EU AI Act Enforcement Dates and Deadlines: Complete Timeline

The EU AI Act Timeline Is Already Underway

Here is the thing most teams get wrong: they treat the EU AI Act as a future problem. It is not. It entered into force on August 1, 2024, and its provisions are rolling out in phases through 2027. Some obligations bite right now. Others land in the coming months. The one that will reshape the most businesses, full compliance for high-risk AI systems, arrives on August 2, 2026.

A phased rollout sounds gentle. It is not, because it means different rules switch on at different moments, and which ones apply to you depends on the kind of AI system, its risk classification, and where you sit in the AI value chain. Miss a deadline and you are not just carrying legal exposure on paper. You are looking at administrative fines of up to 35 million EUR or 7% of worldwide annual turnover for the worst violations.

We wrote this guide to lay out the full enforcement timeline, every major date in one place. We explain what each deadline actually means once it hits, and we give you concrete things to do before each milestone.

The Foundation: Entry Into Force and the AI Office

August 1, 2024 | Entry Into Force

The EU AI Act (Regulation (EU) 2024/1689) landed in the Official Journal of the European Union on July 12, 2024, and entered into force 20 days later on August 1, 2024. That is the date that started the clock on every enforcement deadline that follows.

Entry into force is not the same as enforceability, and the difference matters. The regulation runs on a staggered model: different chapters switch on at different intervals after that August 1 start date.

February 2, 2025 | AI Office Establishment Deadline

By this date, the European Commission had to stand up the AI Office. Think of it as the central EU-level body running implementation and enforcement for the whole Act. Its responsibilities include:

• Developing guidelines and implementing acts for the regulation
• Coordinating enforcement actions across Member States
• Managing the EU database of high-risk AI systems
• Overseeing compliance of general-purpose AI (GPAI) models
• Helping shape the development of codes of practice

The AI Office was formally set up and became operational in early 2024, ahead of this deadline, sitting inside the European Commission's Directorate-General for Communications Networks, Content and Technology (DG CNECT).

Phase 1: Prohibited Practices (Already Enforceable)

February 2, 2025 | Banned AI Practices Take Effect

This was the first real enforcement milestone, and it has teeth. Since February 2, 2025, the following AI practices have been prohibited outright under Article 5 of the AI Act:

• Subliminal manipulation: AI systems that deploy subliminal techniques beyond a person's consciousness to materially distort behaviour in a manner likely to cause significant harm
• Exploitation of vulnerabilities: AI systems that exploit vulnerabilities of specific groups of persons due to their age, disability, or social or economic situation
• Social scoring: AI systems by public authorities (or on their behalf) that evaluate or classify natural persons based on their social behaviour or personality characteristics, leading to detrimental treatment
• Real-time remote biometric identification in publicly accessible spaces by law enforcement, except in narrowly defined circumstances
• Untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases
• Emotion recognition in workplaces and educational institutions, except for medical or safety reasons
• Biometric categorisation to infer sensitive attributes (race, political opinions, trade union membership, religious beliefs, sex life or sexual orientation), except for certain law enforcement purposes

What this means today: if your organisation runs any AI system that lands in one of these prohibited categories, you are already in breach. Full stop. The penalties here are the harshest in the entire Act: fines of up to 35 million EUR or 7% of worldwide annual turnover, whichever is higher.

Want the practice-by-practice breakdown and a way to audit your own systems against it? We cover that in our guide on EU AI Act Prohibited Practices.

Preparation Status Check

• Have you audited all your AI systems against the prohibited practices list?
• Have you removed or decommissioned any systems that fall within the prohibitions?
• Have you documented your assessment and conclusions?

Phase 2: AI Literacy and Governance Obligations

February 2, 2025 | AI Literacy Obligation (Article 4)

This one is easy to overlook, and that is the danger. Also live since February 2, 2025, Article 4 says providers and deployers must make sure their staff, and anyone else operating or using AI systems on their behalf, carry a sufficient level of AI literacy. It applies to every AI system you touch, not only the high-risk ones.

The regulation defines AI literacy as the skills, knowledge, and understanding that let providers, deployers, and affected people make informed decisions about deploying AI, weighing their rights and obligations, the intended purpose of the system, and the risks and benefits in play.

What this means today: you should already have AI literacy training running for everyone who works with AI systems. Not just the engineers. Business users, procurement teams, and management all count.

