EU AI Act Art.71: Exercise of the Delegation — Commission Delegated Acts, Five-Year Period, and Developer Compliance Guide (2026)
EU AI Act Article 71 is the procedural engine behind the Regulation's delegated powers architecture. Throughout Regulation (EU) 2024/1689, the Commission is authorised to adopt delegated acts — legally binding regulations that supplement or amend specific provisions of the AI Act without requiring a full legislative revision. Art.71 specifies the rules governing how the Commission exercises those powers: the duration of the delegation, the conditions under which the European Parliament or Council may revoke it, and the procedure for adopting and scrutinising individual delegated regulations.
For developers and compliance teams, Art.71 is directly relevant for two practical reasons. First, delegated acts adopted under the AI Act can expand the scope of high-risk AI system categories (Art.7), alter the technical documentation requirements for GPAI models (Art.52), or update the list of AI practices subject to harmonised standards (Art.97). Second, monitoring the delegated act pipeline is a compliance obligation — a system that was not classified as high-risk at deployment may become high-risk through a subsequent Commission delegated regulation that adds a new Annex III category.
The Commission's delegated power under the AI Act runs from 1 August 2024 (the date of entry into force) for an initial period of five years, with automatic renewal unless the Parliament or Council objects.
Art.71 in the Enforcement and Delegated Powers Architecture
Art.71 is not a standalone provision — it activates and constrains delegated powers granted at multiple points in the Regulation:
| Article | Delegation Subject | Delegated Act Effect |
|---|---|---|
| Art.6(6) | High-risk classification for AI systems listed in Annex III | Commission may clarify classification conditions for specific system types |
| Art.7(1) | Annex III amendment — adding new high-risk categories | Commission may add entirely new categories of high-risk AI systems to Annex III |
| Art.7(2) | Annex III amendment — modifying existing categories | Commission may expand, restrict, or restructure existing Annex III categories |
| Art.7(3) | Conditions for Annex III cat 1 (biometric systems) scope | Commission may specify assessment criteria for biometric categorisation systems |
| Art.51(2) | GPAI model systemic risk designation | Commission may lower or raise the 10^25 FLOPs threshold for systemic risk classification |
| Art.52(4) | GPAI technical documentation requirements | Commission may supplement Annex XI documentation requirements for GPAI models |
| Art.53(3) | Systemic risk GPAI obligations | Commission may amend or supplement adversarial testing, incident reporting, or cybersecurity requirements |
| Art.97 | Annexes I, III, IV, V, VI, VII, VIII, IX, XI, XII amendment | Broad delegated power to update technical annexes across the Regulation |
| Art.71 | Delegation procedure and constraints | This guide |
Art.71(1): The Five-Year Delegation Period
Art.71(1) grants the Commission the power to adopt delegated acts as referred to throughout the Regulation, subject to the conditions laid down in Art.71.
Duration. The delegation of power is conferred for a period of five years from 1 August 2024 — the date of entry into force of Regulation (EU) 2024/1689. The delegation therefore runs until 31 July 2029, unless renewed or revoked. Under Art.71(1), the Commission must draw up a report on the delegated powers no later than nine months before the expiry of the five-year period — i.e., by 31 October 2028 — to inform the renewal decision.
Tacit renewal. The delegation is automatically renewed for periods of identical duration unless the European Parliament or the Council opposes such renewal not later than three months before the end of each period. This means that, absent explicit opposition, the Commission's delegated power continues rolling for successive five-year blocks.
Practical significance for developers. The five-year delegation window (2024-2029) covers the entire initial compliance and implementation phase of the AI Act. Annex III amendments adding new high-risk categories, GPAI threshold adjustments, and technical documentation specification changes can all be adopted within this period. Organisations that locked their compliance posture at the August 2025 applicability date without monitoring the delegated act pipeline face the risk of becoming non-compliant with no substantive change to their systems.
Art.71(2): Right of Revocation
Art.71(2) gives the European Parliament or the Council the right to revoke the delegation of power referred to in Art.71(1) at any time.
Mechanism. A revocation decision must terminate the delegation of the power specified in the decision. It takes effect the day following publication in the Official Journal of the European Union, or at a later date specified in the decision. Revocation does not affect the validity of delegated acts that are already in force — acts adopted before the revocation remains valid.
Trigger conditions. Either the Parliament or the Council can initiate revocation independently, without the consent of the other institution. Revocation has been used rarely in EU legislative history, but the right is regularly exercised in areas where institutional tensions develop over the pace or direction of Commission delegated regulation.
