The EU AI Act High-Risk Deadline Moved to 2027. Here's the 16-Week Plan to Use the Runway.

The deferral isn't a reprieve — it's a planning window. This is the phased program disciplined regulated firms are running now, while the slower ones wait.

In May 2026, EU lawmakers reached a provisional agreement under the Digital Omnibus on AI to push back the AI Act's high-risk obligations. Standalone high-risk systems (Annex III) move from 2 August 2026 to 2 December 2027; high-risk AI embedded in regulated products (Annex I) moves to 2 August 2028. The change is provisional pending formal adoption, and it is targeted — the Article 5 prohibitions and the general-purpose AI rules already apply, and several transparency obligations remain on the 2026 track.

We wrote about the original Chapter III obligations in detail in our earlier readiness brief. Everything in that piece still holds — the requirements didn't change, only the dates. What follows is the plan for the time you were just handed.

Sixteen-plus months of relief is real. The mistake is treating it as time off.

The work that high-risk compliance actually requires — a living risk management system, governed data, tamper-evident logging, genuine human oversight, and the documentation to prove all of it — is engineering, not paperwork. It takes longer than teams expect, and it can't be retrofitted into a live production system without pain. The firms that win the 2027 deadline are the ones building quietly through the window they were just handed.

So here is the concrete answer to "what do we actually do with the extra time": a 16-week readiness program, in four phases. (It compresses to roughly 12 weeks if you overlap the middle phases and have engineering capacity to spare.)

Phase 1 — Discover & Classify (Weeks 1–4)

You can't govern what you haven't inventoried.

  • Weeks 1–2: Inventory & classify. Build a single register of every AI system, model, API call, and automated decision in the business. Then run each against the Annex III high-risk criteria (employment, credit and essential services, biometrics and healthcare) and document the rationale.
  • Weeks 3–4: Gap assessment & governance kickoff. For each high-risk system, measure current controls against Chapter III, rate the gaps by severity and effort, and assign accountable owners. The output is a prioritized remediation backlog and an approved roadmap.

Most teams skip the inventory and pay for it later. It's the cheapest step and the one that makes everything after it possible.

Phase 2 — Foundational Controls (Weeks 5–8)

Stand up the governance backbone so compliance becomes an operating discipline, not a document.

  • Risk management system (Article 9). A continuous process to identify, estimate, and mitigate risks across each system's lifecycle — not a one-time assessment.
  • Data governance (Article 10). Provenance and lineage, documented design and collection choices, data-quality criteria, and active testing for bias and demographic skew.
  • Roles, policy, and literacy. Clear deployer accountability and sign-offs, AI use and oversight policies, vendor due diligence for third-party models, and training for the people who operate these systems.

Phase 3 — Technical Build (Weeks 9–12)

The engineering core, and the part auditors scrutinize hardest.

  • Technical documentation (Article 11, Annex IV). Build it as a byproduct of development — system description, design specs, capabilities and limitations, validation — versioned, not assembled in a year-end scramble.
  • Logging and record-keeping (Article 12). Instrument automatic, tamper-evident logging into your agent orchestration: inputs, outputs, operational decisions, and confidence signals, with defined retention.
  • Human oversight (Article 14). Real-time visibility and the ability to intercept, pause, or reverse a decision, with escalation thresholds and trained reviewers.
  • Transparency, accuracy, robustness (Articles 13, 15, 50). Instructions for use, accuracy and cybersecurity measures, adversarial testing, and any required disclosures.
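One common way to make the Article 12 decision log tamper-evident is to chain each record to the previous one with a keyed hash. The sketch below is an added example, not Golonex code and not a construction the Act prescribes; the record fields, the demo key, and the hypothetical credit-screening agent are assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64                  # prev_hash of the first entry
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key is held outside the log store

def _mac(key, prev_hash, body):
    # Canonical JSON so the same record always serializes to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + payload, hashlib.sha256).hexdigest()

def append_record(log, key, **body):
    """Append one decision record, chained to the previous entry's MAC."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = dict(body, prev_hash=prev, hash=_mac(key, prev, body))
    log.append(entry)
    return entry["hash"]

def verify_chain(log, key, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact.

    expected_head is the last MAC as recorded outside the log store; without
    it, entries removed from the tail of the log cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        linked = entry["prev_hash"] == prev
        if not (linked and hmac.compare_digest(entry["hash"], _mac(key, prev, body))):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def build_sample_log(key):
    """Three constructed records for a hypothetical credit-screening agent."""
    rows = [
        dict(ts="2027-01-04T09:00:00Z", system_id="credit-screen-v1",
             inputs={"applicant": "A-001"}, output="score=0.81",
             decision="approve", confidence=0.81),
        dict(ts="2027-01-04T09:01:00Z", system_id="credit-screen-v1",
             inputs={"applicant": "A-002"}, output="score=0.32",
             decision="deny", confidence=0.68),
        dict(ts="2027-01-04T09:02:00Z", system_id="credit-screen-v1",
             inputs={"applicant": "A-003"}, output="score=0.55",
             decision="escalate_to_human", confidence=0.51),
    ]
    log, head = [], GENESIS
    for row in rows:
        head = append_record(log, key, **row)
    return log, head
```

Edits and mid-log deletions break the chain at the affected index; tail truncation is only caught when the latest MAC is also anchored somewhere the log writer cannot modify.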

Phase 4 — Validate & Operationalize (Weeks 13–16)

Prove it works, then keep it working.

  • Validation and conformity prep. End-to-end control testing, bias and robustness re-tests against your thresholds, and assembly of the conformity-assessment pack (including CE marking inputs where applicable).
  • ISO/IEC 42001 alignment. Map your controls onto an AI Management System so you have a systemic paper trail that satisfies internal IT auditors and maps cleanly onto the Act.
  • Continuous compliance. Post-market monitoring, a serious-incident reporting process, a review cadence with named owners, and a clean handoff from program to business-as-usual. High-risk compliance is continuous, not a one-time certification.

A note on liability that changes the urgency calculus: calling a compliant frontier-model API does not transfer your obligations. When you put an AI system into service for your own operations, you are a deployer under the Act — and if you fine-tune, substantially modify, or badge a high-risk system as your own, you take on provider obligations too (for a full legal analysis of these distinct value-chain roles, see The Definitive EU AI Act Glossary). Either way, when your pipeline wrongly denies someone credit or screens out a qualified applicant, the liability is yours, not the model vendor's. That's precisely why the logging and oversight controls in Phases 3 and 4 matter: they're the only thing that gives you defensible visibility into what your systems are actually doing.

The point of the plan

The goal isn't to "pass an audit." It's to make compliance the thing that lets you deploy AI faster — because your IT and legal teams can see exactly what every system is doing and why. The deadline moved. The work didn't. The firms that use the runway will deploy in 2027 with confidence; the ones that bank it will be remediating under pressure.

Through the Golonex AI Solutions Lab we build multi-agent workflows with these Chapter III controls designed in from the start, and through our GRC practice we map your existing systems against the high-risk criteria.

Want to know where your systems stand against Chapter III? Request a Readiness Assessment at golonex.ai/contact.

Golonex Press Briefing Service
