EU AI Act Art.104: Exercise of the Delegation — Delegated Acts Power Developer Guide (2026)

The EU AI Act does not freeze what counts as high-risk AI. It does not freeze the GPAI systemic risk threshold. It does not freeze conformity assessment procedures. All of these can change via delegated act — a form of secondary legislation adopted by the European Commission without going through the full co-legislative procedure that produced the AI Act itself.

Article 104 is the procedural framework for those changes. It establishes who has the power to adopt delegated acts under the AI Act, for how long, under what constraints, and what safeguards exist for the European Parliament and Council to push back. For developers, Article 104 is not a compliance obligation in itself — but it governs the mechanism by which your compliance obligations can change.

The practical risk: Under Art.7(1), the Commission can add new categories to Annex III (the high-risk AI list) through a delegated act. The minimum time from Commission notification to entry into force is 3 months. An AI system that is not high-risk today can become high-risk in a single Commission decision cycle. Article 104 defines exactly how fast that can happen and what procedural checks exist.

What Article 104 Actually Establishes

Article 104 contains five operative elements:

1. Duration of the delegation. The power to adopt delegated acts is conferred on the Commission for a period of five years from the date of entry into force of the Regulation. The AI Act entered into force on 2 August 2024. The initial delegation window therefore runs from 2024-08-02 to 2029-08-02. The delegation is tacitly extended for periods of identical duration unless the European Parliament or the Council objects to such extension no later than three months before the end of each period.

2. Revocation. The delegation can be revoked at any time by the European Parliament or the Council. A decision to revoke terminates the delegation of the power specified in that decision. It takes effect the day following publication in the Official Journal, or at a later date specified in the decision. It does not affect the validity of any delegated acts already in force.

3. Pre-adoption consultation. Before adopting a delegated act, the Commission shall consult experts designated by each Member State, in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. This is a procedural requirement — the Commission must have the consultation, but the outcome is advisory.

4. Notification. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and the Council.

5. Scrutiny period. A delegated act enters into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification, or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. The scrutiny period of three months may be extended by a further three months at the initiative of the European Parliament or the Council.

Which Articles Grant Delegated Act Powers

Article 104 does not list the specific delegated act powers itself — that would be circular. The powers are distributed across the substantive articles. Article 104 provides the procedural shell that governs all of them. The key delegation grants are:

Art.6(6) — High-Risk AI Classification Criteria

Article 6(6) authorises the Commission to adopt delegated acts to amend the conditions in Art.6(1) and Art.6(2) that determine when an AI system constitutes a high-risk AI system. This means the threshold test for high-risk classification — not just the list in Annex III, but the underlying criteria — can be modified.

Art.7(1) — Annex III High-Risk AI List Expansion

This is the most commercially significant delegated act power. Article 7(1) allows the Commission to amend Annex III by adding new AI system categories to the high-risk list, when those AI systems pose a risk of harm to health, safety or fundamental rights equivalent to those already listed. The methodology in Art.7(2) requires the Commission to consider specified criteria, but the ultimate decision is a Commission act subject only to the 3-month scrutiny window.

Developer implication: If your AI system falls into a category not currently in Annex III, a single Commission delegated act can reclassify it as high-risk. You then have obligations under Art.9-15 (quality management, data governance, transparency, human oversight, robustness), Art.43 (conformity assessment), Art.49 (EU database registration), and Art.48 (CE marking for Annex I products). The practical lead time between Commission notification and the obligation to comply is as short as 3 months.

Art.51(3) — GPAI Systemic Risk Threshold

Article 51(3) authorises the Commission to adopt delegated acts to lower or raise the training compute threshold of 10^25 FLOPs that triggers designation as a GPAI model with systemic risk, and to specify the methodology for calculation. If the threshold is lowered, GPAI models that currently fall below it become subject to the obligations in Art.55 (adversarial testing, incident reporting, cybersecurity measures). If the threshold is raised, currently-designated systemic risk models may lose that status.

