The EU AI Act deadline calendar: three waves to 2028
One date used to anchor every conversation about the EU AI Act: 2 August 2026. After the AI Omnibus moved the high-risk regime to 2 December 2027 and the embedded-product regime to 2 August 2028, that single date no longer maps to reality. The Act is now three independent deadlines on three independent tracks, each with its own scope, penalty exposure, and run-up work. This piece is the practice's current calendar: which obligations actually apply on each date, which SaaS sit on which track, and the minimum work each track needs by its respective deadline.
Wave 1: Article 50, GPAI provider transparency, and governance (2 August 2026)
Three blocks of obligation begin to apply on 2 August 2026.
Article 50 transparency. Every SaaS surface where a natural person interacts with an AI system must disclose that fact. Every piece of AI-generated content (text, image, audio, video) must carry a machine-readable provenance mark. Every emotion-recognition or biometric-categorisation feature must inform the user. Every deepfake must be labelled. This is the wave that catches almost every SaaS shipping AI into the EU, regardless of vertical or risk profile. Penalty band: €15 million or 3% under Article 99(4).
GPAI provider obligations under Chapter V. Providers of general-purpose AI models that placed a model on the EU market after 2 August 2025 must comply with Article 53 transparency duties (training-data summary, copyright policy, technical documentation). Providers of GPAI models with systemic risk (training compute above 10²⁵ FLOP) must additionally comply with Article 55. These bind frontier-model providers, not the SaaS that uses those models through an API. A SaaS that fine-tunes a GPAI to the point of substantial modification under Article 25 can become a provider in its own right.
Governance framework under Chapter VII. The AI Board, the AI Office, national competent authorities, and the scientific panel become operative. National market-surveillance authorities, designated by Member States before 2 August 2025, take on enforcement responsibility. From an enforcement standpoint, 2 August 2026 is the day the institutional machinery starts running. Penalty band for governance violations: €15 million or 3% under Article 99(4).
Wave 2: Annex III high-risk obligations (2 December 2027)
Annex III lists eight categories of high-risk AI use: biometrics, critical infrastructure, education, employment, essential services (including credit scoring and insurance pricing), law enforcement, migration and border control, justice and democratic processes. SaaS in regulated verticals (HR tech, edtech, fintech credit-scoring, healthtech triage, legaltech) typically have at least one feature inside Annex III.
The AI Omnibus, politically agreed 7 May 2026 and adopted 19 November 2025, moved the Annex III application date from 2 August 2026 to 2 December 2027. The substance of the high-risk regime did not change. Article 6(2) classification still applies. Articles 9 through 15 (risk management, data governance, technical documentation, logging, transparency to deployers, human oversight, accuracy and robustness) still apply. Article 43 conformity assessment still applies. Article 49 registration in the EU AI database still applies. The eighteen months between now and December 2027 is the realistic minimum for a SaaS that has not started the work. Penalty band: €15 million or 3% under Article 99(4). Full breakdown: see the Annex III pillar.
Wave 3: Annex I embedded-product obligations (2 August 2028)
Article 6(1) classifies an AI system as high-risk where it is intended to be used as a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in Annex I, AND the product is required to undergo third-party conformity assessment. Annex I covers the Machinery Regulation, the Medical Devices Regulation, the In Vitro Diagnostic Medical Devices Regulation, the toy directive, lifts, radio equipment, pressure equipment, cableways, personal protective equipment, gas appliances, recreational craft, civil aviation, motor vehicles, agricultural and forestry vehicles, two- and three-wheel vehicles, and marine equipment.
The AI Omnibus moved the Annex I application date from 2 August 2027 to 2 August 2028 to align with notified-body capacity and harmonised-standards publication. The same Articles 9 through 15 obligations apply, integrated with the sector-specific conformity-assessment procedure. SaaS embedded in regulated hardware (medical-device decision-support, machinery vision systems, automotive AI) sits in this wave. Pure-software SaaS that does not become a safety component of a regulated product does not. Penalty band: €15 million or 3% under Article 99(4). Full breakdown: see the Annex I pillar.
Dates already past, and what they require now
Three dates have already triggered.
1 August 2024. Regulation (EU) 2024/1689 entered into force. No operational obligation triggered on this date.
2 February 2025. Article 5 prohibited practices became enforceable. If your product does social scoring of natural persons, untargeted face scraping, manipulative AI exploiting vulnerabilities, real-time remote biometric ID in public spaces by law enforcement, biometric categorisation by sensitive characteristics, predictive policing, emotion recognition in workplaces or education, or any of the other Article 5 prohibitions, you have been non-compliant since this date. Penalty band: €35 million or 7% under Article 99(3). The AI Omnibus did not change Article 5 dates. The AI Omnibus added one new prohibition: AI generating non-consensual sexually explicit content or child sexual abuse material.
