The EU AI Act deadline calendar: three waves to 2028

The AI Omnibus split one deadline into three. Here's what triggers when, and what each wave means for SaaS.

Practical EU AI Act guidance for SaaS founders. Founder of disclos.eu.

Until last November, the EU AI Act had one deadline worth memorising: 2 August 2026. Then the AI Omnibus dropped, and that single date stopped being the whole story. The high-risk regime got bumped to 2 December 2027. Embedded-product rules pushed out to 2 August 2028. So you're not looking at one deadline anymore. You're looking at three, on different tracks, with different penalty exposure and different amounts of prep work ahead of each one.

Here's the version I've been walking founders through on intake calls.

Wave 1: Article 50, GPAI, and governance (2 August 2026)

Three things go live that day.

Article 50 transparency. When a real person is talking to an AI inside your product, they have to know. When your product spits out AI-generated text, image, audio, or video, that output needs machine-readable provenance metadata. Same rule for emotion recognition, biometric categorisation, anything that could be called a deepfake. Article 50 is the one that catches almost every SaaS shipping AI into the EU. Doesn't matter what vertical you're in. Doesn't matter how low-risk you think you are. The penalty is €15M or 3% of global turnover under Article 99(4), whichever hurts more.

GPAI provider obligations (Chapter V). This is OpenAI, Anthropic, Mistral, Meta, anyone shipping a foundation model. Not you, assuming you're just hitting their API. Two exceptions to flag. One: fine-tune a GPAI hard enough that it counts as "substantial modification" under Article 25, and you flip into provider status yourself. Two: train a model at scale (compute above 10^25 FLOP), and Article 55's systemic-risk regime joins the party. Otherwise this is upstream's problem, not yours.

Governance (Chapter VII). The AI Board, the AI Office, the scientific panel, and national competent authorities all get teeth on 2 August. National market-surveillance authorities (the people who actually do enforcement) were designated by Member States back in 2025. So this date isn't just when the rules apply. It's when the enforcement machinery wakes up. Same Article 99(4) band.

Wave 2: Annex III high-risk (2 December 2027)

Annex III is the list of eight high-risk use cases. It covers biometrics, critical infrastructure, education, employment, essential services (credit scoring and insurance pricing live here), law enforcement, migration and border control, and the administration of justice and democratic processes. If you're in a regulated vertical (HR tech, edtech, fintech, healthtech triage, legaltech) you've almost certainly got at least one feature inside Annex III, even if nobody's pointed it out yet.

The original date was 2 August 2026. The AI Omnibus, politically agreed on 7 May 2026 and formally adopted 19 November 2025, moved it to 2 December 2027.

The reprieve sits on the calendar, not in the substance. Article 6(2) classification still bites the same way. So does everything from Article 9 (risk management) to Article 15 (accuracy and robustness): data governance, technical documentation, logging, transparency to deployers, human oversight. Article 43 conformity assessment is still on the menu. Article 49 EU database registration too. Eighteen months sounds generous until you cost it out. For a SaaS that hasn't started, that's the realistic floor, not the ceiling.

Wave 3: Annex I embedded (2 August 2028)

Article 6(1) is the high-risk classification that catches AI used as a safety component (or as the actual product) of something already regulated under EU product-safety law. Annex I is the list of those regimes: the Machinery Regulation, MDR, IVDR, the toy directive, lifts, radio equipment, pressure equipment, cableways, PPE, gas appliances, recreational craft, civil aviation, motor vehicles, agricultural vehicles, marine equipment. If the underlying product needs third-party conformity assessment, the AI inside it inherits that requirement.

The Omnibus moved this date from 2 August 2027 to 2 August 2028. Partly because notified bodies needed time to staff up for AI-specific assessment. Partly because the harmonised standards weren't ready.

Obligations are the same Articles 9 to 15 stack as Annex III. The wrinkle: the conformity-assessment route plugs into whatever the sector regulation already requires, so you're solving two compliance puzzles at once. If you're pure software with no hardware bundle, you usually escape this wave. If you're software that ends up inside a regulated device, you don't.

What's already kicked in

Three dates have already triggered.

1 August 2024. The Regulation entered into force. Nothing operational happened.

2 February 2025. Article 5 prohibited practices became enforceable. If you do any of these, you've been out of compliance for over a year: social scoring, untargeted face scraping, manipulative AI exploiting vulnerabilities, real-time public-space biometric ID by law enforcement, biometric categorisation by sensitive attribute, predictive policing, emotion recognition in workplaces or schools. The Omnibus added one more recently: AI generating non-consensual sexually explicit material or CSAM. Penalty here is €35M or 7% of global turnover under Article 99(3). Highest band in the Act, full stop.

