In one sentence: Most high-risk AI systems register in the EU Commission's centralized database (Article 49/71) rather than with any national authority — the national-registration path is a narrow exception for critical infrastructure, and the August 2, 2026 deadline most people are racing toward is very likely about to move to December 2, 2027.
Last reviewed: June 29, 2026 — this page tracks a regulatory process that is changing in real time; check the status box below before relying on any date in this article.
Status as of June 29, 2026 — verify before acting: The EU AI Act's high-risk system deadline is mid-transition. On May 7, 2026, EU negotiators reached a provisional political agreement (the "Digital Omnibus on AI") to push the Annex III high-risk compliance deadline — including EU database registration — from 2 August 2026 to 2 December 2027 (a 16-month deferral). The European Parliament approved this agreement on 16 June 2026. Formal adoption by the Council and publication in the Official Journal are expected in July 2026, ahead of the original August 2 date. Until that publication happens, the original 2 August 2026 deadline remains the legally binding one on paper. Treat December 2, 2027 as the very likely outcome, but confirm formal adoption before standing down any registration work that's already in motion.
TL;DR
Registration of a high-risk AI system happens in the centralized EU database (established under Article 71, registration obligation under Article 49) — not, for most systems, through a separate "national portal." The exception: AI systems used in critical infrastructure (Annex III, point 2) register at national level under Article 49(5), and systems used in law enforcement, migration, asylum, and border control go into a secure, non-public section of the same EU database, accessible only to the Commission and national authorities. The deadline for most of this is very likely moving from August 2026 to December 2027, but the registration mechanics themselves — what you need and how the process works — don't change either way, so preparing now isn't wasted effort regardless of which date ends up applying to your system.
Key takeaways:
- Most high-risk AI systems register centrally with the EU Commission's database, not with a national authority directly — the "national authority" angle applies specifically to critical-infrastructure systems and to the non-public law-enforcement/migration/border-control section.
- You cannot register without finished technical documentation (Annex IV) and a completed conformity assessment — registration is the last step, not the first.
- The Digital Omnibus deadline shift, if formally adopted as expected in July 2026, applies to Annex III (use-based) systems. It does not currently affect prohibited-practice rules (already in force since February 2025) or general-purpose AI model obligations (already in force since August 2025).
- AI systems embedded in regulated products (Annex I — medical devices, machinery, etc.) have their own separate timeline, now expected to move to August 2, 2028 under the same Omnibus package.
Decision Tree: Do You Need to Register, and Where?
Is your AI system listed in Annex III?
│
├─ No → No EU AI Act registration obligation (re-check if use case changes)
│
└─ Yes
│
├─ Is it a critical infrastructure system (Annex III, point 2)?
│ └─ Yes → Register at NATIONAL level with your Member State's designated authority (Article 49(5))
│
├─ Is it used in law enforcement, migration, asylum, or border control (Annex III, points 1, 6, 7)?
│ └─ Yes → Register in the SECURE, NON-PUBLIC section of the EU database (Article 49(4))
│
├─ Have you assessed it as NOT high-risk under Article 6(3), despite matching an Annex III category?
│ └─ Yes → Still register, in the public EU database, with a lighter information set (Article 49(2))
│
└─ None of the above → Register in the PUBLIC section of the EU database (Article 49(1), Article 71)
│
├─ Are you the provider? → You register the system itself, before placing it on the market
└─ Are you a public-authority deployer? → You also register your use of the system, before putting it into serviceIf you're not sure which branch applies, the most common error is assuming a system needs national registration when it's actually a standard Annex III case headed for the central EU database — confirm against the table below before searching for a country-specific form.
Provider vs. Deployer: Who Actually Files What
The Article 49 obligation falls differently depending on your role:
| Provider | Deployer | |
|---|---|---|
| Definition | Develops the AI system, or has it developed, and places it on the market under its own name | Uses an AI system under its own authority in a professional context |
| Registers the system itself? | Yes — before placing on the market or putting into service | No — the provider already did this |
| Registers anything? | N/A (already covered above) | Only if a public authority (or acting on behalf of one): registers its use of the system before putting it into service |
| Private-sector deployers | N/A | Not currently required to register under Article 49, but still have separate obligations under Article 26 (e.g., human oversight, monitoring) |
| Non-EU entity? | Must appoint an EU-based authorized representative, who then handles the Article 49 obligation | Same authorized-representative requirement does not apply — deployer obligations are tied to where the deployer operates |
If you license a third-party AI hiring tool rather than building one, you're almost certainly the deployer, not the provider — and unless you're a public authority, Article 49 registration isn't your filing to make at all. Your obligations sit under Article 26 and (if applicable) the Fundamental Rights Impact Assessment under Article 27 instead. See Secure Privacy's FRIA guide for what deployers specifically owe.