Developer implication: Any GPAI model provider operating near the 10^25 FLOP threshold faces regulatory cliff risk from this delegated act power. The threshold itself is a moving line.

Art.52(4) — Transparency Obligations Technical Specification

Article 52(4) authorises the Commission to adopt delegated acts to specify the technical elements and conditions for labelling AI systems that interact with natural persons (chatbots) and systems generating synthetic content (deepfakes). This governs disclosure format requirements.

Art.53(3) — GPAI Model Documentation Technical Details

Article 53(3) authorises the Commission to adopt delegated acts amending Annex XI (technical documentation for GPAI models) and Annex XII (information for downstream providers), specifying the information to be included. Documentation requirements for GPAI providers can be expanded or modified without full legislative procedure.

Art.78(5) — Market Surveillance Cooperation Rules

Article 78(5) authorises the Commission to adopt delegated acts specifying the rules for the activities under Art.78 regarding market surveillance coordination and cooperation between competent authorities.

The Scrutiny Period in Practice

The 3-month scrutiny period runs from simultaneous notification to the European Parliament and the Council. During this window:

• The EP (acting by majority of its component members) can object
• The Council (acting by qualified majority) can object
• Either institution alone is sufficient to block the delegated act
• If neither objects within 3 months, the delegated act enters into force
• Both institutions can inform the Commission earlier that they will not object, allowing earlier entry into force

The scrutiny period can be extended by a further 3 months at the initiative of either institution. Maximum total scrutiny period: 6 months.

The practical timeline for developers:

From Commission notification to obligation: minimum 3 months, maximum 6 months. For an Annex III expansion that reclassifies your AI system, this is the compliance window you have to respond.

Why Delegated Acts Matter More Than Full Legislative Revisions

Full legislative revisions to the AI Act require co-decision procedure: Commission proposal → EP committee → Council working groups → trilogue negotiations → formal adoption. Typical timeline: 2-4 years. This is how the AI Act itself was produced (2021-2024).

Delegated acts bypass this process entirely. The Commission adopts them unilaterally, subject only to member state expert consultation and the 3-6 month EP/Council scrutiny window. The substantive check (does this delegated act make sense?) is much weaker than the legislative co-decision process.

For the AI Act specifically, this means:

• Annex III can grow faster than most compliance programs can adapt. A company that has done a thorough non-high-risk classification audit may find that audit invalidated by a delegated act expanding Annex III, on a 3-month notice.
• The GPAI threshold is not a permanent line. As compute costs fall and more models exceed 10^25 FLOPs, political pressure to lower the threshold may produce a delegated act that reclassifies models currently in the "large GPAI model, not systemic risk" category into the systemic risk tier.
• Documentation requirements can expand quietly. Annex XI and XII expansions via Art.53(3) delegated acts add to GPAI provider documentation obligations without major political visibility.

Developer Monitoring Obligations

The AI Act does not create an explicit legal obligation to monitor for delegated acts — but the practical obligation is clear: if you do not monitor, you may discover a classification change after the scrutiny period has closed and the obligation has already entered into force.

What to Monitor

Commission AI Act delegated act pipeline: The Commission publishes its work programme annually, including planned delegated acts. Tracking the Commission's work programme for AI Act items gives advance notice of likely delegated acts before formal adoption. The relevant Commission unit is DG CONNECT (Directorate-General for Communications Networks, Content and Technology).

Official Journal of the European Union: Delegated acts are published in the L series of the Official Journal. Monitoring for publications from the Commission under the citation "Regulation (EU) 2024/1689" captures all AI Act delegated acts.

European Parliament Committee on Internal Market and Consumer Protection (IMCO) and Committee on Civil Liberties, Justice and Home Affairs (LIBE): These committees scrutinise AI Act delegated acts in the EP. Committee agendas and opinions provide advance warning of contentious delegated acts and potential objections.

AI Office publications: The AI Office publishes guidance documents, decisions and opinions that frequently signal upcoming regulatory action, including where the Commission is considering using delegated act powers.

