EU AI Act 2027 Compliance Calendar: GPAI, High-Risk AI & SaaS Provider Timeline

Post #3 in the EU AI Act Enforcement Timeline 2026-2028 Series

Most EU AI Act coverage treats August 2, 2026 as the final act. It is not. Twelve months later — on August 2, 2027 — a second major wave of obligations activates, affecting every AI system embedded in a regulated physical product. At the same time, 2027 is when the enforcement machinery built in 2026 begins its first full operating cycle: national competent authorities (NCAs) completing initial supervisory rounds, the EU AI Office running its first full GPAI audit year, and market surveillance becoming measurably active.

This guide maps the full 2027 compliance calendar for three categories of organizations: providers of GPAI models, providers and deployers of high-risk AI systems already under 2026 rules, and SaaS providers whose AI systems are embedded in products covered by Union harmonisation legislation.

The August 2, 2027 Deadline: Annex I Section A Products

The EU AI Act's application schedule, set out in Art. 113, uses a 36-month transition from the Regulation's entry into force date (August 1, 2024) for one specific category of high-risk AI: systems covered by Art. 6(1).

Art. 6(1) covers AI systems that either are themselves, or function as safety components of, products subject to Union harmonisation legislation listed in Annex I, Section A — and where that legislation requires a third-party conformity assessment. These are sometimes called "new approach" product categories.

The full list of Annex I Section A legislation includes:

The new Machinery Regulation (EU) 2023/1230, which replaces Directive 2006/42/EC, is also relevant — it explicitly addresses machinery incorporating AI and its interaction with the AI Act conformity assessment chain.

For all AI systems falling under Art. 6(1), the compliance deadline for the core high-risk AI obligations — the Art. 9 risk management system, Art. 10 data governance, Art. 11 technical documentation, Art. 13 transparency to deployers, Art. 14 human oversight provisions, and Art. 15 robustness and cybersecurity requirements — is August 2, 2027, not August 2, 2026.

Who This Affects: The AI-in-Product Developer Profile

The Art. 6(1) category is more common in SaaS and AI developer contexts than most compliance guides acknowledge. The affected organizations include:

Medical SaaS companies whose AI is used in clinical decision support, diagnostic imaging, patient monitoring, or physiological parameter calculation as a component of a medical device regulated under MDR or IVDR. If your AI model outputs are consumed by a CE-marked device, you are likely in scope.

Industrial IoT and automation providers whose AI-driven anomaly detection, predictive maintenance, or process control functions are embedded in machinery subject to CE marking under the Machinery Regulation. SaaS platforms providing AI inference to edge systems in manufacturing lines fall here.

Connected vehicle software providers — telematics, driver-assistance inference, real-time sensor fusion — where the AI component is safety-relevant in a vehicle covered by EU type approval. This category intersects with both the Machinery Regulation and sector-specific vehicle regulations.

Radio equipment and IoT device manufacturers incorporating AI into radio-connected devices covered by Directive 2014/53/EU — increasingly common in smart home, industrial wireless, and medical IoT device categories.

If your organization's AI system is embedded in any of these product categories and the underlying product legislation requires a notified body conformity assessment, you have until August 2, 2027 to complete the full high-risk AI compliance program.

The Conformity Assessment Bottleneck

The 36-month transition for Annex I Section A products was not a gift — it was a recognition that the notified body ecosystem for these product categories operates on long lead times.

Under the EU AI Act, high-risk AI systems in Annex I Section A products must go through the conformity assessment procedure prescribed by the applicable Union harmonisation legislation (Art. 43(1)), adapted to include the AI-specific requirements. This means:

• The notified body assessing your medical device's conformity must also assess the AI system's compliance with Art. 9–Art. 15.
• Coordinating technical documentation across the AI Act requirements and the sectoral legislation (MDR technical file, Machinery Regulation technical file, etc.) is a parallel process, not a sequential one.

Notified bodies across the EU have been building AI Act competence since 2024. By early 2027, the backlog for conformity assessments in medical devices and machinery will be significant. Organizations that begin their assessment engagement in 2027 rather than in 2026 face substantial delays.

Practical implication: If your AI system falls under Art. 6(1), begin notified body engagement no later than Q3 2026. "We have until August 2027" translates operationally to "our technical documentation must be assessment-ready by Q1 2027 at the latest."