2 August 2025. A bunch of things came online at once: GPAI provider obligations under Chapter V, the governance framework, the notification framework, the GPAI penalty regime, plus Article 78 on confidentiality. Frontier-model providers have been working through that list since then. If you're a SaaS deployer using their API, you're not bound by these directly. What you owe is Article 50 transparency, landing on 2 August 2026.

The honest version of "what to do right now": if you've never run an Article 5 check, do that this week. If you use an LLM through an API, find the upstream's Article 53 disclosures and reference them in your model card. Boring stuff. We knock both out during intake on every audit.

Running three waves at once

Almost no SaaS sits in only one wave. A fintech doing credit scoring is in Wave 1 (any user-facing AI surface owes Article 50) and Wave 2 (credit scoring sits squarely in Annex III). A medical-device SaaS hits Wave 1, maybe Wave 2 if its AI is used in a healthtech context outside MDR, and Wave 3 because the AI is a safety component of an MDR-class device. The waves don't replace each other. They stack.

Here's how we sequence the work when more than one wave is in scope.

Wave 1: Article 50 audit. Five business days, €997. Feature-by-feature classification, drop-in disclosure code, accessibility under Article 50(5), a published transparency statement, the implementation pack. Signed assurance letter at the end. Commission before end of June if you want any buffer before August.

Wave 2: Annex III readiness. Eighteen months, milestone-billed. Article 6 classification across every feature, an Article 9 risk management system, Article 10 data governance, the Annex IV technical file under Article 11, Article 12 logging, Article 13 instructions for use, Article 14 human oversight, Article 15 testing, Article 43 conformity assessment, Article 49 registration. Kick off now. Land before December 2027.

Wave 3: Annex I. Two years. Integrates with the notified-body cycle under your sector regulation. The Articles 9 to 15 stack maps across, but the conformity-assessment route flows through whichever notified body handles your MDR, Machinery, or RED. Engage them in 2026. Plan to 2028.

Founders running all three get a lead reviewer per wave plus a programme manager across them. Most don't need all three. The intake call at disclos.eu/audit figures out which.

FAQ

Why did the dates change?

The AI Omnibus is the Commission's amendment package, marketed as the Digital Package on Simplification. Political agreement was on 7 May 2026; formal adoption on 19 November 2025. It pushed Annex III from 2 August 2026 to 2 December 2027, and Annex I from 2 August 2027 to 2 August 2028. Official reasoning was notified-body capacity and harmonised-standards readiness. Article 50, Article 5, the GPAI provider regime, and the governance framework didn't move.

Are there earlier dates I should also track?

Two. Article 5 prohibited practices since 2 February 2025. The penalty here is the highest in the Act at €35M or 7%, so check yourself first. GPAI provider obligations under Chapter V since 2 August 2025. That one binds upstream, but your model card should reference whichever foundation model's Article 53 disclosures you rely on.

My SaaS hits multiple waves. How do I plan?

Sequence by deadline. Ship Article 50 before 2 August 2026. Start Annex III now. Eighteen months of work, December 2027 deadline. If you're also in Annex I, engage your sector-regulation notified body in 2026; capacity is tight through 2027. The Articles 9 to 15 backbone overlaps between Annex III and Annex I, so the technical work isn't duplicated. The conformity-assessment route and the sector-regulation integration are where the two waves split.

Do the penalties differ between waves?

The Article 99(4) band of €15M or 3% covers Article 50, Annex III, and Annex I non-compliance. Article 5 violations sit in the higher Article 99(3) band: €35M or 7%. Article 99(5) (incorrect or misleading information to authorities) caps lower at €7.5M or 1%. SMEs get proportionality under Article 99(6), but the ceilings don't change.

Is there a wave that doesn't affect software-only SaaS?

Usually Wave 3. Annex I needs the AI to be embedded in a regulated hardware product. If you're pure software with no hardware bundle, you're out. If you license your model to a medical-device manufacturer or machinery vendor that integrates it as a safety component, Article 25 inheritance can pull you back in. Worth checking quarterly.


Originally published at disclos.eu/blog/eu-ai-act-deadline-calendar. If you want me to run the audit on your product, the intake is at disclos.eu/audit.
