EU AI Act Art.111 Transitional Provisions: Does Your Existing High-Risk AI System Need to Comply by August 2, 2026?
Post #1 in the sota.io EU AI Act Transitional Compliance Series
August 2, 2026 is 53 days away. If you have a high-risk AI system already deployed in production, the most important question you're probably asking is: do I actually need to be fully compliant by that date?
The answer is more nuanced than most compliance guides suggest. Article 111 of Regulation (EU) 2024/1689 (the EU AI Act) contains transitional provisions that explicitly address systems already on the market. Understanding these provisions can be the difference between a panicked 53-day sprint and a structured multi-year compliance roadmap.
This guide explains exactly who gets a grace period, what triggers the end of that grace period, and how the three-tier transitional deadline structure works.
The Core Question: New vs. Existing Systems
The EU AI Act draws a sharp line between:
- New deployments — high-risk AI systems placed on the market or put into service after August 2, 2026 — these must comply immediately with all requirements from day one.
- Existing deployments — high-risk AI systems already placed on the market or put into service before August 2, 2026 — these may benefit from transitional provisions under Art.111.
If your system was live before August 2, 2026, read on carefully. The transitional provisions are conditional — they apply only as long as you don't trigger the compliance clock.
Article 111: The Three-Tier Transitional Structure
Art.111 creates three distinct compliance tracks for systems already on the market:
Tier 1 — Large-Scale IT Systems (Annex X): December 31, 2030
Art.111(1) addresses AI systems that are components of large-scale IT systems established by the legal acts listed in Annex X. These include systems such as the Schengen Information System (SIS II), the Visa Information System (VIS), Eurodac, and the Entry/Exit System.
Compliance deadline: Systems placed on the market or put into service before 2 August 2027 must be brought into compliance with the Regulation by 31 December 2030.
This is the longest grace period in the Regulation — reflecting the exceptional complexity and critical-infrastructure status of these government-operated systems.
Relevance for private developers: Unless you are building AI components for these specific EU border and immigration IT systems, Tier 1 does not apply to you.
Tier 2 — High-Risk AI Systems Already Deployed (Before Aug 2, 2026)
This is the most relevant tier for most organizations with existing AI systems.
Art.111(2) establishes that high-risk AI systems that were already placed on the market or put into service before 2 August 2026 are NOT required to achieve immediate full compliance, provided they do not undergo a substantial modification.
The operative condition is "no substantial modification." As long as the system continues to operate as deployed — without changes that qualify as substantial modifications under Art.3(23) — the transitional protection applies.
Exception — public authority systems: High-risk AI systems intended to be used by public authorities have a hard deadline: providers and deployers of these systems must comply with the Regulation by 2 August 2030.
This means:
- Private-sector high-risk AI (HR screening, credit scoring, medical imaging) with no substantial modification: transitional protection with no fixed deadline in Art.111(2) — but see the substantial modification trigger below
- Public-authority high-risk AI (law enforcement tools, benefits assessment, border control AI): comply by August 2, 2030
Tier 3 — General-Purpose AI (GPAI) Models: August 2, 2027
Art.111(3) addresses providers of GPAI models. If a GPAI model was placed on the market before 2 August 2025 (the date when GPAI obligations entered into force), providers must take necessary steps to comply by 2 August 2027.
This two-year runway was designed to give GPAI providers time to complete model cards, implement copyright compliance policies, and meet the Art.53 transparency obligations.
The Compliance Trigger: Substantial Modification (Art.3(23))
The most important concept for teams managing existing systems is the definition of substantial modification under Art.3(23):
"a change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 is affected or results in a modification to the intended purpose for which the AI system has been assessed"
This definition has two independent triggers, either of which is sufficient:
Trigger A — Compliance impact: Any change that affects whether the system meets the technical requirements of Chapter III, Section 2. This includes changes to the risk management system, data governance, technical documentation, accuracy, robustness, or cybersecurity properties.
Trigger B — Intended purpose change: Any modification that shifts what the system does beyond what was originally assessed. For example: expanding a medical imaging classifier to a new anatomical region, applying an HR screening tool to a new role category, or extending a credit scoring model to a new geographic market.
Critically, the change must be "not foreseen or planned in the initial conformity assessment." This means that planned future enhancements — described in your conformity assessment documentation — may not constitute substantial modifications when implemented. Document your planned evolution carefully.
Decision Tree: Which Compliance Path Applies to You?
Is your high-risk AI system NEW (deployed after Aug 2, 2026)?
YES → Full compliance required from day one (no transitional provisions apply)
NO → Continue below
Was it deployed before August 2, 2026?
YES → Transitional protection potentially applies → Continue below
Is it a component of a large-scale IT system in Annex X?
