EU AI Act timeline Germany with 2026 2027 and 2028 dates
compliance

EU AI Act Timeline Germany: 2026, 2027 and 2028

Timeline Answer

As of June 28, 2026, German businesses should track both the enacted timetable in Regulation (EU) 2024/1689 and the later high-risk dates in the 7 May 2026 provisional Omnibus deal. In practice, procurement teams should work with 2 August 2026 for broad application, 2 December 2027 for stand-alone Annex III high-risk AI if the delay is adopted, and 2 August 2028 for high-risk AI embedded in regulated products.

  • The enacted AI Act still points to 2 August 2026 and 2 August 2027.
  • The Commission and Council now also point to a proposed 2 December 2027 and 2 August 2028 split.
  • German buyers should classify each system before mapping the date.
  • Contracts should secure documentation, oversight, logging, and incident cooperation now.

The EU AI Act timeline for Germany now has to be answered with three operational dates, plus one legal caveat. As of June 28, 2026, German businesses should treat 2 August 2026 as the live framework and transparency date, 2 December 2027 as the proposed later date for stand-alone Annex III high-risk AI, and 2 August 2028 as the proposed later date for high-risk AI embedded in regulated products. The caveat is that Regulation (EU) 2024/1689 still contains the enacted baseline in Article 113, so businesses should track both the legal text and the current implementation direction shown by the European Commission and the Council after the 7 May 2026 provisional Omnibus deal.

That distinction matters because a narrow answer like “the EU AI Act deadline is August 2026” is now too incomplete for procurement, governance, and rollout decisions in Germany. A SaaS recruitment tool, a biometric access system, and AI embedded in a medical or industrial product do not sit on the same timeline.

This page is the timeline hub, not the primary answer owner for each narrow procurement question. For the exact-answer pages, read Which EU AI Act systems move to 2 December 2027?, Which AI systems move to 2 August 2028?, and Does EU AI Act procurement matter before 2027?. For the commercial procurement layer underneath them, see EU AI Act procurement requirements for German enterprises. For the wider supporting pages, also read our EU AI Act August 2026 deadline checklist, GDPR AI procurement, and AI vendor due diligence in Germany.

Quick timeline table for German businesses

DateSystems affectedCurrent source positionWhat German buyers and operators should do now
2 August 2026Broad AI Act application, especially transparency and rollout governance workStill part of the enacted timetable in Regulation (EU) 2024/1689Review disclosures, intake, governance, vendor evidence flows, and role allocation now
2 August 2027Article 6(1) and corresponding high-risk product obligations in the enacted textStill the baseline in Article 113 unless formal delay amendments replace itDo not ignore this date while the delay package remains unfinalised
2 December 2027Stand-alone Annex III high-risk AI under the proposed delay trackReflected in the Commission and Council implementation framing after 7 May 2026Classify HR, scoring, biometric, and similar software systems early and contract for evidence now
2 August 2028High-risk AI embedded in regulated products under the proposed delay trackReflected in the same proposed delay trackAlign procurement with product-law documentation, CE pathways, and supplier cooperation

Why the old one-line August 2026 answer is no longer enough

The old framing worked when the main question was whether the AI Act would broadly start to bite in 2026. It no longer works for businesses trying to decide whether a specific system belongs to the 2026, 2027, or 2028 branch.

The reason is simple:

  1. The enacted Regulation still gives you the baseline text.
  2. The current implementation direction now separates stand-alone Annex III systems from product-embedded systems.
  3. Procurement teams need both answers, because contracts are signed before the formal date question is fully settled.

For search intent, the clean answer is therefore not “there is one deadline.” The clean answer is: German businesses should map AI Act dates by system class and should keep one eye on the enacted Article 113 timetable and another on the proposed Omnibus delay track.

What still applies on 2 August 2026

The 2 August 2026 date still matters. It should not be written off as outdated or replaced entirely by later dates. For many businesses in Germany, it is the first operational deadline that changes internal rollout standards.

Transparency and deployer-facing readiness still matter in 2026

For customer-facing and employee-facing AI, transparency obligations remain an immediate compliance concern. A business using a chatbot, AI assistant, or similar interface may need to disclose clearly that the user is interacting with AI rather than a human. Teams also need governance around intended purpose, output review, escalation, and supplier communication.

For procurement, that means:

  • confirming whether the tool triggers user-facing disclosure duties
  • documenting who inside the business owns the AI rollout
  • checking what instructions for use the vendor provides
  • setting up logging, escalation, and change-management expectations

This is why the EU AI Act August 2026 deadline checklist remains relevant even for companies primarily concerned with later high-risk dates.

