EU AI Act Compliance Timeline and Deadlines

The EU AI Act is already law. What trips teams up is that "already law" and "applies to my system today" are two different things. The Regulation entered into force on 1 August 2024, but Article 113 spreads the actual obligations across a phased schedule that runs to 2027. Miss the distinction and you either panic early or, worse, assume you have years of runway when a deadline has already passed.

Here is the schedule that matters, what each date switches on, and how to figure out which date applies to you.

The Dates That Matter

1 August 2024 — Entry into force

The clock starts. Nothing is enforceable yet, but every later deadline counts from here. This is also the point from which the Commission and the AI Office began standing up the guidance, codes of practice, and harmonised standards that the substantive obligations rely on.

2 February 2025 — Prohibitions and AI literacy

The first teeth. Two things switched on:

• Article 5 prohibitions. The eight unacceptable-risk practices — social scoring, untargeted facial scraping, emotion recognition in workplaces and schools, and the rest — became illegal to place on the market or put into service. Breaching these carries the heaviest penalty in the Act, up to 35 million euros or 7% of worldwide turnover.
• Article 4 AI literacy. Providers and deployers must ensure staff who deal with AI systems have a sufficient level of understanding to operate them responsibly. This one is easy to overlook because it is not tied to a risk tier — it applies broadly.

If you operate in the EU and have not screened your systems against Article 5, that work is overdue, not upcoming.

2 August 2025 — GPAI, governance, and penalties

The middle phase brought three things into effect:

• General-purpose AI model obligations (Chapter V). Providers of GPAI models owe technical documentation, downstream information for the businesses building on top of them, a copyright policy, and a summary of training data (Article 53). Models presumed to carry systemic risk — broadly, those trained above 10^25 FLOPs under Article 51 — owe additional duties under Article 55, including model evaluations and adversarial testing.
• Governance. The AI Office, the AI Board, and national competent authorities became operational, giving the Act its enforcement machinery.
• Penalties. The fine regime in Article 99 became applicable.

There is a grandfathering wrinkle worth knowing: GPAI models that were already on the market before 2 August 2025 have until 2 August 2027 to come fully into line.

2 August 2026 — General application

This is the big one, and the date most high-risk providers should have circled. On this date the Act applies generally, which brings into force:

• Annex III high-risk obligations. The full provider stack — risk management (Article 9), data governance (Article 10), Annex IV technical documentation (Article 11), human oversight (Article 14), conformity assessment (Article 43) — becomes enforceable for the eight Annex III use-case categories.
• Article 50 transparency. The disclosure duties for chatbots, deepfakes, and synthetic content take effect.

If your system is high-risk under Annex III, this is the deadline you are building toward. And because a proper Annex IV technical file and a conformity assessment take months, not weeks, the preparation window is now, not in mid-2026.

2 August 2027 — High-risk safety components

The final phase. High-risk systems that fall under Article 6(1) — AI that acts as a safety component of a product already regulated under EU sectoral law in Annex I, such as medical devices and machinery — get an extra year before their obligations apply. The same date is the compliance deadline for pre-existing GPAI models mentioned above.

How to Tell Which Date Applies to You

The schedule only helps once you know your system's risk tier and the obligations that come with it, because different tiers map to different dates. A quick way to reason about it:

1. Does the system touch Article 5? Then your deadline was 2 February 2025 — and the answer needs to be "we don't do that."
2. Is it a GPAI model? Then 2 August 2025 (or 2 August 2027 if it predates that date).
3. Is it high-risk under Annex III? Then 2 August 2026.
4. Is it a high-risk safety component under Annex I? Then 2 August 2027.
5. Is it limited-risk (transparency only)? Then the Article 50 duties apply from 2 August 2026.
6. Minimal-risk? No mandatory deadline at all.

Notice that step one of every version of this is classification. You cannot place a system on the timeline until you know its tier, which is why the risk categories come first in any sensible compliance plan.

Why "We Have Until 2026" Is the Wrong Read

The most common misreading is treating 2 August 2026 as the day work starts rather than the day it must be finished. For a high-risk system, the obligations due on that date include a completed conformity assessment and a maintained Annex IV technical file. Those are not last-minute artefacts. The risk management system under Article 9 is meant to run across the lifecycle, and the technical documentation is supposed to be assembled and kept current as the system evolves.

In practice, a team aiming for the 2026 date should be classifying systems and scoping documentation well before then, refreshing the assessment whenever a system materially changes — because a material change can flip a deployer into a provider under Article 25 and reset which obligations apply.

Build a Living Schedule, Not a One-Off Memo

The dates above are fixed, but your obligations are not. New systems appear, purposes shift, and a deployer who fine-tunes a model can inherit provider duties overnight. The realistic approach is to re-run a readiness assessment per system on a recurring basis and tie each obligation to its Article 113 date.

That is what a structured assessment is for: it pins each applicable obligation to the right deadline so you are managing a calendar rather than a wall of regulation. Our walkthrough of assessing readiness with AI shows how to generate that deadline-mapped obligation list, and the EU AI Act Readiness tool produces it directly from a description of your system.

None of this is legal advice — phasing details and the carve-outs around them are exactly the sort of thing to confirm with counsel — but knowing which of these five dates governs your system is the difference between planning and scrambling.