Fines up to €20,000,000 or 4% of global turnover
A dark data center corridor in deep navy blue, rows of server racks receding toward a warm golden light, representing the EU AI Act reaching non-EU technology companies
For US Companies

The EU AI Act Pushed Its Deadline to 2027, and Quietly Added a Third EU Representative

Usantis Jul 6, 2026 5 min read

Short answer

The 2026 simplification package delayed the AI Act's high-risk obligations for use-based systems from 2 August 2026 to 2 December 2027, and for product-regulated systems to 2 August 2028. The delay does not remove Article 22: a provider based outside the EU that places a high-risk AI system on the EU market must, by written mandate, appoint an EU authorised representative before it goes on sale. It is a mandatory local point of contact, the same pattern as the GDPR representative and the GPSR responsible person, and it carries a penalty tier of up to 15 million euro or 3 percent of global turnover.

The 2026 reset

The deadline moved. The duty did not.

In June 2026 the European Union did something unusual with the AI Act: it made it easier. A simplification package, endorsed by the Parliament on 16 June and finalised by the Council on 29 June, pushed the law's hardest deadline back by sixteen months. The obligations for use-based high-risk AI systems, everything in Annex III, moved from 2 August 2026 to 2 December 2027. Product-regulated high-risk systems moved further still, to 2 August 2028.

If you build AI outside the EU and sell it into Europe, the headlines told you that you just got more time. That part is true. What the headlines did not tell you is that the delay changed a date, not a duty, and that one of those duties is a requirement you have almost certainly never heard of.

  1. Feb 2025
    Bans and AI literacy

    Prohibited AI practices and the AI literacy duty took effect.

  2. Aug 2025
    General-purpose AI models

    Obligations for GPAI model providers began to apply.

  3. Aug 2026
    Governance and penalties

    The governance structure and the penalty regime arrive.

  4. Dec 2027New deadline
    High-risk systems, Annex III

    Use-based high-risk duties, and the Article 22 representative that rides with them. Moved here from August 2026.

  5. Aug 2028
    High-risk in regulated products, Annex I

    High-risk AI embedded in regulated products.

What stayed live

Two clocks, not one

What moved was the compliance date for high-risk systems. The rest of the Act keeps its own clock. The bans on prohibited AI practices and the AI literacy duty have applied since February 2025, and the general-purpose AI model rules since August 2025. The governance structure and the penalty regime arrive in August 2026.

The structure of the high-risk obligations, including who has to be your contact inside the Union, did not soften. It was simply given a later start line, and a later start line is exactly where companies relax.

The requirement

A third EU representative, hiding in the high-risk chapter

A hand signing a formal legal document with a fountain pen, representing the written mandate that appoints an EU authorised representative
Article 22 turns on a written mandate: a non-EU provider appoints an EU representative, in writing, before the system reaches the market.

Buried in the high-risk chapter is Article 22, and it reads almost word for word like two rules you already know. Prior to making a high-risk AI system available on the Union market, a provider established outside the EU must, by written mandate, appoint an authorised representative established in the Union. That representative verifies that the conformity documentation exists, keeps it available to authorities for ten years, cooperates with regulators on any risk action, and serves as the official point of contact. Providers of general-purpose AI models based outside the EU carry a parallel duty under Article 54.

€15M / 3%
penalty tier for an Article 22 violation, whichever is higher
10 years
records the EU representative keeps available
Written
mandate required before market entry

One pattern, three times

You have met this rule twice already

If that shape feels familiar, it should. Three EU laws now ask a non-EU company for the same thing: a named contact, at a real EU address, that regulators can knock on.

Data protection

GDPR Article 27

Covers
Personal data of people in the EU
Named in
Your privacy notice
Enforced by
Data protection authorities
Applies today
Product safety

GPSR Responsible Person

Covers
Consumer product safety
Named in
Your product listing
Enforced by
Market surveillance and marketplaces
Applies today
High-risk AI

AI Act Article 22

Covers
High-risk AI system conformity
Named in
Your conformity documentation
Enforced by
AI market surveillance authorities
From Dec 2027

The GDPR one we cover in Article 27 explained, and the product-safety one in the Amazon sellers guide. Same underlying design, three separate appointments. The AI Act one is simply the newest, and because its deadline just slid to the end of 2027, it is the one companies are most tempted to file under later.

Scope

Who this actually applies to

Not every AI company needs an Article 22 representative, and it is worth being precise, because the AI Act is easy to over-read. The requirement attaches to providers of high-risk AI systems. If your product is a chatbot, a content generator or an internal productivity tool that does not fall into a high-risk category, Article 22 does not apply to you, though the transparency rules in Article 50 might, and the ban on prohibited practices always does.

If your system does one of the high-risk jobs the Act lists, screening job applicants, scoring creditworthiness, operating in education, healthcare, critical infrastructure or law enforcement, and you are based outside the EU, this is squarely your requirement. And there is a quieter overlap: almost every AI company that sells into Europe is also processing EU personal data to do it, which means the GDPR representative under Article 27 already applies today, deadline or no deadline.

The catch

Why a later deadline is its own kind of trap

Sixteen extra months sounds like relief. In compliance it usually means the opposite. The work behind a high-risk AI system is not the appointment of a representative, which is quick. It is the conformity documentation the representative has to be able to show: the technical file, the risk management records, the data governance evidence. That work takes quarters, not weeks, and it is the kind of project that only ever starts when a deadline feels close.

Move the deadline out by sixteen months and the predictable result is that the project starts sixteen months later, against the same wall. The representative is meant to be one of the last pieces you slot in, once the documentation exists. The deadline moved. The runway did not get longer in any way that helps a company that waits.

The move

What a non-EU AI company should do now

A tidy desk with a laptop, a checklist and a pen, representing the practical steps a non-EU company takes to prepare for the AI Act
Preparation is a 2026 activity, not a 2027 scramble. Four steps put you ahead of the deadline.
  1. Inventory your AI systems. List what you build and deploy into the EU, and mark anything that could touch a high-risk use in Annex III. You cannot plan for a requirement you have not scoped.
  2. Classify honestly. Prohibited, high-risk, limited-risk or minimal-risk. The classification decides which obligations apply and whether Article 22 is even in play. When it is genuinely unclear, that is a question for a qualified lawyer, not a guess.
  3. Close the requirement that already applies. If you sell into the EU, the GDPR representative under Article 27 is live now, not in 2027. Our free compliance checker tells you in about a minute whether it applies to you.
  4. Plan the AI Act representative into your 2027 timeline, not your 2027 panic. Build the conformity documentation on a schedule that makes the appointment a formality.

Selling into the EU while you sort out AI Act timing?

The GDPR representative requirement applies today, long before the AI Act deadline. Find out in about a minute whether it applies to you. No signup required.

Run the free checker

USANTIS provides the EU representative for the GDPR today, and is preparing AI Act authorised representation under Article 22 for the point where the obligation bites. The pattern is one we know well, because it is the same one three times over. The 2027 date is not a reason to forget it. It is the reason to be ready before everyone else remembers.

Frequently asked questions

Stay off the enforcement tracker.

See whether Article 27 applies to you in about a minute, then set up your EU representative.