Developer implications. Revocation would not automatically un-classify AI systems that became high-risk through a delegated act — a revocation terminates future delegated acts but does not repeal those already in force. Developers should not treat revocation risk as a pathway to reduced compliance obligations.
Art.71(3): Notification to Parliament and Council
Before adopting a delegated act, the Commission must notify the European Parliament and the Council of its intention. Art.71(3) requires this notification to include the content of the intended delegated act, the legal basis, and the urgency procedure considerations if applicable.
This notification is the practical trigger for the scrutiny period in Art.71(4). The Parliament and Council receive the notification and must decide within the scrutiny period whether to object.
Art.71(4): The Scrutiny Period — Objection Procedure
Art.71(4) establishes the standard scrutiny procedure for delegated acts under the AI Act.
Default period. A delegated act adopted under the Regulation shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to those institutions. This three-month window runs from the date the Commission formally notifies the Parliament and the Council of the adopted act.
Extension. At the initiative of the European Parliament or the Council, the three-month period may be extended by three months — giving a maximum scrutiny period of six months for standard delegated acts.
Effect of objection. If either the Parliament or the Council objects within the scrutiny period, the delegated act does not enter into force. The Commission may then amend or withdraw the act. Objections are binding — either institution acting alone can block a delegated act.
Effect of non-objection. If neither institution objects within the scrutiny period, the delegated act is published in the Official Journal of the European Union and enters into force on the date specified in the act (typically after a defined implementation period).
Practical workflow for developers. The scrutiny period creates a predictable window between Commission adoption of a delegated act and its legal effectiveness. Monitoring the Commission's notification to the Parliament and Council — which is published in the Official Journal under the "L" series (legislative instruments) — gives compliance teams a minimum three-month lead time before a delegated act imposes new obligations.
Art.71(5): Urgency Procedure
Art.71(5) — cross-referenced with Art.73 (urgency procedure) — allows the Commission to adopt delegated acts that enter into force immediately upon notification if an urgent reason requires it. The Parliament and Council may still object during a reduced scrutiny period; if either institution objects, the delegated act is repealed.
Urgency triggers. The AI Act does not exhaustively define urgency, but consistent with EU legislative practice, urgency is available when:
- A newly identified AI risk poses immediate harm that existing legal provisions cannot address
- A technical development in AI capabilities creates a regulatory gap requiring immediate closure
- A Court of Justice ruling requires urgent regulatory response
Developer implications. Urgency procedure delegated acts bind immediately upon notification — there is no three-month lead time. Compliance teams monitoring the delegated act pipeline should treat urgency procedure notifications as requiring immediate assessment of impact on deployed systems.
Delegated Acts Already Adopted Under Art.71
Since the AI Act entered into force in August 2024, the Commission has begun exercising its delegated powers. Key delegated regulations to monitor:
| Delegated Act | Legal Basis | Subject Matter | Status (2026) |
|---|---|---|---|
| Commission Delegated Regulation supplementing Annex III | Art.7(2) | Clarifying classification conditions for AI systems in Art.6(2) high-risk categories — workplace safety assessment, educational evaluation systems | Under development (2025 consultation) |
| Commission Delegated Regulation on GPAI technical documentation | Art.52(4) | Supplementing Annex XI technical documentation requirements for GPAI model providers — inference architecture, training data provenance | Under development (2025 AI Office consultation) |
| Commission Delegated Regulation on systemic risk threshold | Art.51(2) | Potential adjustment of the 10^25 FLOPs threshold for GPAI systemic risk classification in light of FLOP efficiency improvements | Under consideration (AI Office evaluation) |
| Commission Delegated Regulation amending Annex I | Art.97(1) | Updating the definition of AI system (Annex I) to reflect OECD updates to the AI definition | Pending (aligned with OECD AI definition review 2025-2026) |
Monitoring source. The official tracking mechanism for delegated acts under the AI Act is the Commission's delegated acts register, supplemented by EUR-Lex legislative documents under document type "R_DEL" and the EU AI Office's communications on GPAI-specific delegated regulations.