Phase 3: General-Purpose AI Obligations

August 2, 2025 | GPAI Model Obligations Take Effect

The next big marker lands on August 2, 2025. That is when the obligations for general-purpose AI (GPAI) models under Chapter V of the AI Act become enforceable.

What counts as a GPAI model? One trained on a large amount of data using self-supervision at scale, showing significant generality, and able to competently handle a wide range of distinct tasks. The large language models (LLMs) you already know, GPT-4, Claude, Gemini, and Llama, are the headline examples.

Obligations for All GPAI Model Providers (Article 53)

From August 2, 2025, all GPAI model providers must:

• Prepare and keep up-to-date technical documentation of the model, including its training and testing processes, and the results of the model's evaluation
• Provide information and documentation to downstream providers who integrate the GPAI model into their AI systems
• Establish a policy to respect EU copyright law, including the text and data mining opt-out provisions of the Copyright Directive
• Publish a sufficiently detailed summary about the content used for training the GPAI model, using a template provided by the AI Office

Additional Obligations for Systemic Risk GPAI Models (Article 55)

Some GPAI models carry a heavier load. Models classified as posing systemic risk (those trained with total computing power exceeding 10^25 floating point operations (FLOPs), or designated by the Commission based on certain criteria) face additional obligations:

• Performing model evaluations, including adversarial testing, to identify and mitigate systemic risks
• Assessing and mitigating possible systemic risks at the EU level
• Tracking, documenting, and reporting serious incidents and possible corrective measures to the AI Office and relevant national competent authorities
• Ensuring an adequate level of cybersecurity protection for the model and its physical infrastructure

Codes of Practice Timeline

The Act leans on codes of practice as the route for GPAI model providers to show they comply. The AI Office was asked to encourage and help draw these up, aiming to have them ready by August 2, 2025, the same date GPAI obligations switch on. Sign up to an approved code of practice and you can lean on it to demonstrate compliance until harmonised standards are in place.

What to do now: if you provide or use GPAI models, treat the August 2, 2025 deadline as live. Review the technical documentation requirements, work out whether any of your models might be tagged as systemic-risk, and keep an eye on the codes of practice as the AI Office develops them.

Phase 4: The Big Deadline for High-Risk AI Obligations

August 2, 2026 | Full High-Risk AI Obligations Take Effect

This is the big one. More organisations will feel August 2, 2026 than any other date on this list, because that is when the full set of obligations for high-risk AI systems listed in Annex III becomes enforceable. Providers and deployers both. No exceptions.

Annex III high-risk AI systems cover AI used in:

1. Biometric identification and categorisation of natural persons
2. Management and operation of critical infrastructure (including road traffic, water, gas, heating, and electricity supply)
3. Education and vocational training (determining access, evaluating learning outcomes, assessing appropriate levels of education)
4. Employment, workers management, and access to self-employment (recruitment, CV screening, performance evaluation, promotion and termination decisions)
5. Access to and enjoyment of essential private and public services (creditworthiness assessment, emergency services dispatching, health and life insurance risk assessment)
6. Law enforcement (individual risk assessment, polygraphs, evidence evaluation, crime prediction)
7. Migration, asylum, and border control management (polygraphs, risk assessment, document authenticity verification)
8. Administration of justice and democratic processes (AI systems for applying the law to concrete facts, influencing the outcome of elections)

What Becomes Enforceable

From August 2, 2026, providers and deployers of Annex III high-risk AI systems must comply with:

• Risk management systems (Article 9): identifying and mitigating risks throughout the AI system lifecycle
• Data governance (Article 10): ensuring training data quality, relevance, representativeness, and freedom from bias
• Technical documentation (Article 11 and Annex IV): complete documentation of the system's design, development, testing, and performance
• Record-keeping and logging (Article 12): automatic logging of events during the AI system's operation
• Transparency and instructions for use (Article 13): providing deployers with information necessary for compliant use
• Human oversight (Article 14): designing systems for effective human oversight, including override capabilities
• Accuracy, robustness, and cybersecurity (Article 15): ensuring consistent performance and resilience
• Quality management systems (Article 17): systematic compliance governance
• Conformity assessment (Article 43): verifying compliance before market placement
• EU declaration of conformity (Article 47): formal declaration of compliance
• CE marking (Article 48): affixing the CE marking to compliant systems
• Registration in the EU database (Article 49): registering high-risk AI systems before market placement
• Post-market monitoring (Article 72): systematic ongoing performance monitoring
• Serious incident reporting (Article 62): reporting to national competent authorities

