2026-04-13·12 min read·sota.io team

EU AI Act Art.98: Delegated Acts — How the Commission Changes AI Compliance Requirements Without Parliament — Developer Guide (2026)

Most developers treat the EU AI Act as a fixed regulatory text — a document they read once, build a compliance programme against, and revisit every few years when something major changes. Article 98 is the reason that approach fails.

Article 98 grants the European Commission delegated powers to amend core technical annexes of the EU AI Act without going through the full co-legislative process with the European Parliament and the Council. New Annex III high-risk categories can be added. The 10²⁵ FLOP systemic risk threshold for GPAI models can be compressed. Technical documentation requirements in Annex IV can be updated. The list of AI techniques in Annex I can be expanded to cover architectures that did not exist when the Act was adopted.

All of this happens via delegated acts — secondary legislation adopted by the Commission alone, subject to a Parliamentary objection window but not a full vote. Understanding how Art.98 works, which provisions it covers, and what the timeline for delegation-triggered changes looks like is the difference between a compliance programme that anticipates change and one that gets blindsided by it.

What Article 98 Actually Says

Article 98 establishes the delegation framework for the entire EU AI Act. It is the constitutional basis for all Commission delegated acts under the Regulation.

Article 98(1) — The Delegation Grant:

Article 98(1) empowers the Commission to adopt delegated acts for a specific, enumerated set of purposes. The Commission is not granted a general power to amend the Act — the delegation is limited to specific articles and annexes where the EU legislator anticipated the need for technical updates without full legislative procedure.

The primary delegated act powers under the EU AI Act include:

Provision	Delegation Purpose	Developer Impact
Art.5(2)	Technical updates to prohibited AI list	New prohibitions added without Parliament vote
Art.7(1)	Annex III amendment — new high-risk categories	Your non-high-risk AI may become high-risk
Art.13(3)(b)	Annex IV technical documentation requirements	Documentation obligations updated
Art.41(1)	Common specifications mandate	Mandatory technical specs via delegated act
Art.51(3)	GPAI systemic risk threshold adjustment	10²⁵ FLOP threshold compression possible
Art.53(3)	GPAI obligations scope update	Additional GPAI compliance requirements
Annex I	AI technique definitions	New architectures added to definition scope

Article 98(2) — Duration of the Delegation:

The delegation is granted for 5 years from the date of entry into force of the Act. Given that the Act entered into force on August 2, 2024, the initial delegation runs until approximately August 2029. The delegation renews automatically for the same period unless the European Parliament or the Council objects at least 3 months before the end of each period.

From a compliance planning perspective, this means:

The first delegation window runs 2024–2029
If no objection, it renews for another 5 years (2029–2034)
The Commission's delegated act powers are therefore effectively permanent until Parliament or Council takes affirmative steps to restrict them

Article 98(3) — Parliament and Council Revocation Right:

The European Parliament or the Council may revoke the delegation at any time. Revocation takes effect the day after its publication in the Official Journal, or on a later date specified in the revocation decision. It does not affect delegated acts already in force — changes already made to Annexes do not get reversed by revocation.

For developers, revocation risk matters primarily as a signal that the political environment has shifted — a revocation of Commission delegated powers would typically precede either full legislative reform or a period of regulatory stability while a new framework is negotiated.

Article 98(4) — The 3-Month Objection Window:

Before a delegated act enters into force, the Commission notifies both the European Parliament and the Council. Either institution can object within 3 months of notification (extendable by another 3 months at the institution's initiative). If no objection is raised, the delegated act enters into force on the date stated in its text.

This 3-month window is the developer's advance warning period. When the Commission publishes its notification of an intended delegated act — visible in the EUR-Lex pre-adoption notifications and Commission work programmes — developers have 3 months to assess the compliance impact before the change becomes mandatory.

Article 98(5) — Urgency Delegated Acts:

Where a case of urgency requires it, the Commission may adopt delegated acts that enter into force immediately without waiting for the 3-month objection period. These urgency delegated acts remain in force for a period of no more than 6 months. The European Parliament and the Council are notified simultaneously with adoption, and they may object within 6 months — causing the act to cease to apply.