Monitoring Cadence

CLOUD Act Intersection

The delegated act process itself has a CLOUD Act dimension. When the Commission drafts delegated acts, it draws on technical assessments, stakeholder submissions, and expert group inputs. If your compliance submissions, technical documentation, or stakeholder responses are stored on US cloud infrastructure:

Commission consultation submissions: If your company submits responses to Commission consultations about proposed delegated acts (e.g., an Art.7(1) Annex III expansion consultation), those documents could be compelled under CLOUD Act. The submission is voluntary, but the stored draft, internal analysis, and strategic positioning documents are potentially accessible.

Annex III expansion monitoring materials: If you maintain a delegated act monitoring system (internal regulatory intelligence function), the analysis it produces — including assessments of your own AI systems' vulnerability to reclassification — is potentially sensitive. If stored on US cloud infrastructure, it is potentially CLOUD Act-compellable.

EU sovereign infrastructure strategy: Store delegated act monitoring outputs, compliance gap analyses, and internal reclassification risk assessments on EU-hosted infrastructure. This is not legally required, but eliminates the CLOUD Act compellability risk for strategically sensitive internal documents.

The 5-Year Window: What Changes Before 2029

The Commission's delegated act powers run to 2029-08-02. In the five years between 2024-08-02 and 2029-08-02, the AI landscape will change substantially. The delegated act mechanism is specifically designed for situations where the legislative text cannot anticipate technical change:

• Annex III Expansion: New categories likely as AI use in consequential domains (hiring, credit, healthcare, education) proliferates. Systems not currently listed may be added as harm evidence accumulates.
• GPAI Threshold: The 10^25 FLOP threshold was set in 2024. As compute costs fall and training runs scale, the threshold may be lowered to capture a broader set of models.
• Transparency Labelling: Specific disclosure format requirements for AI-generated content will evolve as deepfake and synthetic content risks become better understood.
• Conformity Assessment Updates: Annex VII procedural updates may follow as notified bodies accumulate experience and identify gaps.

Developer planning horizon: When assessing compliance costs for AI systems with multi-year development cycles, the delegation window creates regulatory uncertainty through 2029. A system that completes development in 2027 may be subject to delegated act changes adopted in 2026 or 2027. Build delegated act change response into product roadmaps, not just initial compliance plans.

Python Tooling for Delegated Act Tracking

from dataclasses import dataclass, field
from datetime import datetime, date, timedelta
from enum import Enum
from typing import Optional, List
import json

class DelegatedActStatus(Enum):
    ANNOUNCED = "announced"        # In Commission work programme
    CONSULTATION = "consultation"  # Member State expert consultation
    ADOPTED = "adopted"            # Commission has formally adopted
    SCRUTINY = "scrutiny"         # 3-month EP/Council scrutiny window
    EXTENDED = "extended"         # Scrutiny extended additional 3 months
    IN_FORCE = "in_force"         # Published in OJ, now binding
    OBJECTED = "objected"         # EP or Council objected, blocked

class DelegatedActBasis(Enum):
    ART_6_6 = "Art.6(6)"    # High-risk classification criteria
    ART_7_1 = "Art.7(1)"    # Annex III expansion (high-risk list)
    ART_51_3 = "Art.51(3)"  # GPAI systemic risk threshold
    ART_52_4 = "Art.52(4)"  # Transparency technical specification
    ART_53_3 = "Art.53(3)"  # GPAI documentation (Annex XI/XII)
    ART_78_5 = "Art.78(5)"  # Market surveillance cooperation

@dataclass
class DelegatedActTracker:
    """Track EU AI Act delegated acts under Art.104 scrutiny procedure."""
    