One of the easiest mistakes in 2026 is to quote only the delayed 2027/2028 split and forget that the enacted legal text has not yet fully caught up. Article 113 of Regulation (EU) 2024/1689 still matters. Until the delay package is formally adopted and implemented, legal teams should not talk as if 2 August 2027 has disappeared.

That is why a careful internal summary for Germany should read something like this:

  • 2 August 2026 is still the broad application and transparency date.
  • 2 August 2027 remains the enacted high-risk baseline in Article 113.
  • 2 December 2027 and 2 August 2028 are the proposed later dates in the current official implementation direction.

Which systems move to 2 December 2027

The proposed 2 December 2027 date matters most for stand-alone Annex III high-risk AI systems. These are systems whose high-risk status comes from the use case in Annex III, not from being embedded in a separately regulated product.

Procurement-relevant examples of stand-alone Annex III systems

For German businesses, common examples include:

  • employment AI, such as CV screening, applicant ranking, worker scoring, or AI used to influence promotion or termination decisions
  • biometric systems for identification, verification, or sensitive access control
  • education and training systems that affect admissions, progression, or formal assessment
  • eligibility and scoring systems affecting access to essential services
  • critical infrastructure support tools used in sensitive operational environments

These are often purchased as software, APIs, or vendor-managed services rather than hardware. That is why the timeline question is so procurement-heavy. The company buying the tool is usually the deployer, while the supplier controls the system facts, documentation, and intended-purpose description.

What German procurement teams should do now for the 2027 category

Even before 2027, buyers should require:

  1. Classification support. The vendor should explain whether the system is intended to fall within Annex III.
  2. Instructions for use. The business needs operational guidance, not only commercial descriptions.
  3. Logging and oversight support. Contracts should say how the deployer can review outputs and intervene.
  4. Incident cooperation. The vendor should commit to rapid notification and support.
  5. Documentation access. Buyers should know what conformity and technical materials can be made available.

That work belongs in the procurement stage, which is why this timeline page should route directly into EU AI Act procurement requirements for German enterprises instead of duplicating the full contract drafting discussion here.

Which systems move to 2 August 2028

The proposed 2 August 2028 date is the product-side branch of the split timeline. It is aimed at high-risk AI embedded in regulated products, not the typical stand-alone SaaS or workflow purchase.

Product-linked examples that fit the 2028 branch

Depending on the sector and product law framework, this can include AI embedded in:

  • medical devices
  • machinery
  • lifts
  • toys
  • other products subject to Union product-safety or conformity frameworks

For businesses in medtech, manufacturing, industrial technology, robotics, and similar sectors, this distinction matters because the procurement file needs to speak both AI Act and product law. The relevant questions go beyond model behaviour and user oversight. They also touch technical files, CE-marking pathways, supplier change control, and product-side conformity support.

How the 2028 branch differs from normal SaaS procurement

In software procurement, the key issues are usually intended purpose, oversight, logging, transparency, and evidence rights. In product-linked procurement, the buyer also needs to understand:

  • whether the AI is part of a regulated product architecture
  • which product regime governs the item
  • what conformity materials the manufacturer controls
  • how updates, incidents, recalls, or corrective measures are handled

This is why businesses should not force all AI purchases into a single “AI vendor questionnaire.” The date logic depends on the actual legal category of the system.

What procurement teams should do now even before 2027

The later dates do not justify delay. If anything, they make classification and contract design more important, because the business needs to know which evidence path it is building toward.

A workable procurement workflow for German businesses

Use this order:

  1. Identify the AI system and the business use case.
  2. Map the role split: provider, deployer, distributor, or importer where relevant.
  3. Classify the system: transparency-only, stand-alone Annex III, product-embedded high-risk, GPAI-linked, or outside the high-risk categories.
  4. Map the likely date branch: 2026, enacted 2027 baseline, proposed 2027 stand-alone delay, or proposed 2028 product delay.
  5. Translate the result into contract asks: documentation, instructions, oversight support, logging, incident escalation, and change notices.

Contract points that should not wait

Before rollout, German procurement teams should secure:

  • rights to request or inspect relevant technical and compliance documentation
  • clear instructions for use and human oversight expectations
  • commitments on logging and output traceability support
  • prompt notice of serious incidents, material updates, and intended-purpose changes
  • a clear division of responsibility between provider and deployer

Many teams will also need the privacy layer in parallel. That is where GDPR AI procurement and AI vendor due diligence in Germany fit into the same workflow.

How this timeline page fits the wider procurement cluster

This page should answer the date question and route the reader onward. It should not try to become the full commercial pillar.

Use the cluster like this:

That structure avoids cannibalising the pillar page and gives search engines a clearer separation between a timeline spoke, an action page, and supporting due diligence pages.