If you are a deployer, your side of the obligations includes:

• Appropriate use and oversight (Article 26): using systems according to instructions, assigning competent human oversight
• Fundamental rights impact assessment (Article 27): for public bodies and certain private deployers
• Input data relevance (Article 26(4)): ensuring input data is relevant to the intended purpose
• Monitoring and incident reporting (Article 26(5)): monitoring system operation and informing providers and authorities of risks

For the full breakdown of what providers and deployers each have to do, lean on our EU AI Act Compliance Checklist.

National Competent Authorities Deadline

Member States had to name their national competent authorities and notify the Commission by August 2, 2025. These are the bodies that enforce the AI Act on the ground, country by country. Each Member State must also designate or set up at least one notifying authority and at least one market surveillance authority.

Readiness is uneven, and that is worth knowing if you operate across borders. A few countries, notably France, Germany, the Netherlands, and Spain, moved early to build their AI regulatory structures. Plenty of others are still naming authorities and growing the capacity to enforce.

Phase 5: Extended Deadline for Certain High-Risk Systems

August 2, 2027 | Annex I High-Risk Systems (Products Under EU Harmonisation Legislation)

The last big enforcement deadline is August 2, 2027. That is when obligations kick in for high-risk AI systems that are safety components of products, or are themselves products, covered by the EU harmonisation legislation listed in Annex I. This sweeps in AI systems subject to:

• Machinery Regulation (2023/1230)
• Toy Safety Directive (2009/48/EC)
• Recreational Craft Directive (2013/53/EU)
• Lifts Directive (2014/33/EU)
• Radio Equipment Directive (2014/53/EU)
• Pressure Equipment Directive (2014/68/EU)
• Cableway Installations Regulation (2016/424)
• Personal Protective Equipment Regulation (2016/425)
• Appliances Burning Gaseous Fuels Regulation (2016/426)

One catch worth flagging: AI systems that are medical devices (covered under the MDR/IVDR in Annex II) run on a different clock. Their AI Act obligations apply from August 2, 2026, not 2027, because they sit under the Annex III high-risk classification too.

What this means: if your AI system is a safety component of a product regulated under any of the legislation listed in Annex I, you have until August 2, 2027 to reach full compliance. Do not let that breathing room fool you. Start preparing now, because the conformity assessment process for these products often pulls in third-party notified bodies, and their review queues are long.

Complete Timeline Summary

Date	Milestone	Key Obligations
July 12, 2024	Publication in Official Journal	N/A
August 1, 2024	Entry into force	All deadlines begin counting
February 2, 2025	Prohibited practices enforceable	Article 5 bans apply; AI literacy obligation (Article 4)
August 2, 2025	GPAI obligations apply	Technical documentation, copyright compliance, training data summaries; national competent authority designation deadline
August 2, 2026	High-risk AI (Annex III) obligations apply	Full provider and deployer obligations for all Annex III high-risk systems
August 2, 2027	High-risk AI (Annex I products) obligations apply	Full obligations for AI in products under EU harmonisation legislation

Preparation Advice for Each Deadline

For February 2, 2025 (Already Past: Verify Compliance)

This deadline has come and gone. If you have not done these yet, do them today:

1. Audit against prohibited practices. Run every AI system in your portfolio against the Article 5 prohibitions. Write down what you find. If a system falls inside a prohibition, decommission it or change it so it falls outside the prohibition's scope.
2. Implement AI literacy training. Ensure all relevant staff have completed it. Document the training, its content, and attendance records.
3. Review and remediate. If you discover gaps, address them immediately. The penalties for prohibited practices are already enforceable.