    legal_basis: DelegatedActBasis
    title: str
    status: DelegatedActStatus
    commission_notification_date: Optional[date] = None
    scrutiny_deadline: Optional[date] = None  # +3 months from notification
    extended_deadline: Optional[date] = None  # +6 months if extended
    entry_into_force_date: Optional[date] = None
    oj_reference: Optional[str] = None
    affects_your_systems: bool = False
    impact_summary: str = ""
    response_actions: List[str] = field(default_factory=list)
    
    def set_notification_date(self, notification_date: date) -> None:
        self.commission_notification_date = notification_date
        self.scrutiny_deadline = notification_date + timedelta(days=90)
        self.extended_deadline = notification_date + timedelta(days=180)
        self.status = DelegatedActStatus.SCRUTINY
    
    def days_until_scrutiny_closes(self) -> Optional[int]:
        if self.scrutiny_deadline:
            delta = (self.scrutiny_deadline - date.today()).days
            return delta
        return None
    
    def is_urgent(self) -> bool:
        days = self.days_until_scrutiny_closes()
        return days is not None and 0 <= days <= 45
    
    def compliance_window_assessment(self) -> dict:
        """Assess your available compliance window if this act enters into force."""
        if self.entry_into_force_date:
            days_remaining = (self.entry_into_force_date - date.today()).days
            urgency = "CRITICAL" if days_remaining < 30 else \
                      "HIGH" if days_remaining < 90 else \
                      "MEDIUM" if days_remaining < 180 else "LOW"
            return {
                "entry_into_force": self.entry_into_force_date.isoformat(),
                "days_remaining": days_remaining,
                "urgency": urgency,
                "affects_systems": self.affects_your_systems
            }
        elif self.scrutiny_deadline:
            earliest_in_force = self.scrutiny_deadline + timedelta(days=1)
            days_to_earliest = (earliest_in_force - date.today()).days
            return {
                "earliest_possible_in_force": earliest_in_force.isoformat(),
                "days_to_earliest": max(0, days_to_earliest),
                "urgency": "HIGH" if days_to_earliest < 45 else "MEDIUM",
                "affects_systems": self.affects_your_systems
            }
        return {"status": "pre-notification", "urgency": "MONITOR"}

@dataclass  
class Art104DelegationMonitor:
    """Monitor the overall Art.104 delegation framework and active delegated acts."""
    
    DELEGATION_START = date(2024, 8, 2)
    DELEGATION_END = date(2029, 8, 2)  # 5-year initial period
    
    active_delegated_acts: List[DelegatedActTracker] = field(default_factory=list)
    
    def delegation_days_remaining(self) -> int:
        return (self.DELEGATION_END - date.today()).days
    
    def get_acts_by_status(self, status: DelegatedActStatus) -> List[DelegatedActTracker]:
        return [a for a in self.active_delegated_acts if a.status == status]
    
    def get_urgent_acts(self) -> List[DelegatedActTracker]:
        return [a for a in self.active_delegated_acts if a.is_urgent()]
    
    def get_acts_affecting_you(self) -> List[DelegatedActTracker]:
        return [a for a in self.active_delegated_acts if a.affects_your_systems]
    
    def high_risk_reclassification_risk(self) -> dict:
        """Assess risk of being reclassified as high-risk via Art.7(1) delegated act."""
        annex_iii_acts = [
            a for a in self.active_delegated_acts 
            if a.legal_basis == DelegatedActBasis.ART_7_1
        ]
        in_scrutiny = [a for a in annex_iii_acts 
                       if a.status in (DelegatedActStatus.SCRUTINY, DelegatedActStatus.EXTENDED)]
        return {
            "active_annex_iii_delegated_acts": len(annex_iii_acts),
            "acts_in_scrutiny_window": len(in_scrutiny),
            "risk_level": "HIGH" if in_scrutiny else "LOW",
            "recommendation": (
                "Review proposed Annex III expansion against your AI systems immediately"
                if in_scrutiny else
                "No active Annex III reclassification risk — continue monitoring"
            )
        }
    
    def gpai_threshold_risk(self) -> dict:
        """Assess GPAI systemic risk threshold change risk via Art.51(3)."""
        threshold_acts = [
            a for a in self.active_delegated_acts
            if a.legal_basis == DelegatedActBasis.ART_51_3
        ]
        return {
            "current_threshold_flops": "10^25",
            "active_threshold_change_acts": len(threshold_acts),
            "risk_level": "HIGH" if threshold_acts else "MONITORING",
        }
    
