Last updated: March 2026
The EU AI Act doesn’t switch on overnight. Since entering into force on 1 August 2024, its obligations are being phased in over three years — with different deadlines applying to different risk categories, roles in the supply chain, and types of AI systems. Some deadlines have already passed. Others are months away. And the Digital Omnibus proposal may push certain dates further.
This guide provides the complete implementation timeline, explains what applies at each phase, clarifies who is affected, and covers the potential impact of the Digital Omnibus on your compliance roadmap.
The Complete EU AI Act Timeline at a Glance
| Date | What Happens | Who Is Affected |
|---|---|---|
| 1 August 2024 | AI Act enters into force | Everyone — the clock starts |
| 2 February 2025 | Prohibited AI practices banned; AI literacy obligations apply | All operators of AI systems |
| 2 August 2025 | GPAI model obligations apply; governance infrastructure must be in place; penalty regime takes effect; member states designate national competent authorities | GPAI model providers; member states |
| 2 February 2026 | Commission publishes guidelines on high-risk AI classification | All operators of high-risk AI systems |
| 2 August 2026 | High-risk AI obligations (Annex III) apply; transparency obligations (Article 50) apply; regulatory sandboxes must be operational; GPAI penalty enforcement begins | Providers and deployers of high-risk AI systems; all AI system operators with transparency obligations |
| 2 August 2027 | High-risk AI obligations for product-embedded systems (Annex I) apply; GPAI models placed on market before August 2025 must be compliant; full enforcement for all remaining provisions | Providers of AI systems embedded in regulated products; legacy GPAI providers |
| 2 August 2030 | Legacy high-risk AI systems used by public authorities must be brought into compliance | Public authorities using pre-existing high-risk AI systems |
| 31 December 2030 | Large-scale IT systems (Annex X) in freedom, security, and justice must comply | Operators of large-scale EU IT systems |
Phase-by-Phase EU AI Act Timeline Breakdown
Phase 1: Entry into Force (1 August 2024)
The AI Act was formally adopted on 13 June 2024 and entered into force on 1 August 2024. No obligations applied immediately — this date simply started the phased implementation clock.
Phase 2: Prohibitions and AI Literacy (2 February 2025) ✅ ALREADY IN EFFECT
Six months after entry into force, the first substantive obligations kicked in. These are now enforceable.
Prohibited AI practices (Article 5) are banned outright:
| Prohibited Practice | Description |
|---|---|
| Social scoring | AI systems that evaluate individuals based on social behaviour or personality characteristics for detrimental treatment |
| Subliminal manipulation | AI systems deploying subliminal techniques to materially distort behaviour, causing significant harm |
| Exploitation of vulnerabilities | AI systems exploiting vulnerabilities of specific groups (age, disability, social or economic situation) |
| Real-time remote biometric identification | In publicly accessible spaces for law enforcement (with limited exceptions) |
| Emotion recognition in workplace/education | AI systems inferring emotions of employees or students (with limited exceptions) |
| Untargeted scraping for facial recognition | Creating facial recognition databases through untargeted scraping of images from internet or CCTV |
| Biometric categorisation on sensitive characteristics | Categorising individuals based on biometric data to infer race, political opinions, religious beliefs, sexual orientation |
| Predictive policing based solely on profiling | AI systems making risk assessments of individuals predicting criminal offences based solely on profiling or personality traits |
AI literacy (Article 4): All providers and deployers of AI systems must ensure their staff has a sufficient level of AI literacy. Note: the Digital Omnibus proposes to shift this responsibility to member states and the Commission instead.
Penalties for prohibited practices: Up to €35 million or 7% of global annual turnover, whichever is higher. This is the highest penalty tier in the AI Act.
Phase 3: GPAI and Governance (2 August 2025) ✅ ALREADY IN EFFECT
One year after entry into force, obligations for general-purpose AI models and the institutional framework kicked in.
GPAI model providers must now comply with:
| Obligation | Description |
|---|---|
| Technical documentation | Maintain and make available detailed technical documentation about the model |
| Training data transparency | Publish a sufficiently detailed summary of training data content |
| Copyright compliance | Implement a policy to comply with EU copyright law, particularly the text and data mining opt-out |
| Downstream provider information | Provide information and documentation to downstream providers integrating the model |
GPAI models with systemic risk face additional obligations: adversarial testing, incident monitoring and reporting to the AI Office, cybersecurity protections, and energy consumption reporting.
