 and 2028
Timeline Answer
As of June 28, 2026, German businesses should track both the enacted timetable in Regulation (EU) 2024/1689 and the later high-risk dates in the 7 May 2026 provisional Omnibus deal. In practice, procurement teams should work with 2 August 2026 for broad application, 2 December 2027 for stand-alone Annex III high-risk AI if the delay is adopted, and 2 August 2028 for high-risk AI embedded in regulated products.
- The enacted AI Act still points to 2 August 2026 and 2 August 2027.
- The Commission and Council now also point to a proposed 2 December 2027 and 2 August 2028 split.
- German buyers should classify each system before mapping the date.
- Contracts should secure documentation, oversight, logging, and incident cooperation now.
The EU AI Act timeline for Germany now has to be answered with three operational dates, plus one legal caveat. As of June 28, 2026, German businesses should treat 2 August 2026 as the live framework and transparency date, 2 December 2027 as the proposed later date for stand-alone Annex III high-risk AI, and 2 August 2028 as the proposed later date for high-risk AI embedded in regulated products. The caveat is that Regulation (EU) 2024/1689 still contains the enacted baseline in Article 113, so businesses should track both the legal text and the current implementation direction shown by the European Commission and the Council after the 7 May 2026 provisional Omnibus deal.
That distinction matters because a narrow answer like “the EU AI Act deadline is August 2026” is now too incomplete for procurement, governance, and rollout decisions in Germany. A SaaS recruitment tool, a biometric access system, and AI embedded in a medical or industrial product do not sit on the same timeline.
This page is the timeline hub, not the primary answer owner for each narrow procurement question. For the exact-answer pages, read Which EU AI Act systems move to 2 December 2027?, Which AI systems move to 2 August 2028?, and Does EU AI Act procurement matter before 2027?. For the commercial procurement layer underneath them, see EU AI Act procurement requirements for German enterprises. For the wider supporting pages, also read our EU AI Act August 2026 deadline checklist, GDPR AI procurement, and AI vendor due diligence in Germany.
Quick timeline table for German businesses
| Date | Systems affected | Current source position | What German buyers and operators should do now |
|---|---|---|---|
| 2 August 2026 | Broad AI Act application, especially transparency and rollout governance work | Still part of the enacted timetable in Regulation (EU) 2024/1689 | Review disclosures, intake, governance, vendor evidence flows, and role allocation now |
| 2 August 2027 | Article 6(1) and corresponding high-risk product obligations in the enacted text | Still the baseline in Article 113 unless formal delay amendments replace it | Do not ignore this date while the delay package remains unfinalised |
| 2 December 2027 | Stand-alone Annex III high-risk AI under the proposed delay track | Reflected in the Commission and Council implementation framing after 7 May 2026 | Classify HR, scoring, biometric, and similar software systems early and contract for evidence now |
| 2 August 2028 | High-risk AI embedded in regulated products under the proposed delay track | Reflected in the same proposed delay track | Align procurement with product-law documentation, CE pathways, and supplier cooperation |
Why the old one-line August 2026 answer is no longer enough
The old framing worked when the main question was whether the AI Act would broadly start to bite in 2026. It no longer works for businesses trying to decide whether a specific system belongs to the 2026, 2027, or 2028 branch.
The reason is simple:
- The enacted Regulation still gives you the baseline text.
- The current implementation direction now separates stand-alone Annex III systems from product-embedded systems.
- Procurement teams need both answers, because contracts are signed before the formal date question is fully settled.
For search intent, the clean answer is therefore not “there is one deadline.” The clean answer is: German businesses should map AI Act dates by system class and should keep one eye on the enacted Article 113 timetable and another on the proposed Omnibus delay track.
What still applies on 2 August 2026
The 2 August 2026 date still matters. It should not be written off as outdated or replaced entirely by later dates. For many businesses in Germany, it is the first operational deadline that changes internal rollout standards.
