
How Long Does EU AI Act Compliance Take?

Guide · 2 June 2026 · 14 min read · 2,936 words

EU AI Act compliance takes days for minimal-risk deployers, weeks for Article 50 cases, and 4–9 months for high-risk providers. Plan back from 2 Dec 2027.

The honest answer is: it depends — but not in a way that makes it unplannable. The two variables that dominate are your highest-risk system's tier and whether you are a provider or a deployer. A company whose AI use consists of a customer-service chatbot and a few productivity tools can close out its obligations in a matter of weeks. A company that develops and places a recruitment-screening model on the market is looking at several months of sustained work before it can lawfully launch.

This article gives realistic planning estimates by scenario, breaks the high-risk compliance path into its constituent workstreams with honest durations, and maps the working-back schedule from the 2 December 2027 deadline. The figures here are planning benchmarks, not legal guarantees — actual time will vary with organisation size, existing documentation maturity, and how quickly sign-off chains move.

The short answer, by scenario

| Scenario | Realistic effort |
| --- | --- |
| Minimal-risk deployer (productivity tools, internal summarisation, image editing) | 1–2 weeks: AI inventory, Article 4 AI literacy training for staff, light documentation |
| Limited-risk deployer or provider (customer-facing chatbot, synthetic-content generation, emotion-recognition output — Article 50 scope) | 3–5 weeks: AI inventory, Article 50 disclosure implementation, transparency notices, records |
| High-risk deployer (using a third-party high-risk system, e.g. a bank deploying a vendor's credit-scoring model) | 4–8 weeks: due diligence on the provider's compliance package, human oversight procedures (Article 26), log retention setup, potential Article 27 Fundamental Rights Impact Assessment |
| High-risk provider — first system, data governance largely documented | 4–6 months of active work |
| High-risk provider — first system, data lineage weak or undocumented | 6–9 months, possibly longer |
| High-risk provider — multiple Annex III systems simultaneously | Add 6–10 weeks per additional system after the first, depending on overlap |

Article 50 limited-risk transparency obligations apply from 2 August 2026. High-risk obligations for stand-alone Annex III systems apply from 2 December 2027 under the Digital Omnibus agreed in May 2026. High-risk AI embedded in Annex I regulated products — medical devices, machinery, vehicles — follows the 2 August 2028 date. Note separately that Article 5 prohibited practices and Article 4 AI literacy have applied since 2 February 2025; those are not upcoming deadlines, they are overdue ones.

What drives the timeline

Your role. Providers under Article 16 carry the heaviest stack: risk management, technical documentation, data governance, human oversight, accuracy testing, a quality management system, conformity assessment, a declaration of conformity, and registration. Deployers under Article 26 have a shorter list — predominantly following the provider's instructions, ensuring human oversight, maintaining logs for at least six months, and, for certain deployers in public services or in creditworthiness and life/health insurance contexts, running an Article 27 Fundamental Rights Impact Assessment. The provider-vs-deployer distinction is therefore the single biggest determinant of total effort.

The number and complexity of AI systems. Running classification under Article 6 and Annex III across thirty systems takes longer than doing it for three. The Article 6(3) filter — which can remove a system from the high-risk category if it poses no significant risk and meets one of four conditions — requires a documented assessment per system, even when the conclusion is "not high-risk."

Data governance maturity. Article 10 requires providers to show that training, validation, and testing data meet quality standards: that the data is relevant, representative, and free of errors to the extent possible. For companies with well-documented data pipelines, this section of the file is weeks of work. For companies that have never catalogued their training data or tracked data lineage, it is the single most common reason a project slips from five months to nine.

Harmonised standards. Where the European Commission has published harmonised standards for a particular Annex III domain, self-assessment against those standards can satisfy the Article 43 conformity requirement under the Annex VI internal-control route. Where no applicable harmonised standards exist, the burden of demonstrating conformity is higher and the notified-body route under Annex VII may be required (mandatory for Annex III point 1 biometric systems).

Organisational readiness. Sign-off cycles, whether the legal team is already EU AI Act-literate, whether a quality management system exists, and whether there is a designated person who owns compliance day-to-day — each of these can silently add weeks. The technical documentation assembly is rarely the bottleneck at large organisations; the internal approval chain is.

The high-risk workstreams and how long each takes

For a high-risk provider deploying a single Annex III system, the compliance programme typically runs across seven to nine overlapping workstreams. These are not strictly sequential — experienced teams run several in parallel — but each has a critical-path dependency you need to plan around.

AI inventory and classification (Article 6 / Annex III): 1–3 weeks. Before anything else, every system you build or deploy needs to be identified and classified. This means answering, for each system: does it fall within an Annex III category? Does the Article 6(3) filter apply? What is your role? Companies that have never done this often discover systems they had forgotten, or find that a tool procured by one business unit implicates provider-level obligations because it was substantially modified before deployment.