Art. 47 Declaration of Conformity: The 2027 Deliverable

When conformity assessment is complete, the provider issues a Declaration of Conformity under Art. 47. For Art. 6(1) systems, this declaration must:

1. Identify the specific AI system by name, version, and all variants covered
2. State that the AI system conforms to the EU AI Act requirements applicable to high-risk AI systems
3. Cross-reference any Union harmonisation legislation applied in the conformity assessment
4. Include the technical file reference, the notified body's identification number and the certificate number where applicable
5. Be signed by a natural person authorized to do so on behalf of the provider

The Art. 47 declaration is the formal compliance artifact that NCAs will request during market surveillance. For AI systems embedded in products, the declaration must align with, and be distinguished from, any equivalent declaration under the sectoral legislation — they are separate documents with different scopes.

Organizations deploying AI systems in regulated product categories should have a draft Art. 47 declaration template prepared well before the August 2027 deadline.

2027 Operations for High-Risk AI Already Under August 2026 Rules

For organizations whose AI systems came under full enforcement in August 2026 — those listed in Annex III covering biometrics, critical infrastructure, education, employment, essential services, law enforcement, and similar — 2027 is the first full year of ongoing compliance operations.

The key operational rhythms by mid-2027:

Post-Market Monitoring: First Annual Review Cycle

Art. 72 requires providers of high-risk AI systems to maintain a post-market monitoring system throughout the system's operational lifetime. The Regulation requires an annual review of performance data for most high-risk AI categories (with shorter cycles where warranted by risk level).

By August 2027 — one year after initial enforcement — the first annual review cycle should be complete for any high-risk AI system deployed before August 2026. The output is a post-market monitoring report that:

• Summarizes the data collected from deployed instances
• Assesses whether the system's performance against its intended purpose has remained within acceptable parameters
• Identifies any incidents or near-misses, even those not rising to Art. 73 serious incident thresholds
• Updates the risk management documentation if new risks have been identified

This report is not submitted to any authority automatically, but NCAs may request it during surveillance inspections. Providers who cannot produce an annual post-market monitoring report for a system deployed since 2026 face a compliance gap.

Serious Incident Reporting: Pipeline Maturity

By mid-2027, organizations that operate high-risk AI systems should have a mature Art. 73 incident detection and reporting pipeline — one that has been tested in practice, not just in tabletop exercises. The first real incidents surfaced in H2 2026 will have clarified how NCAs interpret reporting thresholds and timelines.

Key operational questions that 2027 operations should have resolved:

• Who in the organization is the designated contact for NCA communications on AI Act incidents?
• How does your monitoring system distinguish between a performance degradation (tracked internally) and a serious incident (requiring Art. 73 notification)?
• Do you have a tested escalation path from first detection to formal notification within the required timeframes?

Technical Documentation Updates

Art. 11 requires technical documentation to remain up to date throughout the system's lifetime. Any substantial modification to a high-risk AI system triggers an obligation to review and update the technical documentation — and potentially requires a new conformity assessment if the modification changes the system's risk profile.

The 2027 calendar therefore includes: documenting every meaningful change to the AI system since the initial conformity assessment, assessing whether any such change constitutes a "substantial modification" as defined in the Regulation, and initiating a new conformity assessment where required.

GPAI Compliance in 2027: Second Annual Cycle

GPAI model providers have been under Chapter V obligations since August 2, 2025. By 2027, the second annual compliance cycle is underway.

What the Second Annual Cycle Adds

The first annual cycle (2025–2026) established baseline documentation: the training data descriptions, capability evaluations, and initial Code of Practice compliance reports. By the second cycle:

• The EU AI Office has published guidance clarifying interpretations from the first year's enforcement actions
• The GPAI Code of Practice (in its final form, following the drafting process that concluded in 2025–2026) is the established framework for demonstrating compliance
• Organizations have operational experience with the documentation maintenance requirements and know which compliance gaps caused issues in practice

For providers of systemic-risk GPAI models (Art. 55), the second annual adversarial testing program should apply lessons learned from the first cycle. If red-team exercises in 2026 surfaced failure modes, the 2027 cycle must document how those were addressed.

GPAI and Embedded AI Systems

A SaaS provider that uses a GPAI model as part of a high-risk AI system faces layered compliance in 2027:

1. Their GPAI model provider's Art. 53 documentation obligations pass certain responsibilities downstream to deployers
2. The deployer's own high-risk AI obligations under Art. 9–Art. 15 apply to the combined system
3. If the GPAI model is substantially integrated into an Annex I Section A product (now under the 2027 deadline), the Art. 6(1) conformity assessment must account for the GPAI layer

Organizations that outsource inference to third-party GPAI providers need contractual provisions covering how GPAI model updates, version deprecations, and performance changes will be communicated — because any of these can trigger their own obligation to review conformity and update technical documentation.

