Author: Rimsha Zafar
July 14, 2026

The Complete EU AI Act Timeline: From Entry Into Force to Full Enforcement

Is your organisation ready for the enforcement deadlines under the EU AI Act? With multiple compliance phases already in effect and more approaching fast, missing a single deadline could result in penalties reaching millions of euros. Whether you develop AI systems, deploy them in your operations, or supply components to AI providers, the clock is ticking.

 

The EU AI Act (Regulation 2024/1689) became the first comprehensive AI law in the world when it entered into force on 1 August 2024. Rather than applying all at once, it follows a phased rollout stretching from early 2025 through to mid 2028. Each phase introduces specific obligations tied to risk categories, from outright bans on certain AI practices to detailed requirements for high-risk systems and general-purpose AI models.

 

This blog walks through every official milestone on the EU AI Act timeline in chronological order. You will understand exactly which rules apply at each stage, what actions your organisation must take, and where to find the official references. Read on to have a clear compliance roadmap that links each deadline to a concrete next step.

How the EU AI Act Timeline Is Structured

The regulation uses a staggered enforcement model that gives organisations time to prepare for different obligation categories.

Why a Phased Approach Was Chosen

The European Commission recognised that applying every rule simultaneously would overwhelm both regulators and businesses. A phased model lets organisations address the most urgent risks first, beginning with prohibited AI practices, and then build compliance infrastructure progressively. This approach also gives standardisation bodies time to develop harmonised standards that support conformity assessments.

 

Each enforcement date targets a specific risk tier or governance requirement. The timeline runs from 2 February 2025 through to 2 August 2028, with the most recent adjustments introduced through the Digital Omnibus agreement in 2026.

Who Needs to Follow This Timeline

The EU AI Act applies to providers (developers), deployers (users in professional settings), importers, and distributors of AI systems within the EU market. It also catches organisations based outside the EU if their AI system outputs are used within EU territory. Compliance officers, legal teams, product managers, data governance professionals, and executive decision makers all need visibility into these deadlines.

Official Sources You Can Rely On

Every date referenced in this blog comes from official EU institutional sources. The primary references are Regulation (EU) 2024/1689 published in the Official Journal, the European Commission’s AI Act Service Desk timeline, and press releases from the Council of the EU and European Parliament regarding the Digital Omnibus amendments.

1 August 2024: The EU AI Act Enters Into Force

This date marks the formal starting point of the entire EU AI Act timeline and triggers all subsequent deadlines.

What Happened on This Date

The EU AI Act was published in the Official Journal of the European Union on 12 July 2024 as Regulation (EU) 2024/1689. It entered into force twenty days later, on 1 August 2024. From this point, every enforcement milestone is counted in months from this date. The regulation itself does not impose direct obligations on this date, but the compliance clock begins ticking for every organisation in scope.

What Organisations Should Have Done

Forward-thinking organisations used this period to conduct an initial AI inventory. This means cataloguing every AI system in use, under development, or planned for deployment. The goal was to identify which systems might fall under prohibited, high-risk, limited-risk, or minimal-risk categories. Governance teams also began reviewing internal policies to identify gaps against the upcoming requirements.

2 February 2025: Prohibited AI Practices and AI Literacy Take Effect

Six months after entry into force, the first binding obligations kicked in, targeting the most dangerous AI applications.

Prohibited AI Practices Now Banned

Chapter II of the AI Act bans AI systems that pose unacceptable risks to fundamental rights and safety. These prohibitions are now fully enforceable. Organisations found operating banned systems face fines of up to 35 million euros or 7% of global annual turnover, whichever is higher. The eight prohibited practices include:

 

  • Subliminal manipulation techniques that distort behaviour and cause harm
  • Exploitation of vulnerabilities based on age, disability, or social situation
  • Social scoring by public authorities that leads to detrimental treatment
  • Individual criminal risk assessment based solely on profiling or personality traits
  • Untargeted scraping of the internet or CCTV images to build facial recognition databases
  • Emotion recognition in workplaces and educational institutions, except for medical or safety purposes
  • Biometric categorisation systems that infer race, political opinions, trade union membership, religious beliefs, or sexual orientation
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions

 

The 2026 Digital Omnibus amendments also added a new prohibition on AI systems that generate nonconsensual sexual or intimate content and child sexual abuse material.