Risk management system (Article 9): 3–6 weeks to establish, ongoing thereafter. The Article 9 risk management system is not a one-time document — it is a recurring process: identify foreseeable risks to health, safety, and fundamental rights; estimate and evaluate; adopt risk measures; test that they work. The initial stand-up of the process, including writing the risk management plan, populating the risk register, and documenting residual risks, typically takes three to six weeks. Maintaining it is a permanent operational obligation.

Data and data governance (Article 10): weeks to months — often the long pole. Providers must be able to show that data collection practices, labelling, and curation decisions are documented; that known biases have been identified and addressed; and that the dataset is appropriate for the intended purpose. For a company starting from solid data documentation, this is four to six weeks of structured work. For a company that relied on ad hoc practices, the gap analysis alone takes weeks, and remediation can stretch the total to three or four months. Do not underestimate this workstream. It is the most common reason high-risk compliance programmes miss their planned completion dates.

Annex IV technical documentation (Article 11): 4–8 weeks. The Annex IV documentation pack is a structured file covering nine content areas: a general system description and intended purpose; a description of components and the development process; information on training methodology and data; design specifications and architecture; performance metrics and testing results; risk management documentation; changes over the system's lifecycle; standards applied; and post-market monitoring arrangements. Assembling this from scratch — writing, gathering evidence, and getting internal sign-off — typically takes four to eight weeks. Note that Article 11(3) provides a simplified format for small providers, which reduces effort somewhat.

Record-keeping and logging (Article 12): 2–4 weeks (parallel). Article 12 requires that high-risk AI systems generate logs automatically covering the system's operating period, sufficient to ensure the system can be monitored after deployment. Implementing logging to meet this requirement is largely a technical task, typically completed in parallel with documentation and testing. Plan two to four weeks for implementation and testing.

Human oversight (Article 14): 2–4 weeks (parallel with data and documentation). Article 14 requires that high-risk systems be designed and developed so that natural persons can effectively oversee the system during its use, intervene if necessary, and avoid over-reliance on the system's output. Translating this into operational procedure — user interface design, intervention controls, training for human reviewers, and documented oversight protocols — typically takes two to four weeks and runs alongside the technical file assembly.

Accuracy, robustness, and cybersecurity testing (Article 15): 3–6 weeks (overlapping with Articles 10 and 12). Testing against the accuracy, robustness, and cybersecurity requirements of Article 15 requires a test plan, a test dataset, and documented results. For systems involving sensitive personal data or operating in adversarial environments, cybersecurity testing alone can add weeks. Plan for this workstream to overlap with the later stages of Article 10 data governance and Article 12 logging.

Quality management system (Article 17): 2–8 weeks, depending on what exists. Article 17 requires providers to maintain a quality management system covering design, development, testing, monitoring, and incident management. Companies that already operate under ISO 9001 or ISO/IEC 42001 will find significant overlap and can adapt existing processes. Companies building from nothing will take six to eight weeks to put a credible QMS in place.

Conformity assessment, Declaration of Conformity, and registration (Articles 43, 47, 49): 2–5 weeks for internal-control route; longer if a notified body is involved. For most Annex III categories (points 2–8), the conformity assessment uses the Annex VI internal-control route: the provider internally reviews the documentation and testing against the requirements and issues an Article 47 EU Declaration of Conformity. This is largely a review-and-sign-off exercise once the earlier workstreams are complete — typically two to three weeks. Registration in the EU database under Article 49 follows. For point 1 biometric systems where harmonised standards are not applied, the Annex VII notified-body route is required; notified bodies have their own timelines, and engaging one typically adds six to twelve weeks depending on queue depth and the complexity of the assessment.

Why "we'll start in 2027" fails

The deadline for high-risk Annex III stand-alone systems is 2 December 2027. Working backwards from that date with a realistic programme of 5–7 months, a high-risk provider needs to have its programme substantially under way by April or May 2027 at the latest. If data lineage is weak — a situation that is more common than not — the programme needs to start by early 2027 to allow time for both remediation and documentation.

Two obligations are not waiting for December 2027. Article 5 prohibited practices have applied since 2 February 2025 — using AI for social scoring by public authorities, real-time remote biometric identification in public spaces for law enforcement outside the narrow exceptions, subliminal manipulation, and other banned practices is already unlawful. Article 4 AI literacy — requiring providers and deployers to take measures to ensure their staff have sufficient AI literacy — has also applied since 2 February 2025. Companies that have not yet addressed either of these are not "early starters" preparing for 2027; they are already non-compliant.

The Digital Omnibus deferral is breathing room for the documentation-heavy high-risk stack. It is not a signal that the Act is less serious than it appeared; it is a recognition that the documentation and assessment work is genuinely extensive and cannot be compressed below a minimum. Starting later does not make it faster — it makes it more expensive, because compressed timelines mean more consultant hours, parallel workstreams under pressure, and corner-cutting risks in the areas that are hardest to fix retrospectively (data governance especially).

How to compress the timeline

You cannot compress all of it, but the following materially reduces elapsed time.