    def generate_monitoring_report(self) -> dict:
        return {
            "report_date": date.today().isoformat(),
            "delegation_framework": {
                "start": self.DELEGATION_START.isoformat(),
                "end": self.DELEGATION_END.isoformat(),
                "days_remaining": self.delegation_days_remaining()
            },
            "acts_summary": {
                "total_tracked": len(self.active_delegated_acts),
                "in_scrutiny": len(self.get_acts_by_status(DelegatedActStatus.SCRUTINY)),
                "urgent": len(self.get_urgent_acts()),
                "affecting_you": len(self.get_acts_affecting_you())
            },
            "high_risk_reclassification": self.high_risk_reclassification_risk(),
            "gpai_threshold": self.gpai_threshold_risk()
        }


# Example usage
monitor = Art104DelegationMonitor()

# No active delegated acts as of April 2026 — Commission is still
# in the implementation/guidance phase for the August 2026 deadline.
# This will change: expect Annex III consultation in H2 2026 as
# enforcement data accumulates post-general-application-date.

report = monitor.generate_monitoring_report()
print(json.dumps(report, indent=2))

Art.104 vs the Full Legislative Revision Path

A common misconception is that Art.104 delegated acts are equivalent in significance to full legislative amendments. They are not — but they can be more consequential for individual companies because:

The governance gap: Full legislative revisions take so long that industry can usually adapt during the process. Delegated acts move fast enough that companies with 6-12 month development cycles can be caught mid-cycle by a classification change.

The Revocation Safeguard

Article 104(3) gives both the European Parliament and the Council the power to revoke the delegation of power. This is a genuine safeguard, but it has practical limits:

• Revocation terminates the delegation prospectively — it does not invalidate delegated acts already in force
• Revocation requires institutional initiative (typically triggered by political disagreement with specific Commission acts or general policy divergence)
• The scrutiny mechanism (3-month window) is the more likely check on individual delegated acts than formal revocation

No AI Act delegated act power has been revoked as of April 2026. The mechanism exists but has not been used. The practical backstop against Commission overreach is the 3-month scrutiny window.

Compliance Checklist — 30 Items for Art.104 Readiness

Delegation Framework Understanding (Items 1-5)

1. Do you understand that Art.104 is the procedural shell for delegated acts — not an obligation itself, but the mechanism that can change your obligations?
2. Have you identified which specific delegated act powers (Art.6(6), Art.7(1), Art.51(3), Art.52(4), Art.53(3), Art.78(5)) are relevant to your AI systems?
3. Does your team understand that the Commission's delegation runs to 2029-08-02 — meaning delegated acts can be adopted for 5 years?
4. Are you aware that the tacit renewal mechanism means the delegation continues beyond 2029 unless the EP or Council actively objects?
5. Do you have a legal contact or external counsel who tracks Commission delegated act activity under the AI Act?

Annex III Reclassification Risk (Items 6-12)

1. Have you conducted a classification audit of all AI systems against current Annex III categories?
2. Have you assessed which of your AI systems are in domains adjacent to current Annex III categories (potential expansion targets)?
3. Do you monitor the Commission's Work Programme for planned Annex III delegated acts?
4. Do you have a response playbook for what happens if your AI system is added to Annex III? Who gets notified? What changes are required?
5. Have you estimated the cost and time required to achieve high-risk AI compliance if reclassified?
6. Is your development roadmap structured so that Annex III reclassification can be absorbed without full restart?
7. Do you track EC consultations on Art.7(1) Annex III amendments (published on the EC Have Your Say portal)?

GPAI Threshold Monitoring (Items 13-17)

1. If you train or deploy a GPAI model, do you know your training compute in FLOPs relative to the current 10^25 threshold?
2. Have you assessed your threshold margin — how far below 10^25 FLOPs are you, and what threshold change would bring you within scope?
3. Do you monitor AI Office publications and Commission statements about potential GPAI threshold adjustments?
4. If the threshold were lowered to 10^24 FLOPs, would your model be reclassified? Are you prepared for Art.55 obligations?
5. Is your GPAI model documentation sufficient to satisfy Art.53(3) even if Annex XI is expanded via delegated act?