The urgency procedure matters for the GPAI systemic risk context: if a newly emerged AI system presents systemic risk and the current 10²⁵ FLOP threshold does not capture it, the Commission could use the Art.98(5) urgency procedure to lower the threshold immediately while the standard revision process proceeds in parallel.

The Annex III Expansion Risk: The Compliance Threat Developers Face Most

For developers building AI products that currently fall outside the high-risk categories in Annex III, the Art.98 delegation to amend Annex III under Art.7(1) is the most material delegated act risk.

Annex III currently identifies eight high-risk categories. Art.7(1) allows the Commission to add new categories by delegated act where:

The AI system poses a risk to health, safety, or fundamental rights
The AI system is similar in nature to systems already in Annex III
Sufficient evidence of harm has accumulated to justify classification

The combination of Art.97 evaluation data feeding into Commission assessments (see Art.97 developer guide) and Art.98 delegated act powers means Annex III expansion can happen in an 18–24 month cycle: Art.84 MSA annual reports accumulate incident data → Art.97 evaluation identifies classification gaps → Art.98 delegated act amends Annex III → new high-risk classification takes effect.

Categories most likely to be added to Annex III via Art.98 delegated act before 2029:

Application	Current Status	Expansion Trigger	Likely Timeline
AI insurance underwriting	Not high-risk (no direct access denial)	Financial services incident data accumulation	2027–2028
Continuous employee performance scoring	Partial coverage (hiring decisions in Annex III)	HR automation enforcement gaps	2027
AI-assisted loan restructuring	Not high-risk (below underwriting threshold)	Essential services Art.84 data	2028
Generative AI in electoral content	Not high-risk (unless Art.5(1)(a)(iv) applies)	Democracy/elections incident reporting	2026–2027
AI-powered recruitment filtering	Partial (recruitment decisions in Annex III but ambiguous scope)	Clarification via delegated act	2027

For any AI product in these areas, the compliance planning question is not "are we high-risk today?" but "when will we be classified as high-risk and how long do we have to prepare?"

GPAI Threshold Compression: The Art.51(3) Delegated Act

The 10²⁵ floating-point operations (FLOP) training compute threshold for systemic risk designation under Art.51 is explicitly subject to Commission revision by delegated act under Art.98. Art.51(3) states that the Commission may adjust the threshold by delegated act "taking into account evolving technological trends and relevant benchmarks."

The direction of adjustment is almost certainly downward. The FLOP threshold was set in 2023–2024 conditions. Algorithmic improvements (mixture-of-experts architectures, more efficient training methods, hardware advances) mean equivalent capability is achievable at lower compute. By 2026–2027, models with 10²³–10²⁴ FLOP training compute may achieve capabilities comparable to 2024's frontier models.

When the Commission adjusts the threshold downward via delegated act, models that were below the systemic risk threshold become subject to Art.55 obligations:

Adversarial testing and red-teaming before deployment
Systemic risk assessment and ongoing monitoring
Incident reporting to AI Office
Cybersecurity measures for model weights
AI Office information request exposure under Art.90

For GPAI model providers currently below the threshold:

The Art.98 delegated act process provides the 3-month advance warning window. Commission pre-adoption notifications for threshold adjustments will appear in the Commission's delegated acts database before they take effect. Tracking these notifications and building Art.55 compliance readiness in advance of threshold compression is the operational imperative.

Annex I Updates: New AI Techniques Enter Scope

Annex I of the EU AI Act defines what counts as an "AI system" for purposes of the entire regulation. It currently captures machine learning approaches (supervised, unsupervised, reinforcement), logic-based systems, knowledge-based approaches, and statistical methods. Art.98 empowers the Commission to update Annex I when new AI techniques emerge that should be captured within the Act's scope.

For developers, this is the threshold-entry risk: a new architectural approach that currently sits outside Annex I's definition may enter scope via delegated act, subjecting it to all EU AI Act obligations.

What triggers Annex I amendment:

Emergence of a novel AI technique with significant deployment at scale
Evidence that the technique poses regulatory concerns not captured by current definitions
Standards body or AI Office technical assessment that current Annex I creates coverage gaps

Practical implications:

Post-2024 architectural innovations (hybrid neurosymbolic systems, physics-informed AI, probabilistic programming at scale) are candidates for Annex I additions
If you deploy AI techniques that are arguably not covered by current Annex I, document this analysis — it will matter when a delegated act moves the boundary

Annex IV Documentation Requirements: The Ongoing Compliance Target

Annex IV sets out technical documentation requirements for high-risk AI systems. Art.13(3)(b) empowers the Commission to update these requirements by delegated act as technical standards evolve.

