EU AI Act Transitional Provisions: Complete Compliance Strategy & Master Developer Checklist 2026
Post #5 in the sota.io EU AI Act Transitional Compliance Series
This is the final post in the five-part series on EU AI Act transitional provisions. Posts one through four covered the individual tracks in depth: existing high-risk AI systems, the substantial modification trigger, Annex X large-scale IT systems, and GPAI model provider obligations. This post brings everything together into one usable document: a master decision matrix, integrated timeline, and consolidated compliance checklist.
If you are building, deploying, or maintaining an AI system that was live before August 2, 2026, this checklist is your operational starting point.
The Four Transitional Tracks: A Summary
Article 111 of Regulation (EU) 2024/1689 creates four distinct compliance tracks, each with its own deadline and trigger conditions:
| Track | Applies To | Deadline | Key Condition |
|---|---|---|---|
| Track A — New deployments | AI systems placed on market after 2 Aug 2026 | Immediate | Full compliance required from day one |
| Track B — Existing high-risk AI (private sector) | High-risk AI already deployed before 2 Aug 2026 | No fixed deadline while unmodified; triggers upon substantial modification under Art.3(23) | Must not undergo substantial modification |
| Track B2 — Existing high-risk AI (public authorities) | High-risk AI used by public authorities, deployed before 2 Aug 2026 | 2 August 2030 | Public authority use-case |
| Track C — Annex X large-scale IT systems | AI components of LSIT systems (SIS II, VIS, Eurodac, EES, ETIAS, others in Annex X) | 31 December 2030 | Must have been placed on market or in service before 2 August 2027 |
| Track D — GPAI models | Providers of GPAI models placed on market before 2 August 2025 | 2 August 2027 | Model was on EU market before GPAI chapter entry into force |
Step 1: Determine Your Track
Run through this decision flow for each AI system in your portfolio:
Question 1: Was the system first placed on the EU market or put into service on or after August 2, 2026?
- Yes → Track A. Full compliance required immediately. Skip to the Track A checklist.
- No → Continue to Question 2.
Question 2: Is the system an AI component of one of the large-scale IT systems listed in Annex X (SIS II, VIS, Eurodac, EES, ETIAS, or other government border/immigration systems)?
- Yes → Track C. Deadline December 31, 2030. Skip to the Track C checklist.
- No → Continue to Question 3.
Question 3: Is the system a GPAI model (not a high-risk AI application, but a foundation or general-purpose model), and was it placed on the EU market before August 2, 2025?
- Yes → Track D. Deadline August 2, 2027. Also check Track B if the model is also deployed as a high-risk application.
- No → Continue to Question 4.
Question 4: Is the system classified as high-risk under Annex III of the EU AI Act, and was it deployed before August 2, 2026?
- Yes, and it is used by or for public authorities → Track B2. Deadline August 2, 2030.
- Yes, and it is not used by public authorities → Track B. No fixed deadline, but watch for the Art.3(23) substantial modification trigger.
- No → This system is either not in scope for the transitional provisions or is not a high-risk system. Review your classification under Annex III and Art.6.
Track A Checklist: New Deployments (Post-August 2, 2026)
If your system is being placed on the market or put into service after August 2, 2026, all EU AI Act obligations apply immediately. There is no grace period.
Pre-Launch Requirements
- Art.9 Risk Management System — Documented and continuously operating risk identification, evaluation, and mitigation processes for each high-risk use case
- Art.10 Data Governance — Training, validation, and testing data sets documented with source, processing, and bias-assessment methodology
- Art.11 + Annex IV Technical Documentation — Complete documentation package including system description, development methodology, capability and performance metrics, data governance summary, and conformity assessment results
- Art.12 Record-Keeping — Automatic logging enabled with sufficient granularity and retention period (minimum duration depends on intended purpose; Art.12(1) specifies the principle)
- Art.13 Transparency — Instructions for use prepared and provided to deployers, covering intended purpose, performance limitations, and maintenance requirements
- Art.14 Human Oversight — Technical measures built into system enabling effective operator intervention, monitoring, and override
- Art.15 Accuracy, Robustness, and Cybersecurity — Testing results documented; cybersecurity measures implemented; performance metrics validated against thresholds
- Art.17 Quality Management System — Written QMS covering design, development, post-market monitoring, and change management
- Art.43 Conformity Assessment — Completed before market placement; either self-assessment (Annex VI/VII) or third-party notified body assessment (Annex VII, for Annex I systems)
- Art.47 EU Declaration of Conformity — Signed and ready for submission
- Art.48 CE Marking — Applied to system documentation and user interface as required
- Art.49 Registration — System registered in the EU database (once operational per Art.74) prior to market placement for Annex III systems used by public authorities
- Art.72 Post-Market Monitoring — PMS plan documented and operational from day one
- Art.73 Serious Incident Reporting — Incident detection pipeline established; reporting obligations to national market surveillance authority active
Infrastructure note: All technical documentation, logs, and monitoring data for EU market deployments should be stored on EU-jurisdiction infrastructure. If audit evidence for Art.12 or Art.11 logs is stored on cloud platforms subject to the US CLOUD Act (AWS, Azure, GCP), that evidence is accessible to US law enforcement without EU regulatory visibility. EU-native managed infrastructure (such as sota.io on Hetzner Germany) closes this exposure.
Track B Checklist: Existing High-Risk AI — Private Sector
For high-risk AI systems already deployed before August 2, 2026, the primary compliance obligation is managing the substantial modification trigger under Art.3(23). Full compliance is required immediately upon any substantial modification.
Monitoring the Art.3(23) Trigger — Ongoing
The Art.3(23) definition has two independent triggers. Either one is sufficient to require immediate full compliance.
Trigger 1 — Compliance Impact (any change that affects Chapter III, Section 2 requirements):
- Has the risk profile changed? (new risks identified, existing mitigations no longer adequate)
- Has data governance changed? (new training data sources, different annotation methodology, expanded geographic scope)
- Has technical documentation become inaccurate? (system performance now outside documented thresholds)
- Has accuracy, robustness, or cybersecurity capability changed materially?
- Has the human oversight mechanism been altered?
Trigger 2 — Intended Purpose Change:
- Is the system being applied to a new use-case or population that was not in the original conformity assessment?
- Is the system being deployed in a new geographic market beyond the original EU scope?
- Has the risk classification category shifted? (e.g., from low-risk to high-risk under Annex III)
- Has the system been integrated with another system in a way that changes its risk profile?
If any trigger is activated: Full compliance under Chapters III and IV is required before the modified version is placed on the market or put into service. At that point, work through the Track A checklist above.
If no trigger is activated: Document your assessment and retain it as compliance evidence. AUDITOR RECOMMENDATION: Run the trigger assessment at every sprint, release, or change management review — not just annually.
Documentation to Maintain While Transitional Protection Applies
- Change log documenting every modification to the system with a trigger assessment outcome for each entry
- Evidence that the system was deployed before August 2, 2026 (deployment records, version control history, infrastructure provisioning logs)
- Current system description sufficient to support a future conformity assessment when required
Track B2 Checklist: Existing High-Risk AI — Public Authority Use
For high-risk AI systems used by or for public authorities that were deployed before August 2, 2026, the deadline is August 2, 2030. The Annex III use-cases most commonly affected include:
- Law enforcement biometric identification (Art. 6 + Annex III, Chapter 1)
- Migration, asylum, and border control AI (Annex III, Chapter 7)
- Administration of justice (Annex III, Chapter 8)
- Benefits and social services assessment (Annex III, Chapter 5)
- Education and vocational training assessment systems (Annex III, Chapter 3)
Four-Year Roadmap to August 2, 2030:
| Phase | Timeframe | Actions |
|---|---|---|
| Gap Assessment | 2026 Q3–Q4 | Map current system against full Annex III requirements; identify compliance gaps |
| Documentation & QMS | 2027 Q1–Q2 | Build Art.11/Annex IV documentation package; implement Art.17 QMS |
| Technical Remediation | 2027 Q3–2028 Q2 | Implement Art.9, Art.10, Art.14 requirements; resolve technical gaps |
| PMS & Incident Pipeline | 2028 Q3–Q4 | Art.72 post-market monitoring operational; Art.73 reporting pipeline live |
| Conformity Assessment | 2029 Q1–Q3 | Self-assessment or notified body assessment; Art.47 Declaration of Conformity signed |
| Registration & CE | 2029 Q4–2030 Q1 | EU database registration; CE marking applied |
| Buffer | 2030 Q2–Q3 | Remediate any audit findings; deadline August 2, 2030 |
- Gap assessment completed and documented
- Internal timeline and resource plan aligned to the 2030 deadline
- Change management process in place to catch Art.3(23) triggers before they create an unmanaged compliance event
Track C Checklist: Annex X Large-Scale IT Systems
If you are building AI components for EU government-operated large-scale IT systems (SIS II, VIS, Eurodac, EES, ETIAS, and others listed in Annex X), the compliance deadline is December 31, 2030, for systems placed on the market or put into service before August 2, 2027.
Track C rarely applies to commercial SaaS developers. If it applies to you, you are likely a technology provider to a national government or EU agency. Key compliance points:
- Confirm the specific Annex X legal act governing your system (each LSIT has its own regulation governing AI component procurement and oversight)
- Confirm the system was or will be placed on the market or in service before August 2, 2027 (otherwise Track A applies)
- Align the full AI Act compliance implementation timeline to the December 31, 2030 deadline
- Note that the same Art.3(23) substantial modification trigger applies: modifications can pull compliance obligations forward regardless of the 2030 deadline
- Coordinate with national market surveillance authorities on the compliance pathway, as these systems often involve multiple procurement layers
Track D Checklist: GPAI Model Providers (August 2, 2027)
For providers of general-purpose AI models that were placed on the EU market before August 2, 2025 — the date when GPAI chapter obligations entered into force — the compliance deadline is August 2, 2027.
Determine GPAI Model Classification
- Does the model qualify as a GPAI model under Art.3(63)? (generative, capable of a wide range of tasks, trained on large data)
- Does the model meet the GPAI systemic risk threshold under Art.55? (cumulative compute above 10^25 FLOPs, or Commission determination)
If systemic risk threshold applies: Art.55 obligations are mandatory — adversarial testing, incident reporting, model evaluation, cybersecurity protocols — in addition to Art.53 obligations.
Art.53 Compliance Checklist (All GPAI Models)
- Technical documentation — Detailed model documentation package including architecture description, training data summary, evaluation benchmarks, and known limitations
- Copyright compliance policy — Policy implementing Art.4(3) of Directive 2019/790 for training data; summary of opt-out honoring mechanisms
- Model card / information for downstream providers — Capabilities, limitations, known risks, safeguards, intended use cases, and contraindications for prohibited or high-risk applications
- Open-source assessment — If the model is open-source (weights publicly available), confirm which Art.53 obligations apply under the open-source exemption (Art.53(2)) and which remain
- Infrastructure for documentation storage — Technical documentation and model cards must be retained and accessible to regulators; EU-jurisdiction storage avoids CLOUD Act exposure for model evaluation data
Art.55 Compliance Checklist (Systemic Risk GPAI Models Only)
- Adversarial testing protocols documented and executed (Art.55(1)(a))
- Serious incident reporting pipeline established to the European AI Office (Art.55(1)(b))
- Cybersecurity architecture documented and aligned to the systemic risk profile (Art.55(1)(c))
- Energy consumption reporting established (Art.55(1)(d))
2027 Timeline — 14 Months Remaining
With August 2, 2027 approximately 14 months from the August 2026 Act full-application date, GPAI providers should already be actively building toward compliance:
- Technical documentation package drafted
- Copyright compliance policy reviewed by legal counsel and documented
- Model card / downstream provider information finalized
- If systemic risk: adversarial testing plan underway
Consolidated Timeline: 2026–2030
2026-08-02: EU AI Act fully applies
├── All NEW high-risk AI systems: full immediate compliance
├── Existing HR AI (private, no mod): substantial modification trigger active
└── Existing HR AI (public authority): 4-year roadmap begins
2027-08-02: GPAI model provider deadline
└── Art.111(3): GPAI models on market before 2025-08-02 must comply
2030-08-02: Public authority high-risk AI deadline
└── Art.111(2): HR AI used by public authorities must comply
2030-12-31: Annex X large-scale IT systems deadline
└── Art.111(1): AI in SIS II, VIS, Eurodac, EES, ETIAS, others
Infrastructure Considerations Across All Tracks
Regardless of which track applies, three infrastructure decisions affect compliance evidence quality and auditability:
1. Documentation storage jurisdiction. Art.11 technical documentation, Art.12 logs, Art.72 post-market monitoring data, and Art.55 adversarial testing records constitute compliance evidence. If this data lives on infrastructure subject to the US CLOUD Act, US law enforcement can compel disclosure without an EU court order. This creates regulatory blind spots. EU-native infrastructure eliminates this exposure at the data layer.
2. Log retention architecture. Art.12 automatic logging requirements specify that logs must be retained with sufficient granularity to support post-incident analysis and market surveillance inspection. Build log retention architecture to your longest applicable compliance horizon — not just the nearest deadline.
3. Change management system. The Art.3(23) substantial modification trigger is only manageable if every code commit, model update, data pipeline change, and deployment configuration change is captured with a compliance assessment decision. This is a software engineering workflow requirement, not just a legal one.
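One way to wire the Art.3(23) trigger assessment into a change log, as an added example (not code from sota.io or from the regulation); the question keys, the `ChangeEntry` fields and the sample log are assumptions constructed here. Any trigger answered yes marks the change as a substantial modification, and a change without a complete, signed-off assessment blocks the release.

```python
from dataclasses import dataclass, field

# Question keys paraphrase the page's two Art.3(23) trigger lists (names are assumptions).
TRIGGER_1 = ("risk_profile", "data_governance", "documentation_accuracy",
             "accuracy_robustness_cybersecurity", "human_oversight")
TRIGGER_2 = ("new_use_case_or_population", "new_geographic_market",
             "risk_category_shift", "integration_changes_risk")
ALL_QUESTIONS = TRIGGER_1 + TRIGGER_2

@dataclass
class ChangeEntry:
    change_id: str                                # commit, model version, pipeline or config id
    kind: str                                     # "code", "model", "data", "config"
    answers: dict = field(default_factory=dict)   # question key -> True / False
    assessor: str = ""                            # who signed off the assessment

def assess(entry):
    """Return (outcome, detail) for one change-log entry."""
    fired = [q for q in ALL_QUESTIONS if entry.answers.get(q) is True]
    if fired:                                     # either trigger alone is sufficient
        return "SUBSTANTIAL_MODIFICATION", fired
    missing = [q for q in ALL_QUESTIONS if entry.answers.get(q) is None]
    if missing or not entry.assessor:             # no documented decision: not evidence
        return "UNASSESSED", missing or ["assessor"]
    return "NO_TRIGGER", []

def release_gate(entries):
    """Allow release only if every change carries a complete 'no trigger' assessment."""
    results = {e.change_id: assess(e) for e in entries}
    allowed = all(outcome == "NO_TRIGGER" for outcome, _ in results.values())
    return allowed, results

# Constructed sample change log (not real project data).
_clear = dict.fromkeys(ALL_QUESTIONS, False)
SAMPLE_LOG = [
    ChangeEntry("commit-a1f3", "code", dict(_clear), "j.doe"),
    ChangeEntry("model-v2.4", "model", {**_clear, "data_governance": True}, "j.doe"),
    ChangeEntry("config-77", "config", {"risk_profile": False}, "j.doe"),
]

if __name__ == "__main__":
    allowed, results = release_gate(SAMPLE_LOG)
    for change_id, (outcome, detail) in results.items():
        print(f"{change_id:12} {outcome:25} {', '.join(detail)}")
    print("release allowed:", allowed)
```

The per-entry results double as the change-log evidence described in the Track B documentation list: each modification is stored with its trigger assessment outcome.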
Series Recap: What Each Post Covered
| Post | Topic | Core Finding |
|---|---|---|
| #1 — Art.111 Existing Systems | Which systems get a grace period and why | Two independent tracks: private sector (trigger-based) vs. public authority (2030 hard deadline) |
| #2 — Art.3(23) Substantial Modification | When does a software update trigger full compliance? | Two independent triggers: compliance-impact changes AND intended-purpose changes — either one is sufficient |
| #3 — Annex X Large-Scale IT Systems | The 2030 deadline for government AI infrastructure | Only LSIT systems (SIS II, VIS, Eurodac, EES, ETIAS) get this track; high entry bar for private sector applicability |
| #4 — Art.111(3) GPAI Model Providers | The 2027 grace period for existing foundation models | Art.53 required for all GPAI models; Art.55 required only if systemic risk threshold met |
| #5 (this post) | Master checklist and integrated strategy | Use the decision matrix to determine your track, then work through the track-specific checklist |
Next Steps: The 53-Day Audit
August 2, 2026 is 53 days away. Whether you are in scope for Track A, B, C, or D, the immediate action is the same: run a portfolio audit.
For each AI system or model in your portfolio:
- Classify. Run the Step 1 decision flow above. Document the track determination with evidence.
- Gap-assess. Match the appropriate track checklist against your current state. Mark each item Red/Amber/Green.
- Prioritize. Red items with near-term deadlines drive the sprint backlog. Track A items for systems launching after August 2, 2026 are priority zero.
- Infrastructure-audit. Check where compliance evidence is stored. If technical documentation, logs, or monitoring data is on US-parent-cloud infrastructure, assess the CLOUD Act exposure.
- Change-manage. Implement the Art.3(23) trigger assessment as a standing item in your engineering change management process.
The EU AI Act's transitional provisions are not a delay — they are a structured compliance pipeline. Teams that use the remaining 53 days and the subsequent multi-year timelines well will arrive at their deadlines with auditable evidence and tested systems. Teams that misread the provisions as a blanket exemption will face a cliff-edge compliance event at the next substantial modification.
EU AI Act citation reference for this series:
- Regulation (EU) 2024/1689 of the European Parliament and of the Council — Art.3(23) (substantial modification definition), Art.3(63) (GPAI model definition), Art.6 (classification rules for high-risk AI), Art.9 (risk management system), Art.10 (data governance), Art.11 and Annex IV (technical documentation), Art.12 (record-keeping), Art.13 (transparency), Art.14 (human oversight), Art.15 (accuracy, robustness, cybersecurity), Art.17 (quality management system), Art.43 (conformity assessment), Art.47 (declaration of conformity), Art.48 (CE marking), Art.49 (registration), Art.53 (GPAI model obligations), Art.55 (systemic risk GPAI obligations), Art.72 (post-market monitoring), Art.73 (serious incident reporting), Art.111 (transitional provisions), Annex III (high-risk AI classification), Annex X (large-scale IT systems).
Primary source: EUR-Lex — Regulation (EU) 2024/1689