
The EU AI Act Pushed Its Deadline to 2027, and Quietly Added a Third EU Representative
Short answer
The 2026 simplification package delayed the AI Act's high-risk obligations for use-based systems from 2 August 2026 to 2 December 2027, and for product-regulated systems to 2 August 2028. The delay does not remove Article 22: a provider based outside the EU that places a high-risk AI system on the EU market must, by written mandate, appoint an EU authorised representative before it goes on sale. It is a mandatory local point of contact, the same pattern as the GDPR representative and the GPSR responsible person, and it carries a penalty tier of up to 15 million euro or 3 percent of global turnover.
The 2026 reset
The deadline moved. The duty did not.
In June 2026 the European Union did something unusual with the AI Act: it made it easier. A simplification package, endorsed by the Parliament on 16 June and finalised by the Council on 29 June, pushed the law's hardest deadline back by sixteen months. The obligations for use-based high-risk AI systems, everything in Annex III, moved from 2 August 2026 to 2 December 2027. Product-regulated high-risk systems moved further still, to 2 August 2028.
If you build AI outside the EU and sell it into Europe, the headlines told you that you just got more time. That part is true. What the headlines did not tell you is that the delay changed a date, not a duty, and that one of those duties is a requirement you have almost certainly never heard of.
- Feb 2025Bans and AI literacy
Prohibited AI practices and the AI literacy duty took effect.
- Aug 2025General-purpose AI models
Obligations for GPAI model providers began to apply.
- Aug 2026Governance and penalties
The governance structure and the penalty regime arrive.
- Dec 2027New deadlineHigh-risk systems, Annex III
Use-based high-risk duties, and the Article 22 representative that rides with them. Moved here from August 2026.
- Aug 2028High-risk in regulated products, Annex I
High-risk AI embedded in regulated products.
What stayed live
Two clocks, not one
What moved was the compliance date for high-risk systems. The rest of the Act keeps its own clock. The bans on prohibited AI practices and the AI literacy duty have applied since February 2025, and the general-purpose AI model rules since August 2025. The governance structure and the penalty regime arrive in August 2026.
The structure of the high-risk obligations, including who has to be your contact inside the Union, did not soften. It was simply given a later start line, and a later start line is exactly where companies relax.
The requirement
A third EU representative, hiding in the high-risk chapter

Buried in the high-risk chapter is Article 22, and it reads almost word for word like two rules you already know. Prior to making a high-risk AI system available on the Union market, a provider established outside the EU must, by written mandate, appoint an authorised representative established in the Union. That representative verifies that the conformity documentation exists, keeps it available to authorities for ten years, cooperates with regulators on any risk action, and serves as the official point of contact. Providers of general-purpose AI models based outside the EU carry a parallel duty under Article 54.
One pattern, three times
You have met this rule twice already
If that shape feels familiar, it should. Three EU laws now ask a non-EU company for the same thing: a named contact, at a real EU address, that regulators can knock on.
GDPR Article 27
- Covers
- Personal data of people in the EU
- Named in
- Your privacy notice
- Enforced by
- Data protection authorities
GPSR Responsible Person
- Covers
- Consumer product safety
- Named in
- Your product listing
- Enforced by
- Market surveillance and marketplaces
AI Act Article 22
- Covers
- High-risk AI system conformity
- Named in
- Your conformity documentation
- Enforced by
- AI market surveillance authorities
The GDPR one we cover in Article 27 explained, and the product-safety one in the Amazon sellers guide. Same underlying design, three separate appointments. The AI Act one is simply the newest, and because its deadline just slid to the end of 2027, it is the one companies are most tempted to file under later.
Scope
Who this actually applies to
Not every AI company needs an Article 22 representative, and it is worth being precise, because the AI Act is easy to over-read. The requirement attaches to providers of high-risk AI systems. If your product is a chatbot, a content generator or an internal productivity tool that does not fall into a high-risk category, Article 22 does not apply to you, though the transparency rules in Article 50 might, and the ban on prohibited practices always does.
If your system does one of the high-risk jobs the Act lists, screening job applicants, scoring creditworthiness, operating in education, healthcare, critical infrastructure or law enforcement, and you are based outside the EU, this is squarely your requirement. And there is a quieter overlap: almost every AI company that sells into Europe is also processing EU personal data to do it, which means the GDPR representative under Article 27 already applies today, deadline or no deadline.
The catch
Why a later deadline is its own kind of trap
Sixteen extra months sounds like relief. In compliance it usually means the opposite. The work behind a high-risk AI system is not the appointment of a representative, which is quick. It is the conformity documentation the representative has to be able to show: the technical file, the risk management records, the data governance evidence. That work takes quarters, not weeks, and it is the kind of project that only ever starts when a deadline feels close.
Move the deadline out by sixteen months and the predictable result is that the project starts sixteen months later, against the same wall. The representative is meant to be one of the last pieces you slot in, once the documentation exists. The deadline moved. The runway did not get longer in any way that helps a company that waits.
The move
What a non-EU AI company should do now

- Inventory your AI systems. List what you build and deploy into the EU, and mark anything that could touch a high-risk use in Annex III. You cannot plan for a requirement you have not scoped.
- Classify honestly. Prohibited, high-risk, limited-risk or minimal-risk. The classification decides which obligations apply and whether Article 22 is even in play. When it is genuinely unclear, that is a question for a qualified lawyer, not a guess.
- Close the requirement that already applies. If you sell into the EU, the GDPR representative under Article 27 is live now, not in 2027. Our free compliance checker tells you in about a minute whether it applies to you.
- Plan the AI Act representative into your 2027 timeline, not your 2027 panic. Build the conformity documentation on a schedule that makes the appointment a formality.
Selling into the EU while you sort out AI Act timing?
The GDPR representative requirement applies today, long before the AI Act deadline. Find out in about a minute whether it applies to you. No signup required.
USANTIS provides the EU representative for the GDPR today, and is preparing AI Act authorised representation under Article 22 for the point where the obligation bites. The pattern is one we know well, because it is the same one three times over. The 2027 date is not a reason to forget it. It is the reason to be ready before everyone else remembers.
Frequently asked questions
Written by
Usantis
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU. More articles
Stay off the enforcement tracker.
See whether Article 27 applies to you in about a minute, then set up your EU representative.