For developers maintaining high-risk AI compliance programmes, this creates an ongoing documentation update obligation. Changes to Annex IV documentation requirements — such as requiring model cards in a specific format, adding new sections for GPAI-component documentation, or mandating automated testing evidence — can arrive via delegated act with the standard 3-month lead time.

Building documentation systems that are modular and updatable — rather than static PDF reports — is the structural response to Art.98 Annex IV amendment risk.

CLOUD Act Intersection: Delegated Acts Can Add EU Infrastructure Requirements

One of the most significant developer implications of the Art.98 delegation mechanism is its ability to introduce EU-jurisdiction storage requirements for specific categories of compliance documentation — without a full legislative process.

The current EU AI Act does not mandate EU-jurisdiction storage for technical documentation, training data records, or GPAI evaluation reports. However, the Commission's Art.97 evaluation reports can identify CLOUD Act compellability conflicts as systematic enforcement problems, and Art.98 delegated acts amending Annex IV or common specifications under Art.41 can then introduce EU-jurisdiction requirements for specific document types.

The pathway from CLOUD Act concern to delegated act requirement:

Art.84 MSA reports: documentation requests blocked by US national security assertions
         ↓
Art.97 Commission evaluation: "systematic risk of CLOUD Act compellability identified"
         ↓
Commission delegated act (Art.98 + Art.13(3)(b)): 
  Annex IV amendment — technical documentation must be stored in EU-jurisdiction systems
         ↓
3-month objection window (no Parliament objection in practice)
         ↓
New Annex IV requirement takes effect: EU-native storage mandatory for Annex III AI systems

For developers currently using US cloud providers for compliance documentation, model weights, and training records, this pathway represents a material infrastructure change risk. The delegated act can apply to existing systems — not just new deployments — giving providers 6–12 months to migrate documentation to EU-jurisdiction systems.

Proactive response: Adopting EU-native infrastructure for compliance documentation before Art.98 delegated acts mandate it is insurance against forced migration under time pressure. It also eliminates the dual-jurisdiction problem where the same AI system creates compliance obligations that conflict with US discovery and national security law.

Python Tooling: Art.98 Delegation Monitoring

from dataclasses import dataclass, field
from enum import Enum
from datetime import date, timedelta
from typing import Optional

class DelegatedActStatus(Enum):
    PLANNED = "in_commission_work_programme"
    NOTIFIED = "notified_to_parliament_council"
    OBJECTION_WINDOW = "3_month_objection_period"
    ADOPTED = "adopted_in_force"
    URGENCY = "urgency_procedure_immediate"
    REVOKED = "revoked_no_longer_in_force"

class AnnexTargeted(Enum):
    ANNEX_I = "ai_technique_definitions"
    ANNEX_III = "high_risk_categories"
    ANNEX_IV = "technical_documentation"
    ART_51 = "gpai_systemic_risk_threshold"
    ART_41 = "common_specifications"
    ART_5 = "prohibited_practices_list"

@dataclass
class Art98DelegatedAct:
    reference: str
    targeted_provision: AnnexTargeted
    status: DelegatedActStatus
    notification_date: Optional[date]
    adoption_date: Optional[date]
    in_force_date: Optional[date]
    description: str
    developer_impact: str
    urgency_procedure: bool = False

    @property
    def objection_deadline(self) -> Optional[date]:
        if self.notification_date and not self.urgency_procedure:
            return self.notification_date + timedelta(days=90)
        return None

    @property
    def days_until_in_force(self) -> Optional[int]:
        if self.in_force_date:
            delta = self.in_force_date - date.today()
            return delta.days
        return None

