Inferensys

Glossary

Legacy System Grace Period

A defined transitional timeline under the EU AI Act permitting high-risk AI systems already on the market before the regulation's application date to continue operating without immediate withdrawal, provided they achieve full registration compliance by a specified deadline.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
TRANSITIONAL COMPLIANCE

What is Legacy System Grace Period?

A defined transitional timeline under the EU AI Act allowing pre-existing high-risk AI systems already on the market to continue operating while achieving full registration compliance, preventing immediate market withdrawal.

A Legacy System Grace Period is a regulatory mechanism that exempts high-risk AI systems placed on the market or put into service before the EU AI Act's application date from immediate conformity assessment and EU AI Act Database registration. This transitional window prevents the abrupt, legally mandated withdrawal of critical infrastructure, allowing providers to retroactively compile the required technical documentation file and secure a Unique Registration ID without disrupting ongoing operations.

The duration of the grace period is strictly time-limited and typically applies only if the system has not undergone a substantial modification that alters its intended purpose. During this window, legacy systems must still comply with post-market monitoring obligations, and the provider must demonstrate a good-faith effort toward achieving full pre-market authorization equivalence before the transitional deadline expires.

Transitional Provisions

Key Characteristics of the Legacy System Grace Period

The EU AI Act defines a specific window during which high-risk AI systems already on the market can continue operating while providers work to achieve full registration compliance, preventing immediate market disruption.

01

Defined Transitional Timeline

The grace period is a fixed, non-extendable window defined by the EU AI Act's staggered enforcement dates. It applies exclusively to systems placed on the market or put into service before the Act's application date for high-risk categories. The exact duration depends on the system's classification, with critical infrastructure and safety components often having shorter transition periods than other high-risk categories. This timeline is calculated from the Act's entry into force, not from the date of an individual conformity assessment.

24-36 months
Typical Transition Window
02

Pre-Existing Market Placement

To qualify for the grace period, a system must have been lawfully placed on the Union market before the relevant obligations take effect. This means the system must have completed any previously required conformity procedures under existing legislation, such as the Machinery Directive or Medical Device Regulation. A system merely in development or beta testing does not qualify. The burden of proof rests on the provider to demonstrate the exact date of first market placement through commercial records and supply chain documentation.

03

Substantial Modification Trigger

The grace period is immediately voided if a legacy system undergoes a substantial modification. This is defined as any change to the system's intended purpose or a modification that materially alters its risk profile beyond what was covered in the original risk assessment. Routine software patches, security updates, and minor performance improvements that do not change the fundamental function or risk level do not trigger a new conformity assessment. The determination of what constitutes 'substantial' is a critical legal analysis point.

04

Ongoing Post-Market Monitoring

Even during the grace period, providers are not exempt from post-market monitoring obligations. Legacy systems must have a documented plan for collecting and analyzing real-world performance data. This includes:

  • Serious incident reporting to National Competent Authorities
  • Proactive data gathering on system malfunctions and unexpected behaviors
  • Retention of logs for auditability The monitoring system must be proportionate to the risk level and serve as the foundation for the eventual conformity assessment.
05

Registration Backlog Preparation

Providers must use the grace period to prepare a complete technical documentation file and EU database registration package. This includes compiling:

  • The intended purpose declaration
  • Training data provenance records
  • Residual risk disclosures
  • Results of the conformity assessment Waiting until the deadline approaches risks administrative bottlenecks at Notified Bodies. Proactive engagement with a National Competent Authority is recommended to clarify documentation expectations for legacy system architectures.
06

No Retroactive CE Marking

The grace period does not grant a retroactive CE marking. Legacy systems may continue to operate without the physical or digital CE mark until the transition deadline, provided they were legally placed on the market under prior rules. However, once the grace period expires, the system must either have obtained a CE marking through a completed conformity assessment or be withdrawn from the market. A market withdrawal notification must be filed if the provider chooses not to pursue compliance.

LEGACY SYSTEM COMPLIANCE

Frequently Asked Questions

Clarifying the transitional provisions for pre-existing high-risk AI systems under the EU AI Act, including registration deadlines, substantial modification triggers, and ongoing compliance obligations.

The legacy system grace period is a transitional timeline defined by the EU AI Act that allows high-risk AI systems already placed on the market or put into service before the regulation's application date to continue operating without immediate full compliance. Specifically, these pre-existing systems are exempt from the new conformity assessment and registration requirements for a defined window—typically two years after the Act becomes applicable—unless they undergo a substantial modification. This provision prevents market disruption by avoiding the immediate withdrawal of critical infrastructure AI, such as medical diagnostic software or industrial safety components, while still mandating eventual alignment with the Act's transparency and risk management obligations. The grace period clock starts from the date of application, not the date of publication, and providers must maintain detailed records proving the system's pre-existing status.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.