Who Actually Has to Register, and Where
| System type | Registers where | Who registers | Legal basis |
|---|---|---|---|
| Most Annex III high-risk systems (employment, credit scoring, education, biometric categorization, essential services) | Public section of the central EU database | Provider (and deployer, if a public authority putting the system into service) | Article 49(1)–(3), Article 71 |
| Critical infrastructure systems (Annex III, point 2 — e.g., AI managing electricity grids, water supply, road traffic safety components) | National level, via the Member State's designated authority | Provider | Article 49(5) |
| Law enforcement, migration, asylum, and border control systems (Annex III, points 1, 6, 7) | Secure, non-public section of the EU database | Provider/deployer | Article 49(4) |
| Systems the provider has assessed as not high-risk under Article 6(3), despite appearing in Annex III | Public section of the EU database (lighter information set) | Provider | Article 49(2), Article 6(4) |
"Register with your national authority" is only accurate for the critical-infrastructure carve-out. Everyone else is registering with a single, EU-wide database run by the Commission — which means there's no "Germany's portal" versus "France's portal" to navigate for the typical employment, credit-scoring, or education use case. If your AI system doesn't fall under critical infrastructure or law enforcement/migration/border control, you can stop looking for a national registration form — it doesn't exist for your case. For a broader walkthrough of how high-risk classification itself works, see Secure Privacy's high-risk AI checklist.
The Registration Process, Step by Step
Registration is the final administrative step in a longer compliance chain — you cannot submit to the database without the upstream work already done. Before you start, you need:
- ✔ Risk classification documented (Annex III category identified, or Article 6(3) non-high-risk assessment on file)
- ✔ Technical documentation complete (Annex IV — intended purpose, architecture, data description, risk management measures, performance metrics)
- ✔ Conformity assessment completed (self-assessment or notified-body assessment, depending on category)
- ✔ EU declaration of conformity issued and signed
- ✔ Annex VIII registration fields drafted (provider details, system ID, intended purpose, classification basis, conformity status)
- ✔ EU authorized representative appointed, if you're a non-EU provider
If any of these is missing, registration isn't the next step — finishing that item is.
Step 1: Confirm and document your risk classification.
Determine whether your system falls under an Annex III use case, and if you believe it doesn't despite appearing to match a category, document that assessment under Article 6(3) — you still have to register, just with a lighter information set. Get this wrong in either direction and you've either under-built your compliance program or wasted resources on controls you didn't need. Secure Privacy's classification drift guide covers how a system can move between categories as its use case evolves.
Step 2: Complete Annex IV technical documentation.
This includes the system's intended purpose, architecture, training/validation/testing data description, risk management measures, and performance metrics. The database registration form pulls directly from this file — you cannot complete registration without it already existing.
Step 3: Run the conformity assessment.
Most Annex III systems can self-assess against the requirements in Articles 9–15 (risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness). Biometric identification systems and a narrower set of categories require third-party assessment by a notified body. Confirm which path applies to your system before assuming self-assessment is sufficient.
Step 4: Issue the EU declaration of conformity.
A formal, signed declaration that the system meets all applicable requirements. This document is itself one of the fields you'll later reference in the registration form.
Step 5: Register in the EU database (or with your national authority, if critical infrastructure).
Per Annex VIII, the registration form requires:
- Provider details (legal name, address, contact, EU authorized representative if you're outside the EU)
- System identification (name, version, unique identifier)
- Intended purpose, matching what's documented in your Annex IV file
- The specific Annex III category and the basis for that classification
- Conformity assessment status and route taken (self-assessment vs. notified body)
Step 6: Keep the registration current.
Any substantial modification to the system requires an update to the registration. This isn't a one-time filing — treat it the way you'd treat a living document, not a launch checklist item you close out and forget.
For a structured way to track all of this across multiple systems rather than per-system spreadsheets, see Secure Privacy's 90-day AI Act implementation playbook.
Common Mistakes That Delay or Invalidate Registration
- Registering before the conformity assessment is actually finished, not just scheduled. The form asks for assessment status, and submitting with a pending or planned assessment as if it were complete is the kind of inaccurate filing that carries its own penalty tier under Article 99.
- Assuming "not high-risk" means "no registration." If your system matches an Annex III category and you've concluded it isn't high-risk under Article 6(3), you still register — just with a lighter field set. Skipping registration entirely on this basis is a common and costly misread of Article 6(4).
- Treating Annex I and Annex III timelines as the same date. Annex I (product-embedded) systems and Annex III (use-based) systems are on separate timelines, and the Digital Omnibus moves them by different amounts (12 months vs. 16 months). Don't apply one deadline to both.