Start with the AI inventory and classification. This is the prerequisite for everything else. Until you know which systems are high-risk and what role you hold, you do not know the scope of the programme. Teams that spend weeks discussing compliance strategy before completing the inventory regularly discover mid-programme that their scope assumptions were wrong.

Parallelise the technical workstreams. Article 9 risk management, Article 10 data governance, Article 12 logging, Article 14 oversight, and Article 15 testing can run in overlapping tracks once the inventory is done. Sequential programmes take longer and create bottlenecks at every handoff.

Reuse templates. The Annex IV technical documentation structure is fixed. The Article 9 risk register structure is fixed. Building these from a structured template rather than from a blank document saves two to four weeks per system, especially for teams without prior experience of the format.

Address Article 4 AI literacy now. Literacy training for all staff involved in AI use or development is already legally required. Running this in the background while the technical programme is under way is sensible and eliminates an overdue obligation.

How Confir helps

Confir is a rule-based, deterministic EU AI Act compliance tool — not an AI-powered system. The same inputs produce the same outputs every time, and every finding maps to the specific rule that produced it, which matters for audit-defensibility.

On the workstreams above, Confir collapses the two most time-consuming phases — classification and technical file assembly — from weeks of consultant-guided work to a structured guided workflow. The classification engine applies Article 6 and Annex III logic via plain-English scenarios and derives your role (provider under Article 16 or deployer under Article 26) without requiring you to read 144 pages of regulation first. The Annex IV documentation pack and the Article 47 EU Declaration of Conformity are generated from your intake responses. The Article 9 risk register is maintained as a live document within the tool.

Confir starts at €600 per year. Self-serve, EU-hosted, credit-card checkout. See confir.eu for current plans.

Frequently Asked Questions

How long does EU AI Act compliance take for a company deploying a third-party AI tool?

For a company using a third-party AI tool in a non-high-risk context — general productivity, content drafting, internal search — the compliance effort is light: AI inventory (days), Article 4 AI literacy measures for staff (one to two weeks), and basic documentation. If the tool is customer-facing and falls under Article 50 (a chatbot, emotion-recognition output, or synthetic-content generation), add two to three weeks for disclosure implementation. The deployer's heaviest obligations arise only when the tool is genuinely high-risk — classification under Article 6 and Annex III is therefore the first question to answer.

Is the 2 December 2027 deadline firm, or will it slip again?

The 2 December 2027 date reflects the Digital Omnibus political agreement reached between the European Parliament and the Council in May 2026, with formal adoption expected before 2 August 2026. There is no current proposal for a further deferral. Planning on 2 December 2027 as the operative deadline is the correct approach; high-risk AI embedded in Annex I regulated products has a separate date of 2 August 2028.

What is the longest part of a high-risk compliance programme?

Data governance under Article 10 is consistently the longest workstream for providers who have not previously documented their training data. Identifying data sources, demonstrating representativeness, documenting known biases and mitigations, and getting that documentation into the form required by Annex IV can take months where records are sparse. Starting this workstream early — even before the full classification exercise is complete for all systems — is worthwhile if your organisation relies on data that was not assembled with compliance in mind.

Does a company need a notified body for the EU AI Act conformity assessment?

For most high-risk Annex III systems, the Annex VI internal self-assessment route is available — the provider internally reviews the documentation and issues the Article 47 Declaration of Conformity. The Annex VII notified-body route is required for Annex III point 1 biometric systems where harmonised standards have not been applied, and it adds six to twelve weeks depending on the notified body's availability. High-risk AI in Annex I regulated products (medical devices, machinery) follows an integrated assessment under Article 43(3) that is managed through the relevant product-law conformity route, not the standalone AI Act procedure.

Can a company wait until 2027 to start its high-risk compliance programme?

Waiting until January 2027 to start is a high-risk strategy in a different sense of the term. A programme covering data governance remediation and full Annex IV documentation needs five to nine months of active work. Beginning in January 2027 for a December 2027 deadline leaves no margin for the discovery of data-lineage gaps or notified-body queue delays. Starting in the second half of 2026 — now, in other words — is the more defensible position, and it has the advantage of addressing the already-live Article 4 AI literacy obligation at the same time.

Are the Article 5 prohibited-practice and Article 4 AI literacy obligations already in force?

Yes. Both applied from 2 February 2025. Article 5 prohibits specific high-harm uses outright — among them, real-time remote biometric identification of natural persons in publicly accessible spaces for law-enforcement purposes (outside narrow exceptions), social scoring by public authorities, and manipulation of persons through subliminal techniques. Article 4 requires all providers and deployers to take measures ensuring their staff have sufficient AI literacy. Neither has a future effective date; neither is part of the Digital Omnibus deferral.

What does EU AI Act compliance cost?

Costs vary widely. Consultant-led programmes for a single high-risk system typically run from €20,000 to €80,000 or more depending on system complexity and data governance starting point. Tool-assisted self-serve compliance — using structured templates and a classification engine — substantially reduces that figure. Confir starts at €600 per year for self-serve compliance covering registration, classification, and technical file generation for one or more systems.