Governance infrastructure now operational: The EU AI Office, the AI Board (member state representatives), the Scientific Panel, and the Advisory Forum are all operational. Member states were required to designate national competent authorities (notifying authorities and market surveillance authorities) and communicate them to the Commission by this date.
Penalty regime: Administrative fines are now enforceable for most obligations — up to €35M/7% for prohibited practices, up to €15M/3% for other violations, and up to €7.5M/1% for supplying incorrect information. However, penalties specific to GPAI model providers are deferred until August 2026.
Code of Practice: The GPAI Code of Practice was published on 10 July 2025, providing guidance for GPAI providers. A second draft of the Code of Practice on marking and labelling AI-generated content was published in March 2026.
Phase 4: The Big One — High-Risk AI and Transparency (2 August 2026)
This is the date that matters most for the majority of organisations. The bulk of the AI Act’s obligations become enforceable.
High-risk AI systems (Annex III) must comply with:
| Requirement | Article | Description |
|---|---|---|
| Risk management system | Art. 9 | Continuous, iterative risk identification, assessment, and mitigation throughout the AI system lifecycle |
| Data governance | Art. 10 | Quality criteria for training, validation, and testing datasets |
| Technical documentation | Art. 11 | Comprehensive documentation per Annex IV before market placement |
| Record-keeping | Art. 12 | Automatic logging of events throughout the system’s lifetime |
| Transparency and information | Art. 13 | Instructions for use enabling deployers to interpret outputs and use the system appropriately |
| Human oversight | Art. 14 | Technical measures enabling effective human oversight of the AI system |
| Accuracy, robustness, cybersecurity | Art. 15 | Appropriate levels of accuracy, robustness, and cybersecurity throughout the lifecycle |
| Quality management system | Art. 17 | Documented QMS covering all aspects of compliance |
| Conformity assessment | Art. 43 | Assessment of compliance before market placement (self-assessment or third-party depending on system type) |
| EU database registration | Art. 49 | Registration in the EU public database before market placement |
| Post-market monitoring | Art. 72 | Monitoring system proportionate to the nature of the AI system and its risks |
High-risk use cases under Annex III include:
| Category | Examples |
|---|---|
| Biometrics | Remote biometric identification, emotion recognition, biometric categorisation |
| Critical infrastructure | Safety components in management of road traffic, water, gas, heating, electricity |
| Education | Systems determining access to education, evaluating learning outcomes, monitoring prohibited behaviour during exams |
| Employment | Recruitment, CV screening, task allocation, performance monitoring, promotion/termination decisions |
| Access to essential services | Credit scoring, creditworthiness assessment, risk assessment in life and health insurance |
| Law enforcement | Individual risk assessment, polygraphs, evidence evaluation, crime prediction |
| Migration and border control | Risk assessment, document verification, asylum application examination |
| Administration of justice | Research and interpretation assistance for courts |
Transparency obligations (Article 50) apply: AI systems interacting with people (chatbots) must disclose their artificial nature. AI-generated content (deepfakes, synthetic media) must be labelled. Emotion recognition and biometric categorisation systems must inform users.
Additional milestones on this date: Each member state must have at least one operational AI regulatory sandbox. Penalties for GPAI model providers become enforceable. Market surveillance authorities gain full investigatory and enforcement powers.
Phase 5: Product-Embedded AI and Legacy Systems (2 August 2027)
The remaining provisions apply, completing full enforcement.
Annex I systems — high-risk AI systems that are safety components of regulated products (medical devices, machinery, vehicles, toys, lifts, radio equipment, civil aviation, etc.) — must comply with all high-risk requirements.
Legacy GPAI models placed on the market before August 2025 must have taken all necessary compliance steps by this date.
Full enforcement: All remaining provisions are applicable. The AI Act is fully effective.
Phase 6: Long-Term Compliance (2030)
Public authority legacy systems: High-risk AI systems used by public authorities that were placed on the market or put into service before August 2026 must be brought into compliance by 2 August 2030.
Large-scale IT systems: AI systems that are components of large-scale IT systems in the area of freedom, security, and justice (listed in Annex X) must be brought into compliance by 31 December 2030.