- Looking for a national portal that doesn't exist for your system. Outside the critical-infrastructure and law-enforcement/migration/border-control carve-outs, there is no country-specific registration form — searching for "[Member State] AI Act registration portal" for a standard employment or credit-scoring system wastes time on something that doesn't apply.
- Letting the registration go stale after a system update. A substantial modification to the system requires an update to the registration — this is a recurring obligation, not a one-time filing you close out at launch.
What the Deadline Shift Actually Changes (and Doesn't)
If the Digital Omnibus is formally adopted as expected in July 2026, these are the dates that move — and the dates that don't:
| Date | Provision | Status | Note |
|---|---|---|---|
| 2 February 2025 | Prohibited AI practices (Article 5) | In force — unaffected | Not part of the Omnibus deferral |
| 2 August 2025 | General-purpose AI model obligations | In force — unaffected | Not part of the Omnibus deferral |
| 2 August 2026 | Annex III high-risk systems (original deadline) | Moving → 2 December 2027 | 16-month deferral, pending formal adoption |
| 2 August 2026 | Article 50 transparency/AI-content labeling | Unaffected — stays 2 August 2026 | Not part of the deferral, despite sharing the same original date |
| 2 December 2026 | New prohibition: AI-generated non-consensual intimate imagery and CSAM | New, unaffected by high-risk timeline | Added by the same Omnibus package |
| 2 August 2027 | Annex I high-risk systems (original deadline) | Moving → 2 August 2028 | 12-month deferral, same package |
| 2 August 2026 | Member State national AI regulatory sandboxes (original deadline) | Moving → 2 August 2027 | 1-year deferral, same package |
The practical implication: don't let "the deadline moved" turn into "we have until 2027 to think about this." Technical documentation, conformity assessment, and the underlying registers Article 49 depends on are months of work, and harmonized standards bodies are still finalizing the guidance you'll need to benchmark against either way.
FAQ
Do I need to wait for the Digital Omnibus to be formally adopted before I can register?
No — the EU database accepts registrations regardless of which deadline ultimately applies to your system. If your technical documentation and conformity assessment are ready, there's no reason to wait for the legislative process to conclude before submitting.
What happens if I register late?
High-risk system non-compliance carries fines of up to €15 million or 3% of global annual turnover, whichever is higher, under Article 99. Supplying incorrect information to authorities carries its own penalty tier of up to €7.5 million or 1% of turnover — so an inaccurate registration is its own distinct risk, separate from a missing one.
My AI system is a safety component in a piece of machinery. Does the August 2026 date apply to me?
Likely not directly, even before the Omnibus. Annex I (product-embedded) systems were already on a separate, later timeline (originally August 2027, now expected to move to August 2028 under the Omnibus). Don't assume the same date applies across Annex I and Annex III — they're governed differently.
Is the EU database public?
For most high-risk systems, yes — the database (Article 71) is publicly accessible, which is part of its transparency function. The exception is the law enforcement, migration, asylum, and border control section, which is restricted to the Commission and national authorities only.
We're a US company with no EU office — do we still register, and how?
Yes, if your high-risk AI system's output is used in the EU. You'll need an EU-based authorized representative, who is legally required to handle the registration obligation under Article 49 on your behalf, along with retaining your technical documentation and conformity declaration for 10 years. For a fuller breakdown of provider obligations by company type, see Secure Privacy's EU AI Act guide for CTOs.
What happens after I submit my registration?
The system receives a unique identifier in the EU database, which becomes public (except for the restricted law-enforcement/migration/border-control section). There's no separate "approval" step from the Commission for most categories — registration is a declaration, not a certification, so the legal weight still sits on your conformity assessment and technical documentation being accurate. Market surveillance authorities can and do check registered entries against the underlying documentation after the fact.
Can deployers register on their own, or does it always go through the provider?
Only public-authority deployers register anything under Article 49, and what they register is their use of an already-provider-registered system — not the system itself. Private-sector deployers (most companies licensing a third-party AI tool) don't file an Article 49 registration at all; their obligations sit elsewhere, primarily Article 26 and, where applicable, the Fundamental Rights Impact Assessment under Article 27.
Does this registration replace our internal AI inventory or risk register?
No, they're legally distinct. An internal AI register is a governance tool you maintain for your own risk management and audit purposes; the EU database registration is a specific legal filing tied to Article 49. You need both, and the internal register is genuinely the foundation the external filing draws from — not a duplicate of it.
Change Log
- June 29, 2026: Initial publication. Status reflects European Parliament approval of the Digital Omnibus on AI (16 June 2026); formal Council adoption and Official Journal publication still pending, expected July 2026.
This page will be updated when the Digital Omnibus is formally adopted and published. If you're reading this after that date and the status box above still says "pending," treat every date in this article as unconfirmed until checked against the Official Journal.