Art.71 vs. Art.73: Implementing Acts Distinguished
Art.71 covers delegated acts — the most legally significant form of Commission secondary legislation, which can amend or supplement the legislative text of the AI Act. Art.73 (not covered in this guide) covers implementing acts — Commission regulations that specify uniform implementation conditions but cannot amend the legislative text.
| Feature | Delegated Acts (Art.71) | Implementing Acts (Art.73) |
|---|---|---|
| Legal basis | Art.290 TFEU | Art.291 TFEU |
| Can amend AI Act text | Yes — Annexes, thresholds, categories | No — implementation detail only |
| Oversight | EP + Council objection right | Standing Committee procedure |
| Urgency procedure | Yes (Art.71(5) + Art.73) | Yes (examination procedure) |
| Example | Adding new Annex III high-risk category | Specifying format for EU AI database submissions |
| Scrutiny period | 3 months (extendable to 6) | Typically no EP/Council objection right |
For compliance programmes, delegated acts require substantive assessment — they can change which AI systems are regulated and how. Implementing acts require operational adjustment — they change HOW existing obligations are fulfilled without changing WHAT those obligations are.
CLOUD Act Implications of Delegated Technical Specifications
When the Commission adopts delegated acts supplementing technical documentation requirements (Art.52(4)) or GPAI model obligations (Art.53(3)), the resulting compliance artefacts — training data provenance records, adversarial testing reports, incident reporting logs, model cards, conformity assessment documentation — may be stored on US-incorporated cloud infrastructure.
CLOUD Act production orders. If delegated technical specifications require extensive documentation of AI system capabilities, training data, and security properties, and those documents are stored on US-law-governed infrastructure, they become potentially accessible to US law enforcement through a CLOUD Act production order without EU legal process. The confidentiality provisions in Art.70(6) apply to penalty proceedings, but not to the underlying technical documentation stored pre-investigation.
Practical mitigation. AI Act compliance documentation — technical documentation (Annex IV/XI), conformity assessment records, post-market monitoring reports, incident response records, and adversarial testing results — should be stored on EU-incorporated, EU-law-governed infrastructure. Delegated acts may increase both the volume and sensitivity of required documentation; architecture decisions made before delegated acts are adopted should account for this trajectory.
Python DelegatedActMonitor Implementation
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional
class DelegatedActStatus(Enum):
ANNOUNCED = "announced" # Commission announced intent
CONSULTATION = "consultation" # Public consultation phase
NOTIFIED = "notified" # Notified to EP and Council, scrutiny running
IN_FORCE = "in_force" # Scrutiny passed, published in OJ
OBJECTED = "objected" # Parliament or Council objected
WITHDRAWN = "withdrawn" # Commission withdrew before entry into force
URGENCY = "urgency" # Urgency procedure — enters into force immediately
class DelegatedActImpact(Enum):
HIGH_RISK_CLASSIFICATION = "high_risk_classification" # Changes what is high-risk
GPAI_THRESHOLD = "gpai_threshold" # Changes systemic risk FLOPs threshold
TECHNICAL_DOCUMENTATION = "technical_documentation" # Changes documentation requirements
ANNEX_UPDATE = "annex_update" # General annex update
DEFINITION_UPDATE = "definition_update" # Updates AI definition
@dataclass
class DelegatedAct:
act_id: str
legal_basis: str # e.g. "Art.7(2)"
subject_matter: str
impact_type: DelegatedActImpact
status: DelegatedActStatus
notification_date: Optional[date] = None
scrutiny_deadline: Optional[date] = None
entry_into_force: Optional[date] = None
is_urgency_procedure: bool = False
def days_until_scrutiny_deadline(self) -> Optional[int]:
if self.scrutiny_deadline is None:
return None
return (self.scrutiny_deadline - date.today()).days
def is_action_required(self) -> bool:
if self.status == DelegatedActStatus.URGENCY:
return True
if self.status == DelegatedActStatus.NOTIFIED:
days = self.days_until_scrutiny_deadline()
return days is not None and days <= 45
if self.status == DelegatedActStatus.IN_FORCE:
if self.entry_into_force:
return date.today() >= self.entry_into_force - timedelta(days=90)
return False
def compliance_lead_time_days(self) -> Optional[int]:
if self.status == DelegatedActStatus.URGENCY:
return 0
if self.entry_into_force:
return (self.entry_into_force - date.today()).days
if self.status == DelegatedActStatus.NOTIFIED:
