Annex I of the EU AI Act covers AI systems that are safety components of products already regulated under EU product safety legislation — medical devices, machinery, vehicles, aviation, toys. The compliance deadline is 2 August 2028, extended by 24 months by the 2026 Digital Omnibus.
What Annex I covers — AI embedded in regulated products
Annex I of the EU AI Act lists EU legislation governing product safety. When an AI system constitutes a safety component of a product covered by these laws, that AI system is classified as high-risk under Art. 6(1). The deadline is 2 August 2028, extended by 24 months by the 2026 Digital Omnibus.
The defining characteristic: the AI is embedded within a regulated product and performs a safety-critical function. The AI is not placed on the market independently — it ships as part of the product.
Which product legislation triggers Annex I?
| EU legislation | AI examples |
|---|---|
| Machinery Regulation (2023/1230) | AI-based collision avoidance, robotic control systems, predictive maintenance for safety functions |
| Medical Devices Regulation (MDR 2017/745) | AI diagnostic tools in imaging, AI-assisted surgical robots, clinical decision support systems |
| In Vitro Diagnostic Regulation (IVDR 2017/746) | AI for pathology analysis, AI-assisted lab diagnostics |
| Motor Vehicles type-approval (2018/858 + related) | AI for autonomous driving functions, ADAS safety systems |
| Agricultural vehicles (167/2013) | AI safety systems in tractors and agricultural machinery |
| Marine Equipment Directive (2014/90) | AI navigation and safety systems on vessels |
| Civil aviation (EASA framework) | AI in flight control, navigation, and safety monitoring |
| Railways (2016/797) | AI in train control, signalling, and collision prevention |
| Lifts (2014/33) | AI safety monitoring in lifts and escalators |
| Personal protective equipment (2016/425) | AI-integrated PPE with safety functions |
| Pressure equipment (2014/68) | AI safety monitoring in pressure vessels |
| Toys (2009/48) | AI systems in toys with safety-relevant functions |
| Recreational craft (2013/53) | AI navigation systems in boats |
| Radio equipment (2014/53) | AI in radio equipment with safety functions |
How Annex I conformity assessment works
Unlike Annex III (which has its own standalone conformity procedure), Annex I compliance is integrated into the existing conformity assessment for the relevant sector legislation.
For medical devices (MDR/IVDR): The MDR/IVDR conformity assessment (Annex IX Technical Documentation review, or Annex X Type Examination) is extended to cover AI Act requirements. Technical documentation must additionally include:
- AI-specific risk management (Art. 9)
- Training and validation data description (Art. 10)
- Accuracy, robustness, and cybersecurity measures (Art. 15)
- Human oversight design (Art. 14)
The MDR/IVDR notified body handles the combined assessment where qualified. Where an AI Act notified body is required separately, coordination between the two is needed.
For machinery and vehicles: Similar integration applies. The type-approval or conformity assessment procedure for the product is extended to include AI Act requirements. The technical file is a combined document.
Obligations for providers of Annex I AI (by 2 August 2028)
| Obligation | Article | How it integrates |
|---|---|---|
| Risk management | Art. 9 | Added to existing product risk assessment |
| Data governance | Art. 10 | Training/validation data documented in technical file |
| Technical documentation | Art. 11 | Combined with sector-specific technical file |
| Transparency | Art. 13 | Instructions for professional users/deployers |
| Human oversight | Art. 14 | Designed into product safety architecture |
| Accuracy and robustness | Art. 15 | Tested as part of product performance validation |
| QMS | Art. 17 | Extended to cover AI lifecycle |
| Conformity assessment | Art. 43 + Annex VII | Via existing sector legislation procedure |
| Registration | Art. 71 | EU AI database registration |
| CE marking | Art. 48 | Existing CE marking on product covers AI component |
Why 2028 — and what to do now
The 24-month extension acknowledges real-world complexity: coordinating AI Act compliance across two overlapping regulatory regimes (sector law + AI Act) while harmonised standards are still being developed takes longer than it does for standalone systems.
But the extension is not a reason to wait. Start now on:
- AI inventory — identify which products contain AI safety components
- Classification — confirm which qualify as Annex I high-risk (safety component test)
- Gap assessment — map current technical documentation against Art. 11/Annex IV requirements
- Notified body engagement — determine whether your current MDR/IVDR/Machinery notified body is also designated for AI Act assessment, or whether coordination with a separate AI notified body is needed
- QMS extension — begin extending your ISO 13485 (medical) or ISO 9001 (machinery) QMS to cover AI lifecycle requirements
Notified body capacity for AI Act assessments will be constrained as 2028 approaches. Early engagement is a competitive advantage.
Intersection with DORA and NIS2
Medical device manufacturers and industrial equipment providers in critical sectors also face NIS2 obligations. AI systems embedded in networked medical devices or critical infrastructure equipment may simultaneously be Annex I high-risk AI (AI Act), subject to NIS2 security measures, and — if used in financial contexts — DORA ICT requirements.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Frequently Asked Questions
Annex I of the EU AI Act lists existing EU product safety legislation. AI systems that are safety components of products governed by this legislation — such as medical devices (MDR/IVDR), machinery, motor vehicles, aviation equipment, or toys — are classified as high-risk under Art. 6(1). These systems must comply by 2 August 2028.
Annex I AI compliance is integrated into the existing conformity assessment procedure for the relevant product safety legislation. A medical device AI, for example, is assessed under MDR Annex IX or X — the AI Act requirements are added to that process. There is no separate AI-only certification procedure for Annex I systems.
The 2026 Digital Omnibus granted Annex I embedded systems an additional 24-month extension (vs. 16 months for Annex III standalone). The extra time reflects the additional complexity of coordinating AI Act conformity assessment across two overlapping regulatory regimes — the sector-specific legislation and the AI Act — simultaneously.
No separate AI-only certification. The AI Act compliance is conducted within the existing MDR/IVDR conformity assessment. Notified bodies designated under the AI Act (for AI) may need to be involved alongside MDR/IVDR notified bodies. The technical documentation covers both the device's safety requirements and the AI-specific requirements.