EU AI Act Article 110: Transitional Provisions for Union Institutions — 36-Month Grace Period, EDPS Enforcement, and Procurement Implications (2026)
Article 110 of the EU AI Act creates a dedicated transitional regime for Union institutions, bodies, offices, and agencies — separate from the Art.108 transitional provisions that apply to private-sector providers and deployers. The key difference: Union institutions get 36 months from the regulation's full application date (August 2, 2026), giving them until August 2, 2029 to bring existing AI systems into full compliance.
Understanding Art.110 matters for two developer audiences: teams building AI systems for EU institutions as contractors or procurement respondents, and teams at EU institutions managing AI system inventories and compliance timelines internally.
This guide covers:
- The Art.110 transition timeline and how it differs from Art.108
- What "already in use" means for the grace period to apply
- EDPS enforcement jurisdiction versus national competent authorities
- The AI Office oversight role under Art.91 for Union institutions
- Substantial modification as the trigger that resets the Art.110 clock
- Registration obligations for high-risk AI during the transition period
- Internal governance requirements during the 36-month window
- Procurement implications for developers contracting with EU institutions
- Python tooling for tracking Art.110 compliance timelines
- A 30-item Art.110 transitional readiness checklist
The Art.110 Transition Structure
Article 110(1) establishes the core provision:
Union institutions, bodies, offices and agencies shall bring artificial intelligence systems which are already in use before [the full application date] into compliance with this Regulation by [36 months after the full application date].
This creates a two-tier timeline:
| Date | Event |
|---|---|
| August 2, 2026 | EU AI Act full application date (Art.113) |
| August 2, 2029 | Art.110 deadline for Union institutions to comply with all requirements |
The 36-month window applies to AI systems that were already in use before August 2, 2026. New AI systems deployed by Union institutions after August 2, 2026 are not covered by Art.110 — they must comply from the date of deployment.
Art.110 vs. Art.108: Key Differences
The private-sector transitional provision (Art.108) and the Union institution provision (Art.110) look similar in structure but differ in important ways:
| Dimension | Art.108 (Private sector) | Art.110 (Union institutions) |
|---|---|---|
| Grace period | 24 months (for Annex III) / 36 months (for Annex I) | 36 months (uniform) |
| Deadline | August 2, 2028 (Annex III) | August 2, 2029 |
| Enforcement authority | National competent authorities | EDPS |
| Conformity assessment | Notified body or self-assessment | Internal governance-led process |
| Registration | Art.51 database | Art.51 — but operationalisation unclear |
The extra 12 months in Art.110 compared with Art.108 (Annex III) reflects legislative recognition that Union institution procurement and governance processes are slower than private-sector product cycles.
EDPS Enforcement: Why It Matters
Under Art.100 of the EU AI Act, the European Data Protection Supervisor (EDPS) is designated as the competent authority for supervising Union institutions' compliance with the regulation.
This creates a fundamentally different enforcement context compared to private-sector providers:
- No national authority jurisdiction: The German BNetzA, French CNIL (as AI market surveillance authority), or any other national competent authority cannot supervise or sanction EU institutions for AI Act violations. Only the EDPS has this competence.
- EDPS and data protection expertise: The EDPS's supervisory experience is primarily in data protection (Regulation 2018/1725). The AI Act adds a new regulatory layer. The EDPS will develop AI-specific supervisory methodology, but this is nascent as of 2026.
- No public fines regime: The EU AI Act's fine structure (Art.99: up to €35M or 7% global turnover for violations) does not apply to Union institutions in the same way as private entities. The EDPS has different corrective power tools (orders, recommendations, referrals to the European Parliament/Council).
For developers building AI systems for EU institutions: the EDPS enforcement context means compliance expectations will be set through guidance documents and supervisory assessments rather than through market surveillance penalties.
The AI Office Oversight Role (Art.91)
Art.91 creates the EU AI Office within the European Commission, with oversight responsibilities that include monitoring Union institution AI deployment. The AI Office's role in the Art.110 context:
- Coordination: The AI Office coordinates AI governance across Union institutions, including through the Interinstitutional AI Committee
- Guidance: The AI Office issues guidance on AI Act compliance that applies to Union institutions (not just private-sector providers)
- Monitoring: The AI Office can request information from Union institutions about AI system inventories and compliance status
The Interinstitutional AI Committee — a coordination body for AI governance across EU institutions — plays a key role in the Art.110 transition. It is expected to develop shared compliance frameworks, template documentation, and common assessment methodologies that individual institutions can use during the 36-month window.
