Article 89 — Time limitation in proceedings (EU AI Act)

Article 89 of Regulation (EU) 2024/1689 — Time limitation in proceedings. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 89 of Regulation (EU) 2024/1689 (the EU AI Act) establishes harmonised time limitation rules governing enforcement proceedings for infringements of the Regulation. It sets out two distinct limitation periods that national market surveillance and enforcement authorities across the European Union must observe.

First, Article 89 establishes a five-year limitation period for the imposition of penalties. This period begins on the date on which the infringement was committed. For continuing or repeated infringements — for example, where a provider places a non-compliant high-risk AI system on the market over an extended period — the limitation period runs from the date on which the infringing conduct ceased.

Second, Article 89 provides a three-year limitation period for the actual enforcement of any penalty once it has been formally imposed by a competent authority and the decision has become final.

Critically, both periods are subject to interruption mechanisms. Limitation periods for the imposition of penalties are interrupted whenever a competent authority takes an investigative or procedural act in connection with the infringement. Upon each interruption, the period starts running afresh from the beginning. However, the Regulation provides that proceedings cannot be extended indefinitely through successive interruptions: an absolute ceiling applies so that operators retain legal certainty about their maximum exposure.

Article 89 thereby balances the public interest in effective enforcement of AI Act obligations against the fundamental right of operators to legal certainty, ensuring that authorities act within reasonable and foreseeable timeframes.

What This Means in Practice

Article 89 has direct and concrete implications for providers, deployers, importers, and distributors of AI systems operating in the European Union, as well as for the national market surveillance authorities designated under Article 70 of the Regulation.

For operators, the five-year limitation period means that historic non-compliance cannot be pursued indefinitely. A provider who placed a high-risk AI system on the market in breach of Chapter III requirements — for instance, without completing the conformity assessment required by Article 43, or without registering in the EU database under Article 71 — faces a finite window of exposure to administrative penalties. Once the limitation period has run without an interrupting act from a competent authority, enforcement proceedings can no longer be initiated for that specific infringement.

For continuing obligations — such as ongoing failures to maintain post-market monitoring plans under Article 72, or persistent breaches of transparency obligations under Article 50 — the clock does not start running until the breach actually ends. Operators cannot therefore benefit from the limitation period simply by ignoring obligations over many years while the system remains deployed.

For legal and compliance teams, Article 89 shapes document retention strategies. Evidence relevant to demonstrating conformity — technical documentation, risk assessments, quality management system records — should be preserved for at least five years after any AI system is placed on the market or put into service, to enable a defence if enforcement proceedings are initiated late in the limitation window.

For national authorities, Article 89 imposes discipline on enforcement timelines, encouraging prompt investigation and penalisation rather than the indefinite accumulation of files.

Key Obligations

• Five-year imposition period: Competent authorities must initiate and conclude penalty imposition proceedings within five years of the date of the infringement, or of the date on which a continuing infringement ceased.
• Three-year enforcement period: Once a penalty decision is final, authorities must enforce it within three years; lapsed decisions cannot be executed.
• Interruption of limitation periods: Each investigative or enforcement act taken by a competent authority interrupts the running of the limitation period, restarting the five-year clock from the point of interruption.
• Absolute ceiling on interruptions: Notwithstanding successive interruptions, an absolute outer limit applies to prevent indefinite prolongation of uncertainty for operators.
• Continuing infringements rule: For infringements of a continuing nature, the limitation period commences only upon cessation of the conduct, meaning ongoing non-compliance does not benefit from the passage of time.
• Document retention alignment: Operators should calibrate their technical documentation and conformity records retention periods to at least five years post-market placement to remain capable of defending proceedings within the limitation window.

Relationship to Other Articles

Article 89 sits within Title IX of the EU AI Act, which governs post-market monitoring and market surveillance, and it functions as a procedural safeguard that conditions the exercise of the enforcement powers distributed across that Title.

It must be read alongside Article 70 (market surveillance authorities and their designation), which identifies the competent bodies whose procedural acts are capable of interrupting limitation periods. The investigative tools granted by Article 74 (powers of market surveillance authorities) and Article 79 (national supervisory measures) generate the types of interrupting acts that Article 89 contemplates.

Article 99 (penalties) and Article 101 (administrative fines for GPAI model providers) define the substantive penalties whose imposition and enforcement are time-limited by Article 89. Without understanding the penalty framework, the practical significance of the limitation periods cannot be assessed.

Finally, Article 78 (confidentiality) is relevant because the investigative acts that interrupt limitation periods may involve the exchange of confidential business information, meaning that interruption acts are not always publicly visible to the operator at the moment they occur.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal of the European Union. Article 89 forms part of the market surveillance and enforcement framework, which applies progressively in line with the Regulation's phased schedule.

The prohibition on unacceptable-risk AI practices (Title II) became enforceable from 2 February 2025. Infringements of those prohibitions committed from that date onward are immediately subject to the five-year limitation period established by Article 89.

Rules applicable to general-purpose AI (GPAI) models under Title VIII became applicable from 2 August 2025. From that date, enforcement proceedings against GPAI model providers are also governed by the Article 89 limitation framework.

The obligations applicable to high-risk AI systems under Annex I (safety-component systems in regulated sectors) apply from 2 August 2026, while high-risk systems listed in Annex III become fully subject to enforcement from 2 August 2027. The Article 89 limitation clock for those categories starts running from the dates of first infringement after the relevant application date.

Operators should note that the five-year limitation period will begin accumulating immediately upon first non-compliance after each applicable date, meaning that documentation and evidence preservation must begin in parallel with the Regulation's phased rollout — not retrospectively.