The Digital Omnibus: What Might Change
In November 2025, the European Commission published the Digital Omnibus proposal, which could significantly alter the timeline for high-risk AI compliance. The proposal is currently being debated by the European Parliament and Council.
Key proposed changes:
| Current Deadline | Proposed New Deadline | What’s Affected |
|---|---|---|
| 2 August 2026 | Up to 2 December 2027 | High-risk AI systems under Annex III |
| 2 August 2027 | Up to 2 August 2028 | High-risk AI systems under Annex I (product-embedded) |
| 2 August 2026 | 2 February 2027 | AI-generated content marking (Article 50(2)) for systems already on market |
How the delay mechanism works: The high-risk obligations would not kick in until the Commission confirms that adequate compliance support tools (harmonised standards, common specifications, guidelines) are available. Once confirmed, obligations apply six months later for Annex III systems and twelve months later for Annex I AI systems. The backstop dates (December 2027 and August 2028) apply regardless.
Other proposed changes:
| Change | Impact |
|---|---|
| AI literacy obligation shifted to member states and Commission | Reduces direct burden on providers and deployers |
| Registration requirement removed for systems self-assessed as not high-risk | Reduces administrative overhead |
| SME simplifications extended to small mid-cap enterprises (under 750 employees, under €150M revenue) | Wider access to simplified compliance |
| Processing of sensitive personal data allowed for bias detection and correction | Removes a significant barrier to responsible AI development |
| Codes of practice become soft law only | Commission loses power to make them binding |
| EU-level AI regulatory sandbox established under AI Office | New centralised testing environment |
Critical caveat: The Digital Omnibus is a proposal, not law. It must pass through Parliament and Council negotiations. Compliance experts uniformly advise treating August 2026 as the binding deadline until any changes are formally adopted. Organisations banking on the delay are taking a significant compliance risk.
In February 2026, rapporteurs in the European Parliament proposed setting fixed deadlines of December 2027 (Annex III) and August 2028 (Annex I), with MEPs proposing further amendments on issues ranging from AI-generated sexual deepfakes to AI Office resourcing. The final outcome remains uncertain.
How EYREACT Can Help
With enforcement in August 2026, the compliance window is closing. EYREACT automates EU AI Act compliance from risk classification to audit-ready documentation, giving you the structured infrastructure to meet every deadline on this timeline.
Our platform tracks 400+ rules derived directly from the AI Act, manages evidence across Living Compliance Binders, and monitors & updates your compliance status in real time so you always know where you stand.
Timeline by Role in the AI Value Chain
Different actors face different deadlines. Here’s when key obligations become applicable by role:
| Role | Feb 2025 | Aug 2025 | Aug 2026 | Aug 2027 |
|---|---|---|---|---|
| Provider (high-risk, Annex III) | Prohibited practices; AI literacy | — | Full high-risk obligations, QMS, conformity assessment, registration, post-market monitoring | — |
| Provider (high-risk, Annex I) | Prohibited practices; AI literacy | — | — | Full high-risk obligations |
| Provider (GPAI, new models) | Prohibited practices; AI literacy | Technical documentation, transparency, copyright, downstream info | GPAI penalty enforcement | — |
| Provider (GPAI, legacy models) | Prohibited practices; AI literacy | — | — | Full GPAI compliance |
| Deployer (high-risk) | Prohibited practices; AI literacy | — | Human oversight, input data monitoring, information obligations, FRIA | — |
| Importer | Prohibited practices; AI literacy | — | Verify provider compliance, CE marking, documentation | Annex I product verification |
| Distributor | Prohibited practices; AI literacy | — | Verify CE marking, provider/importer compliance | Annex I product verification |
| Authorised Representative | — | — | AR obligations under Art. 22: documentation custody, authority liaison, compliance verification | — |
What You Should Be Doing Right Now to Beat the Clock?