    @property
    def compliance_preparation_window(self) -> str:
        if self.notification_date and not self.in_force_date:
            # Estimate: 3-month objection window + typically 6-12 months until mandatory
            estimated_in_force = self.notification_date + timedelta(days=365)
            delta = estimated_in_force - date.today()
            if delta.days > 0:
                return f"approximately {delta.days} days to prepare compliance changes"
        elif self.in_force_date:
            delta = self.in_force_date - date.today()
            if delta.days > 0:
                return f"{delta.days} days remaining before mandatory compliance"
            return "IN FORCE — compliance changes required now"
        return "status unknown — monitor EUR-Lex"

@dataclass
class Art98ComplianceMonitor:
    """
    Monitor Art.98 delegated act pipeline for compliance impact.
    Track notification → objection window → in force lifecycle.
    """
    watched_provisions: list[AnnexTargeted]
    gpai_training_compute_flop: Optional[float] = None
    current_annex_iii_categories: list[str] = field(default_factory=list)
    documentation_jurisdiction: str = "us_cloud"  # "eu_native" or "us_cloud"

    def assess_threshold_compression_exposure(
        self, new_threshold_flop: float
    ) -> dict:
        """
        Check if threshold compression delegated act would bring model in scope.
        Returns compliance obligations triggered and preparation checklist.
        """
        if self.gpai_training_compute_flop is None:
            return {"status": "unknown", "reason": "training compute not specified"}

        currently_in_scope = self.gpai_training_compute_flop >= 1e25
        would_be_in_scope = self.gpai_training_compute_flop >= new_threshold_flop

        if currently_in_scope:
            return {"status": "already_in_scope", "action": "maintain_art55_compliance"}

        if would_be_in_scope and not currently_in_scope:
            return {
                "status": "threshold_compression_trigger",
                "current_flop": self.gpai_training_compute_flop,
                "new_threshold": new_threshold_flop,
                "obligations_triggered": [
                    "Art.55(1)(a): adversarial testing before deployment",
                    "Art.55(1)(b): systemic risk assessment",
                    "Art.55(1)(c): AI Office incident reporting",
                    "Art.55(1)(d): cybersecurity measures for model weights",
                    "Art.90: AI Office information request exposure",
                ],
                "preparation_time_months": 6,
                "immediate_actions": [
                    "Initiate adversarial testing programme",
                    "Draft systemic risk assessment document",
                    "Establish AI Office reporting protocols",
                    "Assess model weight storage jurisdiction",
                ],
            }

        return {"status": "not_triggered", "action": "continue_monitoring"}

    def assess_annex_iv_cloud_act_risk(self) -> dict:
        """
        Check infrastructure exposure to Art.98 Annex IV amendment
        that may mandate EU-jurisdiction storage.
        """
        if self.documentation_jurisdiction == "eu_native":
            return {
                "status": "compliant",
                "risk": "low",
                "reason": "EU-native storage already eliminates CLOUD Act compellability",
            }
        return {
            "status": "exposed",
            "risk": "high",
            "current_risk": "CLOUD Act compellability of compliance documentation",
            "delegated_act_risk": "Art.98 Annex IV amendment may mandate EU-jurisdiction",
            "recommended_action": "migrate compliance documentation to EU-native infrastructure",
            "estimated_migration_window": "6-12 months after delegated act adoption",
        }


def track_art98_pipeline(
    provision: AnnexTargeted,
    impact_description: str
) -> dict:
    """
    Generate tracking template for an Art.98 delegated act.
    Use when Commission work programme announces Annex amendment intent.
    """
    return {
        "monitor": "EUR-Lex delegated acts database",
        "commission_register": "Register of Commission documents",
        "notification_tracking": "Official Journal C series",
        "objection_window": "90 days from Parliament/Council notification",
        "urgency_check": "Official Journal L series — immediate entry into force",
        "provision_tracked": provision.value,
        "compliance_action": impact_description,
        "review_frequency": "monthly until adopted, weekly in objection window",
    }

The 30-Item Art.98 Future-Proofing Checklist

Understanding Your Delegation Exposure (1–10)