For developers: if your AI system is deployed across multiple EU institutions, the Interinstitutional AI Committee's guidance will likely create de facto standardised compliance requirements that your technical documentation must satisfy.
Substantial Modification: The Clock Reset Trigger
Art.3(23) defines substantial modification as a change that affects the AI system's compliance with the regulation or changes the intended purpose. Under Art.110, a substantial modification to a Union institution AI system that was in use before August 2, 2026 resets the transitional clock.
A modified system is treated as a new system placed on the market — it must comply from the modification date, not from the Art.110 deadline.
What counts as substantial modification in Union institution AI contexts:
| Change | Likely Classification |
|---|---|
| New use case not in original procurement scope | Substantial modification |
| Integration with a new data source that changes output distribution | Likely substantial modification |
| Update to underlying model (new model version from supplier) | Assess against performance delta |
| Configuration change within original parameters | Not substantial modification |
| Bug fix with no performance impact | Not substantial modification |
| Deployment to new organisational unit with different risk profile | Likely substantial modification |
For procurement teams: changes that fall within the original contract scope and do not affect the AI system's risk profile are generally not substantial modifications. Changes that expand scope or change the use case typically are.
Registration During the Transition Period
Art.51 of the EU AI Act requires registration of high-risk AI systems in an EU database before market placement (or, for deployers, before deployment). The application of Art.51 to Union institutions during the Art.110 transition period is operationally ambiguous:
- The Art.51 database is operated by the European Commission, which is itself a Union institution subject to Art.110
- Union institution AI systems may qualify as high-risk under Annex III (particularly those used in HR decisions, access to public services, or safety-critical functions)
- The Interinstitutional AI Committee is expected to develop guidance on registration obligations during the transition period
For developers building high-risk AI for EU institutions: include a registration support component in your compliance documentation, but confirm the applicable registration pathway with the procuring institution's legal/compliance team as the Art.51 database operationalisation for Union institutions matures.
Internal Governance Requirements During the 36-Month Window
Despite the 36-month transition period, Union institutions are not permitted to ignore the EU AI Act until August 2029. Article 110 implies ongoing governance obligations during the transition:
| Obligation | Timeline |
|---|---|
| AI system inventory (identify all AI systems in use) | Immediately (needed to assess Art.110 scope) |
| Classify AI systems by risk category (prohibited / high-risk / limited-risk / minimal-risk) | By end of 2026 |
| Identify systems requiring full compliance by Art.110 deadline | By end of 2026 |
| Internal AI strategies and impact assessments | 2026–2027 |
| Full compliance for all in-scope systems | August 2, 2029 |
The AI literacy obligation under Art.4 applies from February 2, 2025 — there is no Art.110 exemption for this. Union institution staff interacting with AI systems must receive AI literacy training from February 2025 onwards.
Prohibited practices under Art.5 have also applied since February 2, 2025, with no Art.110 exemption. Union institutions cannot use prohibited AI practices during the transition period.