return (self.scrutiny_deadline + timedelta(days=30)).days # approximate
return None
@dataclass
class DelegatedActMonitor:
organisation_name: str
has_high_risk_ai_systems: bool
has_gpai_models: bool
high_risk_categories: list[int] = field(default_factory=list) # Annex III category numbers
gpai_flops_estimate: Optional[float] = None # training FLOPs count
tracked_acts: list[DelegatedAct] = field(default_factory=list)
def add_act(self, act: DelegatedAct):
self.tracked_acts.append(act)
def relevant_acts(self) -> list[DelegatedAct]:
relevant = []
for act in self.tracked_acts:
if act.impact_type == DelegatedActImpact.HIGH_RISK_CLASSIFICATION:
if self.has_high_risk_ai_systems:
relevant.append(act)
elif act.impact_type == DelegatedActImpact.GPAI_THRESHOLD:
if self.has_gpai_models:
relevant.append(act)
elif act.impact_type == DelegatedActImpact.TECHNICAL_DOCUMENTATION:
if self.has_high_risk_ai_systems or self.has_gpai_models:
relevant.append(act)
else:
relevant.append(act)
return relevant
def action_items(self) -> list[str]:
items = []
for act in self.relevant_acts():
if act.is_action_required():
lead = act.compliance_lead_time_days()
if act.status == DelegatedActStatus.URGENCY:
items.append(
f"URGENT: {act.act_id} ({act.legal_basis}) enters into force "
f"immediately — assess impact on {act.impact_type.value} now"
)
elif lead is not None and lead <= 90:
items.append(
f"ACTION REQUIRED: {act.act_id} ({act.legal_basis}) — "
f"{lead} days until compliance required — {act.subject_matter}"
)
else:
items.append(
f"MONITOR: {act.act_id} ({act.legal_basis}) scrutiny deadline "
f"{act.scrutiny_deadline} — {act.subject_matter}"
)
return items
def summary(self) -> str:
relevant = self.relevant_acts()
urgent = [a for a in relevant if a.status == DelegatedActStatus.URGENCY]
in_force = [a for a in relevant if a.status == DelegatedActStatus.IN_FORCE]
scrutiny = [a for a in relevant if a.status == DelegatedActStatus.NOTIFIED]
return (
f"Delegated Act Monitor — {self.organisation_name}\n"
f" Tracked acts (relevant): {len(relevant)}\n"
f" Urgency procedure (immediate): {len(urgent)}\n"
f" In force: {len(in_force)}\n"
f" Under scrutiny: {len(scrutiny)}\n"
f" Action items: {len(self.action_items())}"
)
# Example usage
monitor = DelegatedActMonitor(
organisation_name="ExampleCorp AI Team",
has_high_risk_ai_systems=True,
has_gpai_models=False,
high_risk_categories=[4, 5], # Art.6(2) + Annex III cat 4 (employment), cat 5 (education)
)
annex_iii_act = DelegatedAct(
act_id="DEL-2025-ANNEX-III-EMPLOYMENT",
legal_basis="Art.7(2)",
subject_matter="Expanding Annex III category 4 (employment/HR AI) to include performance monitoring AI systems",
impact_type=DelegatedActImpact.HIGH_RISK_CLASSIFICATION,
status=DelegatedActStatus.NOTIFIED,
notification_date=date(2025, 6, 1),
scrutiny_deadline=date(2025, 9, 1),
entry_into_force=date(2025, 12, 1),
)
monitor.add_act(annex_iii_act)
print(monitor.summary())
print("\nAction items:")
for item in monitor.action_items():
print(f" - {item}")
Art.71 Compliance Checklist
| # | Item | Who | Timing |
|---|---|---|---|
| 1 | Establish a delegated act monitoring procedure for the AI Act: assign responsibility for tracking Commission notifications to the European Parliament and Council (published in OJ series L and C) specifically for delegated acts adopting under Art.6(6), Art.7(1)-(3), Art.51(2), Art.52(4), Art.53(3), and Art.97 — these are the articles that can change your compliance scope | Compliance, Legal | Before deployment, then quarterly |
| 2 | Register for EUR-Lex legislative document alerts with filter "R_DEL" and legal basis "Regulation (EU) 2024/1689" — this provides automated notification of Commission-adopted delegated acts before the scrutiny period ends and before entry into force | Compliance | Before deployment |
| 3 | Include delegated act impact assessment in your annual AI Act compliance review: for each delegated act that entered into force in the preceding 12 months, assess whether it changes the high-risk classification of any system in your portfolio, whether it imposes additional technical documentation requirements, and whether any system previously outside the Regulation's scope is now covered | Legal, Technical | Annual |
| 4 | Build lead-time buffers for delegated act compliance: the standard three-month scrutiny period plus publication lead time means delegated acts typically enter into force six to twelve months after the Commission announces its intention — start impact assessment at the announcement stage, not at entry into force | Product, Compliance | Ongoing |
