The EU AI Act was published in the Official Journal on 12 July 2024 and entered into force 20 days later. Unlike GDPR, which gave organisations two years to prepare, the AI Act's phased timeline has different obligations entering force on different dates. Some are already in effect. Others arrive in August 2026.
This article sets out every material deadline and what it means for your organisation.
The Complete AI Act Timeline
1 August 2024 — Entry into Force
The AI Act entered into force. The countdown to all subsequent deadlines starts here.
2 February 2025 — Prohibited AI Systems
The first compliance deadline. AI practices and systems classified as prohibited under Article 5 are banned as of this date.
Prohibited systems include:
- Subliminal manipulation techniques that cause harm to individuals
- Exploitation of vulnerabilities of specific groups (age, disability, social situation)
- Social scoring by public authorities
- Real-time remote biometric identification in public spaces (with narrow exceptions)
- Emotion recognition in workplace and education settings
- AI systems that infer sensitive attributes (race, political opinion, religion, sexual orientation) from biometric data
What this means: If any of your products or features fall into these categories, they were required to be discontinued by February 2025.
2 August 2025 — GPAI Model Obligations
General Purpose AI (GPAI) model providers must comply with transparency and documentation requirements from this date. This includes:
- Technical documentation and transparency obligations
- Training data summaries and copyright compliance
- Systemic risk assessment obligations for frontier models
What this means: If you develop or release a GPAI model (LLM, multimodal model), your obligations are in force now. Downstream deployers building on GPAI APIs are not directly subject to this deadline but should review the documentation their providers publish.
2 August 2025 — Governance Infrastructure
EU member states must have designated national competent authorities. The European AI Office becomes fully operational. Codes of practice for GPAI models must be finalised.
2 August 2026 — High-Risk AI Systems (Main Deadline)
This is the primary compliance deadline for most AI companies. From this date:
For AI system providers:
- All high-risk AI systems (Annex III) must have completed conformity assessment
- Technical documentation must be complete
- CE marking must be in place (where applicable)
- Systems must be registered in the EU AI database
- Post-market monitoring systems must be in place
For AI deployers (companies using high-risk AI):
- Must comply with deployer obligations (Article 26): transparency to affected individuals, human oversight, data governance where relevant, cooperation with providers
For all AI systems:
- Systems with limited transparency risk (chatbots, deepfakes, AI-generated content) must carry disclosure obligations
The August 2026 deadline applies to: Credit scoring AI, recruitment AI, CV screeners, educational assessment AI, critical infrastructure AI, law enforcement AI, health and safety component AI, and other Annex III categories.
2 August 2027 — High-Risk AI in Regulated Products
AI systems embedded in products covered by specific EU product safety legislation (medical devices, machinery, radio equipment) have a later deadline:
- CE marking under the product regulation covers AI Act compliance
- The additional lead time allows alignment with MDR/IVDR review timelines
- Applies to: medical device AI, IVD AI, agricultural equipment AI, aviation AI
Ongoing After 2026 — Enforcement
National market surveillance authorities begin active enforcement. The EU AI Office can investigate and fine GPAI model providers directly. Fines of up to €35 million or 7% of global turnover for prohibited AI; up to €15 million or 3% for other violations.
What You Should Be Doing Now
| Action | When |
|---|---|
| Classify all AI systems against Annex III | Now |
| Identify any prohibited AI features and discontinue | Already required (Feb 2025) |
| Begin technical documentation for high-risk systems | Now |
| Review GPAI provider documentation for base model risk assessment | Now |
| Plan conformity assessment process (self-assessment or notified body) | Q1 2026 |
| Complete conformity assessment | Q2 2026 |
| Register in EU AI database | Before August 2026 |
| Deploy EU-compliant version | By August 2026 |
Common Misconceptions About the Timeline
"The deadline is August 2026 — I have time." You do, but less than you think. Conformity assessment requires complete technical documentation, which takes months to prepare if you have not been building it. Companies starting in early 2026 will struggle to complete by August.
"GPAI obligations don't affect me because I build on APIs." Partially correct. GPAI provider obligations apply to OpenAI, Anthropic, Google — not to you. But if you build a high-risk application on their models, your high-risk obligations still apply by August 2026.
"If I have GDPR documentation, AI Act documentation is covered." No. AI Act technical documentation is substantially different from GDPR documentation. AI Act requires training data documentation, performance metrics, and bias testing that GDPR does not require.