Procurement Implications for Developers
If you are developing AI systems that EU institutions may procure, Art.110 creates specific documentation and contractual requirements:
Pre-August 2026 procurement (systems in use before the deadline):
- Your system is eligible for Art.110 transition provisions on the institution's side
- But your own compliance as a provider is governed by Art.108, not Art.110
- Include Art.110 compliance roadmap documentation in tender responses
Post-August 2026 procurement (new deployments):
- Art.110 transition does not apply — the institution must deploy compliant systems from day one
- Your tender documentation must demonstrate full EU AI Act compliance
- Annex IV technical documentation required for high-risk systems
Tender specification clauses to expect post-August 2026:
- Conformity declaration or notified body certificate for high-risk Annex III systems
- Technical documentation meeting Annex IV requirements
- Art.9 risk management system documentation
- Art.13 transparency obligations for user-facing interfaces
- Art.14 human oversight design specifications
Python Tooling: Union Institution Compliance Tracker
```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class AISystemRiskLevel(Enum):
    PROHIBITED = "prohibited"
    HIGH_RISK = "high_risk"
    LIMITED_RISK = "limited_risk"
    MINIMAL_RISK = "minimal_risk"


class ComplianceStatus(Enum):
    IN_USE_BEFORE_DEADLINE = "in_use_before_deadline"
    DEPLOYED_AFTER_DEADLINE = "deployed_after_deadline"
    COMPLIANT = "compliant"
    PENDING_TRANSITION = "pending_transition"
    REQUIRES_IMMEDIATE_ACTION = "requires_immediate_action"


# Key dates used throughout this guide
FULL_APPLICATION_DATE = date(2026, 8, 2)
ART110_DEADLINE = date(2029, 8, 2)
PROHIBITED_PRACTICES_DATE = date(2025, 2, 2)
AI_LITERACY_DATE = date(2025, 2, 2)


@dataclass
class UnionInstitutionAISystem:
    system_id: str
    name: str
    description: str
    risk_level: AISystemRiskLevel
    first_use_date: date
    annex_iii_category: Optional[str] = None
    substantial_modifications: list[date] = field(default_factory=list)
    compliance_status: ComplianceStatus = ComplianceStatus.PENDING_TRANSITION


class UnionInstitutionTransitionalTracker:
    """
    Tracks AI system compliance timelines for Union institutions under Art.110.
    """

    def __init__(self, institution_name: str):
        self.institution_name = institution_name
        self.systems: dict[str, UnionInstitutionAISystem] = {}

    def register_system(self, system: UnionInstitutionAISystem) -> None:
        self._classify_system(system)
        self.systems[system.system_id] = system

    def _classify_system(self, system: UnionInstitutionAISystem) -> None:
        # Prohibited practices have no transition period at all.
        if system.risk_level == AISystemRiskLevel.PROHIBITED:
            system.compliance_status = ComplianceStatus.REQUIRES_IMMEDIATE_ACTION
            return

        # The latest substantial modification replaces the first-use date
        # as the date the system counts as having entered use.
        effective_start = system.first_use_date
        if system.substantial_modifications:
            effective_start = max(system.substantial_modifications)

        if effective_start < FULL_APPLICATION_DATE:
            system.compliance_status = ComplianceStatus.IN_USE_BEFORE_DEADLINE
        else:
            system.compliance_status = ComplianceStatus.DEPLOYED_AFTER_DEADLINE

    def check_compliance_deadline(self, system_id: str) -> dict:
        system = self.systems[system_id]
        today = date.today()

        if system.compliance_status == ComplianceStatus.REQUIRES_IMMEDIATE_ACTION:
            return {
                "system_id": system_id,
                "status": "IMMEDIATE ACTION REQUIRED",
                "reason": "Prohibited AI practice — Art.5 applies from 2025-02-02",
                "days_overdue": (today - PROHIBITED_PRACTICES_DATE).days,
            }

        if system.compliance_status == ComplianceStatus.IN_USE_BEFORE_DEADLINE:
            # Negative once the Art.110 deadline has passed.
            days_remaining = (ART110_DEADLINE - today).days
            return {
                "system_id": system_id,
                "status": "ART110_TRANSITION",
                "deadline": str(ART110_DEADLINE),
                "days_remaining": days_remaining,
                "compliant_by": str(ART110_DEADLINE),
                "risk_level": system.risk_level.value,
            }

        if system.compliance_status == ComplianceStatus.DEPLOYED_AFTER_DEADLINE:
            return {
                "system_id": system_id,
                "status": "FULL_COMPLIANCE_REQUIRED",
                "reason": "Deployed after August 2, 2026 — Art.110 transition does not apply",
                "risk_level": system.risk_level.value,
            }

        return {"system_id": system_id, "status": "COMPLIANT"}

    def record_substantial_modification(self, system_id: str, modification_date: date) -> None:
        system = self.systems[system_id]
        system.substantial_modifications.append(modification_date)
        # Re-run classification so a post-deadline modification ends the transition.
        self._classify_system(system)
        print(
            f"[Art.110] Substantial modification recorded for {system_id} on {modification_date}. "
            f"New status: {system.compliance_status.value}. "
            f"If modified after 2026-08-02: full compliance required immediately."
