EU AI Act: Counting Down to High-Risk Obligations

The most demanding tier of the European Union’s Artificial Intelligence Act concerns high-risk AI systems. Their core obligations — risk management, data governance, documentation, human oversight, conformity assessment and CE marking — were tied to a 2 August 2026 milestone, with further phased dates running to 2027 and beyond. This explainer sets out the framework and the moving timeline as it stood. It is news analysis, not legal advice.

What counts as high-risk

The Act treats two broad groups as high-risk. The first covers AI systems that are safety components of products already regulated under EU harmonisation law (Annex I), such as machinery or medical devices. The second covers stand-alone systems used in defined areas (Annex III), including biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and the administration of justice. Our pillar page on the EU AI Act sets out the full risk taxonomy.

What providers must do

For high-risk systems, providers face a structured set of obligations, including:

  • A continuous risk-management system across the lifecycle.
  • Data governance covering training, validation and testing datasets.
  • Detailed technical documentation and automatic logging.
  • Transparency to deployers and appropriate human oversight.
  • Appropriate accuracy, robustness and cybersecurity.

Deployers carry their own duties under Article 26, such as using systems in line with instructions and ensuring human oversight in practice.

Conformity assessment and CE marking

Before a high-risk system is placed on the market, it must undergo a conformity assessment to demonstrate it meets the requirements. Depending on the system, this may be a self-assessment by the provider or, in some cases, involve a designated notified body. Systems that pass are registered in an EU database and carry the CE marking, the same conformity mark already familiar from EU product law. This product-safety mechanism is what distinguishes the high-risk tier from the lighter transparency duties elsewhere in the Act. Many organisations preparing for it align their internal controls with frameworks such as the NIST AI RMF and ISO/IEC 42001, though these are not a substitute for the Act’s legal conformity route.

The phased timeline — and a proposed deferral

The original calendar tied the main body of high-risk obligations to 2 August 2026, with product-embedded (Annex I) systems following on a longer transitional schedule into 2027. However, the timeline became the subject of legislative change. A “Digital Omnibus” proposal, advanced through the EU institutions, sought to defer key high-risk obligations — including those for Annex III stand-alone systems and the fundamental-rights impact assessment — to later dates, with reporting indicating a move toward December 2027 for Annex III and August 2028 for certain Annex I systems.

An important caveat applies: until any amending instrument is published in the Official Journal, the original dates remain the binding law. Readers should therefore verify the current position against the authoritative European Commission timeline rather than relying on any single snapshot.

Why the dates are layered

The phasing reflects the Act’s dependence on supporting infrastructure: harmonised standards, notified-body capacity and Commission guidance all need to mature before conformity assessment can operate at scale. Spreading the high-risk obligations across multiple dates was intended to give that ecosystem time to develop, and the proposed deferral was framed around readiness concerns of a similar kind.

The role of harmonised standards

A defining feature of the high-risk tier is its reliance on technical standards. The Act anticipates that European harmonised standards will translate its broad legal requirements — such as “appropriate” data governance or “adequate” robustness — into specific, testable technical specifications. A system that conforms to a relevant harmonised standard benefits from a presumption of conformity with the corresponding legal requirement, which is what makes self-assessment viable for many systems. The development of these standards through the European standardisation bodies is therefore on the critical path, and delays in finalising them were among the readiness concerns cited in discussions about the timeline.

Registration and the EU database

Beyond conformity assessment and CE marking, providers of many high-risk systems must register them in an EU database before placing them on the market. The database is intended to give regulators and, in part, the public visibility into which high-risk systems are in circulation and who is responsible for them. Combined with logging and documentation duties, registration reflects the Act’s traceability ambition: the ability to reconstruct, after the fact, how a high-risk system was built, tested and used.

What this means in practice

For organisations building or deploying systems that may be high-risk, the practical task is classification first: determining whether a system falls within Annex I or Annex III, and in what role. A single product can involve multiple parties — a model provider, a system provider and one or more deployers — each with distinct duties, so mapping responsibilities along the value chain is as important as the technical build. Terminology such as provider, deployer, notified body and conformity assessment is defined in the Regulation; our dictionary offers plain-language entries for readers approaching these concepts for the first time.

In summary

The high-risk tier is the operational heart of the EU AI Act, turning principles such as oversight and robustness into documented, assessable requirements backed by CE marking. Its precise effective dates were in flux as deferral proposals moved through the legislative process, so the exact calendar should always be checked against the official record. This article describes the framework and the state of the timeline; it does not provide legal advice.