Transparency and deployer-facing readiness still matter in 2026
For customer-facing and employee-facing AI, transparency obligations remain an immediate compliance concern. A business using a chatbot, AI assistant, or similar interface may need to disclose clearly that the user is interacting with AI rather than a human. Teams also need governance around intended purpose, output review, escalation, and supplier communication.
For procurement, that means:
- confirming whether the tool triggers user-facing disclosure duties
- documenting who inside the business owns the AI rollout
- checking what instructions for use the vendor provides
- setting up logging, escalation, and change-management expectations
This is why the EU AI Act August 2026 deadline checklist remains relevant even for companies primarily concerned with later high-risk dates.
The enacted legal text still points to 2 August 2027 for part of high-risk AI
One of the easiest mistakes in 2026 is to quote only the delayed 2027/2028 split and forget that the enacted legal text has not yet fully caught up. Article 113 of Regulation (EU) 2024/1689 still matters. Until the delay package is formally adopted and implemented, legal teams should not talk as if 2 August 2027 has disappeared.
That is why a careful internal summary for Germany should read something like this:
- 2 August 2026 is still the broad application and transparency date.
- 2 August 2027 remains the enacted high-risk baseline in Article 113.
- 2 December 2027 and 2 August 2028 are the proposed later dates in the current official implementation direction.
Which systems move to 2 December 2027
The proposed 2 December 2027 date matters most for stand-alone Annex III high-risk AI systems. These are systems whose high-risk status comes from the use case in Annex III, not from being embedded in a separately regulated product.
Procurement-relevant examples of stand-alone Annex III systems
For German businesses, common examples include:
- employment AI, such as CV screening, applicant ranking, worker scoring, or AI used to influence promotion or termination decisions
- biometric systems for identification, verification, or sensitive access control
- education and training systems that affect admissions, progression, or formal assessment
- eligibility and scoring systems affecting access to essential services
- critical infrastructure support tools used in sensitive operational environments
These are often purchased as software, APIs, or vendor-managed services rather than hardware. That is why the timeline question is so procurement-heavy. The company buying the tool is usually the deployer, while the supplier controls the system facts, documentation, and intended-purpose description.
What German procurement teams should do now for the 2027 category
Even before 2027, buyers should require:
- Classification support. The vendor should explain whether the system is intended to fall within Annex III.
- Instructions for use. The business needs operational guidance, not only commercial descriptions.
- Logging and oversight support. Contracts should say how the deployer can review outputs and intervene.
- Incident cooperation. The vendor should commit to rapid notification and support.
- Documentation access. Buyers should know what conformity and technical materials can be made available.
That work belongs in the procurement stage, which is why this timeline page should route directly into EU AI Act procurement requirements for German enterprises instead of duplicating the full contract drafting discussion here.
Which systems move to 2 August 2028
The proposed 2 August 2028 date is the product-side branch of the split timeline. It is aimed at high-risk AI embedded in regulated products, not the typical stand-alone SaaS or workflow purchase.
Product-linked examples that fit the 2028 branch
Depending on the sector and product law framework, this can include AI embedded in:
- medical devices
- machinery
- lifts
- toys
- other products subject to Union product-safety or conformity frameworks
For businesses in medtech, manufacturing, industrial technology, robotics, and similar sectors, this distinction matters because the procurement file needs to speak both AI Act and product law. The relevant questions go beyond model behaviour and user oversight. They also touch technical files, CE-marking pathways, supplier change control, and product-side conformity support.
How the 2028 branch differs from normal SaaS procurement
In software procurement, the key issues are usually intended purpose, oversight, logging, transparency, and evidence rights. In product-linked procurement, the buyer also needs to understand:
- whether the AI is part of a regulated product architecture
- which product regime governs the item
- what conformity materials the manufacturer controls
- how updates, incidents, recalls, or corrective measures are handled
This is why businesses should not force all AI purchases into a single “AI vendor questionnaire.” The date logic depends on the actual legal category of the system.
What procurement teams should do now even before 2027
The later dates do not justify delay. If anything, they make classification and contract design more important, because the business needs to know which evidence path it is building toward.