YES → Tier 1: Comply by December 31, 2030
Is it intended for use by public authorities?
YES → Tier 2 (public sector): Comply by August 2, 2030
Are you making a substantial modification (Art.3(23))?
YES → Full compliance triggered immediately (transitional protection ends)
NO → Tier 2 (private sector): No immediate deadline — but monitor ongoing
What "No Immediate Deadline" Actually Means
It is important not to misread Art.111(2) for private-sector systems as a permanent exemption. The transitional provision means that a system already in production does not have to achieve the full compliance package (Art.9 risk management, Art.17 QMS, Annex IV technical documentation, Art.43/44 conformity assessment) as a condition of continued operation on August 2, 2026.
However:
What this does NOT exempt you from:
- Art.5 prohibited practices (in force since February 2, 2025) — these apply to all systems regardless of when they were deployed
- Market surveillance: NCAs can still investigate your system and require compliance measures (Art.74/83 enforcement powers)
- Contractual obligations: deployers may contractually require providers to certify compliance irrespective of transitional provisions
- Procurement requirements: public contracts may require AI Act compliance certification regardless of Art.111
What you should do now:
- Classify your system — confirm whether it is actually high-risk under Art.6 and Annex III
- Audit your modification pipeline — identify which planned updates could constitute substantial modifications
- Document your intended purpose precisely — a well-defined intended purpose creates a defensible scope for what is not a substantial modification
- Begin compliance work anyway — even if Art.111(2) applies, achieving compliance before your next product update is strategically sound
Practical Example: HR Screening AI
Scenario: You run a SaaS platform providing AI-assisted CV screening for corporate HR teams. The system was live since January 2025.
Art.111(2) analysis:
- Placed on market before August 2, 2026 ✅ — transitional protection potentially available
- Not a public authority system — the 2030 hard deadline does not apply
- Not an Annex X large-scale IT system — Tier 1 does not apply
What happens next:
- If you make no substantial modification → no immediate compliance deadline applies
- If you expand the system to screen for executive roles (different intended purpose) → full compliance triggered
- If you add a new scoring model that changes accuracy characteristics → full compliance triggered
- If you add new protected-attribute filters that affect compliance with Chapter III, Section 2 → full compliance triggered
Recommended action: Document the current intended purpose precisely in writing. Establish an internal "modification review" process that assesses each planned update against the Art.3(23) substantial modification definition before deployment.
Infrastructure Implications
For systems operating under the Art.111(2) transitional provisions, the jurisdiction of your AI infrastructure still matters. NCAs retain the power to inspect and investigate systems under transitional protection — and their ability to access your system's technical documentation, logs, and audit trails is not suspended by Art.111.
If your AI system runs on infrastructure subject to the CLOUD Act (AWS, Azure, GCP, Oracle Cloud), a US government legal demand could expose your system's training data, audit logs, and model documentation to extraterritorial access without your knowledge. Art.111 does not create an exemption from this CLOUD Act exposure.
EU-native infrastructure — Hetzner, OVHcloud, Exoscale, or managed PaaS platforms like sota.io that run exclusively on EU bare metal — eliminates this exposure for the compliance documentation your NCA may eventually request.
What's Coming in This Series
This is the first post in a five-part series on EU AI Act transitional provisions:
- Post 1 (this post): Art.111 overview — which existing systems get a grace period
- Post 2: Art.3(23) substantial modification — a technical guide to identifying compliance-triggering changes
- Post 3: Annex X and Tier 1 large-scale IT systems — the full 2030 deadline structure
- Post 4: GPAI transitional obligations — Art.111(3) and what model providers must do by August 2027
- Post 5: Transitional compliance strategy checklist — the complete action plan for legacy systems
Summary Cheat Sheet
| System Type | Deployed Before Aug 2, 2026 | Compliance Deadline |
|---|---|---|
| High-risk AI, private sector, no substantial modification | Yes | No fixed deadline (transitional protection) — but CLOUD Act and NCA access still apply |
| High-risk AI, public authority use | Yes | August 2, 2030 |
| Large-scale IT (Annex X) | Before Aug 2, 2027 | December 31, 2030 |
| GPAI model | Before Aug 2, 2025 | August 2, 2027 |
| Any high-risk AI, substantial modification | N/A | Full compliance required immediately upon modification |
| Any new high-risk AI system | After Aug 2, 2026 | Full compliance from day one |
The transitional provisions of Art.111 create real flexibility for organizations managing existing systems. But that flexibility is conditional — and the substantial modification definition is broad enough that many routine product updates will trigger full compliance. Plan ahead, document your intended purpose precisely, and treat transitional protection as a runway for structured compliance work, not a permanent exemption.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.