AI Literacy Obligations Now Active

Article 4 of the AI Act requires all providers and deployers to ensure their staff and relevant personnel have sufficient AI literacy. This is not a one-off training exercise. Organisations must demonstrate ongoing competence appropriate to the context, intended purpose, and risk level of the AI systems they work with. GDPR Staff Training frameworks can serve as a useful model here, adapted specifically for AI literacy requirements.

2 August 2025: General Purpose AI and Governance Rules Apply

Twelve months after entry into force, the focus shifts to general-purpose AI models and the governance framework that underpins enforcement.

Obligations for General Purpose AI (GPAI) Providers

Chapter V of the AI Act applies from this date. Providers of general-purpose AI models must now meet transparency and copyright-related obligations when placing models on the EU market. 

 

Key requirements include maintaining up-to-date technical documentation, providing clear usage policies to downstream providers, establishing a copyright compliance policy, and publishing a sufficiently detailed summary of training data content. The European Commission published the General Purpose AI Code of Practice on 10 July 2025 to guide compliance.

Systemic Risk Models Face Extra Requirements

GPAI models trained with computational power exceeding 10^25 floating-point operations are classified as presenting systemic risk. Providers of these models must notify the European Commission, conduct model evaluations including adversarial testing, assess and mitigate systemic risks, and report serious incidents. These are in addition to the baseline GPAI transparency obligations.

Governance Structures Must Be Operational

By this date, Member States must designate national competent authorities responsible for supervising the AI Act. They must also adopt national laws on penalties for non-compliance. At the EU level, the AI Board, Scientific Panel of independent experts, and Advisory Forum must be fully established and operational. 

 

The AI Office within the European Commission serves as the lead enforcement body for GPAI model obligations.

2 August 2026: The Majority of AI Act Rules Come Into Force

Two years after entry into force, the bulk of the regulation becomes enforceable, including transparency rules and the first wave of high-risk system obligations.

High-Risk AI Systems in Annex III

Rules for stand-alone high-risk AI systems listed in Annex III of the regulation apply from this date. However, following the Digital Omnibus amendments agreed in May 2026, these dates have been adjusted. The updated application date for stand-alone high-risk AI systems is now 2 December 2027. Annex III covers AI systems used in areas such as biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and asylum management, and administration of justice.

Transparency Obligations (Article 50)

Article 50 transparency requirements apply from 2 August 2026. Providers of AI systems that interact directly with people must ensure that those individuals are informed that they are engaging with an AI system. AI-generated or manipulated content, including deepfakes, must be clearly labelled as artificially generated. Providers of emotion recognition or biometric categorisation systems must inform individuals that such systems are in operation. These transparency measures apply regardless of the risk classification of the AI system.

Innovation Sandboxes and Enforcement Begins

Each EU Member State must have at least one operational AI regulatory sandbox by this date. Sandboxes provide controlled environments where organisations, particularly SMEs, can test AI innovations under regulatory supervision before full market deployment. Enforcement of the AI Act also formally begins at both the national and EU levels from this point. National market surveillance authorities can now inspect, investigate, and impose corrective measures.

2 December 2027: Stand-Alone High-Risk AI Systems Must Comply

Following the Digital Omnibus agreement, this is the updated enforcement date for stand-alone high-risk AI systems under Annex III.

What Changed With the Digital Omnibus

On 7 May 2026, the Council and European Parliament reached a political agreement on the AI Omnibus proposal, part of the broader Digital Omnibus VII legislative package. The Council gave final approval on 29 June 2026. 

 

The original compliance date for Annex III high-risk systems was 2 August 2026, but this was pushed to 2 December 2027 for stand-alone systems. The extension links the application of these rules to the availability of harmonised standards and support tools that organisations need for conformity assessments.

Obligations for Providers of High-Risk AI

Providers must implement a risk management system that runs throughout the AI system’s lifecycle. They must ensure training data governance, maintain technical documentation, enable automatic logging, provide transparency and information to deployers, allow for human oversight, and meet accuracy, robustness, and cybersecurity standards. 

 

A conformity assessment must be completed before placing the system on the market. Providers must also register high-risk systems in the EU database maintained under Article 71.

Obligations for Deployers of High-Risk AI

Deployers must use high-risk AI systems in accordance with the provider’s instructions. They must assign competent personnel for human oversight, ensure input data is relevant and representative, monitor operations for risks, retain system-generated logs for a minimum of six months, conduct a fundamental rights impact assessment where required, and inform affected individuals that they are subject to a high-risk AI system’s decision.