A workable procurement workflow for German businesses
Use this order:
- Identify the AI system and the business use case.
- Map the role split: provider, deployer, distributor, or importer where relevant.
- Classify the system: transparency-only, stand-alone Annex III, product-embedded high-risk, GPAI-linked, or outside the high-risk categories.
- Map the likely date branch: 2026, enacted 2027 baseline, proposed 2027 stand-alone delay, or proposed 2028 product delay.
- Translate the result into contract asks: documentation, instructions, oversight support, logging, incident escalation, and change notices.
Contract points that should not wait
Before rollout, German procurement teams should secure:
- rights to request or inspect relevant technical and compliance documentation
- clear instructions for use and human oversight expectations
- commitments on logging and output traceability support
- prompt notice of serious incidents, material updates, and intended-purpose changes
- a clear division of responsibility between provider and deployer
Many teams will also need the privacy layer in parallel. That is where GDPR AI procurement and AI vendor due diligence in Germany fit into the same workflow.
How this timeline page fits the wider procurement cluster
This page should answer the date question and route the reader onward. It should not try to become the full commercial pillar.
Use the cluster like this:
- Read this page when you need the timeline logic for 2026, 2027, and 2028.
- Read Which EU AI Act systems move to 2 December 2027? for the stand-alone Annex III date owner.
- Read Which AI systems move to 2 August 2028? for the product-embedded date owner.
- Read Does EU AI Act procurement matter before 2027? for the before-2027 buyer answer.
- Read EU AI Act procurement requirements for German enterprises when you need the contract clauses and document requests.
- Read EU AI Act August 2026 deadline checklist when you need a broader operational checklist for the near-term framework date.
- Read GDPR AI procurement and AI vendor due diligence in Germany when privacy, processor terms, or vendor assessment overlap with the AI Act workstream.
That structure avoids cannibalising the pillar page and gives search engines a clearer separation between a timeline spoke, an action page, and supporting due diligence pages.
Frequently asked questions
What is the EU AI Act implementation timeline for Germany?
As of June 28, 2026, German businesses should track both the enacted and the proposed timelines. The enacted text still points to 2 August 2026 for broad application and 2 August 2027 for Article 6(1)-related timing, while the current implementation direction after the 7 May 2026 provisional Omnibus deal points to 2 December 2027 for stand-alone Annex III high-risk AI and 2 August 2028 for high-risk AI embedded in regulated products.
Does the AI Act enforcement timeline mean nothing happens before 2027?
No. That is the wrong operational reading. Procurement, governance, transparency, role mapping, and evidence collection all start earlier. A business can create compliance problems in 2026 by signing a poor contract even if its main high-risk use case falls into a later category.
Which systems are usually stand-alone Annex III systems?
Typical examples are recruitment and worker-management tools, biometric identification systems, education assessment systems, certain scoring systems, and other use cases that are listed directly in Annex III. The high-risk status comes from the use case itself rather than from product integration.
Which systems are usually product-embedded high-risk systems?
These are AI systems built into products that already sit inside regulated product frameworks. Depending on the sector, that can include certain medical devices, machinery, lifts, toys, and similar products that follow conformity and product-safety pathways.
Why do official sources look inconsistent on the dates?
They look inconsistent because they are describing different layers of the timeline. Regulation (EU) 2024/1689 remains the enacted legal text, while the European Commission, the AI Act Single Information Platform, and the Council now also reflect the later implementation direction coming out of the 7 May 2026 provisional Omnibus agreement.
Do I need legal advice for a specific AI system?
Usually yes, if the system affects employment, biometrics, regulated products, essential services, or high-stakes internal workflows. This page provides general information only. The correct AI Act, GDPR, and product-law position depends on the system architecture, the vendor documentation, and the intended use in your business.
Need help with the EU AI Act timeline in Germany?
Compound Law advises businesses in Germany on AI procurement, vendor contracts, deployer obligations, product-linked AI questions, and GDPR coordination. This page is general information only and does not replace legal advice for a specific system, contract, or regulated product.