2 August 2025. GPAI provider obligations under Chapter V, the governance framework under Chapter VII, the notification framework under Chapter III Section 4, the GPAI penalty regime under Chapter XII, and Article 78 (confidentiality) all became applicable. Frontier-model providers have been complying since this date. SaaS deployers are not bound by these provisions; they are bound by the downstream Article 50 obligations that trigger on 2 August 2026.
What this means in practice. If you are a SaaS that has not done an Article 5 audit, do it now. If you use a GPAI through an API, verify the upstream provider's Article 53 disclosures are published and reference them in your model card. These two items are housekeeping the practice resolves during initial intake.
How to run three waves in parallel
Most SaaS the practice audits will hit at least two waves. A typical fintech credit-scoring product hits Wave 1 (Article 50 transparency for any user-facing AI) and Wave 2 (Annex III credit-scoring obligations). A medical-device SaaS hits Wave 1, Wave 2 (if its AI is used in a healthtech context outside MDR), and Wave 3 (where the AI is a safety component of the medical device under MDR). The waves are independent; the work is cumulative.
The practice runs the three waves as separate engagements, sequenced by deadline.
Wave 1 engagement: Article 50 compliance. Five business days, €997. Covers feature-by-feature Article 50 classification, disclosure code (chat banner, content-marking, deepfake labelling, emotion-recognition notice), accessibility under Article 50(5), and a published Article 50 statement. Deliverable: signed assurance letter and an implementation pack. Commission before end of June 2026 to leave implementation buffer before 2 August.
Wave 2 engagement: Annex III readiness programme. Eighteen months, milestone-billed. Covers Article 6 classification (feature by feature), Article 9 risk management system, Article 10 data governance, Article 11 technical documentation under Annex IV, Article 12 logging, Article 13 instructions for use, Article 14 human oversight, Article 15 accuracy and robustness, Article 43 conformity assessment, Article 49 EU database registration. Start now; finish before 2 December 2027.
Wave 3 engagement: Annex I embedded-product compliance. Two years, integrated with the sector-regulation conformity-assessment cycle. Covers the same Articles 9 through 15, mapped against the underlying Union harmonisation regulation. Engage an MDR-, Machinery-, or RED-designated notified body that is also AI Act designated. Plan from now to 2 August 2028.
Founders running all three waves in parallel: the practice assigns a lead reviewer per wave and a programme manager across them. Most SaaS hit one or two, not three. Triage at /audit determines which.
Frequently asked questions
Why did the dates change?
The AI Omnibus is a legislative package of amendments to several EU digital regulations including the AI Act. The Commission proposed it as the Digital Package on Simplification, the European Parliament and Council reached political agreement on 7 May 2026, and the package was adopted on 19 November 2025. The amendments moved the Annex III high-risk application date from 2 August 2026 to 2 December 2027 and the Annex I embedded-product application date from 2 August 2027 to 2 August 2028. The official reasoning: notified-body capacity and harmonised-standards publication were not on track to support the original dates. Article 50, Article 5, the GPAI provider regime, and the governance framework were not delayed.
Are there earlier dates I should also track?
Two. Article 5 prohibited practices have been enforceable since 2 February 2025. If you have not audited your product for Article 5 exposure, do that before anything else; the penalty band is the highest in the Act at €35M or 7%. GPAI provider obligations under Chapter V have been enforceable for upstream model providers since 2 August 2025. As a SaaS deployer you are not directly bound, but your model card should reference the upstream provider's Article 53 disclosures.
My SaaS hits multiple waves. How do I plan?
Sequence by deadline. Ship Article 50 (Wave 1) before 2 August 2026. Start the Annex III programme (Wave 2) immediately; it is eighteen months of work and the deadline is December 2027. If you are also in Wave 3 (embedded hardware via Annex I), engage the sector-specific notified body now; notified-body capacity is constrained through 2027. The waves share the Articles 9 to 15 backbone, so Annex III and Annex I work overlaps technically; only the conformity-assessment route and integration with the underlying sector regulation differ.
Do the penalties differ between waves?
The Article 99(4) band of up to €15 million or 3% of worldwide annual turnover covers Article 50 violations, Annex III non-compliance, and Annex I non-compliance. Article 5 prohibited-practice violations sit in a higher band under Article 99(3): up to €35 million or 7%. Supplying incorrect or misleading information to authorities is a lower band under Article 99(5): up to €7.5 million or 1%. SMEs benefit from proportionality under Article 99(6) but the ceilings are unchanged.
Is there a wave that does not affect software-only SaaS?
Wave 3 (Annex I embedded-product) generally does not apply to pure-software SaaS that is not bundled into a regulated hardware product. If your customer is a medical-device manufacturer integrating your AI as a component, or a machinery vendor doing the same, you may inherit provider obligations under Article 25. In those scenarios you sit in Wave 3 by inheritance. Pure SaaS-to-SaaS or SaaS-to-consumer with no hardware path generally does not.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
- https://artificialintelligenceact.eu/article/113/
- https://artificialintelligenceact.eu/article/99/
- https://artificialintelligenceact.eu/annex/1/
- https://artificialintelligenceact.eu/annex/3/
Last updated: 2026-06-09