Market Surveillance Patterns in 2027

By 2027, EU AI Act market surveillance is operating with 12+ months of experience. Based on how market surveillance has developed in comparable EU regulatory regimes (GDPR, MDR, NIS2), the 2027 patterns typically include:

Sector-focused inspection campaigns: NCAs do not inspect uniformly across all AI categories. They conduct coordinated campaigns — "sweeps" — targeting a specific high-risk AI category. In 2027, expect coordinated sweep campaigns in 2–3 Annex III categories, likely employment and biometrics (both high public interest and regulatorily mature).

Documentation requests as the primary tool: Most NCA inspections in the first enforcement years are desk-based — requesting documentation rather than conducting on-site audits. NCAs will request: technical documentation (Art. 11), Declaration of Conformity (Art. 47), post-market monitoring report (Art. 72), and incident reports filed under Art. 73. Organizations that maintain these in accessible, audit-ready form respond faster and with less disruption.

Cross-border coordination: The European AI Board (Art. 65) was established to coordinate NCA activities across member states. By 2027, the Board's coordination function should be producing joint guidance and potentially joint inspection actions for cross-border AI systems. SaaS providers serving multiple EU markets should expect that an NCA inquiry in one jurisdiction may be part of a coordinated multi-jurisdiction effort.

AI Office and GPAI oversight: The EU AI Office has direct oversight of systemic-risk GPAI models (Art. 55). By 2027, the AI Office will have completed at least one full audit cycle and will be moving toward more structured enforcement actions for non-compliant GPAI providers.

SaaS Provider 2027 Compliance Checklist

Use this checklist based on your organization's profile:

If your AI is in Annex III (high-risk, under enforcement since Aug 2026):

• Annual post-market monitoring report complete for all deployed high-risk AI systems
• Incident reporting pipeline tested and operational; designated NCA contact in place
• Technical documentation updated to reflect all changes since initial conformity assessment
• Substantial modifications reviewed; new conformity assessments initiated where needed
• Art. 47 Declaration of Conformity on file and accessible for NCA requests
• Deployer notification fulfilled for any significant changes (Art. 13)

If your AI is embedded in Annex I Section A products (deadline Aug 2, 2027):

• Notified body engagement initiated (no later than Q3 2026 for August 2027 certification)
• Combined technical documentation prepared: AI Act requirements + sectoral legislation
• Art. 9 risk management system complete and documented
• Art. 10 data governance documentation covering training and validation data
• Art. 11 technical documentation aligned with the notified body's assessment format
• Art. 14 human oversight provisions designed and documented
• Art. 47 Declaration of Conformity draft prepared
• EUDB registration submitted (EU database for high-risk AI systems, Art. 49)

If you use or provide GPAI models:

• Second annual documentation review complete (training data, capabilities, limitations)
• GPAI Code of Practice compliance report updated for the second annual cycle
• For systemic-risk models: second adversarial testing program complete and documented
• Downstream deployers notified of any model updates that affect compliance
• Contractual provisions with downstream deployers reviewed for adequacy

What 2027 Means for Organizations Not Yet Compliant

For organizations that missed the August 2, 2026 deadline — or treated it as aspirational rather than mandatory — 2027 brings escalating risk. NCAs do not publicize enforcement actions before they take them. The first sign of NCA interest is typically an information request, which may carry a 30-day response deadline. Non-response or inadequate response can escalate to formal investigation.

The EU AI Act's penalty structure (Art. 99–Art. 101) includes substantial fines for violations related to prohibited AI practices, violations of other high-risk AI obligations, and failures to supply accurate documentation — with the amounts scaling by violation severity and organization size based on global annual turnover. The 2027 market surveillance pattern means these fines move from theoretical to operational.

For organizations that are non-compliant but genuinely invested in reaching compliance: engaging proactively with your relevant NCA — through a voluntary notification of compliance gaps and a remediation timeline — is consistently better received than responding to enforcement. Several EU regulatory regimes have established formal "self-disclosure" pathways for organizations identifying compliance gaps before an incident occurs.

The Horizon: From 2027 to Full EU AI Act Maturity

The 2027 calendar marks the EU AI Act reaching its intended coverage. By the end of 2027:

• All three application phases from Art. 113 are active
• Every category of high-risk AI is under enforcement
• The GPAI regime has completed two full annual cycles
• Market surveillance is operational across all EU member states

What follows — 2028 and beyond — is covered in Post #4 of this series, which maps the full enforcement maturity phase: NCA inspection methodology, cross-border enforcement actions, the second generation of technical standards, and how the EU AI Act adapts to AI development patterns that were not anticipated in 2024.

This is Post #3 in the EU AI Act Enforcement Timeline 2026-2028 Series. Post #1 covers the August 2, 2026 transition. Post #2 maps Q4 2026 obligations. Post #4 will address 2028 market surveillance maturity and NCA inspection patterns. Post #5 is the complete roadmap finale.