Here’s a prioritised action plan to catch up with EU AI Act timeline:
| Priority | Action | Why Now |
|---|---|---|
| Immediate | Complete AI system inventory and risk classification | You need to know what you have before you can comply |
| Immediate | Determine your role per system (provider, deployer, both) | Obligations differ significantly by role |
| Immediate | Verify no prohibited practices are in use | These have been enforceable since February 2025 |
| High | Begin risk management documentation for high-risk systems | Article 9 requires continuous, iterative risk management — start now |
| High | Start technical documentation per Annex IV | This is extensive and cannot be done last minute |
| High | Establish quality management system | Article 17 requires documented QMS covering all compliance areas |
| High | Implement human oversight measures | Article 14 requires technical measures enabling effective oversight |
| Medium | Plan conformity assessment approach | Self-assessment vs third-party — know which applies to you |
| Medium | Prepare for EU database registration | Registration must happen before market placement |
| Medium | Establish post-market monitoring system | Article 72 requires ongoing monitoring proportionate to risk |
| Ongoing | Monitor Digital Omnibus negotiations | Timeline may shift, but don’t count on it |
Penalty Structure
| Violation | Maximum Fine | Effective From |
|---|---|---|
| Prohibited AI practices (Article 5) | €35 million or 7% of global annual turnover | February 2025 |
| Non-compliance with high-risk obligations | €15 million or 3% of global annual turnover | August 2026 |
| Supplying incorrect information to authorities | €7.5 million or 1% of global annual turnover | August 2025 |
| SME/startup penalty reductions | Lower of the two amounts (fixed vs percentage) | Same as above |
FAQ
When does the EU AI Act come into full effect?
The AI Act entered into force on 1 August 2024, but its obligations apply in phases. The most significant deadline for most organisations is 2 August 2026, when high-risk AI system requirements and transparency obligations become enforceable. Full enforcement, including product-embedded AI systems, is complete by 2 August 2027.
Has the August 2026 deadline been delayed?
Not yet. The European Commission’s Digital Omnibus proposal (November 2025) suggests extending high-risk deadlines to December 2027 (Annex III) and August 2028 (Annex I), conditional on the availability of harmonised standards. However, this proposal is still being negotiated and has not been adopted. Until formally passed, August 2026 remains the binding deadline.
What happens if I miss the August 2026 deadline?
Non-compliance with high-risk AI obligations can result in administrative fines of up to €15 million or 3% of global annual turnover, whichever is higher. Market surveillance authorities can also order withdrawal of AI systems from the market, mandate corrective actions, or restrict market access.
Do the rules apply to AI systems already on the market?
Yes. The AI Act applies to all operators of high-risk AI systems in place before August 2026. There is no blanket grandfather clause. However, high-risk systems lawfully on the market before the rules apply can continue operating without new certification if no significant design changes occur — this was clarified in the Digital Omnibus proposal.
Does the AI Act apply outside the EU?
Yes. Like the GDPR, the AI Act has extraterritorial reach. It applies to any provider placing an AI system on the EU market or putting it into service in the EU, regardless of where the provider is established. Non-EU providers must also appoint an authorised representative in the EU for high-risk systems and GPAI models.
What is the difference between Annex I and Annex III high-risk systems?
Annex I covers AI systems that are safety components of products already regulated by EU harmonisation legislation (medical devices, machinery, vehicles, etc.). These have until August 2027. Annex III lists specific use cases classified as high-risk by their application domain (employment, credit scoring, law enforcement, etc.). These must comply by August 2026.
When do GPAI obligations apply?
GPAI model obligations have been enforceable since 2 August 2025 for new models. Legacy GPAI models (placed on the market before August 2025) have until 2 August 2027 to comply.
What is the GPAI Code of Practice?
Published on 10 July 2025, the Code of Practice provides guidance for GPAI model providers on meeting their obligations, including transparency, copyright compliance, and safety evaluations. A separate Code of Practice on marking and labelling AI-generated content is under development, with a second draft published in March 2026.
When must AI regulatory sandboxes be operational?
Each EU member state must have at least one operational AI regulatory sandbox by 2 August 2026. The Digital Omnibus also proposes giving the AI Office authority to establish an EU-level sandbox.
What is the AI Pact?
Announced in September 2024, the AI Pact is a voluntary initiative where over 100 companies pledged to work toward early AI Act compliance. Signatories committed to identifying high-risk AI systems, promoting AI literacy, and preparing governance frameworks ahead of mandatory deadlines.
This article is for informational purposes only and does not constitute legal advice. Organisations should seek qualified legal counsel for jurisdiction-specific compliance guidance.