Monitoring Infrastructure (Items 18-23)

1. Do you have an Official Journal monitoring subscription or automated alert for AI Act delegated act publications?
2. Do you track EP IMCO and LIBE committee agendas for AI Act delegated act scrutiny items?
3. Do you subscribe to AI Office newsletters and publications?
4. Do you track the Commission's Have Your Say portal for AI Act delegated act consultations?
5. Is someone on your team responsible for delegated act monitoring, or is this task unassigned?
6. Have you set a monitoring cadence (weekly, monthly) appropriate to your risk exposure?

Response Readiness (Items 24-28)

1. Do you have a defined process for escalating delegated act intelligence to product, legal, and compliance teams?
2. Can you trigger a classification review within 2 weeks of a new delegated act being published?
3. Is your quality management system (Art.9) designed to be updatable in response to delegated act changes without full redesign?
4. Do you have a documented process for updating conformity assessment documentation if requirements change via Art.53(3)?
5. Is your post-market monitoring system (Art.72) adaptable to new market surveillance cooperation requirements from Art.78(5) delegated acts?

CLOUD Act and Infrastructure (Items 29-30)

1. Are your delegated act monitoring outputs and internal reclassification risk analyses stored on EU-hosted infrastructure rather than US cloud services?
2. Do you have an EU-sovereign document storage strategy for compliance materials that would be sensitive if disclosed (including internal assessments of your systems' vulnerability to Annex III reclassification)?

Summary: What Art.104 Means for Your Compliance Strategy

Article 104 is not a checklist you complete once. It is an ongoing monitoring obligation that runs until 2029. The key operational conclusions:

Build for regulatory change. AI systems with 2-3 year development cycles will encounter at least one significant delegated act during their lifecycle. Compliance architectures that are modular — where high-risk AI obligations can be layered in without full rebuild — are substantially more durable than monolithic designs optimised for the classification that exists at build time.

Monitor the pipeline, not just the gazette. By the time a delegated act is published in the Official Journal, the scrutiny period is running and you may have as little as 3 months to respond. Following the Commission Work Programme and EC consultation processes gives you 6-18 months of advance warning for most significant delegated acts.

The Annex III expansion risk is real and active. The Commission has the power under Art.7(1) to expand high-risk AI categories. As the August 2026 general application date passes and enforcement data accumulates, the political and evidential conditions for an Annex III expansion will improve. Plan for it.

GPAI providers near the threshold face cliff risk. If you are within one order of magnitude of 10^25 FLOPs, the Art.51(3) delegated act power is a genuine regulatory cliff. Monitor the threshold adjustment discussion actively.

The 5-year window (2024-2029) is the most consequential period in the EU AI Act's implementation lifecycle. Article 104 governs the most flexible change mechanism within it.

See Also

• EU AI Act Art.7: Annex III High-Risk AI List Amendments via Delegated Acts — Developer Guide — Art.7(1) is the primary power Art.104 procedurally governs: the Commission can expand the high-risk AI list without full legislative procedure
• EU AI Act Art.51: GPAI Model Classification and Systemic Risk — Developer Guide — Art.51(3) grants the delegated act power to adjust the 10^25 FLOP systemic risk threshold, directly governed by the Art.104 scrutiny procedure
• EU AI Act Art.6: High-Risk AI Classification and Annex III — Developer Guide — Art.6(6) authorises delegated acts to amend the high-risk classification criteria themselves, not just the Annex III list
• EU AI Act Art.98: Delegated Acts Powers — Developer Guide — Art.98 lists all articles that confer delegated act powers; Art.104 is the procedural counterpart that defines how those powers are exercised
• EU AI Act Art.103: Entry into Force and Application Dates — Developer Guide — Art.103 establishes the initial application timeline; Art.104 delegated acts can shift compliance obligations within that timeline without amending Art.103 itself