 

Handling sensitive personal information within these systems requires particular care under both the AI Act and the GDPR.

2 August 2027: GPAI Transition Deadline and Legacy Model Compliance

This date represents the final compliance window for GPAI models already on the market before August 2025.

Legacy GPAI Models Must Now Comply

General-purpose AI models that were placed on the EU market before 2 August 2025 have a two-year transition window. By 2 August 2027, these models must meet all applicable GPAI obligations, including technical documentation, copyright policies, and training data summaries. Providers who have been operating under the transition grace period will no longer have any exemptions after this date.

What This Means for Downstream Providers and Deployers

Organisations that build applications on top of GPAI models must verify that their upstream providers are compliant. If a foundation model provider fails to meet the 2 August 2027 deadline, downstream deployers may inherit compliance risks. Due diligence on supplier compliance becomes critical from this point. Building proper user consent mechanisms into AI-driven products also remains essential for transparent operations.

2 August 2028: High-Risk AI in Regulated Products Must Comply

The final enforcement date on the EU AI Act timeline covers AI systems embedded in products already regulated under existing EU legislation.

Which Products Are Affected

Article 6(1) of the AI Act classifies AI systems as high risk when they are safety components of products covered by EU harmonisation legislation listed in Annex I. This includes sectors such as machinery, toys, lifts, medical devices, motor vehicles, aviation, rail systems, marine equipment, and civil aviation security. AI systems embedded in these products must meet the full set of high-risk obligations by 2 August 2028.

Why the Extended Timeline Exists

These products are already subject to existing EU safety and conformity assessment regimes. The extended deadline allows manufacturers and notified bodies to align AI Act requirements with existing sectoral legislation. It also provides time for the development of harmonised standards specific to AI components within these product categories. The Digital Omnibus amendments confirmed that this date remains unchanged.

Penalties for Non-Compliance Under the EU AI Act

The enforcement framework includes a tiered penalty structure that scales with the severity of the violation.

Fines by Violation Category

  • Prohibited AI practices: up to 35 million euros or 7% of global annual turnover
  • High-risk system obligations: up to 15 million euros or 3% of global annual turnover
  • Incorrect information supplied to authorities: up to 7.5 million euros or 1% of global annual turnover

 

For SMEs and startups, the regulation specifies proportionate caps on fines. The Digital Omnibus amendments also extended certain regulatory exemptions to small mid-cap companies, reducing the compliance burden on smaller organisations while maintaining accountability standards.

Enforcement Bodies

National market surveillance authorities handle enforcement for most AI systems operating within their territory. The AI Office within the European Commission directly enforces rules relating to GPAI models. Cross-border cases may involve coordination between multiple national authorities and the AI Board.

Complete EU AI Act Timeline at a Glance

Below is a consolidated view of every key date and what it triggers.

 

  • 1 August 2024: AI Act enters into force. Compliance clock starts.
  • 2 February 2025: Prohibited AI practices banned. AI literacy obligations apply (Chapters I and II).
  • 2 August 2025: GPAI obligations apply. Governance structures (AI Board, national authorities) must be operational. Penalty frameworks adopted.
  • 2 August 2026: Transparency rules (Article 50) apply. Innovation sandboxes operational. Enforcement begins at the national and EU levels.
  • 2 December 2027: Stand-alone high-risk AI systems (Annex III) must comply. Updated from the original August 2026 date via Digital Omnibus.
  • 2 August 2027: Legacy GPAI models (placed on the market before August 2025) must meet all GPAI obligations.
  • 2 August 2028: High-risk AI systems embedded in regulated products (Annex I) must comply.

Final Thoughts

The EU AI Act timeline stretches across four years of phased enforcement, with each deadline introducing specific obligations for different risk categories. Prohibited practices are already banned. GPAI rules are live. Transparency requirements apply from August 2026, and high-risk system obligations follow in December 2027 and August 2028. Organisations that map their AI systems to these milestones now will avoid regulatory surprises and build a sustainable compliance posture. The time to act is before each deadline, not after.

Prepare for the EU AI Act with Seers’ AI Governance

Navigating the EU AI Act timeline requires clear visibility into your AI systems, their risk classifications, and the obligations that apply at each phase. Seers provides AI governance tools that help organisations map their AI inventory, track compliance deadlines, and manage regulatory requirements across jurisdictions. Start building your compliance framework before the next deadline arrives. 