For August 2, 2025 (Immediate Priority)

4. GPAI model providers: Prepare technical documentation, establish copyright compliance policies, and draft training data summaries
5. Downstream integrators: Identify all GPAI models used in your AI systems and ensure your providers are prepared to supply the required documentation
6. Monitor codes of practice: Track the AI Office's development of codes of practice and assess whether signing up to one would strengthen your compliance position

For August 2, 2026 (Primary Planning Horizon)

7. Classify all AI systems by risk level. Use the Annex III categories to determine which systems are high-risk.
8. Determine your role. Map your organisation to provider, deployer, importer, or distributor for each AI system.
9. Conduct gap analysis. Compare your current compliance posture against every requirement in Articles 8-27.
10. Build or extend your quality management system. Implement systematic processes for compliance governance.
11. Prepare technical documentation. Complete Annex IV documentation for all high-risk systems.
12. Implement human oversight protocols. Design and document oversight mechanisms for each high-risk system.
13. Conduct conformity assessments. Complete internal or third-party conformity assessments as required.
14. Register in the EU database. Prepare for registration of all high-risk AI systems.
15. Establish post-market monitoring. Put systematic performance monitoring in place for every high-risk system.
16. Conduct fundamental rights impact assessments. Complete before deploying high-risk systems (mandatory for public bodies, strongly recommended for all deployers).

Want to see which platforms can carry the weight of this process for you? We line them up side by side in Best EU AI Act Compliance Tools Compared.

For August 2, 2027

17. Product manufacturers: Coordinate AI Act compliance with existing product safety conformity assessments
18. Engage notified bodies early. Third-party assessment capacity is limited; book early to avoid delays.
19. Integrate AI Act requirements into product development cycles. Treat AI Act compliance as a design requirement, not a post-development add-on.

Delegated and Implementing Acts: The Details Still Being Written

The AI Act hands a lot of rulemaking authority to the European Commission, and not all of that work is finished. Several delegated and implementing acts are still being drafted, and they will fill in detail the framework currently leaves open:

• Harmonised standards: The Commission has tasked European standardisation organisations (CEN, CENELEC, ETSI) with developing harmonised standards for the AI Act. Compliance with these standards will provide a presumption of conformity with the regulation's requirements. Development is ongoing, with initial standards expected by late 2025 or early 2026.
• Common specifications: Where harmonised standards are not available, the Commission may adopt common specifications as implementing acts. Providers that comply with common specifications will also enjoy a presumption of conformity.
• High-risk system classification amendments: The Commission can update the list of high-risk AI systems in Annex III through delegated acts, adding or modifying categories as technology and risks evolve.
• Benchmarks and metrics: The AI Office is developing benchmarks for evaluating GPAI models, including methodologies for assessing systemic risk.

Keep a close watch on these. The day-to-day reality of compliance will be shaped in large part by the standards and specifications that come out of this work.

Enforcement and Penalties Quick Reference

The Act ties the size of the penalty to the seriousness of what you did:

Violation	Maximum Fine
Prohibited AI practices (Article 5)	35 million EUR or 7% of worldwide annual turnover
High-risk AI obligations (Chapters 2-3, Title III)	15 million EUR or 3% of worldwide annual turnover
Incorrect information to authorities	7.5 million EUR or 1% of worldwide annual turnover

There is a bit of relief built in for SMEs and startups: the regulation says fines should be proportionate, and the lower of the two amounts (fixed sum or percentage of turnover) applies. Do not exhale too soon, though. Even the reduced figure can be an existential hit for a smaller company.

For the full picture of how enforcement plays out in practice, read our guide on EU AI Act Fines and Enforcement.

What You Should Do Today

Wherever you are on the road to compliance, here is what to do right now:

1. Know your deadlines. Use this timeline to identify which obligations already apply to you and which are approaching.
2. Inventory your AI systems. You cannot comply with regulations you do not understand. Document every AI system your organisation develops, deploys, or distributes.
3. Classify by risk. Work out which systems are high-risk, which are GPAI, and which fall under the prohibited practices. Our EU AI Act Risk Assessment Guide gives you a structured method to do it.
4. Assign ownership. Compliance requires clear internal accountability. Designate a responsible person or team for AI Act compliance.
5. Start with what is already enforceable. If you have not verified compliance with the prohibited practices and AI literacy obligations, do that today.
6. Plan for August 2, 2026. This is the deadline that touches the most organisations. Kick off your compliance programme now, not six months from now.

Start Your Free Compliance Assessment

The EU AI Act's timeline is aggressive on purpose. The Commission gave organisations real time to prepare, but it locked the protections for consumers and citizens to fixed dates that are not moving. Here is what we have learned watching teams work through it: the ones who read the timeline and plan backwards from each deadline get there with room to spare. The ones who wait until a deadline is breathing down their neck pay for it twice, in rushed compliance costs and in enforcement risk, with their access to the EU market on the line. Pick your earliest deadline and start working back from it today.

Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.