Frequently asked questions

What is the EU AI Act implementation timeline for Germany?

As of June 28, 2026, German businesses should track both the enacted and the proposed timelines. The enacted text still points to 2 August 2026 for broad application and 2 August 2027 for Article 6(1)-related timing, while the current implementation direction after the 7 May 2026 provisional Omnibus deal points to 2 December 2027 for stand-alone Annex III high-risk AI and 2 August 2028 for high-risk AI embedded in regulated products.

Does the AI Act enforcement timeline mean nothing happens before 2027?

No. That is the wrong operational reading. Procurement, governance, transparency, role mapping, and evidence collection all start earlier. A business can create compliance problems in 2026 by signing a poor contract even if its main high-risk use case falls into a later category.

Which systems are usually stand-alone Annex III systems?

Typical examples are recruitment and worker-management tools, biometric identification systems, education assessment systems, certain scoring systems, and other use cases that are listed directly in Annex III. The high-risk status comes from the use case itself rather than from product integration.

Which systems are usually product-embedded high-risk systems?

These are AI systems built into products that already sit inside regulated product frameworks. Depending on the sector, that can include certain medical devices, machinery, lifts, toys, and similar products that follow conformity and product-safety pathways.

Why do official sources look inconsistent on the dates?

They look inconsistent because they are describing different layers of the timeline. Regulation (EU) 2024/1689 remains the enacted legal text, while the European Commission, the AI Act Single Information Platform, and the Council now also reflect the later implementation direction coming out of the 7 May 2026 provisional Omnibus agreement.

Usually yes, if the system affects employment, biometrics, regulated products, essential services, or high-stakes internal workflows. This page provides general information only. The correct AI Act, GDPR, and product-law position depends on the system architecture, the vendor documentation, and the intended use in your business.

Need help with the EU AI Act timeline in Germany?

Compound Law advises businesses in Germany on AI procurement, vendor contracts, deployer obligations, product-linked AI questions, and GDPR coordination. This page is general information only and does not replace legal advice for a specific system, contract, or regulated product.

Related Compliance Guides

Facial recognition in Germany under AI Act and GDPR
compliance

Is Facial Recognition Legal in Germany? AI Act & GDPR Rules

Facial recognition in Germany is legal only in narrow cases. See what the AI Act prohibits, when Article 9 GDPR applies, and what to do before 2 August 2026.

Communication APIs Germany GDPR data residency retention comparison
compliance

Communication APIs for Germany: GDPR, Data Residency, Retention

Compare communication APIs, voice APIs, and CPaaS vendors for Germany by DPA terms, EU data residency, retention controls, subprocessors, and support.

AI hiring tools compliance checklist for Germany
compliance

AI Hiring Tools in Germany: EU AI Act, GDPR and Works Council

AI hiring tools in Germany need EU AI Act, GDPR Article 22, DPIA, and works council review before rollout. Use this buyer checklist before procurement.

Frequently asked questions

For German businesses, the practical timeline answer is no longer a single deadline. As of June 28, 2026, the enacted AI Act still applies broadly from 2 August 2026, with Article 6(1) and corresponding high-risk product rules applying from 2 August 2027, while the 7 May 2026 provisional Omnibus deal points to a later split of 2 December 2027 for stand-alone Annex III high-risk AI and 2 August 2028 for high-risk AI embedded in regulated products.

This is the proposed later date for stand-alone Annex III high-risk AI systems if the Omnibus delay package is formally adopted. Typical examples for procurement teams are recruitment screening, worker evaluation, biometric identification, education assessment, access-to-services scoring, and other high-risk use cases whose risk status follows from Annex III rather than from being built into a separately regulated product.

This is the proposed later date for high-risk AI embedded in regulated products under the same delay track. It matters most for AI linked to product-safety and CE-marking regimes, such as certain medical devices, machinery, lifts, toys, or similar regulated equipment.

Yes. Even where later dates may apply to high-risk categories, German buyers still need transparency, governance, intake, contract, and evidence work before deployment. Procurement should not wait for a later date if the business is already selecting vendors, defining intended purpose, or onboarding AI into customer-facing or employee-facing workflows.

Not yet. Regulation (EU) 2024/1689 remains the enacted legal text, and its Article 113 structure still matters. The 2 December 2027 and 2 August 2028 dates come from the 7 May 2026 provisional agreement between the Council and Parliament and from the way the European Commission now frames the implementation path. That means businesses should track both the enacted text and the proposed delay track until formal adoption is complete.

Because most German companies buying AI are deployers, while the vendor is usually the provider. The provider controls technical documentation, intended-purpose framing, conformity evidence, and product-side facts. Procurement is where a deployer secures the contractual rights needed to use that material for compliant rollout.

Book Free Call