        )

    def generate_inventory_report(self) -> dict:
        return {
            "institution": self.institution_name,
            "report_date": str(date.today()),
            "total_systems": len(self.systems),
            "by_status": {
                status.value: sum(
                    1 for s in self.systems.values() if s.compliance_status == status
                )
                for status in ComplianceStatus
            },
            "immediate_action_required": [
                s.system_id
                for s in self.systems.values()
                if s.compliance_status == ComplianceStatus.REQUIRES_IMMEDIATE_ACTION
            ],
            "art110_transition_eligible": [
                s.system_id
                for s in self.systems.values()
                if s.compliance_status == ComplianceStatus.IN_USE_BEFORE_DEADLINE
            ],
        }
```
Usage Example
```python
tracker = UnionInstitutionTransitionalTracker("European Commission DG DIGIT")

tracker.register_system(UnionInstitutionAISystem(
    system_id="EC-AI-001",
    name="HR Screening Tool",
    description="AI-assisted CV screening for Commission staff recruitment",
    risk_level=AISystemRiskLevel.HIGH_RISK,
    first_use_date=date(2024, 3, 15),
    annex_iii_category="Annex III(4)(a) — Employment and workers management",
))

tracker.register_system(UnionInstitutionAISystem(
    system_id="EC-AI-002",
    name="Document Classification System",
    description="Automatic classification of incoming correspondence",
    risk_level=AISystemRiskLevel.MINIMAL_RISK,
    first_use_date=date(2023, 6, 1),
))

# Check compliance deadlines
for sys_id in ["EC-AI-001", "EC-AI-002"]:
    result = tracker.check_compliance_deadline(sys_id)
    print(result)

# Record a substantial modification
tracker.record_substantial_modification("EC-AI-001", date(2026, 9, 15))

# Generate inventory report
report = tracker.generate_inventory_report()
print(report)
```
Art.110 Transitional Readiness Checklist (30 Items)
Inventory and Classification (by end of 2026)
- Complete inventory of all AI systems in use before August 2, 2026
- Each system classified: prohibited / high-risk / limited-risk / minimal-risk
- Annex III category assigned for all high-risk systems
- Substantial modification history documented for all systems
- Systems deployed after August 2, 2026 identified (not Art.110 eligible)
Immediate Obligations (no Art.110 exemption)
- Art.5 prohibited practices review complete — no prohibited AI in use
- Art.4 AI literacy training programme implemented (from 2025-02-02)
- Staff using AI systems have received AI literacy training
Art.110 Transition Planning
- Compliance roadmap created for each high-risk AI system
- Internal compliance deadline set before August 2, 2029
- Responsible person assigned for each system's compliance
- Budget allocated for compliance work during transition period
- Procurement contracts reviewed for supplier compliance obligations
Governance Structure
- Interinstitutional AI Committee liaison designated
- EDPS supervisory contact established
- AI Office engagement plan in place
- Internal AI governance policy approved at management level
- AI system change control process includes substantial modification assessment
High-Risk System Compliance (by August 2, 2029)
- Art.9 risk management system established for each high-risk AI
- Art.10 data governance documentation complete
- Art.11 technical documentation (Annex IV) complete
- Art.12 logging capability implemented
- Art.13 transparency information provided to users
- Art.14 human oversight measures implemented
- Art.15 accuracy, robustness, cybersecurity assessment complete
Registration
- Art.51 registration pathway confirmed with EDPS/AI Office
- High-risk AI systems registered in EU database (when operational)
Procurement
- Pre-August 2026 contracts reviewed for Art.110 eligibility
- Post-August 2026 procurement templates updated for full compliance requirements
- Tender evaluation criteria include EU AI Act compliance documentation
See Also
- EU AI Act Art.113: Application Dates — When Does the AI Act Apply? — the four application dates that set the Art.110 transition start point
- EU AI Act Art.9: Risk Management System for High-Risk AI (2026) — the Art.9 obligation that Union institutions must meet by August 2029
- EU AI Act Art.8: Compliance Requirements for High-Risk AI Systems (2026) — the Art.8 activation clause and Art.9–15 compliance framework