| 5 | Assess urgency procedure risk for your AI system categories: if your systems operate in areas of heightened regulatory sensitivity (biometric identification, GPAI systemic risk, law enforcement AI, critical infrastructure AI), urgency procedure delegated acts can impose immediate obligations without the standard three-month lead time — maintain ready-to-activate compliance response protocols | Compliance, Operations | Before deployment |
| 6 | Document AI Act delegated act compliance separately from base regulation compliance: as delegated acts amend Annexes and impose supplementary requirements, your technical documentation and conformity assessment records must reflect both the base regulation requirements and any applicable delegated regulation amendments — version-control your compliance documentation against the applicable delegated act effective dates | Compliance, IT | Ongoing |
| 7 | For GPAI model providers: monitor the AI Office's consultation processes on potential Art.51(2) systemic risk threshold amendments and Art.52(4) technical documentation supplements — the AI Office publishes consultation documents before the Commission formalises delegated act proposals, providing earlier warning than the official notification trigger | AI/ML team, Legal | Quarterly |
| 8 | Store delegated act compliance artefacts on EU-law-governed infrastructure: delegated acts on GPAI technical documentation (Art.52(4)) and adversarial testing (Art.53(3)) may require extensive technical records that become subject to CLOUD Act production orders if stored on US-incorporated cloud infrastructure — align your document storage architecture with the projected documentation requirements of forthcoming delegated acts | IT, Legal | Before Art.52/53 delegated acts enter into force |
| 9 | Engage in Commission consultations on proposed delegated acts: the Commission conducts public consultations on planned delegated acts, particularly Annex III amendments under Art.7(2) — industry feedback can shape whether a proposed high-risk category expansion covers your systems, SME proportionality conditions, or implementation timelines | Policy, Legal | As consultations open |
| 10 | Maintain a delegated act tracker as part of your AI governance register: for each delegated act under Art.71, document its legal basis, the compliance changes it imposes, the date it entered into force for your organisation, and the remediation actions taken — this tracker is evidence of good-faith compliance monitoring and can be presented to NCAs in enforcement proceedings | Compliance | Ongoing |
Series Context: Chapter IX Governance, Enforcement, and Penalties
| Article | Coverage | Post |
|---|---|---|
| Art.57 | National Competent Authorities — designation, tasks, independence | Art.57 guide |
| Art.58 | NCA enforcement powers — investigation, access, corrective measures | Art.58 guide |
| Art.59 | AI Board — composition, independence, NCA coordination | Art.59 guide |
| Art.60 | EU AI database — public registry, EUID governance, Commission management | Art.60 guide |
| Art.61 | Scientific Panel — independent experts, model evaluation, AI Office advisory | Art.61 guide |
| Art.62 | AI Office enforcement powers — corrective measures, market withdrawal, emergency action | Art.62 guide |
| Art.63 | Advisory Forum — multi-stakeholder consultation, composition, tasks, CoP input | Art.63 guide |
| Art.64 | Access to data and documentation — market surveillance authority enforcement powers | Art.64 guide |
| Art.65 | Reporting of serious incidents — provider NCA notification obligations | Art.65 guide |
| Art.66 | Market surveillance, information exchange, enforcement coordination | Art.66 guide |
| Art.67 | Union safeguard procedure — Commission review of conflicting NCA enforcement | Art.67 guide |
| Art.68 | AI regulatory sandboxes — national establishment, provider exemptions, compliance pathway | Art.68 guide |
| Art.69 | Codes of conduct — voluntary requirements, AI Office facilitation, SME access | Art.69 guide |
| Art.70 | Administrative penalties — prohibited practices, high-risk obligations, GPAI models | Art.70 guide |
| Art.71 | Exercise of the delegation — Commission delegated acts, five-year period, parliamentary oversight | This guide |
| Art.72 | Post-market monitoring — provider obligations, data collection plans, serious incident correlation | Art.72 guide |
EU AI Act Art.71 analysis based on Regulation (EU) 2024/1689 as published in the Official Journal of the European Union. Delegation period runs from 1 August 2024. Delegated act tracking information is current as of April 2026 — the Commission's delegated act pipeline is subject to change. CLOUD Act conflict analysis reflects the state of EU-US data transfer frameworks as of 2025. This guide reflects the text of the Regulation as enacted and does not constitute legal advice.