Identify which Annex III categories apply to your current AI products — these are the compliance baseline before any Art.98 amendment
Document which AI products currently fall outside Annex III but operate in sectors with Art.97 expansion risk (financial services, employment, healthcare triage, electoral content)
If you operate a GPAI model: determine your training compute in FLOP and your distance from the current 10²⁵ threshold
Identify all provisions currently exempting your systems from high-risk obligations — these are delegation-vulnerable exemptions
Map your current Annex IV documentation against the requirements — gaps become more expensive to close after an amendment
Identify AI techniques your products use that might be added to Annex I via delegated act (hybrid architectures, probabilistic programming, emerging approaches)
Determine where your compliance documentation is stored — EU-native or US-cloud affects Annex IV amendment exposure
Check if any Commission work programme items reference Annex III review or GPAI threshold revision — early signal of upcoming delegated acts
Identify which harmonised standards your conformity assessment relies on — if common specifications are adopted via Art.98/Art.41, your standards-based conformity may need updating
Assess your product development pipeline — new products in 12–18 months may enter scope under a delegation-amended Annex III

Monitoring the Delegation Pipeline (11–20)

Subscribe to EUR-Lex delegated acts notifications for AI Act references
Monitor the Commission's annual work programme — delegated act intentions are typically signalled 12–18 months in advance
Track the European AI Board's technical opinions — they inform Commission delegated act proposals
Monitor AI Office annual reports under Art.88 — these identify compliance gaps that delegated acts may address
Watch Art.84 MSA annual reports aggregated by the Commission — high incident sectors are Annex III expansion candidates
Monitor Art.97 evaluation process — Commission evaluation reports under Art.97 directly feed delegated act proposals
Track General Court cases challenging existing AI Act provisions — court findings can accelerate Commission delegated act responses
Monitor European standardisation organisations (CEN/CENELEC) mandated standards pipeline — common specifications replace harmonised standards via Art.98/Art.41
Watch for urgency delegated acts — check Official Journal L series for immediately-effective AI Act amendments
Identify the 3-month objection window notification dates — this is the last point at which industry feedback to Parliament/Council can influence whether the delegated act enters into force

Preparing for Delegation-Triggered Changes (21–30)

Build a compliance documentation system that is modular and updatable — Annex IV amendments require documentation changes, not full-system rework
Design AI systems to be composable around high-risk classification — if a component becomes high-risk via Annex III amendment, it should be isolatable without a full rebuild
For GPAI models near the threshold: maintain Art.55 compliance readiness even if currently below threshold — the cost of being prepared is lower than emergency preparation after a delegated act
Establish a 6-month Annex III monitoring cycle — review classification assumptions against Commission publications every 6 months
Migrate compliance documentation to EU-native infrastructure before Annex IV amendment mandates it — the delegated act window (3 months objection + 6-12 months until mandatory) may not provide sufficient migration time
Develop an internal "delegated act impact assessment" process — when a Commission delegated act is notified, a fast-path assessment of your compliance impact should be possible within 2 weeks
Engage with the consultation period before delegated acts — the Commission typically runs stakeholder consultations before formal delegated act adoption, providing the earliest opportunity to shape the outcome
Train compliance teams on the distinction between delegated acts (Art.98) and implementing acts (committee procedure) — different timelines and objection mechanisms apply to each
For products in electoral/political content: the Art.5(2) delegation to add prohibited practices is the most legally consequential delegated act — monitor closely and maintain strict usage policy controls
Review all Art.98-exposed compliance assumptions annually — a compliance programme built in 2024 may require significant updates by 2027 even if no formal delegated act has been adopted, based on Commission consultation papers and draft proposals signalling the direction of change

Why Art.98 Matters More Than Developers Realise

The EU AI Act compliance community tends to treat the regulation as static law — find the right Annex III box, build the required technical documentation, pass conformity assessment. Art.98 is the reason this approach is incomplete.

The Commission has 5 years of delegated power to amend the technical annexes that define your compliance obligations. The amendment pathway is faster than full legislative process and more responsive to technological change than Parliament/Council procedures. The 3-month objection window is the only check between a Commission delegated act proposal and your compliance obligations changing.

For developers investing in AI compliance infrastructure today, the Art.98 trajectory points in one direction: compliance systems that are adaptive — that can incorporate new Annex III categories, updated Annex IV documentation requirements, and compressed GPAI thresholds — without requiring full architecture redesign.

The Art.98 delegated act pipeline is not a regulatory risk in the abstract sense. It is a concrete compliance planning input with a 3–18 month warning cycle. Building monitoring and response capacity into your regulatory affairs function is the operational response.