GET AI GOVERNANCE

Frequently Asked Questions (FAQs)

When did the EU AI Act officially enter into force?

The EU AI Act (Regulation 2024/1689) was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024. This starting date is what all subsequent enforcement milestones are calculated from. The phased application model means different provisions become enforceable at different points over a four-year period running through to August 2028.

Which AI practices are currently banned under the EU AI Act?

The regulation bans eight categories of AI practices considered an unacceptable risk. These include subliminal manipulation, social scoring, untargeted facial recognition database building, workplace emotion recognition, biometric categorisation based on protected characteristics, and real-time remote biometric identification for law enforcement. A ninth prohibition on AI-generated nonconsensual intimate content was added through the 2026 Digital Omnibus amendments.

What are the obligations for general-purpose AI model providers?

Providers must maintain technical documentation, publish a training data summary, comply with copyright law, and provide clear usage policies. Models classified as systemic risk (trained above 10^25 FLOP) carry additional obligations, including adversarial testing, risk mitigation measures, and incident reporting to the European Commission. The General Purpose AI Code of Practice offers practical compliance guidance.

How did the Digital Omnibus change the EU AI Act timeline?

The Digital Omnibus VII package, politically agreed on 7 May 2026 and confirmed on 29 June 2026, pushed the application date for stand-alone high-risk AI systems from 2 August 2026 to 2 December 2027. It linked compliance to the availability of harmonised standards. It also extended SME exemptions to small mid-caps and added the prohibition on AI-generated nonconsensual intimate content.

What happens if my organisation misses an EU AI Act deadline?

Penalties vary by violation category. Operating a prohibited AI system can incur fines up to 35 million euros or 7% of global turnover. Failing to meet high-risk system obligations carries fines up to 15 million euros or 3% of turnover. Providing incorrect information to regulators can cost up to 7.5 million euros or 1% of turnover. Proportionate caps apply to SMEs and startups.

Does the EU AI Act apply to organisations outside the European Union?

The regulation has extraterritorial reach. It applies to any provider or deployer, regardless of location, if the output of their AI system is used within the EU. This means non-EU companies selling into the European market or providing AI services accessed by EU users must comply with the same obligations and deadlines as EU-based organisations.

What is the role of national competent authorities under the AI Act?

Each EU Member State must designate at least one national competent authority to oversee AI Act enforcement within its territory. These authorities are responsible for market surveillance, investigating complaints, conducting inspections, and imposing corrective measures or penalties. They coordinate with the AI Board at the EU level and work alongside the AI Office for matters involving GPAI models.

Are there any exemptions for small and medium enterprises?

The AI Act includes proportionate compliance measures for SMEs, including reduced fines and access to AI regulatory sandboxes for testing innovations. The Digital Omnibus amendments extended certain exemptions to small mid-cap companies as well. However, core obligations such as prohibited practice bans and transparency requirements apply equally regardless of company size.

What should deployers of high-risk AI systems prepare for by December 2027?

Deployers must assign competent staff for human oversight, ensure input data quality, monitor systems for risks, retain logs for at least six months, conduct fundamental rights impact assessments where required, and inform affected individuals. Building these processes now, well ahead of the December 2027 deadline, gives organisations sufficient time to test and refine their compliance workflows.

Where can I find the official EU AI Act text and implementation timeline?

The full regulation is published as Regulation (EU) 2024/1689 on EUR-Lex. The European Commission’s AI Act Service Desk provides an interactive implementation timeline with milestone descriptions. Press releases from the Council of the EU and European Parliament offer updates on amendments such as the Digital Omnibus package.

 

Rimsha Zafar

Rimsha is a Senior Content Writer at Seers AI with over 5 years of experience in advanced technologies and AI-driven tools. Her expertise as a research analyst shapes clear, thoughtful insights into responsible data use, trust, and future-facing technologies.

ORCIDResearchGateGoogle ScholarLinkedIn 

Unlock Accurate Insights with Google Consent Mode v2

Is Your Website at Risk of Losing Conversions?


Take our Free Cookie Audit and find out

Ready to Build Trust and Drive Business Growth?

Join 50,000+ websites using Seers.Ai to turn compliance into trust, insights, & measurable business growth.